Attempt to fix CheckOrigin

web-auth · Jan 30, 2025 · 1d64b61 · 1d64b61
1 parent 430c57c
commit 1d64b61
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/webauthn/src/CeremonyStep/CheckOrigin.php b/src/webauthn/src/CeremonyStep/CheckOrigin.php
@@ -46,6 +46,14 @@ public function process(
                 'Invalid scheme. HTTPS required.'
             );
         }
+        // Companion application
+        if (in_array($parsedRelyingPartyId['scheme'], ['android', 'ios'])) {
+            in_array($C->origin, $this->securedRelyingPartyId, true) || throw AuthenticatorResponseVerificationException::create(
+                'Unauthorized origin.'
+            );
+            return;
+        }
+        // Web
         $clientDataRpId = $parsedRelyingPartyId['host'] ?? '';
         $clientDataRpId !== '' || throw AuthenticatorResponseVerificationException::create('Invalid origin rpId.');
         $rpIdLength = mb_strlen($facetId);