Attempt to fix CheckOrigin

web-auth · Jan 31, 2025 · c74b7c5 · c74b7c5
1 parent 1d64b61
commit c74b7c5
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/webauthn/src/CeremonyStep/CheckOrigin.php b/src/webauthn/src/CeremonyStep/CheckOrigin.php
@@ -40,6 +40,14 @@ public function process(
         is_array($parsedRelyingPartyId) || throw AuthenticatorResponseVerificationException::create(
             'Invalid origin'
         );
+        // Companion application
+        if (in_array($parsedRelyingPartyId['scheme'], ['android', 'ios'])) {
+            in_array($C->origin, $this->securedRelyingPartyId, true) || throw AuthenticatorResponseVerificationException::create(
+                'Unauthorized origin.'
+            );
+            return;
+        }
+        // Web
         if (! in_array($facetId, $this->securedRelyingPartyId, true)) {
             $scheme = $parsedRelyingPartyId['scheme'] ?? '';
             $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(