From c74b7c50f3eac9a2e98d44360dc6e40fb67e9622 Mon Sep 17 00:00:00 2001
From: Hugues Peccatte
Date: Thu, 30 Jan 2025 17:36:37 +0100
Subject: [PATCH] Attempt to fix CheckOrigin
---
 src/webauthn/src/CeremonyStep/CheckOrigin.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/webauthn/src/CeremonyStep/CheckOrigin.php b/src/webauthn/src/CeremonyStep/CheckOrigin.php
index 30cd2160..03c96a29 100644
--- a/src/webauthn/src/CeremonyStep/CheckOrigin.php
+++ b/src/webauthn/src/CeremonyStep/CheckOrigin.php
@@ -40,6 +40,14 @@ public function process(
 is_array($parsedRelyingPartyId) || throw AuthenticatorResponseVerificationException::create(
 'Invalid origin'
 );
+ // Companion application
+ if (in_array($parsedRelyingPartyId['scheme'], ['android', 'ios'])) {
+ in_array($C->origin, $this->securedRelyingPartyId, true) || throw AuthenticatorResponseVerificationException::create(
+ 'Unauthorized origin.'
+ );
+ return;
+ }
+ // Web
 if (! in_array($facetId, $this->securedRelyingPartyId, true)) {
 $scheme = $parsedRelyingPartyId['scheme'] ?? '';
 $scheme === 'https' || throw AuthenticatorResponseVerificationException::create(
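Review bot: The new branch reads `$parsedRelyingPartyId['scheme']` directly, while the existing web path three lines later reads it as `$parsedRelyingPartyId['scheme'] ?? ''`, so an origin that parses without a scheme now raises an undefined-array-key warning before the https check is ever reached, and under an error handler that promotes warnings this turns a clean "Invalid origin" rejection into an unrelated error. The new `in_array` is also the only non-strict one in this method; the call on the very next line passes `true`. Suggest `if (in_array($parsedRelyingPartyId['scheme'] ?? '', ['android', 'ios'], true)) {`. It is also worth a comment on the new branch that `$this->securedRelyingPartyId` now holds both web facet IDs and full native origin strings, since the two are matched by different values (`$facetId` versus `$C->origin`). The `process` method begins before and continues past this hunk.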