Skip to content

Support multi-origin passkey verification#37

Open
Abhishek5Sharma wants to merge 2 commits into
mainfrom
bugs/nv32_passkey_for_multi_origins
Open

Support multi-origin passkey verification#37
Abhishek5Sharma wants to merge 2 commits into
mainfrom
bugs/nv32_passkey_for_multi_origins

Conversation

@Abhishek5Sharma
Copy link
Copy Markdown
Member

@Abhishek5Sharma Abhishek5Sharma commented May 28, 2026
edited
Loading

Add neev.relying_party_id and neev.allowed_origins config keys so PasskeyController can verify WebAuthn ceremonies against multiple origins bound to a single relying party ID. Replaces hardcoded APP_URL parsing and swaps CheckOrigin for CheckAllowedOrigins.

Description

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)

Checklist

  • composer lint passes
  • composer analyse passes
  • composer test passes
  • I have updated the documentation accordingly
  • I have added an entry to CHANGELOG.md

@Abhishek5Sharma
Support multi-origin passkey verification
92db564 
Add `neev.relying_party_id` and `neev.allowed_origins` config keys so
PasskeyController can verify WebAuthn ceremonies against multiple
origins bound to a single relying party ID. Replaces hardcoded
APP_URL parsing and swaps `CheckOrigin` for `CheckAllowedOrigins`.
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented May 28, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 23.07692% with 10 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/Http/Controllers/Auth/PasskeyController.php 23.07% 10 Missing ⚠️

📢 Thoughts on this report? Let us know!

@Abhishek5Sharma
Fix phpstan errors for webauthn-lib 5.3+ check() signature
7c70476 
Use positional args and pass AuthenticatorAssertionResponse directly,
since the validator's first parameter was renamed to $credentialRecord
and PublicKeyCredential::$response is typed as the parent class.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Abhishek5Sharma @codecov-commenter