911aa34ba9
* feat(auth): add WebAuthn MFA credentials * fix(auth): harden WebAuthn MFA review paths * fix(auth): polish WebAuthn error handling * fix(auth): handle duplicate WebAuthn credential races * fix(auth): permit WebAuthn credential params * fix(auth): trim WebAuthn registration controller cleanup * fix(auth): tighten WebAuthn MFA handling * fix(auth): pin WebAuthn relying party config
1.2 KiB
WebAuthn MFA Configuration
Sure supports passkeys, Touch ID, Windows Hello, and hardware security keys as MFA credentials. WebAuthn credentials are bound to the relying party ID used when they are registered, so production deployments should pin these values explicitly instead of deriving them from incoming request headers.
Set these environment variables for self-hosted deployments:
WEBAUTHN_RP_ID=example.com
WEBAUTHN_ALLOWED_ORIGINS=https://sure.example.com
WEBAUTHN_RP_ID is usually the registrable domain, such as example.com, not a full URL and not a hostname with a port. This lets credentials work across subdomains when the browser permits it.
WEBAUTHN_ALLOWED_ORIGINS is a comma-separated list of full origins where users access Sure, including scheme and host. Examples:
WEBAUTHN_ALLOWED_ORIGINS=https://sure.example.com,https://app.example.com
For local development, use:
WEBAUTHN_RP_ID=localhost
WEBAUTHN_ALLOWED_ORIGINS=http://localhost:3000
Changing WEBAUTHN_RP_ID after users register credentials can make existing passkeys and security keys unavailable. Keep the value stable across reverse proxy, domain, and hostname changes.