From fda7f199ad36800568684d9d559b2b3ad36a5163 Mon Sep 17 00:00:00 2001
From: jissepo
Date: Tue, 24 May 2022 11:43:19 +0300
Subject: [PATCH] Added rpId to webauthnAssertAuthentication expectations

This allows for authentication from subdomains. Fido2Lib.assertionResult compares the rpIdHash returned by the users browser, and since the key is created on the main domain it can't use the passed in origin for the hash comparison. The related Fido2Lib line: https://github.com/webauthn-open-source/fido2-lib/blob/a5003fa5bf95a3b154ea340ecc39165a9b04de59/lib/validator.js#L437
---
 lib/user-handler.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/user-handler.js b/lib/user-handler.js
index f99c6c58..ec4d1ccc 100644
--- a/lib/user-handler.js
+++ b/lib/user-handler.js
@@ -2713,7 +2713,8 @@ class UserHandler {
 factor: 'either',
 publicKey: credentialData.publicKey,
 prevCounter: credentialData.counter,
- userHandle: null
+ userHandle: null,
+ rpId: config.webauthn.rpId
 };
 const f2l = new Fido2Lib(Object.assign({}, config.webauthn));
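Review bot: The added `rpId: config.webauthn.rpId` is set unconditionally, so an install that never configured `webauthn.rpId` now passes an `rpId` key with an undefined value. Whether Fido2Lib then still falls back to the hostname of `origin` for the rpIdHash comparison cannot be seen from this hunk. Including the key only when it is configured keeps the old behaviour for those installs, for example `...(config.webauthn.rpId ? { rpId: config.webauthn.rpId } : {})` in place of the new property. With a parent-domain rpId the hash check no longer ties an assertion to one host, which leaves the `origin` expectation as the only per-host check. The object literal starts above the hunk, so where `origin` comes from is not visible; if it is caller-supplied, a comment here should say it has to be matched against a configured list of allowed origins.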