fill origin into webauthn config if not provided

in order to allow subdomains to work, the wa config should
only specify 'id' and 'rp', the 'origin' gets filled in by
the node

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 2e9e2f69ae8cbafab2d3d9dad6b656889f4f578e..168fc26b36acc2c775582cf350e6488a64840329 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -882,25 +882,30 @@ sub authenticate_yubico_do : prototype($$$) {
 sub configure_u2f_and_wa : prototype($) {
     my ($tfa_cfg) = @_;
 
+    my $rpc_origin;
+    my $get_origin = sub {
+       return $rpc_origin if defined($rpc_origin);
+       my $rpcenv = PVE::RPCEnvironment::get();
+       if (my $origin = $rpcenv->get_request_host(1)) {
+           $rpc_origin = "https://$origin";
+           return $rpc_origin;
+       }
+       die "failed to figure out origin\n";
+    };
+
     my $dc = cfs_read_file('datacenter.cfg');
     if (my $u2f = $dc->{u2f}) {
-       my $origin = $u2f->{origin};
-       if (!defined($origin)) {
-           my $rpcenv = PVE::RPCEnvironment::get();
-           $origin = $rpcenv->get_request_host(1);
-           if ($origin) {
-               $origin = "https://$origin";
-           } else {
-               die "failed to figure out u2f origin\n";
-           }
-       }
        $tfa_cfg->set_u2f_config({
-           origin => $origin,
+           origin => $u2f->{origin} // $get_origin->(),
            appid => $u2f->{appid},
        });
     }
     if (my $wa = $dc->{webauthn}) {
-       $tfa_cfg->set_webauthn_config($wa);
+       $tfa_cfg->set_webauthn_config({
+           origin => $wa->{origin} // $get_origin->(),
+           rp => $wa->{rp},
+           id => $wa->{id},
+       });
     }
 }