From d12f247edc0529f4e262b55b4d33c0865cb09567 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Mon, 22 Nov 2021 13:52:57 +0100
Subject: [PATCH] fill origin into webauthn config if not provided in order to allow subdomains to work, the wa config should only specify 'id' and 'rp', the 'origin' gets filled in by the node
Signed-off-by: Wolfgang Bumiller
---
 src/PVE/AccessControl.pm | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 2e9e2f6..168fc26 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -882,25 +882,30 @@ sub authenticate_yubico_do : prototype($$$) {
 sub configure_u2f_and_wa : prototype($) {
 my ($tfa_cfg) = @_;
 
+ my $rpc_origin;
+ my $get_origin = sub {
+ return $rpc_origin if defined($rpc_origin);
+ my $rpcenv = PVE::RPCEnvironment::get();
+ if (my $origin = $rpcenv->get_request_host(1)) {
+ $rpc_origin = "https://$origin";
+ return $rpc_origin;
+ }
+ die "failed to figure out origin\n";
+ };
+
 my $dc = cfs_read_file('datacenter.cfg');
 if (my $u2f = $dc->{u2f}) {
- my $origin = $u2f->{origin};
- if (!defined($origin)) {
- my $rpcenv = PVE::RPCEnvironment::get();
- $origin = $rpcenv->get_request_host(1);
- if ($origin) {
- $origin = "https://$origin";
- } else {
- die "failed to figure out u2f origin\n";
- }
- }
 $tfa_cfg->set_u2f_config({
- origin => $origin,
+ origin => $u2f->{origin} // $get_origin->(),
 appid => $u2f->{appid},
 });
 }
 if (my $wa = $dc->{webauthn}) {
- $tfa_cfg->set_webauthn_config($wa);
+ $tfa_cfg->set_webauthn_config({
+ origin => $wa->{origin} // $get_origin->(),
+ rp => $wa->{rp},
+ id => $wa->{id},
+ });
 }
 }
 
-- 
2.39.2
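Review bot: In the new `$get_origin` closure the fallback origin is built from `$rpcenv->get_request_host(1)`, which presumably reflects the Host header sent by the client, and the webauthn branch now uses that value as the expected origin whenever `origin` is absent from datacenter.cfg. The origin comparison is then only as strong as that Host value, leaving the `id` (rp id) check to carry the site binding alone. I would reject a request host that is neither `$wa->{id}` nor a subdomain of it before falling back, e.g. `die "request host does not match webauthn id\n" if $host ne $wa->{id} && $host !~ /\.\Q$wa->{id}\E\z/;`, where `$host` is the value returned by `get_request_host` (whether it can carry a port needs confirming). Two smaller points: `//` falls back only on undef, so an empty `origin` in the config is passed through unchanged, and the shared die message no longer says whether the u2f or the webauthn setup failed.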