authorMatthew Miller <matthew@millerti.me>2020-05-23 09:33:11 -0700
committerMatthew Miller <matthew@millerti.me>2020-05-23 09:33:11 -0700
commit05898eab426245a855236c0899c7e3a60a6c5622 (patch)
tree4fbec8a96cb2ae9feec27cb6ab12b0f37d01051d /packages/server/src
parentbdcd0a111744ccc1f3df6dcf059ae43bc3e070e6 (diff)
Ensure assertion origin starts with “https://”
Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/assertion/verifyAssertionResponse.test.ts10
-rw-r--r--packages/server/src/assertion/verifyAssertionResponse.ts6
2 files changed, 15 insertions, 1 deletions
diff --git a/packages/server/src/assertion/verifyAssertionResponse.test.ts b/packages/server/src/assertion/verifyAssertionResponse.test.ts
index 99e87d2..848acee 100644
--- a/packages/server/src/assertion/verifyAssertionResponse.test.ts
+++ b/packages/server/src/assertion/verifyAssertionResponse.test.ts
@@ -26,6 +26,16 @@ test('should verify an assertion response', () => {
expect(verification.verified).toEqual(true);
});
+test('should verify an assertion response if origin does not start with https', () => {
+ const verification = verifyAssertionResponse(
+ assertionResponse,
+ 'dev.dontneeda.pw',
+ authenticator,
+ );
+
+ expect(verification.verified).toEqual(true);
+});
+
test('should return authenticator info after verification', () => {
const verification = verifyAssertionResponse(
assertionResponse,
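Review bot: The new test at the top of this hunk only exercises the success path, so it does not show that the scheme-prefixing leaves the origin check intact; a companion case that passes a different host and asserts the call throws would pin that down, e.g. `expect(() => verifyAssertionResponse(assertionResponse, 'evil.example', authenticator)).toThrow(/Unexpected assertion origin/);` (constructed host). The test name is also slightly misleading, since it is the `expectedOrigin` argument, not the assertion's origin, that lacks the scheme; `test('should verify when expectedOrigin is given without an https:// scheme', ...)` reads more precisely. It may also be worth a case for a value that already carries a scheme, such as `'https://dev.dontneeda.pw'`, to confirm it is not double-prefixed. The trailing `test('should return authenticator info after verification', …)` continues outside the hunk.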
diff --git a/packages/server/src/assertion/verifyAssertionResponse.ts b/packages/server/src/assertion/verifyAssertionResponse.ts
index a3b631b..015c467 100644
--- a/packages/server/src/assertion/verifyAssertionResponse.ts
+++ b/packages/server/src/assertion/verifyAssertionResponse.ts
@@ -28,9 +28,13 @@ export default function verifyAssertionResponse(
const { type, origin } = clientDataJSON;
+ if (!expectedOrigin.startsWith('https://')) {
+ expectedOrigin = `https://${expectedOrigin}`;
+ }
+
// Check that the origin is our site
if (origin !== expectedOrigin) {
- throw new Error(`Unexpected assertion origin: ${origin}`);
+ throw new Error(`Unexpected assertion origin "${origin}", expected "${expectedOrigin}"`);
}
// Make sure we're handling an assertion