From 07b69edef2e961195d65f3ef5cb754532311741e Mon Sep 17 00:00:00 2001 From: Andreas Coroiu Date: Fri, 17 May 2024 17:34:16 +0200 Subject: [PATCH] [PM-6413] feat: add http loophole for localhost Fixes #6882 --- .../fido2/fido2-client.service.spec.ts | 20 +++++++++++++++++++ .../services/fido2/fido2-client.service.ts | 10 ++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/libs/common/src/platform/services/fido2/fido2-client.service.spec.ts b/libs/common/src/platform/services/fido2/fido2-client.service.spec.ts
index 13e1d8f282..a13c237a36 100644
--- a/libs/common/src/platform/services/fido2/fido2-client.service.spec.ts
+++ b/libs/common/src/platform/services/fido2/fido2-client.service.spec.ts
@@ -151,6 +151,16 @@ describe("FidoAuthenticatorService", () => {
 await rejects.toBeInstanceOf(DOMException);
 });
 
+ it("should not throw error if localhost is http", async () => {
+ const params = createParams({
+ origin: "http://localhost",
+ rp: { id: undefined, name: "localhost" },
+ });
+ authenticator.makeCredential.mockResolvedValue(createAuthenticatorMakeResult());
+
+ await client.createCredential(params, tab);
+ });
+
 // Spec: If credTypesAndPubKeyAlgs is empty, return a DOMException whose name is "NotSupportedError", and terminate this algorithm.
 it("should throw error if no support key algorithms were found", async () => {
 const params = createParams({
@@ -506,6 +516,16 @@ describe("FidoAuthenticatorService", () => {
 expect.anything(),
 );
 });
+
+ it("should not throw error if localhost is http", async () => {
+ const params = createParams({
+ origin: "http://localhost",
+ });
+ params.rpId = undefined;
+ authenticator.getAssertion.mockResolvedValue(createAuthenticatorAssertResult());
+
+ await client.assertCredential(params, tab);
+ });
 });
 
 describe("assert discoverable credential", () => {
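Review bot: Both new tests exercise only the positive case `http://localhost`, so nothing in this suite pins the boundary of the exemption; a later change that widens it (to any `http://` origin, or to hosts such as `http://localhost.example.com`) would still pass. A negative companion next to the new test in the first hunk, e.g. `it("should throw error if a non-localhost origin is http", ...)` built from `createParams({ origin: "http://localhost.evil.com", rp: { id: undefined, name: "localhost" } })` and asserted with the existing `rejects.toBeInstanceOf(DOMException)` pattern, would lock the loophole to the literal host. The `assertCredential` test in the second hunk deserves the same counterpart, with `params.rpId = undefined` so the origin check rather than the RP ID check is what rejects it. The enclosing describe blocks start and end outside both hunks.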
diff --git a/libs/common/src/platform/services/fido2/fido2-client.service.ts b/libs/common/src/platform/services/fido2/fido2-client.service.ts
index 5b6a13bc3f..d22b91fda0 100644
--- a/libs/common/src/platform/services/fido2/fido2-client.service.ts
+++ b/libs/common/src/platform/services/fido2/fido2-client.service.ts
@@ -103,7 +103,10 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {
 }
 params.rp.id = params.rp.id ?? parsedOrigin.hostname;
 
- if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
+ if (
+ parsedOrigin.hostname == undefined ||
+ (!params.origin.startsWith("https://") && parsedOrigin.hostname !== "localhost")
+ ) {
 this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
 throw new DOMException("'origin' is not a valid https origin", "SecurityError");
 }
@@ -238,7 +241,10 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {
 
 params.rpId = params.rpId ?? parsedOrigin.hostname;
 
- if (parsedOrigin.hostname == undefined || !params.origin.startsWith("https://")) {
+ if (
+ parsedOrigin.hostname == undefined ||
+ (!params.origin.startsWith("https://") && parsedOrigin.hostname !== "localhost")
+ ) {
 this.logService?.warning(`[Fido2Client] Invalid https origin: ${params.origin}`);
 throw new DOMException("'origin' is not a valid https origin", "SecurityError");
 }
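Review bot: The exemption added in both hunks keys only on `parsedOrigin.hostname !== "localhost"`, so it is not limited to plain HTTP as the commit title and the tests intend: any scheme that `new URL` parses with host `localhost` would also satisfy the relaxed check. Replacing the hostname comparison with `(parsedOrigin.protocol !== "http:" || parsedOrigin.hostname !== "localhost")` keeps the loophole as narrow as the feature needs, and `protocol` is already available from the parsed origin rather than from the raw string `startsWith` used for https. Because the identical predicate is now duplicated in `createCredential` and `assertCredential`, a small private helper such as `isAllowedOrigin(origin, parsedOrigin)` with a one-line comment (`// http is tolerated only for localhost, to support local development`) would keep the two call sites from drifting. Note that the surrounding `rp.id`/`rpId` default to `parsedOrigin.hostname` on the line above, so the relaxation also feeds the RP ID path; whether loopback IPs such as `127.0.0.1` should be treated the same way is a product decision the commit does not state. Both enclosing methods start and end outside their hunks.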