Add option to validate keys where browser reports subdomain of domain URL

src/api/core/two_factor/webauthn.rs

@@ -32,12 +32,17 @@ use webauthn_rs_proto::{
 static WEBAUTHN: LazyLock<Webauthn> = LazyLock::new(|| {
     let domain = CONFIG.domain();
     let domain_origin = CONFIG.domain_origin();
-    let rp_id = Url::parse(&domain).map(|u| u.domain().map(str::to_owned)).ok().flatten().unwrap_or_default();
+    let rp_id = Url::parse(&domain)
-    let rp_origin = Url::parse(&domain_origin).unwrap();
+        .map(|u| u.domain().map(str::to_owned))
+        .ok()
+        .flatten()
+        .expect("Invalid domain part for rp_id");
+    let rp_origin = Url::parse(&domain_origin).expect("Invalid domain_origin for rp_origin");
 
     let webauthn = WebauthnBuilder::new(&rp_id, &rp_origin)
         .expect("Creating WebauthnBuilder failed")
         .rp_name(&domain)
+        .allow_subdomains(CONFIG.webauthn_allow_subdomains())
         .timeout(Duration::from_millis(60000));
 
     webauthn.build().expect("Building Webauthn failed")

src/config.rs

@@ -793,6 +793,9 @@ make_config! {
         /// Prefer IPv6 (AAAA) resolving |> This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
         /// This could be useful in IPv6 only environments.
         dns_prefer_ipv6: bool, true, def, false;
+
+        /// Accept passkeys bound to subdomains |> This setting controls if passkeys bound to sub-domains of <Domain URL> are accepted for authentication.
+        webauthn_allow_subdomains: bool, false, def, false;
     },
 
     /// OpenID Connect SSO settings