From 0b58ff364bd1faff30d7c0c50f970d62676d2729 Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Mon, 9 Mar 2026 19:27:31 -0700
Subject: [PATCH] fix(auth): sync .well-known/webauthn origins with EncryptID server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The main server's Related Origins list was stale — it listed 5 generic r*.online domains instead of the priority domains where passkey ceremonies actually happen. This caused p2pf socials (socials.p2pfoundation.net) and other external domains to fail WebAuthn authentication because browsers couldn't verify them as related origins for RP ID rspace.online.

Co-Authored-By: Claude Opus 4.6
---
 server/index.ts | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/server/index.ts b/server/index.ts
index 4c44345..e12673f 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -125,15 +125,19 @@ const app = new Hono();
 app.use("/api/*", cors());
 
 // ── .well-known/webauthn (WebAuthn Related Origins) ──
+// Browsers enforce a 5 eTLD+1 limit. Only list domains where passkey
+// ceremonies happen directly. Must match encryptid/server.ts priority list.
 app.get("/.well-known/webauthn", (c) => {
 return c.json(
 {
 origins: [
- "https://rwallet.online",
- "https://rvote.online",
- "https://rmaps.online",
- "https://rfiles.online",
- "https://rnotes.online",
+ "https://ridentity.online", // OIDC authorize + admin (eTLD+1 #1)
+ "https://auth.ridentity.online",
+ "https://rsocials.online", // Postiz ecosystem (eTLD+1 #2)
+ "https://demo.rsocials.online",
+ "https://socials.crypto-commons.org", // (eTLD+1 #3)
+ "https://socials.p2pfoundation.net", // (eTLD+1 #4)
+ "https://rwallet.online", // (eTLD+1 #5)
 ],
 },
 200,
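Review bot: The new origins array is a trust boundary, not just a compatibility list — every origin it names, including the externally operated socials.p2pfoundation.net and socials.crypto-commons.org, may now run full passkey registration and assertion ceremonies scoped to RP ID rspace.online, so script injection on any of them is equivalent to script injection on this server; the added header comment describes only the browser limit and should state this, e.g. `// SECURITY: each origin below may perform WebAuthn ceremonies for RP ID rspace.online — add only origins whose operators we trust as much as this server.` The list is also maintained by hand in two places (the comment asks editors to keep it in sync with encryptid/server.ts), which is precisely the drift that produced the stale list this commit repairs; exporting it once as a shared constant, `export const WEBAUTHN_RELATED_ORIGINS = [ /* … */ ] as const;`, and importing it in both servers removes that failure mode. A small test asserting that the array has at most 5 distinct eTLD+1 labels would catch the next addition before a browser silently ignores the overflow. The enclosing app.get handler and its c.json call continue outside the hunk.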