fix: change WebAuthn RP ID from jeffemmett.com to rspace.online

The RP ID jeffemmett.com caused "relying party ID is not a registrable domain suffix" errors on *.rspace.online subdomains. Related Origins also exceeded the 5 eTLD+1 browser limit with 18+ domains listed. Now rspace.online is the RP ID, so all *.rspace.online subdomains (including cca.rspace.online) are valid automatically. The Related Origins file only lists non-rspace.online r* ecosystem domains. Also points rspace-header auth URL to auth.rspace.online. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 14:32:57 -07:00 · 2026-02-18 14:32:57 -07:00 · 9f39e2393b
parent 73aee64401
commit 9f39e2393b
6 changed files with 41 additions and 28 deletions
--- a/docker-compose.encryptid.yml
+++ b/docker-compose.encryptid.yml
@ -29,8 +29,8 @@ services:
      - "traefik.http.routers.encryptid.entrypoints=web"
      - "traefik.http.routers.encryptid.priority=150"
      - "traefik.http.services.encryptid.loadbalancer.server.port=3000"
-      # Also serve from root domain for .well-known (WebAuthn Related Origins)
-      - "traefik.http.routers.encryptid-wellknown.rule=Host(`jeffemmett.com`) && PathPrefix(`/.well-known/webauthn`)"
+      # Also serve from RP ID domain for .well-known (WebAuthn Related Origins)
+      - "traefik.http.routers.encryptid-wellknown.rule=Host(`rspace.online`) && PathPrefix(`/.well-known/webauthn`)"
      - "traefik.http.routers.encryptid-wellknown.entrypoints=web"
      - "traefik.http.routers.encryptid-wellknown.priority=200"
      - "traefik.http.routers.encryptid-wellknown.service=encryptid"
--- a/lib/rspace-header.ts
+++ b/lib/rspace-header.ts
@ -6,7 +6,7 @@
 */

 const SESSION_KEY = 'encryptid_session';
-const ENCRYPTID_URL = 'https://encryptid.jeffemmett.com';
+const ENCRYPTID_URL = 'https://auth.rspace.online';

 interface SessionState {
  accessToken: string;
--- a/public/.well-known/webauthn
+++ b/public/.well-known/webauthn
@ -1,20 +1,9 @@
 {
  "origins": [
-    "https://rspace.online",
-    "https://app.rspace.online",
-    "https://dev.rspace.online",
    "https://rwallet.online",
-    "https://app.rwallet.online",
    "https://rvote.online",
-    "https://app.rvote.online",
    "https://rmaps.online",
-    "https://app.rmaps.online",
    "https://rfiles.online",
-    "https://app.rfiles.online",
-    "https://encryptid.jeffemmett.com",
-    "https://jeffemmett.com",
-    "https://canvas.jeffemmett.com",
-    "http://localhost:3000",
-    "http://localhost:5173"
+    "https://rnotes.online"
  ]
 }
--- a/server/index.ts
+++ b/server/index.ts
@ -194,6 +194,26 @@ const server = Bun.serve<WSData>({
 			return new Response("WebSocket upgrade failed", { status: 400 });
 		}

+		// Serve .well-known/webauthn for WebAuthn Related Origins
+		// RP ID is rspace.online — *.rspace.online subdomains are automatic,
+		// this file lists non-rspace.online origins that should also be allowed.
+		if (url.pathname === "/.well-known/webauthn") {
+			return Response.json({
+				origins: [
+					"https://rwallet.online",
+					"https://rvote.online",
+					"https://rmaps.online",
+					"https://rfiles.online",
+					"https://rnotes.online",
+				],
+			}, {
+				headers: {
+					"Access-Control-Allow-Origin": "*",
+					"Cache-Control": "public, max-age=3600",
+				},
+			});
+		}
+
 		// API routes
 		if (url.pathname.startsWith("/api/")) {
 			return handleAPI(req, url);
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@ -47,7 +47,7 @@ import {

 const CONFIG = {
  port: process.env.PORT || 3000,
-  rpId: 'jeffemmett.com',
+  rpId: 'rspace.online',
  rpName: 'EncryptID',
  jwtSecret: (() => {
    const secret = process.env.JWT_SECRET;
@ -66,10 +66,14 @@ const CONFIG = {
  },
  recoveryUrl: process.env.RECOVERY_URL || 'https://auth.rspace.online/recover',
  allowedOrigins: [
-    'https://auth.rspace.online',
-    'https://encryptid.jeffemmett.com',
-    'https://jeffemmett.com',
+    // rspace.online — RP ID domain and all subdomains
    'https://rspace.online',
+    'https://auth.rspace.online',
+    'https://cca.rspace.online',
+    'https://demo.rspace.online',
+    'https://app.rspace.online',
+    'https://dev.rspace.online',
+    // r* ecosystem apps (each *.online is an eTLD+1 — Related Origins limit is 5)
    'https://rwallet.online',
    'https://rvote.online',
    'https://rmaps.online',
@ -84,11 +88,7 @@ const CONFIG = {
    'https://rstack.online',
    'https://rpubs.online',
    'https://rauctions.online',
-    'https://shop.mycofi.earth',
-    'https://canvas.jeffemmett.com',
-    'https://press.jeffemmett.com',
-    'https://cart.jeffemmett.com',
-    'https://cart.mycofi.earth',
+    // Development
    'http://localhost:3000',
    'http://localhost:5173',
  ],
@ -205,10 +205,14 @@ app.use('*', cors({
 // ============================================================================

 // Serve .well-known/webauthn for Related Origins
+// Only list non-rspace.online origins here — *.rspace.online subdomains are
+// automatically valid because rspace.online is the RP ID.
+// Keep to max 5 eTLD+1 labels to stay within browser limits.
 app.get('/.well-known/webauthn', (c) => {
-  return c.json({
-    origins: CONFIG.allowedOrigins.filter(o => o.startsWith('https://')),
-  });
+  const nonRspaceOrigins = CONFIG.allowedOrigins.filter(
+    o => o.startsWith('https://') && !o.endsWith('.rspace.online') && o !== 'https://rspace.online'
+  );
+  return c.json({ origins: nonRspaceOrigins });
 });

 // Health check — includes database connectivity
--- a/src/encryptid/webauthn.ts
+++ b/src/encryptid/webauthn.ts
@ -37,7 +37,7 @@ export interface EncryptIDConfig {

 // Default configuration for EncryptID
 const DEFAULT_CONFIG: EncryptIDConfig = {
-  rpId: 'jeffemmett.com',  // Root domain for Related Origins to work across subdomains
+  rpId: 'rspace.online',  // Root domain — all *.rspace.online subdomains are valid
  rpName: 'EncryptID',
  origin: typeof window !== 'undefined' ? window.location.origin : '',
  userVerification: 'required',