Move passkey configuration from hard-coded values to environment variables (#3818)

* refactor: add multi-platform origin validation for WebAuthn (Web/iOS/Android)

Refactor WebAuthn origin verification to support multiple platforms using
an origin pool (allowlist) approach instead of single origin validation.

* add one more log

* add some log

* move key valuse into env variable.

* update manifest file

* fix rename issue

Author: BillyWooo

tee-worker/omni-executor/core/src/config.rs

@@ -90,10 +90,17 @@ pub struct OAuth2Config {
 	pub client_secret: String,
 }
 
+#[derive(Debug, Clone)]
+pub struct PasskeyConfig {
+	pub rp_id: String,
+	pub allowed_origins: Vec<String>,
+}
+
 #[derive(Debug, Clone)]
 pub struct ConfigLoader {
 	pub mailer_configs: HashMap<String, MailerConfig>,
 	pub oauth2_configs: HashMap<String, HashMap<String, OAuth2Config>>, // client -> provider -> config
+	pub passkey_configs: HashMap<String, PasskeyConfig>,                // client -> passkey config
 	pub ethereum_url: String,
 	pub solana_url: String,
 	pub bsc_url: String,
@@ -336,10 +343,12 @@ impl ConfigLoader {
 
 		let mailer_configs = Self::load_mailer_configs();
 		let oauth2_configs = Self::load_oauth2_configs();
+		let passkey_configs = Self::load_passkey_configs();
 
 		ConfigLoader {
 			mailer_configs,
 			oauth2_configs,
+			passkey_configs,
 			ethereum_url: append_key(&get("ethereum_url")),
 			solana_url: append_key(&get("solana_url")),
 			bsc_url: append_key(&get("bsc_url")),
@@ -530,4 +539,91 @@ impl ConfigLoader {
 		let provider_key = provider.to_lowercase();
 		self.oauth2_configs.get(&client_key)?.get(&provider_key).cloned()
 	}
+
+	/// Load passkey configurations for all clients from environment variables
+	/// Format: OE_PASSKEY_RP_ID_{CLIENT}, OE_PASSKEY_ALLOWED_ORIGINS_{CLIENT}
+	/// ALLOWED_ORIGINS should be comma-separated list
+	fn load_passkey_configs() -> HashMap<String, PasskeyConfig> {
+		let mut configs = HashMap::new();
+
+		let env_vars: HashMap<String, String> = std::env::vars().collect();
+		let mut clients = std::collections::HashSet::new();
+
+		// Find all unique client suffixes
+		for key in env_vars.keys() {
+			if key.starts_with("OE_PASSKEY_RP_ID_") {
+				if let Some(client) = key.strip_prefix("OE_PASSKEY_RP_ID_") {
+					info!("Found passkey configuration for client: {}", client);
+					clients.insert(client.to_lowercase());
+				}
+			}
+		}
+
+		info!("Total discovered passkey clients: {:?}", clients);
+
+		// If no clients configured, provide default localhost config
+		if clients.is_empty() {
+			warn!("No passkey configurations found in environment variables. Adding default localhost config.");
+			let default_config = PasskeyConfig {
+				rp_id: "localhost".to_string(),
+				allowed_origins: vec![
+					"http://localhost:3000".to_string(),
+					"https://localhost:3000".to_string(),
+				],
+			};
+			configs.insert("default".to_string(), default_config);
+			return configs;
+		}
+
+		// Load configuration for each client
+		for client in clients {
+			let client_upper = client.to_uppercase();
+
+			let rp_id = std::env::var(format!("OE_PASSKEY_RP_ID_{}", client_upper))
+				.unwrap_or_else(|_| "localhost".to_string());
+
+			let allowed_origins_str =
+				std::env::var(format!("OE_PASSKEY_ALLOWED_ORIGINS_{}", client_upper))
+					.unwrap_or_else(|_| "http://localhost:3000,https://localhost:3000".to_string());
+
+			let allowed_origins: Vec<String> = allowed_origins_str
+				.split(',')
+				.map(|s| s.trim().to_string())
+				.filter(|s| !s.is_empty())
+				.collect();
+
+			if allowed_origins.is_empty() {
+				warn!("No allowed origins configured for client '{}', skipping.", client);
+				continue;
+			}
+
+			let config = PasskeyConfig { rp_id, allowed_origins };
+
+			info!(
+				"Loaded passkey config for client '{}': rp_id={}, origins={:?}",
+				client, config.rp_id, config.allowed_origins
+			);
+
+			configs.insert(client.clone(), config);
+		}
+
+		configs
+	}
+
+	/// Get passkey configuration for a specific client
+	/// Falls back to "default" if client not found
+	pub fn get_passkey_config(&self, client_id: &str) -> PasskeyConfig {
+		let client_key = client_id.to_lowercase();
+		self.passkey_configs
+			.get(&client_key)
+			.cloned()
+			.or_else(|| self.passkey_configs.get("default").cloned())
+			.unwrap_or_else(|| PasskeyConfig {
+				rp_id: "localhost".to_string(),
+				allowed_origins: vec![
+					"http://localhost:3000".to_string(),
+					"https://localhost:3000".to_string(),
+				],
+			})
+	}
 }

tee-worker/omni-executor/crypto/src/passkey.rs

@@ -78,7 +78,7 @@ impl PasskeyVerifier {
 	pub fn verify_client_data_json<F>(
 		client_data_json: &str,
 		omni_account: &[u8; 32],
-		expected_origin: &str,
+		allowed_origins: &[&str],
 		expected_type: &str,
 		verify_and_consume_challenge: F,
 	) -> Result<(), PasskeyError>
@@ -88,8 +88,8 @@ impl PasskeyVerifier {
 		// Parse client data JSON
 		let client_data = Self::parse_client_data_json(client_data_json)?;
 
-		// Verify origin
-		if client_data.origin != expected_origin {
+		// Verify origin against the allowed origins pool
+		if !allowed_origins.iter().any(|&origin| origin == client_data.origin) {
 			return Err(PasskeyError::OriginVerificationFailed);
 		}
 

tee-worker/omni-executor/omni-executor.manifest.template

@@ -74,6 +74,8 @@ loader.env.OE_GOOGLE_CLIENT_ID_WILDMETA = { passthrough = true }
 loader.env.OE_GOOGLE_CLIENT_SECRET_WILDMETA = { passthrough = true }
 loader.env.OE_APPLE_CLIENT_ID_WILDMETA = { passthrough = true }
 loader.env.OE_APPLE_CLIENT_SECRET_WILDMETA = { passthrough = true }
+loader.env.OE_PASSKEY_RP_ID_WILDMETA = { passthrough = true }
+loader.env.OE_PASSKEY_ALLOWED_ORIGINS_WILDMETA = { passthrough = true }
 loader.env.OE_ETHEREUM_URL = { passthrough = true }
 loader.env.OE_SOLANA_URL = { passthrough = true }
 loader.env.OE_BSC_URL = { passthrough = true }

tee-worker/omni-executor/rpc-server/src/methods/omni/attach_passkey.rs

@@ -54,14 +54,17 @@ pub fn register_attach_passkey<CrossChainIntentExecutor: IntentExecutor + Send +
 				.user_id
 				.to_omni_account(&params.client_id)
 				.map_err_parse("Failed to convert to omni_account")?;
-			let expected_origin = super::get_origin_for_client(&params.client_id);
+			let allowed_origins =
+				ctx.config_loader.get_passkey_config(&params.client_id).allowed_origins;
+			let allowed_origins_refs: Vec<&str> =
+				allowed_origins.iter().map(|s| s.as_str()).collect();
 
 			// Verify client data JSON and consume challenge
 			let challenge_storage = PasskeyChallengeStorage::new(ctx.storage_db.clone());
 			PasskeyVerifier::verify_client_data_json(
 				&params.client_data_json,
 				omni_account.as_ref(),
-				expected_origin,
+				&allowed_origins_refs,
 				"webauthn.create", // For passkey registration/attachment
 				|challenge, omni_account| {
 					challenge_storage

tee-worker/omni-executor/rpc-server/src/methods/omni/get_hyperliquid_signature_data.rs

@@ -168,15 +168,18 @@ pub fn register_get_hyperliquid_signature_data<
 					e.to_detailed_error().to_rpc_error()
 				})?;
 
-				// Determine expected origin based on client_id
-				let expected_origin = super::get_origin_for_client(&params.client_id);
+				// Get allowed origins for the client (supports web, iOS, and Android)
+				let allowed_origins =
+					ctx.config_loader.get_passkey_config(&params.client_id).allowed_origins;
+				let allowed_origins_refs: Vec<&str> =
+					allowed_origins.iter().map(|s| s.as_str()).collect();
 
 				// Verify client data JSON and consume challenge
 				let challenge_storage = PasskeyChallengeStorage::new(ctx.storage_db.clone());
 				PasskeyVerifier::verify_client_data_json(
 					&attach_passkey_data.client_data_json,
 					omni_account.as_ref(),
-					expected_origin,
+					&allowed_origins_refs,
 					"webauthn.create", // For passkey registration/attachment
 					|challenge, omni_account| {
 						challenge_storage
@@ -400,6 +403,8 @@ pub fn register_get_hyperliquid_signature_data<
 				},
 			};
 
+			debug!("main_address: {:?}", main_address);
+
 			Ok(GetHyperliquidSignatureDataResponse {
 				main_address,
 				hyperliquid_signature_data: HyperliquidSignatureData { action, nonce, signature },

tee-worker/omni-executor/rpc-server/src/methods/omni/list_passkey.rs

@@ -7,6 +7,7 @@ use jsonrpsee::{types::ErrorObject, RpcModule};
 use oe_core::intent::executor::IntentExecutor;
 use oe_primitives::UserId;
 use oe_storage::PasskeyStorage;
+use tracing::debug;
 
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct ListPasskeyParams {
@@ -34,6 +35,8 @@ pub fn register_list_passkey<CrossChainIntentExecutor: IntentExecutor + Send + S
 		.register_async_method("omni_listPasskey", |params, ctx, _| async move {
 			let params = parse_rpc_params::<ListPasskeyParams>(params)?;
 
+			debug!("Received omni_listPasskey, params: {:?}", params);
+
 			let omni_account = params
 				.user_id
 				.to_omni_account(&params.client_id)

tee-worker/omni-executor/rpc-server/src/methods/omni/mod.rs

@@ -182,18 +182,3 @@ pub fn check_backend_response<T: Codec>(response: &ApiResponse<T>, op: &str) ->
 	}
 	Ok(())
 }
-
-// Passkey helper functions
-pub fn get_rp_id_for_client(client_id: &str) -> &str {
-	match client_id {
-		"wildmeta" => "app.wildmeta.ai",
-		_ => "localhost", // Development/testing
-	}
-}
-
-pub fn get_origin_for_client(client_id: &str) -> &str {
-	match client_id {
-		"wildmeta" => "https://app.wildmeta.ai",
-		_ => "http://localhost:3000", // Development/testing
-	}
-}

tee-worker/omni-executor/rpc-server/src/server.rs

@@ -24,6 +24,7 @@ use tracing::info;
 pub struct RpcContext<CrossChainIntentExecutor: IntentExecutor + Send + Sync + 'static> {
 	pub shielding_key: ShieldingKey,
 	pub storage_db: Arc<StorageDB>,
+	pub config_loader: Arc<ConfigLoader>,
 	pub mailer_factory: Arc<MailerFactory>,
 	pub oauth2_factory: Arc<OAuth2ConfigFactory>,
 	pub jwt_rsa_private_key: Vec<u8>,
@@ -51,6 +52,7 @@ impl<CrossChainIntentExecutor: IntentExecutor + Send + Sync + 'static>
 	pub fn new(
 		shielding_key: ShieldingKey,
 		storage_db: Arc<StorageDB>,
+		config_loader: Arc<ConfigLoader>,
 		mailer_factory: Arc<MailerFactory>,
 		oauth2_factory: Arc<OAuth2ConfigFactory>,
 		jwt_rsa_private_key: Vec<u8>,
@@ -69,6 +71,7 @@ impl<CrossChainIntentExecutor: IntentExecutor + Send + Sync + 'static>
 	) -> Self {
 		Self {
 			shielding_key,
+			config_loader,
 			storage_db,
 			mailer_factory,
 			oauth2_factory,
@@ -111,11 +114,12 @@ pub async fn start_server<CrossChainIntentExecutor: IntentExecutor + Send + Sync
 ) -> Result<(), Box<dyn std::error::Error>> {
 	let config_loader_arc = Arc::new(config_loader.clone());
 	let mailer_factory = Arc::new(MailerFactory::new(config_loader_arc.clone()));
-	let oauth2_factory = Arc::new(OAuth2ConfigFactory::new(config_loader_arc));
+	let oauth2_factory = Arc::new(OAuth2ConfigFactory::new(config_loader_arc.clone()));
 
 	let ctx = RpcContext::new(
 		shielding_key,
 		storage_db,
+		config_loader_arc,
 		mailer_factory,
 		oauth2_factory,
 		jwt_rsa_private_key.clone(),

tee-worker/omni-executor/rpc-server/src/verify_auth.rs

@@ -311,7 +311,6 @@ pub fn verify_passkey_authentication<
 	ctx: Arc<RpcContext<CrossChainIntentExecutor>>,
 	passkey_data: &PasskeyData,
 ) -> Result<(), AuthenticationError> {
-	use crate::methods::omni::{get_origin_for_client, get_rp_id_for_client};
 	use oe_crypto::passkey::{ClientData, PasskeyVerifier};
 	use oe_storage::PasskeyStorage;
 
@@ -324,13 +323,12 @@ pub fn verify_passkey_authentication<
 			AuthenticationError::PasskeyError(format!("Failed to parse client data: {}", e))
 		})?;
 
-	let expected_origin = get_origin_for_client(&passkey_data.client_id);
-	if client_data.origin != expected_origin {
-		return Err(AuthenticationError::PasskeyError(format!(
-			"Client data origin mismatch: expected '{}', got '{}'",
-			expected_origin,
-			client_data.origin.as_str()
-		)));
+	let allowed_origins =
+		ctx.config_loader.get_passkey_config(&passkey_data.client_id).allowed_origins;
+	if !allowed_origins.iter().any(|origin| origin == &client_data.origin) {
+		return Err(AuthenticationError::PasskeyError(
+			oe_crypto::passkey::PasskeyError::OriginVerificationFailed.to_string(),
+		));
 	}
 
 	const EXPECTED_PASSKEY_TYPE: &str = "webauthn.get";
@@ -391,9 +389,8 @@ pub fn verify_passkey_authentication<
 	// CRITICAL SECURITY CHECK: Verify RP ID hash
 	// The first 32 bytes of auth data must be SHA-256(RP ID) to prevent phishing attacks
 	// This ensures the authenticator signed for the correct domain
-	let expected_rp_id = get_rp_id_for_client(&passkey_data.client_id);
-
-	PasskeyVerifier::verify_rp_id_hash(&auth_data_bytes, expected_rp_id).map_err(|e| {
+	let expected_rp_id = ctx.config_loader.get_passkey_config(&passkey_data.client_id).rp_id;
+	PasskeyVerifier::verify_rp_id_hash(&auth_data_bytes, &expected_rp_id).map_err(|e| {
 		AuthenticationError::PasskeyError(format!(
 			"RP ID validation failed: {}. Expected RP ID: '{}' for client_id: '{}'",
 			e, expected_rp_id, passkey_data.client_id