Fix alternative origins for 2.0 (dfinity#3195)

Llorenç Muntaner · web-flow · commit f6530715925f · 2025-07-17T11:31:39.000Z
* Fix derivation origin

* Default to mainnet URL schema

* Fix and add tests

* Add e2e test for altnernative origins

* Fix tests

* Clean up comments

* Move variable
diff --git a/src/frontend/src/lib/utils/validateDerivationOrigin.test.ts b/src/frontend/src/lib/utils/validateDerivationOrigin.test.ts
@@ -34,6 +34,10 @@ test("should fetch alternative origins file from expected URL", async () => {
       iiUrl: "https://identity.ic0.app",
       fetchUrl: `https://${TEST_CANISTER_ID}.icp0.io/.well-known/ii-alternative-origins`,
     },
+    {
+      iiUrl: "https://id.ai",
+      fetchUrl: `https://${TEST_CANISTER_ID}.icp0.io/.well-known/ii-alternative-origins`,
+    },
     {
       iiUrl: "https://identity.raw.ic0.app",
       fetchUrl: `https://${TEST_CANISTER_ID}.icp0.io/.well-known/ii-alternative-origins`,
@@ -86,16 +90,6 @@ test("should fetch alternative origins file from expected URL", async () => {
       iiUrl: "https://127.0.0.1/?canisterId=222ew-7aaaa-aaaar-akaia-cai",
       fetchUrl: `https://127.0.0.1/.well-known/ii-alternative-origins?canisterId=${TEST_CANISTER_ID}`,
     },
-    {
-      iiUrl:
-        "https://totally-custom.com/?canisterId=222ew-7aaaa-aaaar-akaia-cai",
-      fetchUrl: `https://totally-custom.com/.well-known/ii-alternative-origins?canisterId=${TEST_CANISTER_ID}`,
-    },
-    {
-      iiUrl:
-        "http://totally-custom.com:8080/?canisterId=222ew-7aaaa-aaaar-akaia-cai",
-      fetchUrl: `https://totally-custom.com:8080/.well-known/ii-alternative-origins?canisterId=${TEST_CANISTER_ID}`,
-    },
   ];
 
   for (const { iiUrl, fetchUrl } of testCases) {
@@ -117,27 +111,6 @@ test("should fetch alternative origins file from expected URL", async () => {
   }
 });
 
-test("should fetch alternative origins file using non-raw URL", async () => {
-  const fetchMock = setupMocks({
-    iiUrl: "https://identity.ic0.app",
-    response: Response.json({
-      alternativeOrigins: [`https://${TEST_CANISTER_ID}.raw.ic0.app`],
-    }),
-  });
-
-  const result = await validateDerivationOrigin({
-    requestOrigin: `https://${TEST_CANISTER_ID}.raw.ic0.app`,
-    derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
-    resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
-  });
-
-  expect(result).toEqual({ result: "valid" });
-  expect(fetchMock).toHaveBeenLastCalledWith(
-    `https://${TEST_CANISTER_ID}.icp0.io/.well-known/ii-alternative-origins`,
-    FETCH_OPTS,
-  );
-});
-
 test("should not validate if canister id resolution fails", async () => {
   const result = await validateDerivationOrigin({
     requestOrigin: "https://example.com",
@@ -147,69 +120,98 @@ test("should not validate if canister id resolution fails", async () => {
   expect(result.result).toBe("invalid");
 });
 
-test("should not validate if origin not allowed", async () => {
-  setupMocks({
-    iiUrl: "https://identity.ic0.app",
-    response: Response.json({
-      alternativeOrigins: ["https://not-example.com"],
-    }),
-  });
+const validIIUrls = [
+  "https://identity.ic0.app",
+  "https://identity.internetcomputer.org",
+  "https://id.ai",
+];
 
-  const result = await validateDerivationOrigin({
-    requestOrigin: "https://example.com",
-    derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
-    resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
-  });
+for (const iiUrl of validIIUrls) {
+  test("should fetch alternative origins file using non-raw URL", async () => {
+    const fetchMock = setupMocks({
+      iiUrl,
+      response: Response.json({
+        alternativeOrigins: [`https://${TEST_CANISTER_ID}.raw.ic0.app`],
+      }),
+    });
 
-  expect(result.result).toBe("invalid");
-});
+    const result = await validateDerivationOrigin({
+      requestOrigin: `https://${TEST_CANISTER_ID}.raw.ic0.app`,
+      derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
+      resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+    });
 
-test("should not validate if alternative origins file malformed", async () => {
-  setupMocks({
-    iiUrl: "https://identity.ic0.app",
-    response: Response.json({
-      notAlternativeOrigins: ["https://example.com"],
-    }),
+    expect(result).toEqual({ result: "valid" });
+    expect(fetchMock).toHaveBeenLastCalledWith(
+      `https://${TEST_CANISTER_ID}.icp0.io/.well-known/ii-alternative-origins`,
+      FETCH_OPTS,
+    );
   });
 
-  const result = await validateDerivationOrigin({
-    requestOrigin: "https://example.com",
-    derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
-    resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
-  });
+  test("should not validate if origin not allowed", async () => {
+    setupMocks({
+      iiUrl,
+      response: Response.json({
+        alternativeOrigins: ["https://not-example.com"],
+      }),
+    });
 
-  expect(result.result).toBe("invalid");
-});
+    const result = await validateDerivationOrigin({
+      requestOrigin: "https://example.com",
+      derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
+      resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+    });
 
-test("should not validate on alternative origins redirect", async () => {
-  setupMocks({
-    iiUrl: "https://identity.ic0.app",
-    response: Response.redirect("https://some-evil-url.com"),
+    expect(result.result).toBe("invalid");
   });
 
-  const result = await validateDerivationOrigin({
-    requestOrigin: "https://example.com",
-    derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
-    resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
-  });
+  test("should not validate if alternative origins file malformed", async () => {
+    setupMocks({
+      iiUrl,
+      response: Response.json({
+        notAlternativeOrigins: ["https://example.com"],
+      }),
+    });
 
-  expect(result.result).toBe("invalid");
-});
+    const result = await validateDerivationOrigin({
+      requestOrigin: "https://example.com",
+      derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
+      resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+    });
 
-test("should not validate on alternative origins error", async () => {
-  setupMocks({
-    iiUrl: "https://identity.ic0.app",
-    response: new Response(undefined, { status: 404 }),
+    expect(result.result).toBe("invalid");
   });
 
-  const result = await validateDerivationOrigin({
-    requestOrigin: "https://example.com",
-    derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
-    resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+  test("should not validate on alternative origins redirect", async () => {
+    setupMocks({
+      iiUrl,
+      response: Response.redirect("https://some-evil-url.com"),
+    });
+
+    const result = await validateDerivationOrigin({
+      requestOrigin: "https://example.com",
+      derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
+      resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+    });
+
+    expect(result.result).toBe("invalid");
   });
 
-  expect(result.result).toBe("invalid");
-});
+  test("should not validate on alternative origins error", async () => {
+    setupMocks({
+      iiUrl,
+      response: new Response(undefined, { status: 404 }),
+    });
+
+    const result = await validateDerivationOrigin({
+      requestOrigin: "https://example.com",
+      derivationOrigin: "https://some-url.com", // different from requestOrigin so that we need to fetch the alternative origins
+      resolveCanisterId: () => Promise.resolve({ ok: TEST_CANISTER_ID }),
+    });
+
+    expect(result.result).toBe("invalid");
+  });
+}
 
 const setupMocks = ({
   iiUrl,
diff --git a/src/frontend/src/lib/utils/validateDerivationOrigin.ts b/src/frontend/src/lib/utils/validateDerivationOrigin.ts
@@ -137,16 +137,6 @@ const inferAlternativeOriginsUrl = ({
     return `https://${canisterId.toText()}.${IC_HTTP_GATEWAY_DOMAIN}${ALTERNATIVE_ORIGINS_PATH}`;
   }
 
-  if (
-    location.hostname.endsWith("icp0.io") ||
-    location.hostname.endsWith("ic0.app") ||
-    location.hostname.endsWith("internetcomputer.org")
-  ) {
-    // If this is a canister running on one of the official IC domains, then return the
-    // official canister id based API endpoint
-    return `https://${canisterId}.${IC_HTTP_GATEWAY_DOMAIN}${ALTERNATIVE_ORIGINS_PATH}`;
-  }
-
   // Local deployment -> add query parameter
   // For this asset the query parameter should work regardless of whether we use a canister id based subdomain or not
   if (location.hostname.endsWith("localhost")) {
@@ -162,9 +152,6 @@ const inferAlternativeOriginsUrl = ({
     return `${location.protocol}//${location.host}${ALTERNATIVE_ORIGINS_PATH}?canisterId=${canisterId}`;
   }
 
-  // Otherwise assume it's a custom setup expecting the gateway to
-  // - be on the same domain
-  // - use HTTPS
-  // - support query parameter based routing
-  return `https://${location.host}${ALTERNATIVE_ORIGINS_PATH}?canisterId=${canisterId}`;
+  // Otherwise, assume it's a mainnet environment.
+  return `https://${canisterId.toText()}.${IC_HTTP_GATEWAY_DOMAIN}${ALTERNATIVE_ORIGINS_PATH}`;
 };
diff --git a/src/frontend/tests/e2e-playwright/authorize/alternativeOrigins.spec.ts b/src/frontend/tests/e2e-playwright/authorize/alternativeOrigins.spec.ts
@@ -0,0 +1,119 @@
+import { test, expect } from "@playwright/test";
+import {
+  dummyAuth,
+  II_URL,
+  NOT_TEST_APP_URL,
+  TEST_APP_CANONICAL_URL,
+  TEST_APP_URL,
+} from "../utils";
+
+test("Should not issue delegation when alternative origins are empty", async ({
+  page,
+}) => {
+  await page.goto(TEST_APP_URL);
+
+  // Configure the test app
+  await page.getByRole("textbox", { name: "Identity Provider" }).fill(II_URL);
+  await page.locator("#hostUrl").fill("https://icp-api.io");
+  await page
+    .locator("#newAlternativeOrigins")
+    .fill('{"alternativeOrigins":[]}');
+  await page.locator("#certified").click();
+  await page.locator("#updateNewAlternativeOrigins").click();
+
+  // Wait for alternative origins to update
+  await expect(page.locator("#alternativeOrigins")).toHaveText(
+    '{"alternativeOrigins":[]}',
+    { timeout: 6000 },
+  );
+
+  // Set derivation origin
+  await page.locator("#derivationOrigin").fill(TEST_APP_CANONICAL_URL);
+
+  // Attempt to sign in
+  const pagePromise = page.context().waitForEvent("page");
+  await page.getByRole("button", { name: "Sign In" }).click();
+  const authPage = await pagePromise;
+
+  // Verify error message is displayed in II
+  await expect(authPage.getByText("Unverified origin")).toBeVisible();
+});
+
+test("Should not issue delegation when origin is missing from /.well-known/ii-alternative-origins", async ({
+  page,
+}) => {
+  await page.goto(TEST_APP_URL);
+
+  // Configure the test app
+  await page.getByRole("textbox", { name: "Identity Provider" }).fill(II_URL);
+  await page.locator("#hostUrl").fill("https://icp-api.io");
+  const alternativeOrigins = JSON.stringify({
+    alternativeOrigins: [NOT_TEST_APP_URL],
+  });
+  await page.locator("#newAlternativeOrigins").fill(alternativeOrigins);
+  await page.locator("#certified").click();
+  await page.locator("#updateNewAlternativeOrigins").click();
+
+  // Wait for alternative origins to update
+  await expect(page.locator("#alternativeOrigins")).toHaveText(
+    alternativeOrigins,
+    { timeout: 6000 },
+  );
+
+  // Set derivation origin
+  await page.locator("#derivationOrigin").fill(TEST_APP_CANONICAL_URL);
+
+  // Attempt to sign in
+  const pagePromise = page.context().waitForEvent("page");
+  await page.getByRole("button", { name: "Sign In" }).click();
+  const authPage = await pagePromise;
+
+  // Verify error message is displayed in II
+  await expect(authPage.getByText("Unverified origin")).toBeVisible();
+});
+
+// Add a positive test case where alternative origins are properly configured
+test("Should issue delegation when derivationOrigin is properly configured in /.well-known/ii-alternative-origins", async ({
+  page,
+}) => {
+  await page.goto(TEST_APP_URL);
+
+  // Configure the test app
+  await page.getByRole("textbox", { name: "Identity Provider" }).fill(II_URL);
+  const alternativeOrigins = JSON.stringify({
+    alternativeOrigins: [TEST_APP_URL],
+  });
+  await page.locator("#hostUrl").fill("https://icp-api.io");
+  await page.locator("#newAlternativeOrigins").fill(alternativeOrigins);
+  await page.locator("#certified").click();
+  await page.locator("#updateNewAlternativeOrigins").click();
+
+  // Wait for alternative origins to update
+  await expect(page.locator("#alternativeOrigins")).toHaveText(
+    alternativeOrigins,
+    { timeout: 6000 },
+  );
+
+  // Set derivation origin
+  await page.locator("#derivationOrigin").fill(TEST_APP_CANONICAL_URL);
+
+  // Attempt to sign in
+  const pagePromise = page.context().waitForEvent("page");
+  await page.getByRole("button", { name: "Sign In" }).click();
+  const authPage = await pagePromise;
+
+  // Create a new identity in II
+  await authPage.getByRole("button", { name: "Continue with Passkey" }).click();
+  await authPage.getByRole("button", { name: "Set up a new Passkey" }).click();
+  await authPage.getByLabel("Identity name").fill("John Doe");
+  const auth = dummyAuth();
+  auth(authPage);
+  await authPage.getByRole("button", { name: "Create Passkey" }).click();
+
+  // Wait for II window to close
+  await authPage.waitForEvent("close");
+
+  // Verify successful authentication by checking for a principal
+  const principal = await page.locator("#principal").textContent();
+  expect(principal).toBeTruthy();
+});
diff --git a/src/frontend/tests/e2e-playwright/utils.ts b/src/frontend/tests/e2e-playwright/utils.ts
@@ -1,8 +1,12 @@
 import { Page, expect } from "@playwright/test";
 import { Principal } from "@dfinity/principal";
+import { readCanisterId } from "@dfinity/internet-identity-vite-plugins/utils";
 
+const testAppCanisterId = readCanisterId({ canisterName: "test_app" });
 export const II_URL = "https://id.ai";
 export const TEST_APP_URL = "https://nice-name.com";
+export const NOT_TEST_APP_URL = "https://very-nice-name.com";
+export const TEST_APP_CANONICAL_URL = `https://${testAppCanisterId}.icp0.io`;
 
 export type DummyAuthFn = (page: Page) => void;
 
