Describe the issue
isValidDomain() in @simplewebauthn/browser rejects valid punycode/IDN domains. WebAuthn registration and authentication fail with: "xn--80akjhbed8ahk.xn--p1ai is an invalid domain".
Root cause: The regex in packages/browser/src/helpers/isValidDomain.ts rejects the ACE (punycode) form twice over. Each label must match [a-z0-9]+(-[a-z0-9]+)*, which requires every hyphen to be followed by an alphanumeric, so the "xn--" prefix of any punycode label (xn--80akjhbed8ahk) fails on the double hyphen. The final label must match [a-z]{2,} (letters only), so a punycode TLD like .xn--p1ai (.рф) fails on both the hyphens and the digit in "p1ai".
// Current: packages/browser/src/helpers/isValidDomain.ts
/^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i
//  [a-z0-9]+(-[a-z0-9]+)*  each label: no "--" allowed, so the ACE prefix "xn--" is rejected
//  [a-z]{2,}               final label: letters only, rejects "xn--p1ai"
Reproduction Steps
Deploy a site on an IDN domain (e.g. https://xn--80akjhbed8ahk.xn--p1ai/ — мастерклик.рф)
Call startRegistration() or startAuthentication() with options from the server (rpID set to that domain)
See error: "xn--80akjhbed8ahk.xn--p1ai is an invalid domain"
Expected behavior
Valid IDN domains (including punycode form) should pass validation, per WebAuthn Level 2 and IDNA.
Code Samples + WebAuthn Options and Responses
Server options include:
{ "rpID": "xn--80akjhbed8ahk.xn--p1ai", "rpName": "Мастер Клик", ... }
isValidDomain(location.hostname) returns false for xn--80akjhbed8ahk.xn--p1ai. Browsers expose location.hostname in its ASCII (ACE) form, so the helper only ever sees the punycode spelling, never мастерклик.рф.
Dependencies
OS: Windows 10/11
Browser: Chrome 120+, Firefox 122+
Authenticator: Windows Hello, YubiKey
SimpleWebAuthn Libraries:
├── @simplewebauthn/browser@13.2.2
├── @simplewebauthn/server@13.2.3
Additional context
Suggested fix: Widening only the TLD part to [a-z0-9]{2,} is not enough: it still rejects xn--p1ai (hyphens) and the regex still rejects the leading xn--80akjhbed8ahk label (consecutive hyphens). Either relax the label pattern to LDH syntax (letters, digits, interior hyphens, no leading or trailing hyphen, at most 63 characters) and apply the same pattern to the final label, or drop the regex and validate through the URL parser's domain-to-ASCII step, which is how the URL spec defines a "valid domain".
Workaround: Use ASCII-only domains for RP ID until fixed.
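As an added example (not code from @simplewebauthn/browser or from this report), the following JavaScript puts the regex quoted above beside the TLD-only relaxation and beside a replacement that delegates IDNA conversion and host validation to the WHATWG URL parser (the global URL in Node and browsers). The names toAsciiDomain and isValidDomainHardened, the pre-parse character filter and the sample hostnames are this example's own; xn--80akjhbed8ahk.xn--p1ai and мастерклик.рф are the hosts from the report. It also shows why a validator for RP IDs should return the ACE form, since that is what location.hostname carries.

```javascript
// Added example, not code from @simplewebauthn/browser. Runs unchanged in
// Node (>= 10, global URL) and in browsers; no imports required.

// The pattern the issue quotes from packages/browser/src/helpers/isValidDomain.ts.
const CURRENT_RE = /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i;

// The TLD-only relaxation ([a-z0-9]{2,}) kept here for comparison.
const TLD_DIGITS_RE = /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z0-9]{2,}$/i;

function isValidDomainCurrent(hostname) {
  return CURRENT_RE.test(hostname);
}

function isValidDomainSuggestedTldFix(hostname) {
  return TLD_DIGITS_RE.test(hostname);
}

// Pre-parse filter (this example's own choice): ASCII letters, digits, '.',
// '-', plus any non-ASCII code point, which is left to IDNA. '/', '@', ':',
// '%', '[' and whitespace would otherwise be read as URL structure.
const INPUT_CHARSET = /^[-A-Za-z0-9.\u{80}-\u{10FFFF}]+$/u;

// One DNS label in LDH form: 1..63 characters, no leading or trailing hyphen.
// Interior hyphens are unrestricted, so the ACE prefix "xn--" is accepted.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the lowercase ASCII (ACE) form of `hostname`, or null when it is not
// a syntactically valid domain. IDNA mapping and forbidden-character checks are
// done by the URL parser's domain-to-ASCII step, the same step a browser applies
// before exposing location.hostname.
function toAsciiDomain(hostname) {
  if (typeof hostname !== 'string' || !INPUT_CHARSET.test(hostname)) return null;
  let url;
  try {
    // Throws TypeError on forbidden host code points and on IDNA errors.
    url = new URL(`https://${hostname}/`);
  } catch (_err) {
    return null;
  }
  const ascii = url.hostname;
  // If the parser moved anything into userinfo, port or path, the input was
  // not a bare host name.
  if (url.href !== `https://${ascii}/`) return null;
  if (ascii.length > 253) return null;
  const labels = ascii.split('.');
  // Require two or more labels (single-label names such as "localhost" are
  // rejected here). A numeric final label means the parser produced an IPv4
  // address, e.g. "0x7f.1" becomes "127.0.0.1"; IPv6 literals never pass the
  // character filter because of '['.
  if (labels.length < 2 || /^\d+$/.test(labels[labels.length - 1])) return null;
  if (!labels.every((label) => LABEL_RE.test(label))) return null;
  return ascii;
}

function isValidDomainHardened(hostname) {
  return toAsciiDomain(hostname) !== null;
}
```

Because toAsciiDomain('мастерклик.рф') and toAsciiDomain('xn--80akjhbed8ahk.xn--p1ai') both yield xn--80akjhbed8ahk.xn--p1ai, a server-supplied rpID in either spelling can be compared against location.hostname after normalising both sides; comparing the raw strings would reject a Unicode rpID against an ACE hostname even when they name the same domain.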