From e0edfb851837cc9adcb8545355a7071b560843c7 Mon Sep 17 00:00:00 2001
From: "backport-actions-token[bot]" <87506591+backport-actions-token[bot]@users.noreply.github.com>
Date: Tue, 18 Jan 2022 09:49:10 -0700
Subject: [PATCH] webauthn: use absolute URL for delete redirect (#2935) (#2937)

* authenticate: add callback endpoint
* webauthn: use absolute URL for delete redirect
Co-authored-by: Caleb Doxsey
---
 authenticate/handlers/webauthn/webauthn.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/authenticate/handlers/webauthn/webauthn.go b/authenticate/handlers/webauthn/webauthn.go
index bf95f9ad2..d69749915 100644
--- a/authenticate/handlers/webauthn/webauthn.go
+++ b/authenticate/handlers/webauthn/webauthn.go
@@ -12,6 +12,7 @@ import (
 "io"
 "net"
 "net/http"
+ "net/url"
 "github.com/google/uuid"
 "github.com/pomerium/csrf"
@@ -345,7 +346,9 @@ func (h *Handler) handleUnregister(w http.ResponseWriter, r *http.Request, state
 // remove the credential from the session
 state.Session.DeviceCredentials = removeSessionDeviceCredential(state.Session.DeviceCredentials, deviceCredentialID)
- return h.saveSessionAndRedirect(w, r, state, "/.pomerium")
+ return h.saveSessionAndRedirect(w, r, state, urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{
+ Path: "/.pomerium",
+ }).String())
 }
 func (h *Handler) handleView(w http.ResponseWriter, r *http.Request, state *State) error {
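Review bot: The new redirect target at the end of handleUnregister takes its scheme and host from `urlutil.GetAbsoluteURL(r)`, which presumably derives them from the incoming request; the helper's body is not in this diff, and the start of handleUnregister is outside the hunk. If the helper reads `r.Host` or forwarded headers, the Location header will carry whatever host the client or an upstream proxy supplied, where the old constant `"/.pomerium"` could only stay on the same origin. Confirm that the request host is validated before this handler runs, or build the base from the configured authenticate URL instead. Either way, record the assumption above the return, e.g. `// absolute URL needed for the delete redirect; host comes from the request and must already be validated`. A handler test asserting the exact redirect target for a request with an unexpected Host value would pin the behaviour.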