Complete WebAuthn web handlers and download real htmx

- Real htmx.min.js (v2.0.4, 50KB) replaces stub - WebAuthn registration handlers (begin/finish) for adding security keys - WebAuthn login handlers (begin/finish) for passwordless login - Key management page (list/delete registered keys) - Login page updated with "Login with Security Key" button + JS - Session store for WebAuthn ceremonies (mutex-protected map) - WebAuthn config passed from server command through to webserver - Added LookupUserID helper for username-based WebAuthn login Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 21:33:45 -07:00
parent 49de9269d6
commit 710fcfcd34
6 changed files with 413 additions and 17 deletions
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -8,24 +8,33 @@ import (
 	"io/fs"
 	"log/slog"
 	"net/http"
+	"sync"
 	"time"

+	"git.wntrmute.dev/kyle/eng-pad-server/internal/auth"
 	"git.wntrmute.dev/kyle/eng-pad-server/web"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-webauthn/webauthn/webauthn"
 )

 type Config struct {
-	Addr    string
-	DB      *sql.DB
-	BaseURL string
-	TLSCert string
-	TLSKey  string
+	Addr          string
+	DB            *sql.DB
+	BaseURL       string
+	TLSCert       string
+	TLSKey        string
+	RPDisplayName string
+	RPID          string
+	RPOrigins     []string
 }

 type WebServer struct {
-	db      *sql.DB
-	baseURL string
-	tmpl    *template.Template
+	db       *sql.DB
+	baseURL  string
+	tmpl     *template.Template
+	webauthn *webauthn.WebAuthn
+	mu       sync.Mutex
+	sessions map[string]*webauthn.SessionData
 }

 func Start(cfg Config) (*http.Server, error) {
@@ -40,9 +49,19 @@ func Start(cfg Config) (*http.Server, error) {
 	}

 	ws := &WebServer{
-		db:      cfg.DB,
-		baseURL: cfg.BaseURL,
-		tmpl:    tmpl,
+		db:       cfg.DB,
+		baseURL:  cfg.BaseURL,
+		tmpl:     tmpl,
+		sessions: make(map[string]*webauthn.SessionData),
+	}
+
+	if cfg.RPID != "" {
+		wa, err := auth.NewWebAuthn(cfg.RPDisplayName, cfg.RPID, cfg.RPOrigins)
+		if err != nil {
+			return nil, fmt.Errorf("init webauthn: %w", err)
+		}
+		ws.webauthn = wa
+		slog.Info("WebAuthn enabled", "rpid", cfg.RPID)
 	}

 	r := chi.NewRouter()
@@ -55,6 +74,10 @@ func Start(cfg Config) (*http.Server, error) {
 	r.Get("/login", ws.handleLoginPage)
 	r.Post("/login", ws.handleLoginSubmit)

+	// WebAuthn public routes (login ceremony)
+	r.Post("/webauthn/login/begin", ws.handleWebAuthnLoginBegin)
+	r.Post("/webauthn/login/finish", ws.handleWebAuthnLoginFinish)
+
 	// Share routes (no auth)
 	r.Get("/s/{token}", ws.handleShareNotebook)
 	r.Get("/s/{token}/pages/{num}", ws.handleSharePage)
@@ -67,6 +90,12 @@ func Start(cfg Config) (*http.Server, error) {
 		r.Get("/notebooks/{id}", ws.handleNotebook)
 		r.Get("/notebooks/{id}/pages/{num}", ws.handlePage)
 		r.Get("/logout", ws.handleLogout)
+
+		// WebAuthn authenticated routes (registration + key management)
+		r.Post("/webauthn/register/begin", ws.handleWebAuthnRegisterBegin)
+		r.Post("/webauthn/register/finish", ws.handleWebAuthnRegisterFinish)
+		r.Get("/keys", ws.handleKeysList)
+		r.Post("/keys/delete", ws.handleKeyDelete)
 	})

 	srv := &http.Server{