Add FIDO2/WebAuthn passkey authentication
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -8,18 +8,29 @@ import (
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/pelletier/go-toml/v2"
|
||||
)
|
||||
|
||||
// Config is the top-level configuration structure parsed from the TOML file.
|
||||
type Config struct {
|
||||
type Config struct { //nolint:govet // fieldalignment: TOML section order is more readable
|
||||
Server ServerConfig `toml:"server"`
|
||||
MasterKey MasterKeyConfig `toml:"master_key"`
|
||||
Database DatabaseConfig `toml:"database"`
|
||||
Tokens TokensConfig `toml:"tokens"`
|
||||
Argon2 Argon2Config `toml:"argon2"`
|
||||
WebAuthn WebAuthnConfig `toml:"webauthn"`
|
||||
}
|
||||
|
||||
// WebAuthnConfig holds FIDO2/WebAuthn settings. Omitting the entire [webauthn]
|
||||
// section disables WebAuthn support. If any field is set, RPID and RPOrigin are
|
||||
// required and RPOrigin must use the HTTPS scheme.
|
||||
type WebAuthnConfig struct {
|
||||
RPID string `toml:"rp_id"`
|
||||
RPOrigin string `toml:"rp_origin"`
|
||||
DisplayName string `toml:"display_name"`
|
||||
}
|
||||
|
||||
// ServerConfig holds HTTP listener and TLS settings.
|
||||
@@ -222,6 +233,19 @@ func (c *Config) validate() error {
|
||||
errs = append(errs, errors.New("master_key: only one of passphrase_env or keyfile may be set"))
|
||||
}
|
||||
|
||||
// WebAuthn — if any field is set, RPID and RPOrigin are required.
|
||||
hasWebAuthn := c.WebAuthn.RPID != "" || c.WebAuthn.RPOrigin != "" || c.WebAuthn.DisplayName != ""
|
||||
if hasWebAuthn {
|
||||
if c.WebAuthn.RPID == "" {
|
||||
errs = append(errs, errors.New("webauthn.rp_id is required when webauthn is configured"))
|
||||
}
|
||||
if c.WebAuthn.RPOrigin == "" {
|
||||
errs = append(errs, errors.New("webauthn.rp_origin is required when webauthn is configured"))
|
||||
} else if !strings.HasPrefix(c.WebAuthn.RPOrigin, "https://") {
|
||||
errs = append(errs, fmt.Errorf("webauthn.rp_origin must use the https:// scheme (got %q)", c.WebAuthn.RPOrigin))
|
||||
}
|
||||
}
|
||||
|
||||
return errors.Join(errs...)
|
||||
}
|
||||
|
||||
@@ -233,3 +257,8 @@ func (c *Config) AdminExpiry() time.Duration { return c.Tokens.AdminExpiry.Durat
|
||||
|
||||
// ServiceExpiry returns the configured service token expiry duration.
|
||||
func (c *Config) ServiceExpiry() time.Duration { return c.Tokens.ServiceExpiry.Duration }
|
||||
|
||||
// WebAuthnEnabled reports whether WebAuthn/passkey support is configured.
|
||||
func (c *Config) WebAuthnEnabled() bool {
|
||||
return c.WebAuthn.RPID != "" && c.WebAuthn.RPOrigin != ""
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user