Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/db/migrate.go

@@ -22,7 +22,7 @@ var migrationsFS embed.FS
 // LatestSchemaVersion is the highest migration version defined in the
 // migrations/ directory.  Update this constant whenever a new migration file
 // is added.
-const LatestSchemaVersion = 7
+const LatestSchemaVersion = 9
 
 // newMigrate constructs a migrate.Migrate instance backed by the embedded SQL
 // files.  It opens a dedicated *sql.DB using the same DSN as the main

internal/db/migrations/000009_webauthn_credentials.down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS webauthn_credentials;

internal/db/migrations/000009_webauthn_credentials.up.sql

@@ -0,0 +1,18 @@
+CREATE TABLE webauthn_credentials (
+    id               INTEGER PRIMARY KEY AUTOINCREMENT,
+    account_id       INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
+    name             TEXT    NOT NULL DEFAULT '',
+    credential_id_enc   BLOB NOT NULL,
+    credential_id_nonce BLOB NOT NULL,
+    public_key_enc      BLOB NOT NULL,
+    public_key_nonce    BLOB NOT NULL,
+    aaguid           TEXT    NOT NULL DEFAULT '',
+    sign_count       INTEGER NOT NULL DEFAULT 0,
+    discoverable     INTEGER NOT NULL DEFAULT 0,
+    transports       TEXT    NOT NULL DEFAULT '',
+    created_at       TEXT    NOT NULL,
+    updated_at       TEXT    NOT NULL,
+    last_used_at     TEXT
+);
+
+CREATE INDEX idx_webauthn_credentials_account_id ON webauthn_credentials(account_id);

internal/db/webauthn.go

@@ -0,0 +1,208 @@
+package db
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+)
+
+// CreateWebAuthnCredential inserts a new WebAuthn credential record.
+// All encrypted fields (credential_id, public_key) must be encrypted by the caller.
+func (db *DB) CreateWebAuthnCredential(cred *model.WebAuthnCredential) (int64, error) {
+	n := now()
+	result, err := db.sql.Exec(`
+		INSERT INTO webauthn_credentials
+		(account_id, name, credential_id_enc, credential_id_nonce,
+		 public_key_enc, public_key_nonce, aaguid, sign_count,
+		 discoverable, transports, created_at, updated_at)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		cred.AccountID, cred.Name, cred.CredentialIDEnc, cred.CredentialIDNonce,
+		cred.PublicKeyEnc, cred.PublicKeyNonce, cred.AAGUID, cred.SignCount,
+		boolToInt(cred.Discoverable), cred.Transports, n, n)
+	if err != nil {
+		return 0, fmt.Errorf("db: create webauthn credential: %w", err)
+	}
+	id, err := result.LastInsertId()
+	if err != nil {
+		return 0, fmt.Errorf("db: webauthn credential last insert id: %w", err)
+	}
+	return id, nil
+}
+
+// GetWebAuthnCredentials returns all WebAuthn credentials for an account.
+func (db *DB) GetWebAuthnCredentials(accountID int64) ([]*model.WebAuthnCredential, error) {
+	rows, err := db.sql.Query(`
+		SELECT id, account_id, name, credential_id_enc, credential_id_nonce,
+		       public_key_enc, public_key_nonce, aaguid, sign_count,
+		       discoverable, transports, created_at, updated_at, last_used_at
+		FROM webauthn_credentials WHERE account_id = ? ORDER BY created_at ASC`, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("db: list webauthn credentials: %w", err)
+	}
+	defer rows.Close() //nolint:errcheck // rows.Close error is non-fatal
+	return scanWebAuthnCredentials(rows)
+}
+
+// GetWebAuthnCredentialByID returns a single WebAuthn credential by its DB row ID.
+// Returns ErrNotFound if the credential does not exist.
+func (db *DB) GetWebAuthnCredentialByID(id int64) (*model.WebAuthnCredential, error) {
+	row := db.sql.QueryRow(`
+		SELECT id, account_id, name, credential_id_enc, credential_id_nonce,
+		       public_key_enc, public_key_nonce, aaguid, sign_count,
+		       discoverable, transports, created_at, updated_at, last_used_at
+		FROM webauthn_credentials WHERE id = ?`, id)
+	return scanWebAuthnCredential(row)
+}
+
+// DeleteWebAuthnCredential deletes a WebAuthn credential by ID, verifying ownership.
+// Returns ErrNotFound if the credential does not exist or does not belong to the account.
+func (db *DB) DeleteWebAuthnCredential(id, accountID int64) error {
+	result, err := db.sql.Exec(
+		`DELETE FROM webauthn_credentials WHERE id = ? AND account_id = ?`, id, accountID)
+	if err != nil {
+		return fmt.Errorf("db: delete webauthn credential: %w", err)
+	}
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("db: webauthn delete rows affected: %w", err)
+	}
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeleteWebAuthnCredentialAdmin deletes a WebAuthn credential by ID without ownership check.
+func (db *DB) DeleteWebAuthnCredentialAdmin(id int64) error {
+	result, err := db.sql.Exec(`DELETE FROM webauthn_credentials WHERE id = ?`, id)
+	if err != nil {
+		return fmt.Errorf("db: admin delete webauthn credential: %w", err)
+	}
+	n, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("db: webauthn admin delete rows affected: %w", err)
+	}
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// DeleteAllWebAuthnCredentials removes all WebAuthn credentials for an account.
+func (db *DB) DeleteAllWebAuthnCredentials(accountID int64) (int64, error) {
+	result, err := db.sql.Exec(
+		`DELETE FROM webauthn_credentials WHERE account_id = ?`, accountID)
+	if err != nil {
+		return 0, fmt.Errorf("db: delete all webauthn credentials: %w", err)
+	}
+	return result.RowsAffected()
+}
+
+// UpdateWebAuthnSignCount updates the sign counter for a credential.
+func (db *DB) UpdateWebAuthnSignCount(id int64, signCount uint32) error {
+	_, err := db.sql.Exec(
+		`UPDATE webauthn_credentials SET sign_count = ?, updated_at = ? WHERE id = ?`,
+		signCount, now(), id)
+	if err != nil {
+		return fmt.Errorf("db: update webauthn sign count: %w", err)
+	}
+	return nil
+}
+
+// UpdateWebAuthnLastUsed sets the last_used_at timestamp for a credential.
+func (db *DB) UpdateWebAuthnLastUsed(id int64) error {
+	_, err := db.sql.Exec(
+		`UPDATE webauthn_credentials SET last_used_at = ?, updated_at = ? WHERE id = ?`,
+		now(), now(), id)
+	if err != nil {
+		return fmt.Errorf("db: update webauthn last used: %w", err)
+	}
+	return nil
+}
+
+// HasWebAuthnCredentials reports whether the account has any WebAuthn credentials.
+func (db *DB) HasWebAuthnCredentials(accountID int64) (bool, error) {
+	var count int
+	err := db.sql.QueryRow(
+		`SELECT COUNT(*) FROM webauthn_credentials WHERE account_id = ?`, accountID).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf("db: count webauthn credentials: %w", err)
+	}
+	return count > 0, nil
+}
+
+// CountWebAuthnCredentials returns the number of WebAuthn credentials for an account.
+func (db *DB) CountWebAuthnCredentials(accountID int64) (int, error) {
+	var count int
+	err := db.sql.QueryRow(
+		`SELECT COUNT(*) FROM webauthn_credentials WHERE account_id = ?`, accountID).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf("db: count webauthn credentials: %w", err)
+	}
+	return count, nil
+}
+
+// boolToInt converts a bool to 0/1 for SQLite storage.
+func boolToInt(b bool) int {
+	if b {
+		return 1
+	}
+	return 0
+}
+
+func scanWebAuthnCredentials(rows *sql.Rows) ([]*model.WebAuthnCredential, error) {
+	var creds []*model.WebAuthnCredential
+	for rows.Next() {
+		cred, err := scanWebAuthnRow(rows)
+		if err != nil {
+			return nil, err
+		}
+		creds = append(creds, cred)
+	}
+	return creds, rows.Err()
+}
+
+// scannable is implemented by both *sql.Row and *sql.Rows.
+type scannable interface {
+	Scan(dest ...any) error
+}
+
+func scanWebAuthnRow(s scannable) (*model.WebAuthnCredential, error) {
+	var cred model.WebAuthnCredential
+	var createdAt, updatedAt string
+	var lastUsedAt *string
+	var discoverable int
+	err := s.Scan(
+		&cred.ID, &cred.AccountID, &cred.Name,
+		&cred.CredentialIDEnc, &cred.CredentialIDNonce,
+		&cred.PublicKeyEnc, &cred.PublicKeyNonce,
+		&cred.AAGUID, &cred.SignCount,
+		&discoverable, &cred.Transports,
+		&createdAt, &updatedAt, &lastUsedAt)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, fmt.Errorf("db: scan webauthn credential: %w", err)
+	}
+	cred.Discoverable = discoverable != 0
+	cred.CreatedAt, err = parseTime(createdAt)
+	if err != nil {
+		return nil, err
+	}
+	cred.UpdatedAt, err = parseTime(updatedAt)
+	if err != nil {
+		return nil, err
+	}
+	cred.LastUsedAt, err = nullableTime(lastUsedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &cred, nil
+}
+
+func scanWebAuthnCredential(row *sql.Row) (*model.WebAuthnCredential, error) {
+	return scanWebAuthnRow(row)
+}

internal/db/webauthn_test.go

@@ -0,0 +1,251 @@
+package db
+
+import (
+	"errors"
+	"testing"
+
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+)
+
+func TestWebAuthnCRUD(t *testing.T) {
+	database := openTestDB(t)
+
+	acct, err := database.CreateAccount("webauthnuser", model.AccountTypeHuman, "hash")
+	if err != nil {
+		t.Fatalf("create account: %v", err)
+	}
+
+	// Empty state.
+	has, err := database.HasWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("has credentials: %v", err)
+	}
+	if has {
+		t.Error("expected no credentials")
+	}
+
+	count, err := database.CountWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("count credentials: %v", err)
+	}
+	if count != 0 {
+		t.Errorf("expected 0 credentials, got %d", count)
+	}
+
+	creds, err := database.GetWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("get credentials (empty): %v", err)
+	}
+	if len(creds) != 0 {
+		t.Errorf("expected 0 credentials, got %d", len(creds))
+	}
+
+	// Create credential.
+	cred := &model.WebAuthnCredential{
+		AccountID:         acct.ID,
+		Name:              "Test Key",
+		CredentialIDEnc:   []byte("enc-cred-id"),
+		CredentialIDNonce: []byte("nonce-cred-id"),
+		PublicKeyEnc:      []byte("enc-pubkey"),
+		PublicKeyNonce:    []byte("nonce-pubkey"),
+		AAGUID:            "2fc0579f811347eab116bb5a8db9202a",
+		SignCount:         0,
+		Discoverable:      true,
+		Transports:        "usb,nfc",
+	}
+	id, err := database.CreateWebAuthnCredential(cred)
+	if err != nil {
+		t.Fatalf("create credential: %v", err)
+	}
+	if id == 0 {
+		t.Error("expected non-zero credential ID")
+	}
+
+	// Now has credentials.
+	has, err = database.HasWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("has credentials after create: %v", err)
+	}
+	if !has {
+		t.Error("expected credentials to exist")
+	}
+
+	count, err = database.CountWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("count after create: %v", err)
+	}
+	if count != 1 {
+		t.Errorf("expected 1 credential, got %d", count)
+	}
+
+	// Get by ID.
+	got, err := database.GetWebAuthnCredentialByID(id)
+	if err != nil {
+		t.Fatalf("get by ID: %v", err)
+	}
+	if got.Name != "Test Key" {
+		t.Errorf("Name = %q, want %q", got.Name, "Test Key")
+	}
+	if !got.Discoverable {
+		t.Error("expected discoverable=true")
+	}
+	if got.Transports != "usb,nfc" {
+		t.Errorf("Transports = %q, want %q", got.Transports, "usb,nfc")
+	}
+	if got.AccountID != acct.ID {
+		t.Errorf("AccountID = %d, want %d", got.AccountID, acct.ID)
+	}
+
+	// Get list.
+	creds, err = database.GetWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("get credentials: %v", err)
+	}
+	if len(creds) != 1 {
+		t.Fatalf("expected 1 credential, got %d", len(creds))
+	}
+	if creds[0].ID != id {
+		t.Errorf("credential ID = %d, want %d", creds[0].ID, id)
+	}
+
+	// Update sign count.
+	if err := database.UpdateWebAuthnSignCount(id, 5); err != nil {
+		t.Fatalf("update sign count: %v", err)
+	}
+	got, _ = database.GetWebAuthnCredentialByID(id)
+	if got.SignCount != 5 {
+		t.Errorf("SignCount = %d, want 5", got.SignCount)
+	}
+
+	// Update last used.
+	if err := database.UpdateWebAuthnLastUsed(id); err != nil {
+		t.Fatalf("update last used: %v", err)
+	}
+	got, _ = database.GetWebAuthnCredentialByID(id)
+	if got.LastUsedAt == nil {
+		t.Error("expected LastUsedAt to be set")
+	}
+}
+
+func TestWebAuthnDeleteOwnership(t *testing.T) {
+	database := openTestDB(t)
+
+	acct1, _ := database.CreateAccount("wa1", model.AccountTypeHuman, "hash")
+	acct2, _ := database.CreateAccount("wa2", model.AccountTypeHuman, "hash")
+
+	cred := &model.WebAuthnCredential{
+		AccountID:         acct1.ID,
+		Name:              "Key",
+		CredentialIDEnc:   []byte("enc"),
+		CredentialIDNonce: []byte("nonce"),
+		PublicKeyEnc:      []byte("enc"),
+		PublicKeyNonce:    []byte("nonce"),
+	}
+	id, _ := database.CreateWebAuthnCredential(cred)
+
+	// Delete with wrong owner should fail.
+	err := database.DeleteWebAuthnCredential(id, acct2.ID)
+	if !errors.Is(err, ErrNotFound) {
+		t.Errorf("expected ErrNotFound for wrong owner, got %v", err)
+	}
+
+	// Delete with correct owner succeeds.
+	if err := database.DeleteWebAuthnCredential(id, acct1.ID); err != nil {
+		t.Fatalf("delete with correct owner: %v", err)
+	}
+
+	// Verify gone.
+	_, err = database.GetWebAuthnCredentialByID(id)
+	if !errors.Is(err, ErrNotFound) {
+		t.Errorf("expected ErrNotFound after delete, got %v", err)
+	}
+}
+
+func TestWebAuthnDeleteAdmin(t *testing.T) {
+	database := openTestDB(t)
+
+	acct, _ := database.CreateAccount("waadmin", model.AccountTypeHuman, "hash")
+	cred := &model.WebAuthnCredential{
+		AccountID:         acct.ID,
+		Name:              "Key",
+		CredentialIDEnc:   []byte("enc"),
+		CredentialIDNonce: []byte("nonce"),
+		PublicKeyEnc:      []byte("enc"),
+		PublicKeyNonce:    []byte("nonce"),
+	}
+	id, _ := database.CreateWebAuthnCredential(cred)
+
+	// Admin delete (no ownership check).
+	if err := database.DeleteWebAuthnCredentialAdmin(id); err != nil {
+		t.Fatalf("admin delete: %v", err)
+	}
+
+	// Non-existent should return ErrNotFound.
+	if err := database.DeleteWebAuthnCredentialAdmin(id); !errors.Is(err, ErrNotFound) {
+		t.Errorf("expected ErrNotFound for non-existent, got %v", err)
+	}
+}
+
+func TestWebAuthnDeleteAll(t *testing.T) {
+	database := openTestDB(t)
+
+	acct, _ := database.CreateAccount("wada", model.AccountTypeHuman, "hash")
+
+	for i := range 3 {
+		cred := &model.WebAuthnCredential{
+			AccountID:         acct.ID,
+			Name:              "Key",
+			CredentialIDEnc:   []byte{byte(i)},
+			CredentialIDNonce: []byte("n"),
+			PublicKeyEnc:      []byte{byte(i)},
+			PublicKeyNonce:    []byte("n"),
+		}
+		if _, err := database.CreateWebAuthnCredential(cred); err != nil {
+			t.Fatalf("create %d: %v", i, err)
+		}
+	}
+
+	deleted, err := database.DeleteAllWebAuthnCredentials(acct.ID)
+	if err != nil {
+		t.Fatalf("delete all: %v", err)
+	}
+	if deleted != 3 {
+		t.Errorf("expected 3 deleted, got %d", deleted)
+	}
+
+	count, _ := database.CountWebAuthnCredentials(acct.ID)
+	if count != 0 {
+		t.Errorf("expected 0 after delete all, got %d", count)
+	}
+}
+
+func TestWebAuthnCascadeDelete(t *testing.T) {
+	database := openTestDB(t)
+
+	acct, _ := database.CreateAccount("wacascade", model.AccountTypeHuman, "hash")
+	cred := &model.WebAuthnCredential{
+		AccountID:         acct.ID,
+		Name:              "Key",
+		CredentialIDEnc:   []byte("enc"),
+		CredentialIDNonce: []byte("nonce"),
+		PublicKeyEnc:      []byte("enc"),
+		PublicKeyNonce:    []byte("nonce"),
+	}
+	id, _ := database.CreateWebAuthnCredential(cred)
+
+	// Delete the account — credentials should cascade.
+	if err := database.UpdateAccountStatus(acct.ID, model.AccountStatusDeleted); err != nil {
+		t.Fatalf("update status: %v", err)
+	}
+
+	// The credential should still be retrievable (soft delete on account doesn't cascade).
+	// But if we hard-delete via SQL, the FK cascade should clean up.
+	// For now just verify the credential still exists after a status change.
+	got, err := database.GetWebAuthnCredentialByID(id)
+	if err != nil {
+		t.Fatalf("get after account status change: %v", err)
+	}
+	if got.ID != id {
+		t.Errorf("credential ID = %d, want %d", got.ID, id)
+	}
+}