Add FIDO2/WebAuthn passkey authentication
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -213,6 +213,11 @@ const (
|
||||
|
||||
EventTokenDelegateGranted = "token_delegate_granted"
|
||||
EventTokenDelegateRevoked = "token_delegate_revoked"
|
||||
|
||||
EventWebAuthnEnrolled = "webauthn_enrolled"
|
||||
EventWebAuthnRemoved = "webauthn_removed"
|
||||
EventWebAuthnLoginOK = "webauthn_login_ok"
|
||||
EventWebAuthnLoginFail = "webauthn_login_fail"
|
||||
)
|
||||
|
||||
// ServiceAccountDelegate records that a specific account has been granted
|
||||
@@ -229,6 +234,26 @@ type ServiceAccountDelegate struct {
|
||||
GranteeID int64 `json:"-"`
|
||||
}
|
||||
|
||||
// WebAuthnCredential holds a stored WebAuthn/passkey credential.
|
||||
// Credential IDs and public keys are encrypted at rest with AES-256-GCM;
|
||||
// decrypted values must never be logged or included in API responses.
|
||||
type WebAuthnCredential struct {
|
||||
CreatedAt time.Time `json:"created_at"`
|
||||
UpdatedAt time.Time `json:"updated_at"`
|
||||
LastUsedAt *time.Time `json:"last_used_at,omitempty"`
|
||||
Name string `json:"name"`
|
||||
AAGUID string `json:"aaguid"`
|
||||
Transports string `json:"transports,omitempty"`
|
||||
CredentialIDEnc []byte `json:"-"`
|
||||
CredentialIDNonce []byte `json:"-"`
|
||||
PublicKeyEnc []byte `json:"-"`
|
||||
PublicKeyNonce []byte `json:"-"`
|
||||
ID int64 `json:"id"`
|
||||
AccountID int64 `json:"-"`
|
||||
SignCount uint32 `json:"sign_count"`
|
||||
Discoverable bool `json:"discoverable"`
|
||||
}
|
||||
|
||||
// PolicyRuleRecord is the database representation of a policy rule.
|
||||
// RuleJSON holds a JSON-encoded policy.RuleBody (all match and effect fields).
|
||||
// The ID, Priority, and Description are stored as dedicated columns.
|
||||
|
||||
Reference in New Issue
Block a user