Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.
- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14
Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- internal/db/accounts.go: add ListAccountsWithTOTP,
ListAllPGCredentials, TOTPRekeyRow, PGRekeyRow, and
Rekey — atomic transaction that replaces master_key_salt,
signing_key_enc/nonce, all TOTP enc/nonce, and all
pg_password enc/nonce in one SQLite BEGIN/COMMIT
- cmd/mciasdb/rekey.go: runRekey — decrypts all secrets
under old master key, prompts for new passphrase (with
confirmation), derives new key from fresh Argon2id salt,
re-encrypts everything, and commits atomically
- cmd/mciasdb/main.go: wire "rekey" command + update usage
- Tests: DB-layer tests for ListAccountsWithTOTP,
ListAllPGCredentials, Rekey (happy path, empty DB, salt
replacement); command-level TestRekeyCommandRoundTrip
verifies full round-trip and adversarially confirms old
key no longer decrypts after rekey
Security: fresh random salt is always generated so a
reused passphrase still produces an independent key; old
and new master keys are zeroed via defer; no passphrase or
key material appears in logs or audit events; the entire
re-encryption is done in-memory before the single atomic
DB write so the database is never in a mixed state.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Web UI admin password reset now enforces admin role
server-side (was cookie-auth + CSRF only; any logged-in
user could previously reset any account's password)
- Added self-service password change UI at GET/PUT /profile:
current_password + new_password + confirm_password;
server-side equality check; lockout + Argon2id verification;
revokes all other sessions on success
- password_change_form.html fragment and profile.html page
- Nav bar actor name now links to /profile
- policy: ActionChangePassword + default rule -7 allowing
human accounts to change their own password
- openapi.yaml: built-in rules count updated to -7
Migration recovery:
- mciasdb schema force --version N: new subcommand to clear
dirty migration state without running SQL (break-glass)
- schema subcommands bypass auto-migration on open so the
tool stays usable when the database is dirty
- Migrate(): shim no longer overrides schema_migrations
when it already has an entry; duplicate-column error on
the latest migration is force-cleaned and treated as
success (handles columns added outside the runner)
Security:
- Admin role is now validated in handleAdminResetPassword
before any DB access; non-admin receives 403
- handleSelfChangePassword follows identical lockout +
constant-time Argon2id path as the REST self-service
handler; current password required to prevent
token-theft account takeover
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- proto/mcias/v1/: AdminService, AuthService, TokenService,
AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
business logic (auth, token, db, crypto) with REST server;
interceptor chain: logging -> auth (JWT alg-first + revocation) ->
rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
(health, pubkey, account, role, token, pgcreds) using TLS with
optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
public RPCs, auth interceptor (no token, invalid, revoked -> 401),
non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
credential fields absent from all responses
Security:
JWT validation path identical to REST: alg header checked before
signature, alg:none rejected, revocation table checked after sig.
Authorization metadata value never logged by any interceptor.
Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
all proto response messages — enforced by proto design and confirmed
by test TestCredentialFieldsAbsentFromAccountResponse.
Login dummy-Argon2 timing guard preserves timing uniformity for
unknown users (same as REST handleLogin).
TLS required at listener level; cmd/mciassrv uses
credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)
