mcias

kyle/mcias

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Isom	db7cd73a6e	Fix WebAuthn login: username pre-fill and policy check - webauthn.js: read #username value before calling mciasWebAuthnLogin so non-discoverable keys work when a username is typed (previously always passed empty string, forcing discoverable/resident-key flow only) - handleWebAuthnLoginFinish: evaluate auth:login policy after credential verification, mirroring the gate in handleLogin; returns 403 on deny so policy rules apply equally to both password and passkey authentication paths Security: policy is checked post-verification so 403 vs 401 distinguishes a policy restriction from a bad credential without leaking account existence. No service context is sent (WebAuthn login carries no service_name/tags), so per-service deny rules don't fire on passkey login; account-level deny rules do. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-17 14:04:51 -07:00
Kyle Isom	446b3df52d	Fix WebAuthn CSRF; clarify security key UI - Fix webauthn.js CSRF token: read HMAC header value from body hx-headers attribute instead of cookie nonce - Update profile labels to mention security keys/FIDO2 alongside passkeys Security: CSRF double-submit was broken for fetch()-based WebAuthn requests — JS was sending the cookie nonce as the header value instead of the HMAC. Fixed by reading the server-rendered header token from the DOM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-16 19:27:44 -07:00
Kyle Isom	25417b24f4	Add FIDO2/WebAuthn passkey authentication Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-16 16:12:59 -07:00

Author

SHA1

Message

Date

Kyle Isom

db7cd73a6e

Fix WebAuthn login: username pre-fill and policy check

- webauthn.js: read #username value before calling
  mciasWebAuthnLogin so non-discoverable keys work when
  a username is typed (previously always passed empty string,
  forcing discoverable/resident-key flow only)

- handleWebAuthnLoginFinish: evaluate auth:login policy after
  credential verification, mirroring the gate in handleLogin;
  returns 403 on deny so policy rules apply equally to both
  password and passkey authentication paths

Security: policy is checked post-verification so 403 vs 401
distinguishes a policy restriction from a bad credential without
leaking account existence. No service context is sent (WebAuthn
login carries no service_name/tags), so per-service deny rules
don't fire on passkey login; account-level deny rules do.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-17 14:04:51 -07:00

Kyle Isom

446b3df52d

Fix WebAuthn CSRF; clarify security key UI

- Fix webauthn.js CSRF token: read HMAC header value from
  body hx-headers attribute instead of cookie nonce
- Update profile labels to mention security keys/FIDO2
  alongside passkeys

Security: CSRF double-submit was broken for fetch()-based
WebAuthn requests — JS was sending the cookie nonce as the
header value instead of the HMAC. Fixed by reading the
server-rendered header token from the DOM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-16 19:27:44 -07:00

Kyle Isom

25417b24f4

Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-16 16:12:59 -07:00

3 Commits