Kyle Isom
25417b24f4
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
53 lines
2.1 KiB
HTML
53 lines
2.1 KiB
HTML
{{define "login"}}<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width,initial-scale=1">
|
|
<title>Sign In — MCIAS</title>
|
|
<link rel="stylesheet" href="/static/style.css">
|
|
</head>
|
|
<body>
|
|
<div class="login-wrapper">
|
|
<div class="login-box">
|
|
<div class="brand-heading">MCIAS</div>
|
|
<div class="brand-subtitle">Metacircular Identity & Access System</div>
|
|
<div class="card" id="login-card">
|
|
{{if .Error}}<div class="alert alert-error" role="alert">{{.Error}}</div>{{end}}
|
|
<form id="login-form" method="POST" action="/login"
|
|
hx-post="/login" hx-target="#login-card" hx-swap="outerHTML" hx-select="#login-card">
|
|
<div class="form-group">
|
|
<label for="username">Username</label>
|
|
<input class="form-control" type="text" id="username" name="username"
|
|
autocomplete="username" required autofocus>
|
|
</div>
|
|
<div class="form-group">
|
|
<label for="password">Password</label>
|
|
<input class="form-control" type="password" id="password" name="password"
|
|
autocomplete="current-password" required>
|
|
</div>
|
|
<div class="form-actions">
|
|
<button class="btn btn-primary" type="submit" style="width:100%">Sign in</button>
|
|
</div>
|
|
</form>
|
|
{{if .WebAuthnEnabled}}
|
|
<div style="margin-top:1rem;text-align:center">
|
|
<div style="display:flex;align-items:center;gap:.75rem;margin-bottom:.75rem">
|
|
<hr style="flex:1;border:0;border-top:1px solid #ddd">
|
|
<span class="text-muted text-small">or</span>
|
|
<hr style="flex:1;border:0;border-top:1px solid #ddd">
|
|
</div>
|
|
<div id="webauthn-login-error" class="alert alert-error" style="display:none" role="alert"></div>
|
|
<button class="btn btn-secondary" type="button" id="webauthn-login-btn" style="width:100%">
|
|
Sign in with passkey
|
|
</button>
|
|
</div>
|
|
{{end}}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script src="/static/htmx.min.js"></script>
|
|
{{if .WebAuthnEnabled}}<script src="/static/webauthn.js"></script>{{end}}
|
|
</body>
|
|
</html>
|
|
{{end}}
|