Kyle Isom
25417b24f4
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
19 lines
771 B
SQL
19 lines
771 B
SQL
CREATE TABLE webauthn_credentials (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
account_id INTEGER NOT NULL REFERENCES accounts(id) ON DELETE CASCADE,
|
|
name TEXT NOT NULL DEFAULT '',
|
|
credential_id_enc BLOB NOT NULL,
|
|
credential_id_nonce BLOB NOT NULL,
|
|
public_key_enc BLOB NOT NULL,
|
|
public_key_nonce BLOB NOT NULL,
|
|
aaguid TEXT NOT NULL DEFAULT '',
|
|
sign_count INTEGER NOT NULL DEFAULT 0,
|
|
discoverable INTEGER NOT NULL DEFAULT 0,
|
|
transports TEXT NOT NULL DEFAULT '',
|
|
created_at TEXT NOT NULL,
|
|
updated_at TEXT NOT NULL,
|
|
last_used_at TEXT
|
|
);
|
|
|
|
CREATE INDEX idx_webauthn_credentials_account_id ON webauthn_credentials(account_id);
|