Kyle Isom
25417b24f4
Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
38 lines
1.2 KiB
Go
38 lines
1.2 KiB
Go
package webauthn
|
|
|
|
import (
|
|
"github.com/go-webauthn/webauthn/webauthn"
|
|
)
|
|
|
|
// AccountUser implements the webauthn.User interface for an MCIAS account.
|
|
// The WebAuthnCredentials field must be populated with decrypted credentials
|
|
// before passing to the library.
|
|
type AccountUser struct {
|
|
id []byte // UUID as bytes
|
|
name string
|
|
displayName string
|
|
credentials []webauthn.Credential
|
|
}
|
|
|
|
// NewAccountUser creates a new AccountUser from account details and decrypted credentials.
|
|
func NewAccountUser(uuidBytes []byte, username string, creds []webauthn.Credential) *AccountUser {
|
|
return &AccountUser{
|
|
id: uuidBytes,
|
|
name: username,
|
|
displayName: username,
|
|
credentials: creds,
|
|
}
|
|
}
|
|
|
|
// WebAuthnID returns the user's unique ID as bytes.
|
|
func (u *AccountUser) WebAuthnID() []byte { return u.id }
|
|
|
|
// WebAuthnName returns the user's login name.
|
|
func (u *AccountUser) WebAuthnName() string { return u.name }
|
|
|
|
// WebAuthnDisplayName returns the user's display name.
|
|
func (u *AccountUser) WebAuthnDisplayName() string { return u.displayName }
|
|
|
|
// WebAuthnCredentials returns the user's registered credentials.
|
|
func (u *AccountUser) WebAuthnCredentials() []webauthn.Credential { return u.credentials }
|