Implement main passkey backend

Hakeem Abdul-Razakrequested to merge
569932-passkey_controller into master

What does this MR do and why?

Why?

  • Introduces support for passkey backend authentication, creation, and deletion
  • Allows for a full-stack demo of the /profile/two_factor_auths page after connecting to the frontend stubs(1,2,3)

What?

  • Implements main passkey backend (controllers, services & concerns)

    • New functionality
      • Passkey registration, authentication, and deletion services
      • Adds a user_policy :disable_passkey for secure admin & user passkey deletion
      • Controller actions for managing passkeys
      • WebAuthn helpers for passkey (resident_key) webauthn options
      • Make sure all passkey & 2FA controller instance variables are available in the /profile/two_factor_auths(profile), passkey(profile) and sessions (sign_in) views
    • Updates to existing code
      • Extends WebAuthn::AuthenticateService to support both 2FA and passwordless sign_in modes
      • Support UI conditional rendering for passkey/webauthn when 2FA is enabled in the /profile/two_factor_auths page
    • Tests and bug fixes
      • Revise previous webauthn tests (Authenticate & Registration) to account for previously untested edge cases
      • Comprehensive specs for all new functionality
      • Fixed the bugfunctional in the delete webauthn service spec (false positive)

  • Integrates with the conditional UX & FE logic for default passkeys when at least 1 2FA method is enabled

Review Structure

groupauthorization

frontend

backend

It looks bloated, but a majority of the lines are tests. Feel free to ask lots of questions & sync if needed.

groupauthentication

This will be the last reviewer & maintainer.

  • /app/views/profiles/two_factor_auths/
  • /app/services/webauthn/
  • /app/controllers/profiles/two_factor_auths_controller.rb
  • /app/controllers/concerns/authenticates_with_two_factor.rb

Screenshots or screen recordings

  • BE demo to create and delete passkeys programmatically
Demo
passkey_controller_demo

How to set up and validate locally

  • Open a rails console
gdk rails console
  • Create a user with a WebAuthn registration and verify model changes.
user = User.first
auth1 = user.passkeys.create(
  name: 'LastPass',
  credential_xid: SecureRandom.hex,
  public_key: SecureRandom.hex,
  counter: 0,
  last_used_at: 20.days.from_now,
  authentication_mode: :passwordless
)

auth1.last_used_at
auth1.passkey_eligible
  • Go to https://gdk.test:3443/-/profile/two_factor_auth
  • Run Feature.enable(:passkeys)
  • Play around with the connected UI
  • Try to log out & log in with & without 2FA
    • You won't be able to test passkey registration & sign_in yet until other frontend tasks are completed
  • As admin, impersonate a user & verify the previous steps

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hakeem Abdul-Razak

Merge request reports