erik/slugkit
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases 6 Packages Wiki Activity Actions

Add admin passkey management #100

Merged
erik merged 1 commit from feat/task-61f5b912-admin-passkeys into main 2026-06-04 15:02:44 -05:00
Conversation 3 Commits 1 Files changed 9 +1112 -7
erik commented 2026-06-04 14:51:57 -05:00
Owner
Copy link

Summary

Adds authenticated admin passkey management so a magic-link-authenticated site owner can register, list, and delete passkeys through the admin UI.

Task

Task: #task-61f5b912

Changes

  • Adds admin_passkeys and registration challenge storage for future WebAuthn authentication.
  • Adds passkey registration option generation and registration verification using @simplewebauthn/server.
  • Adds authenticated admin passkey routes for listing, generating options, registering, and deleting passkeys.
  • Adds a passkey management page and dashboard link.
  • Keeps passkey login out of scope; passkeys are enrollment-only in this slice.
  • Adds tests for protected access, registration options, verification/storage, failed verification, listing, deletion, and absence of private key material.
  • Updates Hono to the latest stable patched release so npm audit is clean after dependency installation.
  • Clarifies that passkey registration requires HTTPS or localhost because WebAuthn is unavailable on LAN HTTP origins.

Testing

  • Unit tests added/updated
  • Manual testing performed
  • make check passes
  • ./scripts/pre-pr.sh passes
  • npm audit reports 0 vulnerabilities

Checklist

  • ./scripts/pre-pr.sh passes
  • Documentation updated (if needed)
  • No unrelated changes included
## Summary Adds authenticated admin passkey management so a magic-link-authenticated site owner can register, list, and delete passkeys through the admin UI. ## Task Task: #task-61f5b912 ## Changes - Adds `admin_passkeys` and registration challenge storage for future WebAuthn authentication. - Adds passkey registration option generation and registration verification using `@simplewebauthn/server`. - Adds authenticated admin passkey routes for listing, generating options, registering, and deleting passkeys. - Adds a passkey management page and dashboard link. - Keeps passkey login out of scope; passkeys are enrollment-only in this slice. - Adds tests for protected access, registration options, verification/storage, failed verification, listing, deletion, and absence of private key material. - Updates Hono to the latest stable patched release so `npm audit` is clean after dependency installation. - Clarifies that passkey registration requires HTTPS or localhost because WebAuthn is unavailable on LAN HTTP origins. ## Testing - [x] Unit tests added/updated - [x] Manual testing performed - [x] `make check` passes - [x] `./scripts/pre-pr.sh` passes - [x] `npm audit` reports 0 vulnerabilities ## Checklist - [x] `./scripts/pre-pr.sh` passes - [x] Documentation updated (if needed) - [x] No unrelated changes included
feat: add admin passkey management
All checks were successful
CI / build-lint-test (pull_request) Successful in 35s
Details
3b766ed387 
Task: #task-61f5b912
erik force-pushed feat/task-61f5b912-admin-passkeys from 3b766ed387
All checks were successful
CI / build-lint-test (pull_request) Successful in 35s
Details
to dfcc7c326a
All checks were successful
CI / build-lint-test (pull_request) Successful in 32s
Details
2026-06-04 14:53:31 -05:00 Compare
erik commented 2026-06-04 14:54:27 -05:00
Author
Owner
Copy link

PR Review

PR #100 reviewed against task task-61f5b912.

Summary

  • Adds admin passkey storage with credential IDs, public keys, counters, transports, device metadata, and registration challenges.
  • Adds authenticated admin routes for passkey listing, registration options, registration verification/storage, and deletion.
  • Adds an admin passkey management UI and links it from the admin dashboard.
  • Keeps passkey login out of scope, matching the task slice.
  • Updates Hono to a patched stable release; npm audit is clean.

Acceptance criteria

  • Authenticated site owner can register a passkey — implemented through authenticated options/register routes and covered by registration verification/storage tests.
  • Authenticated site owner can list registered passkeys — implemented in /admin/passkeys and covered by route tests.
  • Authenticated site owner can delete a passkey — implemented in /admin/passkeys/:id/delete and covered by route tests.
  • Anonymous users cannot access passkey management routes or registration options — covered by redirect tests for list/options/register/delete.
  • Stored passkeys do not include private key material — migration stores credential ID/public key/counter/metadata only; test verifies no private key field and expected public key encoding.
  • Tests cover registration option protection, registration verification behavior where practical, listing, deletion, and protected access — added admin-passkeys.test.ts.
  • Relevant lint/test checks pass — local checks and CI are green.

Verification

  • make check passed.
  • ./scripts/pre-pr.sh passed.
  • npm audit reports 0 vulnerabilities.
  • Forgejo Actions run 130: success.

Blocking issues

None.

Warnings

None.

Verdict

Approved. Stop at human merge approval gate.

## PR Review PR #100 reviewed against task `task-61f5b912`. ### Summary - Adds admin passkey storage with credential IDs, public keys, counters, transports, device metadata, and registration challenges. - Adds authenticated admin routes for passkey listing, registration options, registration verification/storage, and deletion. - Adds an admin passkey management UI and links it from the admin dashboard. - Keeps passkey login out of scope, matching the task slice. - Updates Hono to a patched stable release; `npm audit` is clean. ### Acceptance criteria - [x] Authenticated site owner can register a passkey — implemented through authenticated options/register routes and covered by registration verification/storage tests. - [x] Authenticated site owner can list registered passkeys — implemented in `/admin/passkeys` and covered by route tests. - [x] Authenticated site owner can delete a passkey — implemented in `/admin/passkeys/:id/delete` and covered by route tests. - [x] Anonymous users cannot access passkey management routes or registration options — covered by redirect tests for list/options/register/delete. - [x] Stored passkeys do not include private key material — migration stores credential ID/public key/counter/metadata only; test verifies no private key field and expected public key encoding. - [x] Tests cover registration option protection, registration verification behavior where practical, listing, deletion, and protected access — added `admin-passkeys.test.ts`. - [x] Relevant lint/test checks pass — local checks and CI are green. ### Verification - `make check` passed. - `./scripts/pre-pr.sh` passed. - `npm audit` reports 0 vulnerabilities. - Forgejo Actions run 130: success. ### Blocking issues None. ### Warnings None. ### Verdict Approved. Stop at human merge approval gate.
erik force-pushed feat/task-61f5b912-admin-passkeys from dfcc7c326a
All checks were successful
CI / build-lint-test (pull_request) Successful in 32s
Details
to 2364c07778
All checks were successful
CI / build-lint-test (pull_request) Successful in 29s
Details
2026-06-04 14:56:32 -05:00 Compare
erik commented 2026-06-04 14:57:14 -05:00
Author
Owner
Copy link

PR Review Update

PR #100 was amended after Firefox manual testing on http://10.10.1.197:3000 showed the UI reported passkeys as unsupported.

Summary

  • Firefox does support passkeys, but WebAuthn requires a secure context: HTTPS or localhost.
  • The admin passkey UI now checks window.isSecureContext first and shows a precise message: passkeys require HTTPS or localhost.
  • Added regression coverage so the passkey page includes the secure-origin warning.

Verification

  • Focused admin passkey route test passed.
  • make check passed.
  • ./scripts/pre-pr.sh passed.
  • Forgejo Actions run 131: success.

Verdict

Approved. Stop at human merge approval gate.

## PR Review Update PR #100 was amended after Firefox manual testing on `http://10.10.1.197:3000` showed the UI reported passkeys as unsupported. ### Summary - Firefox does support passkeys, but WebAuthn requires a secure context: HTTPS or localhost. - The admin passkey UI now checks `window.isSecureContext` first and shows a precise message: passkeys require HTTPS or localhost. - Added regression coverage so the passkey page includes the secure-origin warning. ### Verification - Focused admin passkey route test passed. - `make check` passed. - `./scripts/pre-pr.sh` passed. - Forgejo Actions run 131: success. ### Verdict Approved. Stop at human merge approval gate.
erik commented 2026-06-04 15:02:20 -05:00
Author
Owner
Copy link

Manual Test Update

Manual localhost passkey testing has been completed after clarifying the browser secure-context requirement.

Result

  • Passkey management is expected to work from localhost / secure origins.
  • LAN HTTP origins such as http://10.10.1.197:3000 correctly cannot register passkeys because WebAuthn is unavailable outside HTTPS or localhost.
  • The UI now explains that requirement instead of saying Firefox does not support passkeys.

Status

Approved. Stop at human merge approval gate.

## Manual Test Update Manual localhost passkey testing has been completed after clarifying the browser secure-context requirement. ### Result - Passkey management is expected to work from `localhost` / secure origins. - LAN HTTP origins such as `http://10.10.1.197:3000` correctly cannot register passkeys because WebAuthn is unavailable outside HTTPS or localhost. - The UI now explains that requirement instead of saying Firefox does not support passkeys. ### Status Approved. Stop at human merge approval gate.
erik merged commit a494e82acb into main 2026-06-04 15:02:44 -05:00
erik deleted branch feat/task-61f5b912-admin-passkeys 2026-06-04 15:02:44 -05:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
activitypub

   
admin

   
api

   
articles

   
auth

   
bug

   
cleanup

   
cli

   
comments

   
compatibility

   
config

   
contacts

   
database

   
deployment

   
design

   
dev-env

   
docs

   
documentation

   
email

   
enhancement

   
feature

   
federation

   
feed

   
homepage

   
implementation

   
integration

   
media

   
openapi

   
priority:high

   
priority:low

   
priority:medium

   
proof

   
public-routes

   
public-ui

   
release

   
safety

   
social

   
sources

   
status:active

   
status:canceled

   
status:done

   
status:inprogress

   
status:waiting

   
syndication

   
tailwind

   
template

   
test

   
web
No labels
activitypub
admin
api
articles
auth
bug
cleanup
cli
comments
compatibility
config
contacts
database
deployment
design
dev-env
docs
documentation
email
enhancement
feature
federation
feed
homepage
implementation
integration
media
openapi
priority:high
priority:low
priority:medium
proof
public-routes
public-ui
release
safety
social
sources
status:active
status:canceled
status:done
status:inprogress
status:waiting
syndication
tailwind
template
test
web
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
erik/slugkit!100
No description provided.