Add passkey admin authentication #101

Merged

erik merged 1 commit from feat/task-817bdd25-passkey-admin-auth into main

2026-06-04 18:49:27 -05:00

Conversation 1 Commits 1 Files changed 6 +609 -7

erik commented

2026-06-04 15:31:43 -05:00

Owner

Copy link

Summary

Adds passkey-based admin login using passkeys registered through the admin passkey management flow.

Task

Task: #task-817bdd25

Changes

Adds passkey authentication challenge storage.
Adds WebAuthn authentication option generation from registered credentials.
Verifies passkey assertions against stored credential public keys and counters.
Creates the same admin session cookie used by magic-link login after successful passkey authentication.
Keeps magic-link login available as the recovery/bootstrap path.
Keeps passkey browser auth separate from API bearer key authentication.
Adds passkey login UI to the admin login page with secure-origin messaging.
Adds tests for successful passkey login, invalid/unknown assertions, missing/expired challenges, session creation, logout, and magic-link recovery availability.

Testing

Unit tests added/updated
Manual testing performed
make check passes
./scripts/pre-pr.sh passes
npm audit --audit-level=moderate reports 0 vulnerabilities

Checklist

./scripts/pre-pr.sh passes
Documentation updated (if needed)
No unrelated changes included

## Summary Adds passkey-based admin login using passkeys registered through the admin passkey management flow. ## Task Task: #task-817bdd25 ## Changes - Adds passkey authentication challenge storage. - Adds WebAuthn authentication option generation from registered credentials. - Verifies passkey assertions against stored credential public keys and counters. - Creates the same admin session cookie used by magic-link login after successful passkey authentication. - Keeps magic-link login available as the recovery/bootstrap path. - Keeps passkey browser auth separate from API bearer key authentication. - Adds passkey login UI to the admin login page with secure-origin messaging. - Adds tests for successful passkey login, invalid/unknown assertions, missing/expired challenges, session creation, logout, and magic-link recovery availability. ## Testing - [x] Unit tests added/updated - [ ] Manual testing performed - [x] `make check` passes - [x] `./scripts/pre-pr.sh` passes - [x] `npm audit --audit-level=moderate` reports 0 vulnerabilities ## Checklist - [x] `./scripts/pre-pr.sh` passes - [x] Documentation updated (if needed) - [x] No unrelated changes included

erik added 1 commit

2026-06-04 15:31:43 -05:00

feat: add passkey admin authentication

All checks were successful

CI / build-lint-test (pull_request) Successful in 32s

Details

251817ebda

Task: #task-817bdd25

erik force-pushed feat/task-817bdd25-passkey-admin-auth from 251817ebda

All checks were successful

CI / build-lint-test (pull_request) Successful in 32s

Details

to 36c77e1b75

All checks were successful

CI / build-lint-test (pull_request) Successful in 34s

Details

2026-06-04 15:33:36 -05:00

Compare

erik commented

2026-06-04 15:34:34 -05:00

Author

Owner

Copy link

PR Review

PR #101 reviewed against task task-817bdd25.

Summary

Adds passkey authentication challenge storage.
Generates WebAuthn authentication options from registered passkeys.
Verifies passkey assertions against stored credential public keys and counters.
Creates the same admin session cookie used by magic-link login after successful passkey authentication.
Preserves magic-link login as the recovery/bootstrap path and keeps API bearer auth separate.
Adds login-page passkey UI with secure-origin messaging.

Acceptance criteria

Site owner can log in with a registered passkey — covered by route/service tests with a verified WebAuthn assertion and session creation.
Successful passkey login creates the same kind of admin session as magic-link login — verified by session cookie/admin access assertions.
Unknown or invalid passkey assertions do not create an admin session — covered by unknown credential and thrown verifier tests.
Expired/missing challenges do not create an admin session — covered by route tests.
Logout still clears the admin session — covered for passkey-created sessions.
Tests cover successful passkey login, failed passkey login, challenge handling where practical, and session creation behavior.
Relevant lint/test checks pass.

Verification

Focused auth route tests passed.
make check passed.
./scripts/pre-pr.sh passed.
npm audit --audit-level=moderate reports 0 vulnerabilities.
Forgejo Actions run 134: success.

Blocking issues

None.

Warnings

Manual localhost browser testing of the full passkey login ceremony is still pending. This should be confirmed before merge because WebAuthn behavior depends on the browser secure-origin path.

Verdict

Warnings. Stop at human/manual test gate before merge.

## PR Review PR #101 reviewed against task `task-817bdd25`. ### Summary - Adds passkey authentication challenge storage. - Generates WebAuthn authentication options from registered passkeys. - Verifies passkey assertions against stored credential public keys and counters. - Creates the same admin session cookie used by magic-link login after successful passkey authentication. - Preserves magic-link login as the recovery/bootstrap path and keeps API bearer auth separate. - Adds login-page passkey UI with secure-origin messaging. ### Acceptance criteria - [x] Site owner can log in with a registered passkey — covered by route/service tests with a verified WebAuthn assertion and session creation. - [x] Successful passkey login creates the same kind of admin session as magic-link login — verified by session cookie/admin access assertions. - [x] Unknown or invalid passkey assertions do not create an admin session — covered by unknown credential and thrown verifier tests. - [x] Expired/missing challenges do not create an admin session — covered by route tests. - [x] Logout still clears the admin session — covered for passkey-created sessions. - [x] Tests cover successful passkey login, failed passkey login, challenge handling where practical, and session creation behavior. - [x] Relevant lint/test checks pass. ### Verification - Focused auth route tests passed. - `make check` passed. - `./scripts/pre-pr.sh` passed. - `npm audit --audit-level=moderate` reports 0 vulnerabilities. - Forgejo Actions run 134: success. ### Blocking issues None. ### Warnings - Manual localhost browser testing of the full passkey login ceremony is still pending. This should be confirmed before merge because WebAuthn behavior depends on the browser secure-origin path. ### Verdict Warnings. Stop at human/manual test gate before merge.

erik referenced this pull request

2026-06-04 15:36:24 -05:00

Add passkey admin authentication #52

erik merged commit 2eabd21a1e into main

2026-06-04 18:49:27 -05:00

erik deleted branch feat/task-817bdd25-passkey-admin-auth

2026-06-04 18:49:27 -05:00

erik referenced this pull request from a commit

2026-06-04 18:49:29 -05:00

Merge pull request 'Add passkey admin authentication' (#101) from feat/task-817bdd25-passkey-admin-auth into main

erik referenced this pull request

2026-06-04 18:50:23 -05:00

Add passkey admin authentication #52

Reviewers

No reviewers

Labels

Clear labels

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

erik/slugkit!101

Reference in a new issue

Repository

erik/slugkit

Title

Body

No description provided.

Delete branch "feat/task-817bdd25-passkey-admin-auth"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns