erik/slugkit
1
0
Fork 0
Code Issues 6 Pull requests Projects Releases 6 Packages Wiki Activity Actions

Add passkey admin authentication #52

New issue
Closed
opened 2026-05-22 11:43:11 -05:00 by erik · 2 comments
erik commented 2026-05-22 11:43:11 -05:00
Owner
Copy link

Goal

Use registered passkeys as a faster admin login method after the initial magic-link bootstrap and passkey registration flows exist.

Spec: docs/web-specs/03-admin-auth-keys-passkeys.md

Requirements

  • Add passkey-based admin login ceremony using credentials registered by task-d352924e.
  • Add WebAuthn authentication options endpoint for the login page.
  • Verify passkey assertions against stored credential public keys.
  • Create the same server-side admin session used by magic-link login after successful passkey authentication.
  • Preserve logout/session behavior from the admin session foundation.
  • Handle missing credentials, unknown credentials, expired challenges, and invalid assertions with clear UI/API errors.
  • Keep passkey browser authentication separate from API bearer key authentication.
  • Keep magic-link login available as the recovery/bootstrap path unless explicitly disabled later.

Acceptance criteria

  • Site owner can log in with a registered passkey.
  • Successful passkey login creates the same kind of admin session as magic-link login.
  • Unknown or invalid passkey assertions do not create an admin session.
  • Expired/missing challenges do not create an admin session.
  • Logout still clears the admin session.
  • Tests cover successful passkey login, failed passkey login, challenge handling where practical, and session creation behavior.
  • Relevant lint/test checks pass.

Dependencies

  • task-d352924e
## Goal Use registered passkeys as a faster admin login method after the initial magic-link bootstrap and passkey registration flows exist. Spec: `docs/web-specs/03-admin-auth-keys-passkeys.md` ## Requirements - Add passkey-based admin login ceremony using credentials registered by `task-d352924e`. - Add WebAuthn authentication options endpoint for the login page. - Verify passkey assertions against stored credential public keys. - Create the same server-side admin session used by magic-link login after successful passkey authentication. - Preserve logout/session behavior from the admin session foundation. - Handle missing credentials, unknown credentials, expired challenges, and invalid assertions with clear UI/API errors. - Keep passkey browser authentication separate from API bearer key authentication. - Keep magic-link login available as the recovery/bootstrap path unless explicitly disabled later. ## Acceptance criteria - [ ] Site owner can log in with a registered passkey. - [ ] Successful passkey login creates the same kind of admin session as magic-link login. - [ ] Unknown or invalid passkey assertions do not create an admin session. - [ ] Expired/missing challenges do not create an admin session. - [ ] Logout still clears the admin session. - [ ] Tests cover successful passkey login, failed passkey login, challenge handling where practical, and session creation behavior. - [ ] Relevant lint/test checks pass. ## Dependencies - task-d352924e
erik commented 2026-06-04 15:36:24 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-06-04T20:34:40.986Z

PR Review

PR #101 reviewed against acceptance criteria.

Result: warnings

Verification:

  • Focused auth route tests passed.
  • make check passed.
  • ./scripts/pre-pr.sh passed.
  • npm audit --audit-level=moderate reports 0 vulnerabilities.
  • Forgejo Actions run 134 completed successfully.

Blocking issues: 0
Warnings: 1
Acceptance criteria: 7/7 met in automated coverage

Warning:

  • Manual localhost browser testing of the full passkey login ceremony is still pending and should be confirmed before merge because WebAuthn behavior depends on browser secure-origin behavior.

Stopped at human/manual test gate before merge.

_Synced from todu comment by @todu on 2026-06-04T20:34:40.986Z_ ## PR Review PR #101 reviewed against acceptance criteria. Result: warnings Verification: - Focused auth route tests passed. - `make check` passed. - `./scripts/pre-pr.sh` passed. - `npm audit --audit-level=moderate` reports 0 vulnerabilities. - Forgejo Actions run 134 completed successfully. Blocking issues: 0 Warnings: 1 Acceptance criteria: 7/7 met in automated coverage Warning: - Manual localhost browser testing of the full passkey login ceremony is still pending and should be confirmed before merge because WebAuthn behavior depends on browser secure-origin behavior. Stopped at human/manual test gate before merge.
erik commented 2026-06-04 18:50:23 -05:00
Author
Owner
Copy link

Synced from todu comment by @todu on 2026-06-04T23:50:21.077Z

Completed

Acceptance criteria verified:

  • Added passkey-based admin login using registered credentials.
  • Added authentication options and verification endpoints for the login page.
  • Successful passkey authentication creates the same server-side admin session/cookie used by magic-link login.
  • Unknown/invalid assertions and missing/expired challenges do not create sessions.
  • Logout continues to clear passkey-created admin sessions.
  • Magic-link login remains available as recovery/bootstrap.
  • Passkey browser auth remains separate from API bearer key authentication.
  • Tests cover successful passkey login, failed login, challenge handling, session creation, and logout behavior.

PR #101 was merged into main. Verification passed: focused auth tests, make check, ./scripts/pre-pr.sh, npm audit --audit-level=moderate, and Forgejo Actions run 134. The manual localhost browser-login warning was waived by explicit merge approval.

_Synced from todu comment by @todu on 2026-06-04T23:50:21.077Z_ ### Completed Acceptance criteria verified: - Added passkey-based admin login using registered credentials. - Added authentication options and verification endpoints for the login page. - Successful passkey authentication creates the same server-side admin session/cookie used by magic-link login. - Unknown/invalid assertions and missing/expired challenges do not create sessions. - Logout continues to clear passkey-created admin sessions. - Magic-link login remains available as recovery/bootstrap. - Passkey browser auth remains separate from API bearer key authentication. - Tests cover successful passkey login, failed login, challenge handling, session creation, and logout behavior. PR #101 was merged into `main`. Verification passed: focused auth tests, `make check`, `./scripts/pre-pr.sh`, `npm audit --audit-level=moderate`, and Forgejo Actions run 134. The manual localhost browser-login warning was waived by explicit merge approval.
erik 2026-06-04 18:55:45 -05:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/slug-cli-v0.5.0
release/slug-cli-v0.4.0
release/slug-cli-v0.3.0
release/slug-cli-v0.2.0
release/slug-cli-v0.1.2
release/slug-cli-v0.1.1
feat/task-47be19ea-api-meta-route
feat/task-51eaa27f-swagger-api-docs
feat/task-0dbd25d3-site-config-homepage
feat/task-69937fe4-sqlite-migrations
feat/task-a3cd5595-cli-foundation
feat/task-c272cbda-openapi-health
feat/task-d6397b57-template-foundation
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.2
v0.1.1
Labels
Clear labels   
activitypub

   
admin

   
api

   
articles

   
auth

   
bug

   
cleanup

   
cli

   
comments

   
compatibility

   
config

   
contacts

   
database

   
deployment

   
design

   
dev-env

   
docs

   
documentation

   
email

   
enhancement

   
feature

   
federation

   
feed

   
homepage

   
implementation

   
integration

   
media

   
openapi

   
priority:high

   
priority:low

   
priority:medium

   
proof

   
public-routes

   
public-ui

   
release

   
safety

   
social

   
sources

   
status:active

   
status:canceled

   
status:done

   
status:inprogress

   
status:waiting

   
syndication

   
tailwind

   
template

   
test

   
web
No labels
activitypub
admin
api
articles
auth
bug
cleanup
cli
comments
compatibility
config
contacts
database
deployment
design
dev-env
docs
documentation
email
enhancement
feature
federation
feed
homepage
implementation
integration
media
openapi
priority:high
priority:low
priority:medium
proof
public-routes
public-ui
release
safety
social
sources
status:active
status:canceled
status:done
status:inprogress
status:waiting
syndication
tailwind
template
test
web
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
erik/slugkit#52
No description provided.