Passkey autofill support

[janko]

For the past few days I've been trying to hook up WebAuthn autofill UI (officially known as "Conditional UI") to the default Rodauth login flow. I managed to extend the webauthn_login feature to do what I want, so I wanted to share my findings here, and explore the possibility of shipping this in Rodauth.

Firstly, the email field needs to have autocomplete="email webauthn". The navigator.credentials.get should be called already on page load with mediation: "conditional" top-level option, and will resolve if the user passed the user verification check. It's worth noting this doesn't force using passkeys for the user, it just augments the existing flow.

The passkeys.dev docs recommend asking for preferred user verification (userVerification: "preferred") and discoverable credentials (residentKey: "required", requireResidentKey is deprecated).

webauthn_user_verification "preferred"
webauthn_authenticator_selection do
  super().except("requireResidentKey").merge("residentKey" => "required")
end

I rendered the WebAuthn auth form on the initial login page load, and had it point to /webauthn-login. Since at this point we haven't established the user's identity (no email has been entered), I had to override account_webauthn_ids to return an empty array, so that webauthn_credential_options_for_get can get called.

account_webauthn_ids { logged_in? || account ? super() : [] }

Once the user choses a WebAuthn credential, the WebAuthn login form is automatically submitted. Now, WebAuthn protocol doesn't support retrieving the user's email address from the credential (even though it was set when the credential was created), so in the /webauthn-login route we don't know the user's email address. I modified the flow to retrieve the account from WebAuthn user ID, which is found in response.userHandle of the credential.

account_from_login do |login|
  if request.path == webauthn_login_path && login.empty?
    data = JSON.parse(param(webauthn_auth_param))
    user_id = data["response"]["userHandle"]
    account_id = db[webauthn_user_ids_table]
      .where(webauthn_user_ids_webauthn_id_column => user_id)
      .get(webauthn_user_ids_account_id_column)

    account_ds(account_id).first
  else
    super(login)
  end
end

The complete code can be found here, I pushed it to a branch in the rodauth-demo-rails repository. To make things simpler for me, I implemented the JavaScript part using @github/webauthn-json, but of course the code can be adapted not to rely on it.

[jeremyevans]

I open to shipping this with Rodauth, but I think it should be implemented as a separate feature that depends on the webauthn_login feature. The javascript would need to be self contained as well.