feat(web): multiple webauthn credential registration

This implements multiple WebAuthn Credential registrations by means of a generic user settings UI. Closes #275, Closes #4366 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Co-authored-by: Stephen Kent <smkent@smkent.net> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
authelia · Mar 4, 2024 · c0dbdd9 · c0dbdd9
1 parent 358b667
commit c0dbdd9
Show file tree

Hide file tree

Showing 143 changed files with 3,486 additions and 1,706 deletions.
diff --git a/api/openapi.yml b/api/openapi.yml
@@ -808,7 +808,7 @@ paths:
         - Second Factor
       summary: Identity Verification FIDO2 WebAuthn Credential Validation
       description: >
-        This endpoint performs identity and token verification, upon success generates a FIDO2 WebAuthn device
+        This endpoint performs identity and token verification, upon success generates a FIDO2 WebAuthn credential
         attestation challenge (registration).
 
         The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised
@@ -849,6 +849,45 @@ paths:
                 $ref: '#/components/schemas/middlewares.OkResponse'
       security:
         - authelia_auth: []
+  /api/secondfactor/webauthn/credentials/{credentialID}:
+    delete:
+      tags:
+        - Second Factor
+      summary: WebAuthn Credential Deletion
+      description: This endpoint deletes the specified WebAuthn credential.
+      responses:
+        "200":
+          description: Successful Operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/middlewares.OkResponse'
+      security:
+        - authelia_auth: []
+      parameters:
+        - $ref: '#/components/parameters/deviceID'
+    put:
+      tags:
+        - Second Factor
+      summary: WebAuthn Credential Update
+      description: This endpoint updates the description of the specified WebAuthn credential.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/webauthn.CredentialUpdateRequest'
+      responses:
+        "200":
+          description: Successful Operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/middlewares.OkResponse'
+      security:
+        - authelia_auth: []
+      parameters:
+        - $ref: '#/components/parameters/deviceID'
   {{- end }}
   {{- if .Duo }}
   /api/secondfactor/duo:
@@ -1557,6 +1596,13 @@ paths:
   {{- end }}
 components:
   parameters:
+    deviceID:
+      in: path
+      name: credentialID
+      schema:
+        type: integer
+      required: true
+      description: Numeric WebAuthn Credential ID
     originalMethodParam:
       name: X-Original-Method
       in: header
@@ -2041,23 +2087,28 @@ components:
           type: string
           format: byte
     webauthn.CredentialAttestationResponse:
-      allOf:
-        - $ref: '#/components/schemas/webauthn.PublicKeyCredential'
-        - type: object
-          properties:
-            clientExtensionResults:
-              type: object
+      type: object
+      properties:
+        credential:
+          allOf:
+            - $ref: '#/components/schemas/webauthn.PublicKeyCredential'
+            - type: object
               properties:
-                appidExclude:
-                  type: boolean
-            response:
-              allOf:
-                - $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
-                - type: object
+                clientExtensionResults:
+                  type: object
                   properties:
-                    attestationObject:
-                      type: string
-                      format: byte
+                    appidExclude:
+                      type: boolean
+                response:
+                  allOf:
+                    - $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
+                    - type: object
+                      properties:
+                        attestationObject:
+                          type: string
+                          format: byte
+        description:
+          type: string
     webauthn.CredentialAssertionResponse:
       allOf:
         - $ref: '#/components/schemas/webauthn.PublicKeyCredential'
@@ -2098,6 +2149,11 @@ components:
                       format: uuid
                       pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
                       example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
+    webauthn.CredentialUpdateRequest:
+      type: object
+      properties:
+        description:
+          type: string
     webauthn.PublicKeyCredentialCreationOptions:
       type: object
       properties:

diff --git a/cmd/authelia-gen/cmd_docs_jsonschema.go b/cmd/authelia-gen/cmd_docs_jsonschema.go
@@ -20,7 +20,7 @@ import (
 
 func newDocsJSONSchemaCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "json-schema",
+		Use:   pathJSONSchema,
 		Short: "Generate docs JSON schema",
 		RunE:  rootSubCommandsRunE,
 
@@ -147,7 +147,7 @@ func docsJSONSchemaExportsWebAuthnRunE(cmd *cobra.Command, args []string) (err e
 		return err
 	}
 
-	return docsJSONSchemaGenerateRunE(cmd, args, version, schemaDir, &model.WebAuthnDeviceDataExport{}, dir, file, nil)
+	return docsJSONSchemaGenerateRunE(cmd, args, version, schemaDir, &model.WebAuthnCredentialDataExport{}, dir, file, nil)
 }
 
 func docsJSONSchemaExportsIdentifiersRunE(cmd *cobra.Command, args []string) (err error) {

diff --git a/cmd/authelia-gen/cmd_root_test.go b/cmd/authelia-gen/cmd_root_test.go
@@ -90,7 +90,7 @@ func TestSortCmds(t *testing.T) {
 		{
 			"ShouldSortDocsCmd",
 			newDocsCmd(),
-			[]string{"cli", "data", "json-schema", "date"},
+			[]string{"cli", "data", pathJSONSchema, "date"},
 		},
 		{
 			"ShouldSortGitHubCmd",

diff --git a/cmd/authelia-gen/const.go b/cmd/authelia-gen/const.go
@@ -39,6 +39,11 @@ const (
 	fileGitHubIssueTemplateBR = ".github/ISSUE_TEMPLATE/bug-report.yml"
 )
 
+const (
+	pathJSONSchema = "json-schema"
+	extJSON        = ".json"
+)
+
 const (
 	dateFmtRFC2822 = "Mon, _2 Jan 2006 15:04:05 -0700"
 	dateFmtYAML    = "2006-01-02T15:04:05-07:00"

diff --git a/docs/content/en/configuration/storage/migrations.md b/docs/content/en/configuration/storage/migrations.md
@@ -39,3 +39,8 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel
 |       8        |      4.38.0      |                          OpenID Connect 1.0 Pushed Authorization Requests                          |
 |       9        |      4.38.0      | Fix a PostgreSQL NOT NULL constraint issue on the `aaguid` column of the `webauthn_devices` table  |
 |       10       |      4.38.0      |   Fix constraints on the `oauth2_access_token_session` table for the `client credentials` grant    |
+|       11       |      4.38.0      |             Adjust constraints for JWT Profile for OAuth 2.0 Access Tokens ([RFC9068])             |
+|       12       |      4.38.0      |                        WebAuthn adjustments for multi-cookie domain changes                        |
+
+
+[RFC9068]: https://datatracker.ietf.org/doc/html/rfc9068
diff --git a/docs/content/en/contributing/guidelines/database-schema.md b/docs/content/en/contributing/guidelines/database-schema.md
@@ -2,7 +2,7 @@
 title: "Database Schema"
 description: "Authelia Development Database Schema Guidelines"
 lead: "This section covers the database schema guidelines we use for development."
-date: 2022-11-19T16:47:09+11:00
+date: 2022-11-19T17:42:03+11:00
 draft: false
 images: []
 menu:

diff --git a/docs/content/en/overview/authentication/security-key/index.md b/docs/content/en/overview/authentication/security-key/index.md
@@ -45,14 +45,14 @@ Easy, right?!
 
 ## Frequently Asked Questions
 
-### Can I register multiple FIDO2 WebAuthn devices?
+### Can I register multiple FIDO2 WebAuthn credentials?
 
-At present this is not possible in the frontend. However the backend technically supports it. We plan to add this to the
-frontend in the near future. Subscribe to [this issue](https://github.com/authelia/authelia/issues/275) for updates.
+Yes, as of v4.38.0 and above Authelia supports registering multiple WebAuthn credentials as per the
+[roadmap](../../../roadmap/active/webauthn.md#multi-device-registration).
 
 ### Can I perform a passwordless login?
 
-Not at this time. We will tackle this at a later date.
+Not at this time. We will tackle this at a later date as per the [roadmap](../../../roadmap/active/webauthn.md#passwordless-login).
 
 ### Why don't I have access to the *Security Key* option?
 

diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user.md b/docs/content/en/reference/cli/authelia/authelia_storage_user.md
@@ -63,5 +63,5 @@ authelia storage user --help
 * [authelia storage](authelia_storage.md)	 - Manage the Authelia storage
 * [authelia storage user identifiers](authelia_storage_user_identifiers.md)	 - Manage user opaque identifiers
 * [authelia storage user totp](authelia_storage_user_totp.md)	 - Manage TOTP configurations
-* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn devices
+* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn credentials
 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md
@@ -14,13 +14,13 @@ toc: true
 
 ## authelia storage user webauthn
 
-Manage WebAuthn devices
+Manage WebAuthn credentials
 
 ### Synopsis
 
-Manage WebAuthn devices.
+Manage WebAuthn credentials.
 
-This subcommand allows interacting with WebAuthn devices.
+This subcommand allows interacting with WebAuthn credentials.
 
 ### Examples
 
@@ -61,8 +61,8 @@ authelia storage user webauthn --help
 ### SEE ALSO
 
 * [authelia storage user](authelia_storage_user.md)	 - Manages user settings
-* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md)	 - Delete a WebAuthn device
-* [authelia storage user webauthn export](authelia_storage_user_webauthn_export.md)	 - Perform exports of the WebAuthn devices
-* [authelia storage user webauthn import](authelia_storage_user_webauthn_import.md)	 - Perform imports of the WebAuthn devices
-* [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md)	 - List WebAuthn devices
+* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md)	 - Delete a WebAuthn credential
+* [authelia storage user webauthn export](authelia_storage_user_webauthn_export.md)	 - Perform exports of the WebAuthn credentials
+* [authelia storage user webauthn import](authelia_storage_user_webauthn_import.md)	 - Perform imports of the WebAuthn credentials
+* [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md)	 - List WebAuthn credentials
 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md
@@ -14,13 +14,13 @@ toc: true
 
 ## authelia storage user webauthn delete
 
-Delete a WebAuthn device
+Delete a WebAuthn credential
 
 ### Synopsis
 
-Delete a WebAuthn device.
+Delete a WebAuthn credential.
 
-This subcommand allows deleting a WebAuthn device directly from the database.
+This subcommand allows deleting a WebAuthn credential directly from the database.
 
 ```
 authelia storage user webauthn delete [username] [flags]
@@ -43,10 +43,10 @@ authelia storage user webauthn delete --kid abc123 --encryption-key b3453fde-ecc
 ### Options
 
 ```
-      --all                  delete all of the users webauthn devices
-      --description string   delete a users webauthn device by description
+      --all                  delete all of the users WebAuthn credentials
+      --description string   delete a users WebAuthn credential by description
   -h, --help                 help for delete
-      --kid string           delete a users webauthn device by key id
+      --kid string           delete a users WebAuthn credential by key id
 ```
 
 ### Options inherited from parent commands
@@ -75,5 +75,5 @@ authelia storage user webauthn delete --kid abc123 --encryption-key b3453fde-ecc
 
 ### SEE ALSO
 
-* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn devices
+* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn credentials
 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_export.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_export.md
@@ -14,13 +14,13 @@ toc: true
 
 ## authelia storage user webauthn export
 
-Perform exports of the WebAuthn devices
+Perform exports of the WebAuthn credentials
 
 ### Synopsis
 
-Perform exports of the WebAuthn devices.
+Perform exports of the WebAuthn credentials.
 
-This subcommand allows exporting WebAuthn devices to various formats.
+This subcommand allows exporting WebAuthn credentials to various formats.
 
 ```
 authelia storage user webauthn export [flags]
@@ -68,5 +68,5 @@ authelia storage user webauthn export--encryption-key b3453fde-ecc2-4a1f-9422-27
 
 ### SEE ALSO
 
-* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn devices
+* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn credentials
 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_import.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_import.md
@@ -14,13 +14,13 @@ toc: true
 
 ## authelia storage user webauthn import
 
-Perform imports of the WebAuthn devices
+Perform imports of the WebAuthn credentials
 
 ### Synopsis
 
-Perform imports of the WebAuthn devices.
+Perform imports of the WebAuthn credentials.
 
-This subcommand allows importing WebAuthn devices from various formats.
+This subcommand allows importing WebAuthn credentials from various formats.
 
 ```
 authelia storage user webauthn import <filename> [flags]
@@ -67,5 +67,5 @@ authelia storage user webauthn import --file authelia.export.webauthn.yaml --enc
 
 ### SEE ALSO
 
-* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn devices
+* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn credentials
 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md
@@ -14,13 +14,13 @@ toc: true
 
 ## authelia storage user webauthn list
 
-List WebAuthn devices
+List WebAuthn credentials
 
 ### Synopsis
 
-List WebAuthn devices.
+List WebAuthn credentials.
 
-This subcommand allows listing WebAuthn devices.
+This subcommand allows listing WebAuthn credentials.
 
 ```
 authelia storage user webauthn list [username] [flags]
@@ -69,5 +69,5 @@ authelia storage user webauthn list john --encryption-key b3453fde-ecc2-4a1f-942
 
 ### SEE ALSO
 
-* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn devices
+* [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage WebAuthn credentials
 
diff --git a/docs/content/en/reference/integrations/database-integrations.md b/docs/content/en/reference/integrations/database-integrations.md
@@ -2,7 +2,7 @@
 title: "Database Integrations"
 description: "A database integration reference guide"
 lead: "This section contains a database integration reference guide for Authelia."
-date: 2022-11-19T16:47:09+11:00
+date: 2022-11-19T17:42:03+11:00
 draft: false
 images: []
 menu:

diff --git a/docs/content/en/reference/integrations/introduction.md b/docs/content/en/reference/integrations/introduction.md
@@ -2,7 +2,7 @@
 title: "Integrations"
 description: "A collection of integration reference guides"
 lead: "This section contains integration reference guides for Authelia."
-date: 2022-11-19T16:47:09+11:00
+date: 2022-11-19T17:42:03+11:00
 draft: false
 images: []
 menu:

diff --git a/docs/data/languages.json b/docs/data/languages.json
@@ -7,14 +7,16 @@
         "namespace": "portal"
     },
     "namespaces": [
-        "portal"
+        "portal",
+        "settings"
     ],
     "languages": [
         {
             "display": "English",
             "locale": "en",
             "namespaces": [
-                "portal"
+                "portal",
+                "settings"
             ],
             "fallbacks": [
                 "en"