feat: Passkey support

[merlindru]

What does this PR do?

Fixes #13342
Fixes CAL-2984

This PR adds passkey support for logging in through Hanko Passkeys.

Type of change

• New feature (non-breaking change which adds functionality)
• This change requires a documentation update (probably)

How should this be tested?

• Go to cloud.hanko.io and create a "Passkey API" project
  • Then create a new API key
    set it to HANKO_PASSKEYS_API_KEY="<api key>"
    (quotes important)
  • Copy the tenant ID to NEXT_PUBLIC_HANKO_PASSKEYS_TENANT_ID=<tenant id>
• Log in as normal (with password/google/...)
• Go to settings > passkeys > create a new passkey
• Log out
• Go to login > sign in with a passkey

Mandatory Tasks

• Make sure you have self-reviewed the code. A decent size PR without self-review might be rejected.

next-auth-options.ts

Please review this file, there are substantial changes that might be unsafe. I am not sure if the file in it's current form is okay:

This PR changes the very important authorize function. I'm not sure if we want to keep it like this, but the authorize function itself does a lot of checks, only some relevant to credentials.

Instead of duplicating it, I added a second parameter, unsafe, intended to only be used from server code like in the PasskeyProvider. Using it is very explicit, you have to pass undefined as a first parameter, so it's clear that you shouldn't be using this functionality unless you're sure what you're doing:

// Example usage of authorize function
const sessionData = authorize(undefined, { unsafe: { userId: 123 }})

When unsafe is used, all the checks dependent on credentials are not being run anymore.

I am not sure how safe this is, or if a larger refactor is needed that properly separates checks dependent on credentials from all other checks. (That would certainly be cleaner, though)

Checklist

• I haven't checked if my PR needs changes to the documentation
• I haven't added tests that prove my fix is effective or that my feature works

Adds passkey button to login page:

Adds "Passkeys" settings section to sidebar:

Adds passkeys settings page

Empty:

• Is the icon alright here? it looks somewhat more chunky than the "link" icon used e.g. for event types and api keys
• On the other hand, it's the same icon we're using for passkeys everywhere (including the login page "Sign in with a passkey" button

---

Clicking on the "add" button and "sign in with a passkey" buttons opens a browser dialog. This looks different for every browser, phone, etc.

For example:

With passkeys added:

• The name is set by the Hanko Passkeys API (our backend). We'll improve the name soon so it's not just a semi-random string and more user friendly
• If the passkey was used, the description says e.g. "Created 3 days ago • Last used 5 minutes ago"

Dropdown stolen straight from API settings page:

[vercel]

Someone is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

[CLAassistant]

All committers have signed the CLA.

[github-actions]

Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link.

[PeerRich]

hell yeah passkeys babyyyy

excited for this, will review

[merlindru]

Could also replace with

onError: (e: unknown) => {
    showToast(typeof e === "object" && e != null && "message" in e && typeof e.message === "string" ? e.message : t("something_went_wrong"), "error");

to get rid of eslint warning

[merlindru]

This still makes it appear above SSO. Is this position fine?

If we want it to be the last entry in the list, will have to add it below

[PeerRich]

positioning is fine

[merlindru]

Could also move this to an .svg file if preferred

[PeerRich]

this is fine, however, ideally you move this into calcom/components/icon

[PeerRich]

with this PR, can people also make an entire new account with passkeys? or just existing users?

[PeerRich]

added HANKO_PASSKEYS_API_KEY and NEXT_PUBLIC_HANKO_PASSKEYS_TENANT_ID to vercel

[github-actions]

Hey there, there is a merge conflict, can you take a look?

[github-actions]

This PR is being marked as stale due to inactivity.

[github-actions]

This PR is being marked as stale due to inactivity.

[keithwillcode]

Moving to 4.0 based on current priorities.

[keithwillcode]

Converted to draft until the conflicts can be resolved.

[github-actions]

This PR is being marked as stale due to inactivity.

[alishaz-polymath]

Thank you for the PR 🙏
However, upon further investigation, if we roll out we are likely to go with nextauth passkeys implementation for now: https://authjs.dev/reference/core/providers/passkey#resources

This PR touches too many core auth files and we are not feeling 100% comfortable merging something that can potentially affect all users auth negatively

[zomars]

We had a call between Felix and @merlindru from the Hanko team and @keithwillcode and myself. We're expecting a new PR with a much simpler approach in the upcoming weeks.