topaLE/vaultwarden - vaultwarden - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
Zaid Marji	019a1adf98	webauthn: passkey-management module + login hardening + Result-typed 2FA lookups - src/api/core/passkeys.rs: extract passkey-management endpoints into their own module from api/core/mod.rs - src/api/core/two_factor/webauthn.rs: add extensions field to the PublicKeyCredentialCopy / RegisterPublicKeyCredentialCopy serde wrappers with serde(default, alias = clientExtensionResults), and propagate through the From impls - src/api/core/two_factor/{authenticator,duo,email,protected_actions,yubikey}.rs: propagate ? cascade for find_by_user_and_type's new Result<Option<TwoFactor>, Error> signature - src/api/core/{accounts,ciphers,mod}.rs: rotate-key PRF rewrap, /sync webauthn_prf_options gating - src/api/identity.rs: webauthn_login grant hardening + defensive documentation justifying unauth-grant 503-vs-AUTH_FAILED asymmetries - src/db/models/two_factor.rs: try_find_by_user, find_by_user_and_type Result-ification, take_by_user_and_type, is_policy_provider* predicates, POLICY_PROVIDER_TYPES const - src/db/models/user.rs: try_find_by_uuid sibling, WebAuthnCredential delete cascade in User::delete - src/db/models/web_authn_credential.rs: model hardening - migrations/*: schema additions for webauthn passkey credentials - playwright/tests/passkey.spec.ts: passkey feature tests - README.md, scss.hbs, config.rs: docs, UI hides, feature flag	2 weeks ago
Zaid Marji	89a9ef9afa	Prevent duplicate passkey credential registration Add a credential_id_hash column containing sha256-hex of the raw WebAuthn credential ID and enforce it with a unique index across all three backends. Check credential_id_hash before saving to return a clean duplicate-passkey error in the common case, and map database unique violations to the same error to close the TOCTOU window. Keep PRF keyset/status unit coverage exhaustive so a refactor cannot accidentally report partial PRF state as enabled.	3 weeks ago
Zaid Marji	ced3520def	Harden passkey login flow Consume passkey challenges before parsing or user lookup so every submission carrying a valid token is single-use, then delay user-scoped event attribution and account-state checks until the assertion is cryptographically bound to a registered credential. Return the generic passkey auth failure for malformed assertions, missing or corrupt challenges, unverified email state, and failed WebAuthn verification; do not send verification-reminder email from this unauthenticated flow. Add WebAuthn DOMAIN compatibility gates, stricter PRF option gating, key-rotation race checks, cascade deletes, login rate limits on authenticated passkey endpoints, and typed credential IDs on delete.	3 weeks ago
Zaid Marji	5760ade325	Fix and harden the passkey login implementation - Wire key rotation to re-encrypt each passkey's PRF keys, with a superset check in validate_keydata so a passkey can't be left stale. - Persist signature-counter updates and rotated PRF keys with column-scoped writes, avoiding a broad full-row credential update. - Compute prfStatus as the full WebAuthnPrfStatus instead of a 1/0 placeholder. - Move the login challenge from an in-memory cache to a DB-backed table with a scheduled cleanup job. - Use webauthn-rs's discoverable-credential API instead of the JSON state-injection workaround. - Make challenge consumption single-use, rate-limit assertion-options, and return a single generic auth-failure message. - Honor SSO_ONLY at every passkey entry point: login grant, enrollment, refresh, and the unauthenticated assertion-options challenge. - Migrations: real MySQL foreign key and indexes. - Add prfStatus unit tests; codebase-consistency pass.	2 weeks ago
Sammy ETUR	1cdf0b7b86	Feat add webauthn login Co-authored-by: zUnixorn <dev@jonascrull.de>	4 months ago