Add passkey (WebAuthn) authentication with self-registration

Enable users to sign up and sign in using passkeys (biometrics/security keys) without needing a manually-created Authentik account. The existing SSO login remains as an alternative. Backend: - Add WebAuthn registration/authentication endpoints via py-webauthn - Issue HS256 JWTs for passkey users, with Redis-backed challenge storage - Dual JWT verification in auth middleware (issuer-based routing: passkey HS256 vs Authentik RS256) - PasskeyCredential model + migration making user.password nullable - UserRepository with full CRUD for users and credentials Frontend: - AuthUser type abstraction unifying OIDC and passkey users - Passkey service using @simplewebauthn/browser for WebAuthn ceremonies - LoginModal redesigned with Sign In / Sign Up tabs - Type migration from oidc-client-ts User to AuthUser across all services and components
2026-02-07 00:34:47 +00:00 · 2026-02-07 00:34:47 +00:00 · a8b7eace48
commit a8b7eace48
parent 95c0ddc4c6
26 changed files with 1229 additions and 129 deletions
--- a/crawler/alembic/versions/b4c7d8e9f0a1_add_passkey_auth.py
+++ b/crawler/alembic/versions/b4c7d8e9f0a1_add_passkey_auth.py
@ -0,0 +1,66 @@
+"""add passkey auth
+
+Revision ID: b4c7d8e9f0a1
+Revises: a1b2c3d4e5f6
+Create Date: 2025-07-15 10:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'b4c7d8e9f0a1'
+down_revision: Union[str, None] = 'a1b2c3d4e5f6'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # Make user.password nullable
+    op.alter_column('user', 'password',
+                    existing_type=sqlmodel.sql.sqltypes.AutoString(),
+                    nullable=True)
+
+    # Add created_at to user table
+    op.add_column('user',
+                  sa.Column('created_at', sa.DateTime(),
+                            nullable=True,
+                            server_default=sa.func.now()))
+
+    # Create passkeycredential table
+    op.create_table('passkeycredential',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('credential_id', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
+        sa.Column('public_key', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
+        sa.Column('sign_count', sa.Integer(), nullable=False),
+        sa.Column('transports', sqlmodel.sql.sqltypes.AutoString(), nullable=True),
+        sa.Column('user_id', sa.Integer(), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=True,
+                  server_default=sa.func.now()),
+        sa.ForeignKeyConstraint(['user_id'], ['user.id']),
+        sa.PrimaryKeyConstraint('id'),
+    )
+    op.create_index(op.f('ix_passkeycredential_credential_id'),
+                    'passkeycredential', ['credential_id'], unique=True)
+    op.create_index(op.f('ix_passkeycredential_user_id'),
+                    'passkeycredential', ['user_id'], unique=False)
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    op.drop_index(op.f('ix_passkeycredential_user_id'),
+                  table_name='passkeycredential')
+    op.drop_index(op.f('ix_passkeycredential_credential_id'),
+                  table_name='passkeycredential')
+    op.drop_table('passkeycredential')
+
+    op.drop_column('user', 'created_at')
+
+    op.alter_column('user', 'password',
+                    existing_type=sqlmodel.sql.sqltypes.AutoString(),
+                    nullable=False)