webao/webAO/ext_packet.ts, branch master WebAO fork Add passkey authentication (WebAuthn) 2026-04-18T16:52:23+00:00 Osmium Sorcerer os@sof.beauty 2026-04-07T13:19:40+00:00 aa4c30bb6d1e46b5019065fba6c0eb3c08aa1f34 Bring in the subprotocol (the same as what's used on the desktop client for public-key authentication) to carry the relevant messages: - AuthRequest: first step in the flow, the client sends it to signal the intent to authenticate to the server. - AssertCredential and AssertionFinish: server's challenge and client's response, respectively, to finalize the flow. - RegisterCredential and RegistrationFinish: same structure as the above. Unlike the simple public-key auth with an out-of-band setup, passkeys require user interaction to register. User must be authorized. Validate all relevant checks on the API side, and hand the data over to the server for it to verify attestations and assertions. Because it's a primary auth mechanism (not a second factor), require user verification. As we don't use any other method on web, add a passkey button as the only sign-in interface. Passkeys are discoverable, we don't even need a username. 
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:

- AuthRequest: first step in the flow, the client sends it to signal the
  intent to authenticate to the server.

- AssertCredential and AssertionFinish: server's challenge and client's
  response, respectively, to finalize the flow.

- RegisterCredential and RegistrationFinish: same structure as the
  above. Unlike the simple public-key auth with an out-of-band setup,
  passkeys require user interaction to register. User must be
  authorized.

Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.

Because it's a primary auth mechanism (not a second factor), require
user verification.

As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.