From aa4c30bb6d1e46b5019065fba6c0eb3c08aa1f34 Mon Sep 17 00:00:00 2001
From: Osmium Sorcerer <os@sof.beauty>
Date: Tue, 7 Apr 2026 13:19:40 +0000
Subject: Add passkey authentication (WebAuthn)

Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:

- AuthRequest: first step in the flow, the client sends it to signal the
  intent to authenticate to the server.

- AssertCredential and AssertionFinish: server's challenge and client's
  response, respectively, to finalize the flow.

- RegisterCredential and RegistrationFinish: same structure as the
  above. Unlike the simple public-key auth with an out-of-band setup,
  passkeys require user interaction to register. User must be
  authorized.

Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.

Because it's a primary auth mechanism (not a second factor), require
user verification.

As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
---
 public/client.html | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'public')

diff --git a/public/client.html b/public/client.html
index a476915..a77132d 100644
--- a/public/client.html
+++ b/public/client.html
@@ -937,6 +937,12 @@
         </span>
         <br />
         <br />
+        <fieldset style="margin: 1rem auto; padding: 1rem; max-width: 200px;">
+        <legend>Authenticate</legend>
+        <div><button type="button" id="use_passkey" class="client_button hover_button">Use passkey</button></div>
+        </fieldset>
+        <br />
+        <br />
         <button id="client_disconnect" onclick="DisconnectButton()">
           Disconnect
         </button>
-- 
cgit