Passkey login handler

Author: tonkku107

crates/handlers/Cargo.toml

@@ -85,7 +85,7 @@ rand.workspace = true
 rand_chacha.workspace = true
 headers.workspace = true
 ulid.workspace = true
-webauthn-rs = { version = "0.5.1", features = ["danger-allow-state-serialisation"]}
+webauthn-rs = { version = "0.5.1", features = ["danger-allow-state-serialisation", "conditional-ui"]}
 webauthn-rs-proto = "0.5.1"
 
 mas-axum-utils.workspace = true

crates/handlers/src/lib.rs

@@ -371,6 +371,10 @@ where
             mas_router::Login::route(),
             get(self::views::login::get).post(self::views::login::post),
         )
+        .route(
+            mas_router::PasskeyLogin::route(),
+            get(self::views::login::passkey::get).post(self::views::login::passkey::post),
+        )
         .route(mas_router::Logout::route(), post(self::views::logout::post))
         .route(
             mas_router::Reauth::route(),

crates/handlers/src/views/login.rs renamed to crates/handlers/src/views/login/mod.rs

@@ -4,7 +4,7 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
-use std::sync::Arc;
+pub mod passkey;
 
 use axum::{
     extract::{Form, Query, State},
@@ -32,6 +32,7 @@ use mas_templates::{
 };
 use rand::Rng;
 use serde::{Deserialize, Serialize};
+use std::sync::Arc;
 use zeroize::Zeroizing;
 
 use super::shared::OptionalPostAuthAction;

crates/handlers/src/views/login/passkey/cookie.rs

@@ -0,0 +1,101 @@
+// Copyright 2025 New Vector Ltd.
+//
+// SPDX-License-Identifier: AGPL-3.0-only
+// Please see LICENSE in the repository root for full details.
+
+use std::collections::BTreeSet;
+
+use chrono::{DateTime, Duration, Utc};
+use mas_axum_utils::cookies::CookieJar;
+use mas_data_model::UserPasskeyChallenge;
+use mas_storage::Clock;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+use ulid::Ulid;
+
+/// Name of the cookie
+static COOKIE_NAME: &str = "user-passkey-challenges";
+
+/// Sessions expire after an hour
+static SESSION_MAX_TIME: Duration = Duration::hours(1);
+
+/// The content of the cookie, which stores a list of user passkey challenge IDs
+#[derive(Serialize, Deserialize, Default, Debug)]
+pub struct UserPasskeyChallenges(BTreeSet<Ulid>);
+
+#[derive(Debug, Error, PartialEq, Eq)]
+#[error("user passkey challenge not found")]
+pub struct UserPasskeyChallengeNotFound;
+
+impl UserPasskeyChallenges {
+    /// Load the user passkey challenges cookie
+    pub fn load(cookie_jar: &CookieJar) -> Self {
+        match cookie_jar.load(COOKIE_NAME) {
+            Ok(Some(challenges)) => challenges,
+            Ok(None) => Self::default(),
+            Err(e) => {
+                tracing::warn!(
+                    error = &e as &dyn std::error::Error,
+                    "Invalid passkey challenges cookie"
+                );
+                Self::default()
+            }
+        }
+    }
+
+    /// Returns true if the cookie is empty
+    pub fn is_empty(&self) -> bool {
+        self.0.is_empty()
+    }
+
+    /// Save the user passkey challenges to the cookie jar
+    pub fn save<C>(self, cookie_jar: CookieJar, clock: &C) -> CookieJar
+    where
+        C: Clock,
+    {
+        let this = self.expire(clock.now());
+
+        if this.is_empty() {
+            cookie_jar.remove(COOKIE_NAME)
+        } else {
+            cookie_jar.save(COOKIE_NAME, &this, false)
+        }
+    }
+
+    fn expire(mut self, now: DateTime<Utc>) -> Self {
+        self.0.retain(|id| {
+            let Ok(ts) = id.timestamp_ms().try_into() else {
+                return false;
+            };
+            let Some(when) = DateTime::from_timestamp_millis(ts) else {
+                return false;
+            };
+            now - when < SESSION_MAX_TIME
+        });
+
+        self
+    }
+
+    /// Add a new challenge
+    pub fn add(mut self, passkey_challenge: &UserPasskeyChallenge) -> Self {
+        self.0.insert(passkey_challenge.id);
+        self
+    }
+
+    /// Check if the challenge is in the list
+    pub fn contains(&self, passkey_challenge: &UserPasskeyChallenge) -> bool {
+        self.0.contains(&passkey_challenge.id)
+    }
+
+    /// Mark a challenge as consumed to avoid replay
+    pub fn consume_challenge(
+        mut self,
+        passkey_challenge: &UserPasskeyChallenge,
+    ) -> Result<Self, UserPasskeyChallengeNotFound> {
+        if !self.0.remove(&passkey_challenge.id) {
+            return Err(UserPasskeyChallengeNotFound);
+        }
+
+        Ok(self)
+    }
+}