Passkey login handler

Author: tonkku107

crates/handlers/src/lib.rs

@@ -48,6 +48,7 @@ use opentelemetry::metrics::Meter;
 use sqlx::PgPool;
 use tower::util::AndThenLayer;
 use tower_http::cors::{Any, CorsLayer};
+use webauthn::Webauthn;
 
 use self::{graphql::ExtraRouterParameters, passwords::PasswordManager};
 
@@ -329,6 +330,7 @@ where
     Limiter: FromRef<S>,
     reqwest::Client: FromRef<S>,
     Arc<dyn HomeserverConnection>: FromRef<S>,
+    Webauthn: FromRef<S>,
     BoxClock: FromRequestParts<S>,
     BoxRng: FromRequestParts<S>,
     Policy: FromRequestParts<S>,
@@ -371,6 +373,10 @@ where
             mas_router::Login::route(),
             get(self::views::login::get).post(self::views::login::post),
         )
+        .route(
+            mas_router::PasskeyLogin::route(),
+            get(self::views::login::passkey::get).post(self::views::login::passkey::post),
+        )
         .route(mas_router::Logout::route(), post(self::views::logout::post))
         .route(
             mas_router::Reauth::route(),

crates/handlers/src/test_utils.rs

@@ -111,6 +111,7 @@ pub(crate) struct TestState {
     pub rng: Arc<Mutex<ChaChaRng>>,
     pub http_client: reqwest::Client,
     pub task_tracker: TaskTracker,
+    pub webauthn: Webauthn,
 
     #[allow(dead_code)] // It is used, as it will cancel the CancellationToken when dropped
     cancellation_drop_guard: Arc<DropGuard>,
@@ -253,6 +254,7 @@ impl TestState {
             rng,
             http_client,
             task_tracker,
+            webauthn,
             cancellation_drop_guard: Arc::new(shutdown_token.drop_guard()),
         })
     }
@@ -548,6 +550,12 @@ impl FromRef<TestState> for reqwest::Client {
     }
 }
 
+impl FromRef<TestState> for Webauthn {
+    fn from_ref(input: &TestState) -> Self {
+        input.webauthn.clone()
+    }
+}
+
 impl FromRequestParts<TestState> for ActivityTracker {
     type Rejection = Infallible;
 

crates/handlers/src/views/login.rs renamed to crates/handlers/src/views/login/mod.rs

@@ -4,6 +4,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 // Please see LICENSE in the repository root for full details.
 
+pub mod passkey;
+
 use std::sync::Arc;
 
 use axum::{

crates/handlers/src/views/login/passkey/cookie.rs

@@ -0,0 +1,101 @@
+// Copyright 2025 New Vector Ltd.
+//
+// SPDX-License-Identifier: AGPL-3.0-only
+// Please see LICENSE in the repository root for full details.
+
+use std::collections::BTreeSet;
+
+use chrono::{DateTime, Duration, Utc};
+use mas_axum_utils::cookies::CookieJar;
+use mas_data_model::UserPasskeyChallenge;
+use mas_storage::Clock;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+use ulid::Ulid;
+
+/// Name of the cookie
+static COOKIE_NAME: &str = "user-passkey-challenges";
+
+/// Sessions expire after an hour
+static SESSION_MAX_TIME: Duration = Duration::hours(1);
+
+/// The content of the cookie, which stores a list of user passkey challenge IDs
+#[derive(Serialize, Deserialize, Default, Debug)]
+pub struct UserPasskeyChallenges(BTreeSet<Ulid>);
+
+#[derive(Debug, Error, PartialEq, Eq)]
+#[error("user passkey challenge not found")]
+pub struct UserPasskeyChallengeNotFound;
+
+impl UserPasskeyChallenges {
+    /// Load the user passkey challenges cookie
+    pub fn load(cookie_jar: &CookieJar) -> Self {
+        match cookie_jar.load(COOKIE_NAME) {
+            Ok(Some(challenges)) => challenges,
+            Ok(None) => Self::default(),
+            Err(e) => {
+                tracing::warn!(
+                    error = &e as &dyn std::error::Error,
+                    "Invalid passkey challenges cookie"
+                );
+                Self::default()
+            }
+        }
+    }
+
+    /// Returns true if the cookie is empty
+    pub fn is_empty(&self) -> bool {
+        self.0.is_empty()
+    }
+
+    /// Save the user passkey challenges to the cookie jar
+    pub fn save<C>(self, cookie_jar: CookieJar, clock: &C) -> CookieJar
+    where
+        C: Clock,
+    {
+        let this = self.expire(clock.now());
+
+        if this.is_empty() {
+            cookie_jar.remove(COOKIE_NAME)
+        } else {
+            cookie_jar.save(COOKIE_NAME, &this, false)
+        }
+    }
+
+    fn expire(mut self, now: DateTime<Utc>) -> Self {
+        self.0.retain(|id| {
+            let Ok(ts) = id.timestamp_ms().try_into() else {
+                return false;
+            };
+            let Some(when) = DateTime::from_timestamp_millis(ts) else {
+                return false;
+            };
+            now - when < SESSION_MAX_TIME
+        });
+
+        self
+    }
+
+    /// Add a new challenge
+    pub fn add(mut self, passkey_challenge: &UserPasskeyChallenge) -> Self {
+        self.0.insert(passkey_challenge.id);
+        self
+    }
+
+    /// Check if the challenge is in the list
+    pub fn contains(&self, passkey_challenge: &UserPasskeyChallenge) -> bool {
+        self.0.contains(&passkey_challenge.id)
+    }
+
+    /// Mark a challenge as consumed to avoid replay
+    pub fn consume_challenge(
+        mut self,
+        passkey_challenge: &UserPasskeyChallenge,
+    ) -> Result<Self, UserPasskeyChallengeNotFound> {
+        if !self.0.remove(&passkey_challenge.id) {
+            return Err(UserPasskeyChallengeNotFound);
+        }
+
+        Ok(self)
+    }
+}