NNTmux
diff --git a/‎app/Actions/Passkeys/ConfigureCeremonyStepManagerFactoryAction.php‎
Lines changed: 32 additions & 0 deletions b/‎app/Actions/Passkeys/ConfigureCeremonyStepManagerFactoryAction.php‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎app/Actions/Passkeys/FindPasskeyToAuthenticateAction.php‎
Lines changed: 51 additions & 0 deletions b/‎app/Actions/Passkeys/FindPasskeyToAuthenticateAction.php‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎app/Actions/Passkeys/GeneratePasskeyAuthenticationOptionsAction.php‎
Lines changed: 32 additions & 0 deletions b/‎app/Actions/Passkeys/GeneratePasskeyAuthenticationOptionsAction.php‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎app/Actions/Passkeys/GeneratePasskeyRegisterOptionsAction.php‎
Lines changed: 59 additions & 0 deletions b/‎app/Actions/Passkeys/GeneratePasskeyRegisterOptionsAction.php‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎app/Http/Controllers/Admin/AdminUserController.php‎
Lines changed: 65 additions & 1 deletion b/‎app/Http/Controllers/Admin/AdminUserController.php‎
Lines changed: 65 additions & 1 deletion
diff --git a/‎app/Http/Controllers/Auth/PasskeyLoginController.php‎
Lines changed: 108 additions & 0 deletions b/‎app/Http/Controllers/Auth/PasskeyLoginController.php‎
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Actions\Passkeys;
+
+use App\Support\Passkeys\RelyingPartyIdResolver;
+use Webauthn\CeremonyStep\CeremonyStepManagerFactory;
+
+final class ConfigureCeremonyStepManagerFactoryAction extends \Spatie\LaravelPasskeys\Actions\ConfigureCeremonyStepManagerFactoryAction
+{
+    public function execute(): CeremonyStepManagerFactory
+    {
+        $factory = parent::execute();
+
+        $request = request();
+        $rpId = RelyingPartyIdResolver::resolve($request);
+        $origins = [$request->getSchemeAndHttpHost()];
+
+        // HTTPS origins for normal environments.
+        $origins[] = "https://{$rpId}";
+
+        // Local development allowance for localhost over HTTP.
+        if ($rpId === 'localhost') {
+            $origins[] = 'http://localhost';
+        }
+
+        $factory->setAllowedOrigins(array_values(array_unique($origins)));
+
+        return $factory;
+    }
+}
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Actions\Passkeys;
+
+use App\Support\Passkeys\RelyingPartyIdResolver;
+use Spatie\LaravelPasskeys\Actions\ConfigureCeremonyStepManagerFactoryAction;
+use Spatie\LaravelPasskeys\Actions\FindPasskeyToAuthenticateAction as BaseFindPasskeyToAuthenticateAction;
+use Spatie\LaravelPasskeys\Models\Passkey;
+use Spatie\LaravelPasskeys\Support\Config;
+use Spatie\LaravelPasskeys\Support\CredentialRecordConverter;
+use Throwable;
+use Webauthn\AuthenticatorAssertionResponseValidator;
+use Webauthn\PublicKeyCredential;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialSource;
+
+final class FindPasskeyToAuthenticateAction extends BaseFindPasskeyToAuthenticateAction
+{
+    protected function determinePublicKeyCredentialSource(
+        PublicKeyCredential $publicKeyCredential,
+        PublicKeyCredentialRequestOptions $passkeyOptions,
+        Passkey $passkey,
+    ): ?PublicKeyCredentialSource {
+        $configureCeremonyStepManagerFactoryAction = Config::getAction(
+            'configure_ceremony_step_manager_factory',
+            ConfigureCeremonyStepManagerFactoryAction::class
+        );
+        $csmFactory = $configureCeremonyStepManagerFactoryAction->execute();
+        $requestCsm = $csmFactory->requestCeremony();
+
+        $host = RelyingPartyIdResolver::resolve();
+
+        try {
+            $validator = AuthenticatorAssertionResponseValidator::create($requestCsm);
+
+            $publicKeyCredentialSource = $validator->check(
+                $passkey->data,
+                $publicKeyCredential->response,
+                $passkeyOptions,
+                $host,
+                null,
+            );
+        } catch (Throwable) {
+            return null;
+        }
+
+        return CredentialRecordConverter::toPublicKeyCredentialSource($publicKeyCredentialSource);
+    }
+}
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Actions\Passkeys;
+
+use App\Support\Passkeys\RelyingPartyIdResolver;
+use Illuminate\Support\Facades\Session;
+use Illuminate\Support\Str;
+use Spatie\LaravelPasskeys\Actions\GeneratePasskeyAuthenticationOptionsAction as BaseGeneratePasskeyAuthenticationOptionsAction;
+use Spatie\LaravelPasskeys\Support\Serializer;
+use Webauthn\PublicKeyCredentialRequestOptions;
+
+final class GeneratePasskeyAuthenticationOptionsAction extends BaseGeneratePasskeyAuthenticationOptionsAction
+{
+    public function execute(): string
+    {
+        $rpId = RelyingPartyIdResolver::resolve();
+
+        $options = new PublicKeyCredentialRequestOptions(
+            challenge: Str::random(),
+            rpId: $rpId,
+            allowCredentials: [],
+        );
+
+        $options = Serializer::make()->toJson($options);
+
+        Session::flash('passkey-authentication-options', $options);
+
+        return $options;
+    }
+}
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Actions\Passkeys;
+
+use App\Support\Passkeys\RelyingPartyIdResolver;
+use Spatie\LaravelPasskeys\Actions\GeneratePasskeyRegisterOptionsAction as BaseGeneratePasskeyRegisterOptionsAction;
+use Spatie\LaravelPasskeys\Models\Concerns\HasPasskeys;
+use Spatie\LaravelPasskeys\Support\Config;
+use Webauthn\PublicKeyCredentialCreationOptions;
+use Webauthn\PublicKeyCredentialRpEntity;
+
+final class GeneratePasskeyRegisterOptionsAction extends BaseGeneratePasskeyRegisterOptionsAction
+{
+    public function execute(
+        HasPasskeys $authenticatable,
+        bool $asJson = true,
+    ): string|PublicKeyCredentialCreationOptions {
+        $options = parent::execute($authenticatable, $asJson);
+
+        if (! $asJson || ! is_string($options)) {
+            return $options;
+        }
+
+        $decoded = json_decode($options, true);
+        if (! is_array($decoded)) {
+            return $options;
+        }
+
+        $supportedAlgorithms = [
+            ['type' => 'public-key', 'alg' => -7],   // ES256
+            ['type' => 'public-key', 'alg' => -257], // RS256
+        ];
+
+        // Different serializer/browser integrations can use either shape:
+        // - options.pubKeyCredParams (WebAuthn JSON)
+        // - options.publicKey.pubKeyCredParams (navigator.credentials.create payload)
+        // Enforce valid algorithms for both to prevent "alg undefined" errors.
+        $decoded['pubKeyCredParams'] = $supportedAlgorithms;
+
+        if (isset($decoded['publicKey']) && is_array($decoded['publicKey'])) {
+            $decoded['publicKey']['pubKeyCredParams'] = $supportedAlgorithms;
+        }
+
+        return json_encode($decoded, JSON_THROW_ON_ERROR);
+    }
+
+    protected function relatedPartyEntity(): PublicKeyCredentialRpEntity
+    {
+        $rpId = RelyingPartyIdResolver::resolve();
+
+        return new PublicKeyCredentialRpEntity(
+            name: (string) Config::getRelyingPartyName(),
+            id: $rpId,
+            icon: Config::getRelyingPartyIcon(),
+        );
+    }
+}
@@ -12,9 +12,12 @@
 use App\Models\UserDownload;
 use App\Models\UserRequest;
 use Illuminate\Contracts\View\View;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
+use Spatie\LaravelPasskeys\Models\Passkey;
 use Spatie\Permission\Models\Role;
 
 class AdminUserController extends BasePageController
@@ -148,7 +151,7 @@ public function edit(Request $request)
                     // Check if role is changing and get stack preference
                     $roleChanged = $editedUser->roles_id != $request->input('role');
                     $stackRole = $request->input('stack_role') ? true : false; // Check if checkbox is checked
-                    $changedBy = auth()->check() ? auth()->id() : null;
+                    $changedBy = Auth::check() ? Auth::id() : null;
 
                     // CRITICAL: Capture the ORIGINAL rolechangedate BEFORE any updates
                     // This is needed for accurate role history tracking
@@ -269,6 +272,8 @@ public function edit(Request $request)
 
                     // Add daily API and download counts
                     if ($user) {
+                        $user->load('passkeys');
+
                         try {
                             $user->daily_api_count = UserRequest::getApiRequests($user->id);
                             $user->daily_download_count = UserDownload::getDownloadRequests($user->id);
@@ -349,4 +354,63 @@ public function verify(Request $request): RedirectResponse
 
         return redirect()->back()->with('error', 'User is invalid');
     }
+
+    public function destroyPasskey(Request $request, Passkey $passkey): RedirectResponse|JsonResponse
+    {
+        $targetUser = $passkey->authenticatable;
+        $targetUserId = $targetUser?->id;
+        $targetUsername = $targetUser?->username;
+        $passkeyName = $passkey->name;
+
+        $passkey->delete();
+
+        Log::channel('admin')->info('Admin deleted user passkey', [
+            'admin_user_id' => Auth::id(),
+            'target_user_id' => $targetUserId,
+            'target_username' => $targetUsername,
+            'passkey_id' => $passkey->id,
+            'passkey_name' => $passkeyName,
+        ]);
+
+        if ($request->expectsJson()) {
+            return response()->json(['ok' => true]);
+        }
+
+        $redirectUrl = $targetUserId
+            ? 'admin/user-edit?id='.$targetUserId
+            : 'admin/user-list';
+
+        return redirect()->to($redirectUrl)->with('success', 'Passkey deleted successfully.');
+    }
+
+    public function wipePasskeys(Request $request): RedirectResponse|JsonResponse
+    {
+        $validated = $request->validate([
+            'user_id' => ['required', 'integer', 'exists:users,id'],
+            'confirmation' => ['required', 'string', 'in:WIPE'],
+        ]);
+
+        $target = User::findOrFail((int) $validated['user_id']);
+        $wipedCount = $target->passkeys()->count();
+        $target->passkeys()->delete();
+
+        Log::channel('admin')->warning('Admin wiped user passkeys', [
+            'admin_user_id' => Auth::id(),
+            'target_user_id' => $target->id,
+            'target_username' => $target->username,
+            'wiped_count' => $wipedCount,
+        ]);
+
+        $message = "{$wipedCount} passkeys removed from {$target->username}. They can now regain access with their password or an admin-issued reset.";
+
+        if ($request->expectsJson()) {
+            return response()->json([
+                'ok' => true,
+                'wiped_count' => $wipedCount,
+                'message' => $message,
+            ]);
+        }
+
+        return redirect()->to('admin/user-edit?id='.$target->id)->with('success', $message);
+    }
 }
@@ -0,0 +1,108 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Auth;
+
+use App\Events\UserLoggedIn;
+use App\Http\Controllers\Controller;
+use App\Models\User;
+use App\Support\CaptchaHelper;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Session;
+use Illuminate\Support\Facades\Validator;
+use Spatie\LaravelPasskeys\Actions\FindPasskeyToAuthenticateAction;
+use Spatie\LaravelPasskeys\Events\PasskeyUsedToAuthenticateEvent;
+use Spatie\LaravelPasskeys\Http\Requests\AuthenticateUsingPasskeysRequest;
+use Spatie\LaravelPasskeys\Support\Config;
+
+final class PasskeyLoginController extends Controller
+{
+    public function __invoke(AuthenticateUsingPasskeysRequest $request): RedirectResponse
+    {
+        $captchaRules = CaptchaHelper::getValidationRules();
+        $captchaField = CaptchaHelper::getResponseFieldName();
+        $captchaValue = $request->input($captchaField);
+
+        // Passkey login should not be blocked when captcha widgets rotate/expire
+        // during WebAuthn prompts. If a captcha token is present, still validate it.
+        if ($captchaRules !== [] && is_string($captchaValue) && trim($captchaValue) !== '') {
+            $validator = Validator::make($request->all(), $captchaRules);
+            if ($validator->fails()) {
+                Log::channel('failed_login')->error(
+                    'Failed passkey login captcha check from IP address: '.$request->ip()
+                );
+
+                session()->flash('authenticatePasskey::message', $validator->errors()->first());
+                session()->flash('authenticatePasskey::reason', 'captcha');
+
+                return back();
+            }
+        }
+
+        $findAuthenticatableUsingPasskey = Config::getAction(
+            'find_passkey',
+            FindPasskeyToAuthenticateAction::class
+        );
+
+        $passkey = $findAuthenticatableUsingPasskey->execute(
+            $request->input('start_authentication_response'),
+            Session::get('passkey-authentication-options'),
+        );
+
+        if (! $passkey || ! $passkey->authenticatable instanceof User) {
+            Log::channel('failed_login')->error(
+                'Failed passkey login attempt from IP address: '.$request->ip()
+            );
+
+            session()->flash('authenticatePasskey::message', __('passkeys::passkeys.invalid'));
+            session()->flash('authenticatePasskey::reason', 'invalid_passkey');
+
+            return back();
+        }
+
+        $user = $passkey->authenticatable;
+
+        if ($user->trashed()) {
+            Log::channel('failed_login')->error(
+                'Failed passkey login for deactivated user: '.$user->username.' from IP address: '.$request->ip()
+            );
+
+            session()->flash(
+                'authenticatePasskey::message',
+                'This account has been deactivated. Please contact us through contact form to have your account reactivated.'
+            );
+
+            return back();
+        }
+
+        if (! $user->hasVerifiedEmail()) {
+            Log::channel('failed_login')->error(
+                'Failed passkey login for unverified user: '.$user->username.' from IP address: '.$request->ip()
+            );
+
+            session()->flash('authenticatePasskey::message', 'You have not verified your email address!');
+
+            return back();
+        }
+
+        Auth::login($user, $request->boolean('remember'));
+        $request->session()->regenerate();
+
+        // Passkey auth is treated as sufficient MFA, so skip additional OTP gate.
+        session([config('google2fa.session_var') => true]);
+        session([config('google2fa.session_var').'.auth.passed_at' => time()]);
+
+        $userIp = config('nntmux:settings.store_user_ip') ? ($request->ip() ?? $request->getClientIp()) : '';
+        event(new UserLoggedIn($user, $userIp));
+        event(new PasskeyUsedToAuthenticateEvent($passkey, $request));
+
+        $url = Session::has('passkeys.redirect')
+            ? (string) Session::pull('passkeys.redirect')
+            : (string) config('passkeys.redirect_to_after_login', '/');
+
+        return redirect($url)->with('info', 'You have been logged in');
+    }
+}