feat(passkeys): add audit, metering, webauthn primitives

Author: fadymak

internal/api/passkey_webauthn.go

@@ -0,0 +1,72 @@
+package api
+
+import (
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/supabase/auth/internal/models"
+)
+
+// getPasskeyWebAuthn creates a *webauthn.WebAuthn instance from the shared server-side WebAuthn configuration.
+func (a *API) getPasskeyWebAuthn() (*webauthn.WebAuthn, error) {
+	rpConfig := a.config.WebAuthn
+
+	return webauthn.New(&webauthn.Config{
+		RPDisplayName:         rpConfig.RPDisplayName,
+		RPID:                  rpConfig.RPID,
+		RPOrigins:             rpConfig.RPOrigins,
+		AttestationPreference: protocol.PreferNoAttestation,
+		AuthenticatorSelection: protocol.AuthenticatorSelection{
+			// required to support discoverable credentials
+			ResidentKey:      protocol.ResidentKeyRequirementRequired,
+			UserVerification: protocol.VerificationPreferred,
+		},
+	})
+}
+
+// TODO(fm): webAuthnUser is a thin adapter that wraps a *models.User and returns passkey
+// credentials (from the webauthn_credentials table) instead of MFA factor
+// credentials. This is necessary because the existing User.WebAuthnCredentials()
+// method returns MFA WebAuthn factor credentials until they are consolidated.
+type webAuthnUser struct {
+	user        *models.User
+	credentials []webauthn.Credential
+}
+
+func newWebAuthnUser(user *models.User, passkeyCredentials []*models.WebAuthnCredential) *webAuthnUser {
+	credentials := make([]webauthn.Credential, len(passkeyCredentials))
+
+	for i, pc := range passkeyCredentials {
+		credentials[i] = pc.ToWebAuthnCredential()
+	}
+
+	return &webAuthnUser{
+		user:        user,
+		credentials: credentials,
+	}
+}
+
+func (u *webAuthnUser) WebAuthnID() []byte {
+	return u.user.WebAuthnID()
+}
+
+func (u *webAuthnUser) WebAuthnName() string {
+	if email := u.user.GetEmail(); email != "" {
+		return email
+	}
+
+	return u.user.GetPhone()
+}
+
+func (u *webAuthnUser) WebAuthnDisplayName() string {
+	if meta := u.user.UserMetaData; meta != nil {
+		if name, ok := meta["name"].(string); ok && name != "" {
+			return name
+		}
+	}
+
+	return u.WebAuthnName()
+}
+
+func (u *webAuthnUser) WebAuthnCredentials() []webauthn.Credential {
+	return u.credentials
+}

internal/api/passkey_webauthn_test.go

@@ -0,0 +1,192 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/gofrs/uuid"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/models"
+)
+
+type PasskeyWebAuthnTestSuite struct {
+	suite.Suite
+	API    *API
+	Config *conf.GlobalConfiguration
+}
+
+func TestPasskeyWebAuthn(t *testing.T) {
+	api, config, err := setupAPIForTest()
+	require.NoError(t, err)
+	ts := &PasskeyWebAuthnTestSuite{
+		API:    api,
+		Config: config,
+	}
+	defer api.db.Close()
+	suite.Run(t, ts)
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestGetPasskeyWebAuthn() {
+	ts.API.config.WebAuthn = conf.WebAuthnConfiguration{
+		RPID:          "example.com",
+		RPDisplayName: "Example App",
+		RPOrigins:     []string{"https://example.com"},
+	}
+
+	wn, err := ts.API.getPasskeyWebAuthn()
+	ts.Require().NoError(err)
+	ts.Require().NotNil(wn)
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestGetPasskeyWebAuthnMultipleOrigins() {
+	ts.API.config.WebAuthn = conf.WebAuthnConfiguration{
+		RPID:          "example.com",
+		RPDisplayName: "Example App",
+		RPOrigins:     []string{"https://example.com", "https://app.example.com"},
+	}
+
+	wn, err := ts.API.getPasskeyWebAuthn()
+	ts.Require().NoError(err)
+	ts.Require().NotNil(wn)
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnUserWithEmail() {
+	userID := uuid.Must(uuid.NewV4())
+	user := &models.User{
+		ID: userID,
+	}
+	user.Email = "user@example.com"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal([]byte(userID.String()), wu.WebAuthnID())
+	ts.Equal("user@example.com", wu.WebAuthnName())
+	ts.Equal("user@example.com", wu.WebAuthnDisplayName())
+	ts.Empty(wu.WebAuthnCredentials())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnUserWithPhone() {
+	userID := uuid.Must(uuid.NewV4())
+	user := &models.User{
+		ID: userID,
+	}
+	user.Phone = "+1234567890"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("+1234567890", wu.WebAuthnName())
+	ts.Equal("+1234567890", wu.WebAuthnDisplayName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnUserEmailTakesPrecedence() {
+	user := &models.User{
+		ID: uuid.Must(uuid.NewV4()),
+	}
+	user.Email = "user@example.com"
+	user.Phone = "+1234567890"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("user@example.com", wu.WebAuthnName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnDisplayNameFromMetadata() {
+	user := &models.User{
+		ID: uuid.Must(uuid.NewV4()),
+		UserMetaData: map[string]any{
+			"name": "John Doe",
+		},
+	}
+	user.Email = "user@example.com"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("user@example.com", wu.WebAuthnName())
+	ts.Equal("John Doe", wu.WebAuthnDisplayName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnDisplayNameFallsBackToEmail() {
+	user := &models.User{
+		ID:           uuid.Must(uuid.NewV4()),
+		UserMetaData: map[string]any{},
+	}
+	user.Email = "user@example.com"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("user@example.com", wu.WebAuthnDisplayName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnDisplayNameSkipsEmptyMetadataName() {
+	user := &models.User{
+		ID: uuid.Must(uuid.NewV4()),
+		UserMetaData: map[string]any{
+			"name": "",
+		},
+	}
+	user.Email = "user@example.com"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("user@example.com", wu.WebAuthnDisplayName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnDisplayNameNilMetadata() {
+	user := &models.User{
+		ID: uuid.Must(uuid.NewV4()),
+	}
+	user.Phone = "+1234567890"
+
+	wu := newWebAuthnUser(user, nil)
+
+	ts.Equal("+1234567890", wu.WebAuthnDisplayName())
+}
+
+func (ts *PasskeyWebAuthnTestSuite) TestWebAuthnUserWithCredentials() {
+	user := &models.User{
+		ID: uuid.Must(uuid.NewV4()),
+	}
+	user.Email = "user@example.com"
+
+	creds := []*models.WebAuthnCredential{
+		{
+			ID:              uuid.Must(uuid.NewV4()),
+			UserID:          user.ID,
+			CredentialID:    []byte("cred-1"),
+			PublicKey:       []byte("pk-1"),
+			AttestationType: "none",
+			SignCount:       5,
+			Transports:      models.WebAuthnTransports{protocol.USB},
+			BackupEligible:  true,
+			BackedUp:        false,
+		},
+		{
+			ID:              uuid.Must(uuid.NewV4()),
+			UserID:          user.ID,
+			CredentialID:    []byte("cred-2"),
+			PublicKey:       []byte("pk-2"),
+			AttestationType: "none",
+			SignCount:       0,
+			Transports:      models.WebAuthnTransports{protocol.Internal},
+			BackupEligible:  true,
+			BackedUp:        true,
+		},
+	}
+
+	wu := newWebAuthnUser(user, creds)
+
+	webauthnCreds := wu.WebAuthnCredentials()
+	ts.Require().Len(webauthnCreds, 2)
+
+	ts.Equal([]byte("cred-1"), webauthnCreds[0].ID)
+	ts.Equal([]byte("pk-1"), webauthnCreds[0].PublicKey)
+	ts.Equal(uint32(5), webauthnCreds[0].Authenticator.SignCount)
+	ts.True(webauthnCreds[0].Flags.BackupEligible)
+	ts.False(webauthnCreds[0].Flags.BackupState)
+
+	ts.Equal([]byte("cred-2"), webauthnCreds[1].ID)
+	ts.True(webauthnCreds[1].Flags.BackupEligible)
+	ts.True(webauthnCreds[1].Flags.BackupState)
+}

internal/metering/record.go

@@ -21,6 +21,7 @@ const (
 	LoginTypePKCE      LoginType = "pkce"
 	LoginTypeToken     LoginType = "token" // for refresh token flows, to be backward-compatible with existing data
 	LoginTypeMFA       LoginType = "mfa"   // for MFA verifications
+	LoginTypePasskey   LoginType = "passkey"
 )
 
 // Provider constants for consistent login analytics

internal/models/audit_log_entry.go

@@ -45,6 +45,9 @@ const (
 	UpdateFactorAction              AuditAction = "factor_updated"
 	MFACodeLoginAction              AuditAction = "mfa_code_login"
 	IdentityUnlinkAction            AuditAction = "identity_unlinked"
+	PasskeyCreatedAction            AuditAction = "passkey_created"
+	PasskeyUpdatedAction            AuditAction = "passkey_updated"
+	PasskeyDeletedAction            AuditAction = "passkey_deleted"
 
 	account       auditLogType = "account"
 	team          auditLogType = "team"
@@ -77,6 +80,9 @@ var ActionLogTypeMap = map[AuditAction]auditLogType{
 	UpdateFactorAction:              factor,
 	MFACodeLoginAction:              factor,
 	DeleteRecoveryCodesAction:       recoveryCodes,
+	PasskeyCreatedAction:            user,
+	PasskeyUpdatedAction:            user,
+	PasskeyDeletedAction:            user,
 }
 
 // AuditLogEntry is the database model for audit log entries.

internal/models/factor.go

@@ -56,6 +56,7 @@ const (
 	Anonymous
 	Web3
 	OAuthProviderAuthorizationCode
+	PasskeyLogin
 )
 
 func (authMethod AuthenticationMethod) String() string {
@@ -92,6 +93,8 @@ func (authMethod AuthenticationMethod) String() string {
 		return "web3"
 	case OAuthProviderAuthorizationCode:
 		return "oauth_provider/authorization_code"
+	case PasskeyLogin:
+		return "passkey"
 	}
 	return ""
 }
@@ -131,7 +134,8 @@ func ParseAuthenticationMethod(authMethod string) (AuthenticationMethod, error)
 		return Web3, nil
 	case "oauth_provider/authorization_code":
 		return OAuthProviderAuthorizationCode, nil
-
+	case "passkey":
+		return PasskeyLogin, nil
 	}
 	return 0, fmt.Errorf("unsupported authentication method %q", authMethod)
 }