feat(auth): B-2.6 WebAuthn / Passkey support (FIDO2 + biometric 2FA)

Adds phishing-resistant 2nd factor via FIDO2 hardware keys (YubiKey etc.) and device biometrics (Touch ID, Windows Hello, etc.). Reuses the existing B-2.5 TOTP gate so a passkey is a 3rd valid option on /2fa/verify, alongside TOTP code and recovery code. Post-login enrolment lives at /2fa/passkey/setup. Wraps python-webauthn==2.5.2 in a thin service layer (src/auth/webauthn.py) that persists credentials in the existing User.webauthn_credentials JSON column (added in B-2.1 — no schema change). Each credential dict carries id, public_key, sign_count, transports, name, and created_at. sign_count is updated after every successful authentication for WebAuthn anti-cloning (§6.1.1). Backend: 6 new auth routes (passkey_setup, register/begin, register/finish, delete, auth/begin, auth/finish). The 4 JSON endpoints are CSRF-exempt at Flask-WTF level because CSRFProtect cannot read tokens from a JSON body without app-wide config; the X-CSRFToken header is still sent as defence-in-depth. The form-POST delete route DOES enforce CSRF. The @csrf_exempt decorator was previously a no-op label; init_auth_extensions now walks module-level functions and applies real csrf.exempt() to any flagged with _csrf_exempt=True. Login gate now fires when the user has TOTP enabled OR at least one passkey, and totp_verify_login passes has_passkeys + has_totp flags so the template can show only the relevant sections. Frontend: templates/auth/totp_verify.html updated IN PLACE with a passkey button section (above TOTP) and an "ou" divider. New templates/auth/passkey_setup.html for managing/enrolling passkeys. New static/js/webauthn-client.js (no external deps, ES2020) wraps navigator.credentials and exchanges base64url payloads with the backend. Tailwind CSS rebuilt. Tests: 22 new tests in tests/test_webauthn_passkey.py covering the service layer (b64url helpers, RP config, list/has, begin/finish for both registration and authentication, delete) and the route flow (CSRF-exempt JSON endpoints, login gate redirection, sign_count anti-cloning persistence). Mocks python-webauthn's verify_* functions so tests run without a real authenticator. Windows manual driver follows the existing no-conftest pattern. Self-review: 22/22 new tests pass; 21/21 prior TOTP, 16/16 email, 21/21 OAuth tests still pass (no regression). Env: config/env.oauth.example documents WEBAUTHN_RP_ID, WEBAUTHN_RP_NAME, WEBAUTHN_ORIGIN with full deployment notes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 00:27:09 -04:00
parent aa269c5bc0
commit b8fa321edd
9 changed files with 1580 additions and 7 deletions
--- a/tests/_run_webauthn_passkey_windows.py
+++ b/tests/_run_webauthn_passkey_windows.py
@@ -0,0 +1,77 @@
+"""Windows manual driver for tests/test_webauthn_passkey.py.
+
+src/init_db.py imports `fcntl`, which is POSIX-only. On Windows we stub it
+before src.app gets imported, then run each test_* function and report.
+
+Run from the repo root:
+    py -3 tests/_run_webauthn_passkey_windows.py
+
+This script is local-dev only (not picked up by pytest collection).
+"""
+import os
+import sys
+import types
+import traceback
+
+# 1) Stub fcntl BEFORE any import of src.* happens.
+if 'fcntl' not in sys.modules:
+    fcntl_stub = types.ModuleType('fcntl')
+    fcntl_stub.LOCK_EX = 2
+    fcntl_stub.LOCK_NB = 4
+    fcntl_stub.LOCK_UN = 8
+    fcntl_stub.LOCK_SH = 1
+    fcntl_stub.flock = lambda *_args, **_kw: None
+    fcntl_stub.fcntl = lambda *_args, **_kw: 0
+    sys.modules['fcntl'] = fcntl_stub
+
+# 2) Make repo root importable
+HERE = os.path.dirname(os.path.abspath(__file__))
+REPO = os.path.dirname(HERE)
+sys.path.insert(0, REPO)
+
+# 3) Set test config
+os.environ.setdefault('SQLALCHEMY_DATABASE_URI', 'sqlite:///:memory:')
+os.environ.setdefault('SECRET_KEY', 'test-secret-key-webauthn')
+os.environ.setdefault('ENABLE_EMAIL_VERIFICATION', 'false')
+os.environ.setdefault('REQUIRE_EMAIL_VERIFICATION', 'false')
+os.environ.setdefault('TRANSCRIPTION_BASE_URL', 'http://test-stub')
+os.environ.setdefault('TRANSCRIPTION_API_KEY', 'test-stub')
+os.environ.setdefault('RATELIMIT_ENABLED', 'false')
+# Force UTF-8 stdout so src.app's emoji prints don't crash on cp1252 Windows.
+try:
+    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
+    sys.stderr.reconfigure(encoding='utf-8', errors='replace')
+except Exception:
+    pass
+
+# 4) Import the test module and run every test_* function it defines
+import importlib.util  # noqa: E402
+spec = importlib.util.spec_from_file_location(
+    'test_webauthn_passkey',
+    os.path.join(HERE, 'test_webauthn_passkey.py'),
+)
+mod = importlib.util.module_from_spec(spec)
+spec.loader.exec_module(mod)
+
+tests = [(name, fn) for name, fn in vars(mod).items()
+         if name.startswith('test_') and callable(fn)]
+
+passed = 0
+failed = []
+for name, fn in tests:
+    try:
+        fn()
+        print(f'  PASS  {name}')
+        passed += 1
+    except Exception as e:  # noqa: BLE001
+        print(f'  FAIL  {name}: {type(e).__name__}: {e}')
+        failed.append((name, traceback.format_exc()))
+
+total = len(tests)
+print()
+print(f'Result: {passed}/{total} passed, {len(failed)} failed')
+if failed:
+    print('\n--- Failures ---\n')
+    for name, tb in failed:
+        print(f'### {name}\n{tb}\n')
+sys.exit(0 if not failed else 1)