Conversation

@justin-jiajia
Contributor

closes #613

Copilot AI review requested due to automatic review settings January 3, 2026 14:04

@muety muety self-requested a review January 3, 2026 14:45
@muety
Owner

muety commented Jan 3, 2026

No idea how Copilot came up with the idea of reviewing this (should be disabled 🤔), but please ignore those comments. I'll give this a review as soon as possible. Thanks for your contribution.

@justin-jiajia
Contributor Author

No idea how Copilot came up with the idea of reviewing this (should be disabled 🤔), but please ignore those comments. I'll give this a review as soon as possible. Thanks for your contribution.

Well, I've opened it on my side as I wondered how it worked :)

Don't be in that much of a hurry, as I'm going to take an exam and maybe work on it again next weekend or later.

BTW: I'm aware that I forgot to use snake-case for attestation json somewhere, and I should brotli the webauthn library too. Will fix them next time I'm free.

@justin-jiajia
Contributor Author

BTW: I'm aware that I forgot to use snake-case for attestation json somewhere, and I should brotli the webauthn library too. Will fix them next time I'm free.

Done

Owner

@muety muety left a comment

Thanks a lot for this PR! Sorry for taking so long with this review and sorry in advance for the number of comments I put. Please have a look at them anyway.

Also, could you please:

  • Add some basic tests for this, if possible? Perhaps do some research on how to best test stuff like this.
  • Add a config option to explicitly enable / disable WebAuthn login, just like you can disable OIDC.

@justin-jiajia
Contributor Author

  • Add some basic tests for this, if possible? Perhaps do some research on how to best test stuff like this.

Will do some research next time I'm free. A question while browsing existing tests: how do you generate the mocks? Are they generated by a program (like mockery)? Or are they written by hand?

  • Add a config option to explicitly enable / disable WebAuthn login, just like you can disable OIDC.

Before implementing it, I want to know: should the users registered through OIDC be allowed to set up passkeys and log in with a passkey? (And why shouldn't OIDC users be able to set a password for themselves, BTW?)

@justin-jiajia justin-jiajia requested a review from muety January 24, 2026 14:10
@justin-jiajia
Contributor Author

  • Add some basic tests for this, if possible? Perhaps do some research on how to best test stuff like this.

Will do some research next time I'm free. A question while browsing existing tests: how do you generate the mocks? Are they generated by a program (like mockery)? Or are they written by hand?

Should it be a unit test or an API test? And I found a library, descope/virtualwebauthn, for virtual testing.

  • Add a config option to explicitly enable / disable WebAuthn login, just like you can disable OIDC.

Before implementing it, I want to know: should the users registered through OIDC be allowed to set up passkeys and log in with a passkey? (And why shouldn't OIDC users be able to set a password for themselves, BTW?)

Done. There's currently a security.disable_webauthn option. But OIDC users ARE allowed to register passkeys if the option is set to false (the default value). I'm not sure if this behavior is what you expect.

Development

Successfully merging this pull request may close these issues.

WebAuthn authentication option