FreedomBox

nik/FreedomBox

Fork 0

mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-20 10:34:30 +00:00

Commit Graph

Author	SHA1	Message	Date
Sunil Mohan Adapa	9d6c74c887	users: Add support for logging in with passkeys Tests: - Login - Login using passkeys works on testing container and stable container. - Login page show 'Log in with passkey' button as expected along with key icon. - On GNOME's Web browser, the login page does not show an error on load. Clicking on 'Log in with passkey' shows the error: 'Logging in with passkey failed: Browser does not support passkeys.' - On Chromium browser, with invalid TLS certficiate, the login page does not show an error on load. Clicking on 'Log in with passkey' shows the error: 'Logging in with passkey failed: NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors.' - Raising an error in the passkey_login_begin() method shows the error message when login page is loaded. Raising an error in the passkey_login_complete method shows the error message after passkey is unlocked. In both cases, 500 is HTTP status code. - With primary hardware key register passkey each for 'tester' and 'tester2' accounts. - With secondary hardware key register passkey for 'tester' account. - In login page, loading the page shows the console message 'Signing in with a passkey. Condition: true'. - In login page, when username field is clicked, 'passkey' is shown in the autofill popup options. Selecting it prompts for hardware PIN and touch. User is logged in. - In login page, when 'Log in with passkey' is clicked, console message is show 'Log in initiated with button, conditional mediation aborted.'. Hardware PIN and touch is prompted. User is logged in. - During autofill login, canceling the hardware key PIN shows no error alert. Autofill passkey login is not available. - During autofill login, canceling the hardware touch prompt shows no error alert. Autofill passkey login is not available. - During button login, canceling the hardware key PIN shows '...user denied permission' error alert. Autofill passkey login is not available. - During button login, canceling the hardware touch prompt shows no '...user denied permission' error alert. Autofill passkey login is not available. - When multiple attempts fail, multiple error alerts are shown. - During login, with primary key account selection dialog is shown. Selecting 'tester' logs into 'tester' account. Selecting 'tester2' logs into 'tester2' account. - During login, with secondary key, account selection dialog is not shown. User is logged into the 'tester' account. - Password based login continues to work as usual on Firefox, Chromium, and GNOME's web. - Logout, then visit /freedombox/sys/. This redirects to login page. After login with passkey the browser is redirected to /freedombox/sys page. - After passkey login, 'Last Used' for that key is updated. The value is not updated for remaining keys of the account. - After successful login, database is updated with the latest signature counter. - After successful login, for a user account with Spanish set as language, the UI language changes to Spanish. - If a key has been removed from list of passkeys and that passkey is attempted for login, 'Passkey used is not known' error alert is shown. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>	2026-03-31 07:48:54 -04:00
Sunil Mohan Adapa	1a8868f0cd	users: Add support registering, editing, and deleting passkeys Tests: - Setup: add domain name mystable.example. Add an entry in /etc/hosts on the test machine. In Firefox, in about:config, set 'security.webauthn.allow_with_certificate_override' to 'true'. - Registration - Passkey successful registration: - After passkey registration, created time is time at which key is created. - After passkey registration, domain is the domain with which the interface is accessed at the time of addition of passkey. - After passkey registration, Added and Last Used columns show the current time in UTC. Signature counter and extensions and aaguid values in the DB are as expected. - First key's name is 'Key 1'. After that it is 'Key 2' and so on. If a key is renamed as 'Key 4', then next key will be named 'Key 5'. - Registering passkeys using testing container stable container works. - Links: - 'Manage passkeys' link is show in the user menu in navbar in both desktop mode and mobile mode. Clicking on it redirects the browser to current user's passkey management page. - User's edit page shows 'Use passkeys for better security'. Clicking on the link redirects the browser to passkey management page for the user who's account is being edited. - Listing: - All passkeys are show properly. Name, domain, added, last used, and operations show correctly. - When using a browser without Javascript script shows an error alert. - If not passkeys are present "No passkeys added to user account." message is shown. - Editing the passkey shows correct page. Title, heading, form labels, form value, and buttons are as expected. After editing, passkey is updated properly. - Deleting the passkey shows a model dialog with correct details. After confirmation, passkey is removed and page is refreshed. - Error handling: - On GNOME's Web, clicking the 'Add Passkey' shows the error 'Browser does not support passkeys'. - On Chromium, clicking the 'Add passkey' shows the error 'NotAllowedError: WebAuthn is not supported on sites with TLS certificate errors.' - Raising an error in passkey_add_begin() results in correct error message shown with 'Add passkey' button is clicked. Status code is 500. - Raising an error in passkey_add_complete() results in correct error message shown after unlocking the hardware token. Status code is 500. - Canceling the PIN dialog results in '...user denied permission' error alert. - Canceling the touch dialog results in '...user denied permission' error alert. - Multiple failed attempts result in multiple alerts being shown at the same time. - Editing another user's passkeys: - Listing passkeys show correct list of passkeys for the user account being managed. - Adding passkeys adds correctly to the user account being managed. - Editing passkey correctly edits passkey of the user account being managed. Redirect happens to the correct page after. - Deleting passkey correctly edits passkey of the user account being managed. Redirect happens to the correct page after. - If a non-admin user tries to access passkeys list/edit/delete URL of another user, 403 Forbidden error is raised Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>	2026-03-31 07:48:50 -04:00

Author

SHA1

Message

Date

Sunil Mohan Adapa

9d6c74c887

users: Add support for logging in with passkeys

Tests:

- Login
  - Login using passkeys works on testing container and stable container.
  - Login page show 'Log in with passkey' button as expected along with key
    icon.
  - On GNOME's Web browser, the login page does not show an error on load.
    Clicking on 'Log in with passkey' shows the error: 'Logging in with passkey
    failed: Browser does not support passkeys.'
  - On Chromium browser, with invalid TLS certficiate, the login page does not
    show an error on load. Clicking on 'Log in with passkey' shows the error:
    'Logging in with passkey failed: NotAllowedError: WebAuthn is not supported
    on sites with TLS certificate errors.'
  - Raising an error in the passkey_login_begin() method shows the error message
    when login page is loaded. Raising an error in the passkey_login_complete
    method shows the error message after passkey is unlocked. In both cases, 500
    is HTTP status code.
  - With primary hardware key register passkey each for 'tester' and 'tester2'
    accounts.
  - With secondary hardware key register passkey for 'tester' account.
  - In login page, loading the page shows the console message 'Signing in with a
    passkey. Condition: true'.
  - In login page, when username field is clicked, 'passkey' is shown in the
    autofill popup options. Selecting it prompts for hardware PIN and touch.
    User is logged in.
  - In login page, when 'Log in with passkey' is clicked, console message is
    show 'Log in initiated with button, conditional mediation aborted.'.
    Hardware PIN and touch is prompted. User is logged in.
  - During autofill login, canceling the hardware key PIN shows no error alert.
    Autofill passkey login is not available.
  - During autofill login, canceling the hardware touch prompt shows no error
    alert. Autofill passkey login is not available.
  - During button login, canceling the hardware key PIN shows '...user denied
    permission' error alert. Autofill passkey login is not available.
  - During button login, canceling the hardware touch prompt shows no '...user
    denied permission' error alert. Autofill passkey login is not available.
  - When multiple attempts fail, multiple error alerts are shown.
  - During login, with primary key account selection dialog is shown. Selecting
    'tester' logs into 'tester' account. Selecting 'tester2' logs into 'tester2'
    account.
  - During login, with secondary key, account selection dialog is not shown.
    User is logged into the 'tester' account.
  - Password based login continues to work as usual on Firefox, Chromium, and
    GNOME's web.
  - Logout, then visit /freedombox/sys/. This redirects to login page. After
    login with passkey the browser is redirected to /freedombox/sys page.
  - After passkey login, 'Last Used' for that key is updated. The value is not
    updated for remaining keys of the account.
  - After successful login, database is updated with the latest signature
    counter.
  - After successful login, for a user account with Spanish set as language, the
    UI language changes to Spanish.
  - If a key has been removed from list of passkeys and that passkey is
    attempted for login, 'Passkey used is not known' error alert is shown.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

2026-03-31 07:48:54 -04:00

Sunil Mohan Adapa

1a8868f0cd

users: Add support registering, editing, and deleting passkeys

Tests:

- Setup: add domain name mystable.example. Add an entry in /etc/hosts on the
  test machine. In Firefox, in about:config, set
  'security.webauthn.allow_with_certificate_override' to 'true'.
- Registration
  - Passkey successful registration:
    - After passkey registration, created time is time at which key is created.
    - After passkey registration, domain is the domain with which the interface
      is accessed at the time of addition of passkey.
    - After passkey registration, Added and Last Used columns show the current
      time in UTC. Signature counter and extensions and aaguid values in the DB
      are as expected.
    - First key's name is 'Key 1'. After that it is 'Key 2' and so on. If a key
      is renamed as 'Key 4', then next key will be named 'Key 5'.
    - Registering passkeys using testing container stable container works.
  - Links:
    - 'Manage passkeys' link is show in the user menu in navbar in both desktop
      mode and mobile mode. Clicking on it redirects the browser to current
      user's passkey management page.
    - User's edit page shows 'Use passkeys for better security'. Clicking on the
      link redirects the browser to passkey management page for the user who's
      account is being edited.
  - Listing:
    - All passkeys are show properly. Name, domain, added, last used, and
      operations show correctly.
    - When using a browser without Javascript script shows an error alert.
    - If not passkeys are present "No passkeys added to user account." message
      is shown.
  - Editing the passkey shows correct page. Title, heading, form labels, form
    value, and buttons are as expected. After editing, passkey is updated
    properly.
  - Deleting the passkey shows a model dialog with correct details. After
    confirmation, passkey is removed and page is refreshed.
  - Error handling:
    - On GNOME's Web, clicking the 'Add Passkey' shows the error 'Browser does
      not support passkeys'.
    - On Chromium, clicking the 'Add passkey' shows the error 'NotAllowedError:
      WebAuthn is not supported on sites with TLS certificate errors.'
    - Raising an error in passkey_add_begin() results in correct error message
      shown with 'Add passkey' button is clicked. Status code is 500.
    - Raising an error in passkey_add_complete() results in correct error
      message shown after unlocking the hardware token. Status code is 500.
    - Canceling the PIN dialog results in '...user denied permission' error
      alert.
    - Canceling the touch dialog results in '...user denied permission' error
      alert.
    - Multiple failed attempts result in multiple alerts being shown at the same
      time.
  - Editing another user's passkeys:
    - Listing passkeys show correct list of passkeys for the user account being
      managed.
    - Adding passkeys adds correctly to the user account being managed.
    - Editing passkey correctly edits passkey of the user account being managed.
      Redirect happens to the correct page after.
    - Deleting passkey correctly edits passkey of the user account being
      managed. Redirect happens to the correct page after.
    - If a non-admin user tries to access passkeys list/edit/delete URL of
      another user, 403 Forbidden error is raised

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

2026-03-31 07:48:50 -04:00

2 Commits