feat: add passkey support

docs/passkey.go

@@ -0,0 +1,54 @@
+//lint:file-ignore U1000 ignore go-swagger template
+package docs
+
+import (
+	"github.com/supabase/auth/internal/api"
+)
+
+// swagger:route POST /passkeys/sign-in user passkeySignIn
+// Begin a passkey sign-in challenge.
+// responses:
+//   200: PasskeySignInChallengeResponse
+//   400: BadRequestResponse
+//   429: RateLimitResponse
+
+type passkeySignInParamsWrapper struct {
+	// in:body
+	Body api.PasskeySignInRequest
+}
+
+// swagger:route POST /passkeys/sign-in/verify user passkeySignInVerify
+// Complete a passkey sign-in challenge.
+// responses:
+//   200: AccessTokenResponseSchema
+//   400: BadRequestResponse
+//   429: RateLimitResponse
+
+type passkeySignInVerifyParamsWrapper struct {
+	// in:body
+	Body api.PasskeySignInVerifyRequest
+}
+
+// swagger:route POST /passkeys user passkeyRegister
+// Begin passkey registration for the authenticated user.
+// responses:
+//   200: PasskeyRegistrationResponse
+//   400: BadRequestResponse
+//   429: RateLimitResponse
+
+type passkeyRegisterParamsWrapper struct {
+	// in:body
+	Body api.PasskeyRegistrationRequest
+}
+
+// swagger:route POST /passkeys/{passkey_id}/verify user passkeyVerify
+// Verify a passkey registration challenge.
+// responses:
+//   200: PasskeyVerifyResponse
+//   400: BadRequestResponse
+//   429: RateLimitResponse
+
+type passkeyVerifyParamsWrapper struct {
+	// in:body
+	Body api.PasskeyVerifyRequest
+}

example.env

@@ -262,3 +262,7 @@ GOTRUE_SMS_TEST_OTP_VALID_UNTIL="<ISO date time>" # (e.g. 2023-09-29T08:14:06Z)
 
 GOTRUE_MFA_WEB_AUTHN_ENROLL_ENABLED="false"
 GOTRUE_MFA_WEB_AUTHN_VERIFY_ENABLED="false"
+
+# Passkey configuration
+GOTRUE_PASSKEY_ENABLED="false"
+GOTRUE_PASSKEY_CHALLENGE_EXPIRY_DURATION="300"

internal/api/admin.go

@@ -92,6 +92,28 @@ func (a *API) loadFactor(w http.ResponseWriter, r *http.Request) (context.Contex
 	return withFactor(ctx, factor), nil
 }
 
+func (a *API) loadPasskey(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+	ctx := r.Context()
+	db := a.db.WithContext(ctx)
+	user := getUser(ctx)
+	passkeyID, err := uuid.FromString(chi.URLParam(r, "passkey_id"))
+	if err != nil {
+		return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeValidationFailed, "passkey_id must be an UUID")
+	}
+
+	observability.LogEntrySetField(r, "passkey_id", passkeyID)
+
+	factor, err := user.FindOwnedPasskeyByID(db, passkeyID)
+	if err != nil {
+		if models.IsNotFoundError(err) {
+			return nil, apierrors.NewNotFoundError(apierrors.ErrorCodeMFAFactorNotFound, "Passkey not found")
+		}
+		return nil, apierrors.NewInternalServerError("Database error loading passkey").WithInternalError(err)
+	}
+
+	return withFactor(ctx, factor), nil
+}
+
 func (a *API) getAdminParams(r *http.Request) (*AdminUserParams, error) {
 	params := &AdminUserParams{}
 	if err := retrieveRequestParams(r, params); err != nil {

internal/api/api.go

@@ -277,6 +277,22 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			})
 		})
 
+		r.Route("/passkeys", func(r *router) {
+			r.With(api.limitHandler(api.limiterOpts.PasskeySignIn)).Post("/sign-in", api.PasskeySignIn)
+			r.With(api.limitHandler(api.limiterOpts.PasskeySignIn)).Post("/sign-in/verify", api.PasskeySignInVerify)
+
+			r.With(api.requireAuthentication).With(api.requireNotAnonymous).Route("/", func(r *router) {
+				r.Get("/", api.ListPasskeys)
+				r.With(api.limitHandler(api.limiterOpts.PasskeyChallenge)).Post("/", api.CreatePasskey)
+
+				r.Route("/{passkey_id}", func(r *router) {
+					r.Use(api.loadPasskey)
+					r.With(api.limitHandler(api.limiterOpts.PasskeyChallenge)).Post("/verify", api.VerifyPasskey)
+					r.Delete("/", api.DeletePasskey)
+				})
+			})
+		})
+
 		r.Route("/sso", func(r *router) {
 			r.Use(api.requireSAMLEnabled)
 			r.With(api.limitHandler(api.limiterOpts.SSO)).

internal/api/helpers.go

@@ -70,6 +70,10 @@ type RequestParams interface {
 		adminUserDeleteParams |
 		security.GotrueRequest |
 		ChallengeFactorParams |
+		PasskeyRegistrationRequest |
+		PasskeyVerifyRequest |
+		PasskeySignInRequest |
+		PasskeySignInVerifyRequest |
 
 		struct {
 			Email string `json:"email"`

internal/api/mfa.go

@@ -133,10 +133,14 @@ func validateFactors(db *storage.Connection, user *models.User, newFactorName st
 	if err := db.Load(user, "Factors"); err != nil {
 		return err
 	}
-	factorCount := len(user.Factors)
+	factorCount := 0
 	numVerifiedFactors := 0
 
 	for _, factor := range user.Factors {
+		if factor.IsPasskeyFactor() {
+			continue
+		}
+		factorCount++
 		if factor.FriendlyName == newFactorName {
 			return apierrors.NewUnprocessableEntityError(
 				apierrors.ErrorCodeMFAFactorNameConflict,

internal/api/options.go

@@ -46,6 +46,8 @@ type LimiterOptions struct {
 	User                *limiter.Limiter
 	FactorVerify        *limiter.Limiter
 	FactorChallenge     *limiter.Limiter
+	PasskeySignIn       *limiter.Limiter
+	PasskeyChallenge    *limiter.Limiter
 	SSO                 *limiter.Limiter
 	SAMLAssertion       *limiter.Limiter
 	Web3                *limiter.Limiter
@@ -85,6 +87,16 @@ func NewLimiterOptions(gc *conf.GlobalConfiguration) *LimiterOptions {
 			DefaultExpirationTTL: time.Minute,
 		}).SetBurst(30)
 
+	o.PasskeySignIn = tollbooth.NewLimiter(gc.RateLimitVerify/(60*5),
+		&limiter.ExpirableOptions{
+			DefaultExpirationTTL: time.Hour,
+		}).SetBurst(30)
+
+	o.PasskeyChallenge = tollbooth.NewLimiter(gc.RateLimitVerify/(60*5),
+		&limiter.ExpirableOptions{
+			DefaultExpirationTTL: time.Hour,
+		}).SetBurst(30)
+
 	o.SSO = tollbooth.NewLimiter(gc.RateLimitSso/(60*5),
 		&limiter.ExpirableOptions{
 			DefaultExpirationTTL: time.Hour,