[PR #5929] Add support for the "Login with passkey" option #3654

Open
opened 2026-02-05 05:38:45 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/5929
Author: @zUnixorn
Created: 6/4/2025
Status: 🔄 Open

Base: main ← Head: webauthn_login


📝 Commits (5)

  • f5bf0ed implement working webauthn login
  • 9d4b94b delete schema.rs
  • a4b480d implement webauthn login deletion (untested)
  • 22a3571 implement unecrypted passkey login and cleanup code a bit mor
  • bbe3a7b rebase onto main

📊 Changes

10 files changed (+589 additions, -23 deletions)

View changed files

migrations/sqlite/2025-06-03-173809_create_web_authn_credentials_table/down.sql (+1 -0)
migrations/sqlite/2025-06-03-173809_create_web_authn_credentials_table/up.sql (+11 -0)
📝 src/api/core/mod.rs (+127 -8)
📝 src/api/core/two_factor/webauthn.rs (+30 -7)
📝 src/api/identity.rs (+288 -4)
📝 src/db/models/mod.rs (+2 -0)
📝 src/db/models/user.rs (+2 -1)
src/db/models/web_authn_credential.rs (+110 -0)
📝 src/db/schemas/sqlite/schema.rs (+15 -0)
📝 src/static/templates/scss/vaultwarden.scss.hbs (+3 -3)

📄 Description

Hello,

This PR implements the endpoints needed for passkey login into the Bitwarden webclient.

I marked this as a draft for now, since I'd like to first get some feedback on this PR before I start pursuing this further or if this is even a wanted feature for Vaultwarden.

Working Features

  • Login with passkey without using it for encryption
  • Login with passkey while using it for encryption
  • Adding a new passkey
  • Listing all registered passkeys
  • Deleting a passkey

Testing this Branch

To test this branch, the frontend needs to be built with this line (https://github.com/vaultwarden/vw_web_builds/commit/08498dd2059d10f1eed7dd6082619686f4118bd7) appended, to allow for passkey registration.

Open TODOs

  • Clean up the code
    • there is a bunch of duplicate code between _login_password() and _login_webauthn()
    • the webauthn stuff could be moved into its own file / module
    • Resolve the TODOs
  • Figure out how to handle the intermediate webauthn state:
    • Saved in the database (I think that's what's already done in the 2FA webauthn), but this probably would only work for registration, not login
    • Passed around as an encrypted string in the token field (I think this is what Bitwarden does with this C# API: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-9.0)
  • Decide what to do about the unimplemented endpoints (https://github.com/bitwarden/server/blob/v2025.5.3/src/Api/Auth/Controllers/WebAuthnController.cs) that are implemented by upstream (they don't seem to be used currently by the webclient)
  • Figure out why the frontend doesn't work in Firefox for passkeys

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

OVERLORD added the pull-request label 2026-02-05 05:38:45 +03:00

Reference: starred/vaultwarden#3654