scalableminds · robert-oleynik · Feb 11, 2025 · Feb 11, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/app/controllers/AuthenticationController.scala b/app/controllers/AuthenticationController.scala
diff --git a/app/models/user/MultiUser.scala b/app/models/user/MultiUser.scala
@@ -136,6 +136,13 @@ class MultiUserDAO @Inject()(sqlClient: SqlClient)(implicit ec: ExecutionContext
                      (SELECT _id FROM webknossos.users WHERE _organization = $organizationId)""".asUpdate)
     } yield ()
 
+  def findOneById(id: ObjectId)(implicit ctx: DBAccessContext): Fox[MultiUser] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(q"SELECT $columns FROM $existingCollectionName WHERE _id = $id AND $accessQuery".as[MultiusersRow])
+      parsed <- parseFirst(r, id)
+    } yield parsed
+
   def findOneByEmail(email: String)(implicit ctx: DBAccessContext): Fox[MultiUser] =
     for {
       accessQuery <- readAccessQuery

diff --git a/app/models/user/WebAuthnCredentials.scala b/app/models/user/WebAuthnCredentials.scala
@@ -0,0 +1,159 @@
+package models.user
+
+import com.fasterxml.jackson.core.`type`.TypeReference
+import com.fasterxml.jackson.annotation._
+import com.scalableminds.util.accesscontext.DBAccessContext
+import com.scalableminds.util.objectid.ObjectId
+import com.scalableminds.util.tools.{JsonHelper, Fox, FoxImplicits}
+import com.scalableminds.webknossos.schema.Tables._
+import com.webauthn4j.converter.AttestedCredentialDataConverter
+import com.webauthn4j.converter.util.ObjectConverter
+import com.webauthn4j.credential.{CredentialRecordImpl => WebAuthnCredentialRecord}
+import com.webauthn4j.data.attestation.statement._
+import com.webauthn4j.data.extension.authenticator.{
+  AuthenticationExtensionsAuthenticatorOutputs,
+  RegistrationExtensionAuthenticatorOutput
+}
+import com.scalableminds.util.tools.Box.tryo
+import slick.lifted.Rep
+import utils.sql.{SQLDAO, SqlClient}
+import play.api.libs.json._
+
+import javax.inject.Inject
+import scala.concurrent.ExecutionContext
+
+case class WebAuthnCredential(
+    _id: ObjectId,
+    _multiUser: ObjectId,
+    name: String,
+    credentialRecord: WebAuthnCredentialRecord,
+    isDeleted: Boolean,
+) extends FoxImplicits {
+  def serializeAttestedCredential(objectConverter: ObjectConverter): Array[Byte] = {
+    val converter = new AttestedCredentialDataConverter(objectConverter);
+    converter.convert(credentialRecord.getAttestedCredentialData)
+  }
+
+  def serializeAttestationStatement(objectConverter: ObjectConverter)(implicit ec: ExecutionContext): Fox[JsObject] = {
+    val envelope = new AttestationStatementEnvelope()
+    envelope.fmt = credentialRecord.getAttestationStatement.getFormat
+    envelope.attestationStatement = credentialRecord.getAttestationStatement
+    val rawJson = objectConverter.getJsonConverter.writeValueAsString(envelope)
+    JsonHelper.parseAs[JsObject](rawJson).toFox
+  }
+
+  def serializedExtensions(converter: ObjectConverter)(implicit ec: ExecutionContext): Fox[JsObject] = {
+    val rawJson = converter.getJsonConverter.writeValueAsString(credentialRecord.getAuthenticatorExtensions)
+    JsonHelper.parseAs[JsObject](rawJson).toFox
+  }
+}
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+class AttestationStatementEnvelope {
+
+  @JsonProperty("fmt")
+  var fmt: String = _
+
+  @JsonProperty("attestationStatement")
+  @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.EXTERNAL_PROPERTY, property = "fmt")
+  @JsonSubTypes(
+    Array(
+      new JsonSubTypes.Type(value = classOf[NoneAttestationStatement], name = "none"),
+      new JsonSubTypes.Type(value = classOf[PackedAttestationStatement], name = "packed"),
+      new JsonSubTypes.Type(value = classOf[AndroidKeyAttestationStatement], name = "android-key"),
+      new JsonSubTypes.Type(value = classOf[AndroidSafetyNetAttestationStatement], name = "android-safetynet"),
+      new JsonSubTypes.Type(value = classOf[AppleAnonymousAttestationStatement], name = "apple"),
+      new JsonSubTypes.Type(value = classOf[FIDOU2FAttestationStatement], name = "fido-u2f"),
+      new JsonSubTypes.Type(value = classOf[TPMAttestationStatement], name = "tpm")
+    ))
+  var attestationStatement: AttestationStatement = _
+
+  def getFormat: String = fmt
+  def getAttestationStatement: AttestationStatement = attestationStatement
+}
+
+class WebAuthnCredentialDAO @Inject()(sqlClient: SqlClient)(implicit ec: ExecutionContext)
+    extends SQLDAO[WebAuthnCredential, WebauthncredentialsRow, Webauthncredentials](sqlClient) {
+  protected val collection = Webauthncredentials
+
+  override protected def idColumn(x: Webauthncredentials): Rep[String] = x._Id
+  override protected def isDeletedColumn(x: Webauthncredentials): Rep[Boolean] = x.isdeleted
+
+  protected def parse(r: WebauthncredentialsRow): Fox[WebAuthnCredential] = {
+    val objectConverter = new ObjectConverter()
+    val converter = objectConverter.getJsonConverter
+    val attestedCredentialDataConverter = new AttestedCredentialDataConverter(objectConverter)
+    for {
+      attestedCredential <- tryo(attestedCredentialDataConverter.convert(r.serializedattestedcredential)).toFox
+      authenticatorExtensions <- tryo(
+        converter.readValue(r.serializedextensions,
+                            new TypeReference[AuthenticationExtensionsAuthenticatorOutputs[
+                              RegistrationExtensionAuthenticatorOutput]] {})).toFox
+      attestationStatement <- tryo(
+        converter.readValue(r.serializedattestationstatement, new TypeReference[AttestationStatementEnvelope] {})).toFox
+      record = new WebAuthnCredentialRecord(
+        attestationStatement.getAttestationStatement,
+        r.userverified,
+        r.backupeligible,
+        r.backupstate,
+        r.signaturecount.toLong,
+        attestedCredential,
+        authenticatorExtensions,
+        null, // clientData - No client data is collected during registration.
+        null, // clientExtensions - Client extensions are ignored.
+        null // transports - All transport methods are allowed.
+      )
+    } yield WebAuthnCredential(ObjectId(r._Id), ObjectId(r._Multiuser), r.name, record, r.isdeleted)
+  }
+
+  def findAllForUser(multiUserId: ObjectId)(implicit ctx: DBAccessContext): Fox[List[WebAuthnCredential]] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(
+        q"SELECT $columns FROM $existingCollectionName WHERE _multiUser = $multiUserId AND $accessQuery"
+          .as[WebauthncredentialsRow])
+      parsed <- parseAll(r)
+    } yield parsed
+
+  def findByCredentialId(multiUserId: ObjectId, credentialId: Array[Byte])(
+      implicit ctx: DBAccessContext): Fox[WebAuthnCredential] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(
+        q"SELECT $columns FROM $existingCollectionName WHERE _multiUser = $multiUserId AND credentialId = $credentialId AND $accessQuery"
+          .as[WebauthncredentialsRow])
+      parsed <- parseFirst(r, multiUserId)
+    } yield parsed
+
+  def insertOne(c: WebAuthnCredential): Fox[Unit] = {
+    val converter = new ObjectConverter()
+    val serializedAttestedCredential = c.serializeAttestedCredential(converter)
+    val credentialId = c.credentialRecord.getAttestedCredentialData.getCredentialId
+    val userVerified = c.credentialRecord.isUvInitialized.booleanValue
+    val backupEligible = c.credentialRecord.isBackupEligible.booleanValue
+    val backupState = c.credentialRecord.isBackedUp.booleanValue
+    for {
+      serializedAuthenticatorExtensions <- c.serializedExtensions(converter)
+      serializedAttestationStatement <- c.serializeAttestationStatement(converter)
+      _ <- run(
+        q"""INSERT INTO $existingCollectionName (_id, _multiUser, credentialId, name, userVerified, backupEligible, backupState,
+                                                 serializedAttestationStatement, serializedAttestedCredential, serializedExtensions, signatureCount)
+                       VALUES(${c._id}, ${c._multiUser}, ${credentialId}, ${c.name}, ${userVerified}, ${backupEligible}, ${backupState}, ${serializedAttestationStatement},
+                         ${serializedAttestedCredential}, ${serializedAuthenticatorExtensions}, ${c.credentialRecord.getCounter.toInt})""".asUpdate)
+    } yield ()
+  }
+
+  def updateSignCount(c: WebAuthnCredential): Fox[Unit] = {
+    val signatureCount = c.credentialRecord.getCounter
+    for {
+      _ <- run(q"""UPDATE $existingCollectionName SET signatureCount = $signatureCount WHERE _id = ${c._id}""".asUpdate)
+    } yield ()
+  }
+
+  def removeById(id: ObjectId, multiUser: ObjectId): Fox[Unit] =
+    for {
+      _ <- run(
+        q"""UPDATE $existingCollectionName SET isDeleted = true WHERE _id = ${id} AND _multiUser=${multiUser}""".asUpdate)
+    } yield ()
+
+}
diff --git a/app/utils/WkConf.scala b/app/utils/WkConf.scala
@@ -143,6 +143,7 @@ class WkConf @Inject()(configuration: Configuration, certificateValidationServic
     val openIdConnectEnabled: Boolean = get[Boolean]("features.openIdConnectEnabled")
     val editableMappingsEnabled: Boolean = get[Boolean]("features.editableMappingsEnabled")
     val segmentAnythingEnabled: Boolean = get[Boolean]("features.segmentAnythingEnabled")
+    val passkeysEnabled: Boolean = get[Boolean]("features.passkeysEnabled")
   }
 
   object Datastore {

diff --git a/build.sbt b/build.sbt
@@ -59,6 +59,7 @@ lazy val copyMessagesFilesSetting = {
 lazy val util = (project in file("util")).settings(
   commonSettings,
   libraryDependencies ++= Dependencies.utilDependencies,
+  dependencyOverrides ++= Dependencies.dependencyOverrides
 )
 
 lazy val webknossosJni = (project in file("webknossos-jni"))
@@ -78,6 +79,7 @@ lazy val webknossosDatastore = (project in file("webknossos-datastore"))
     generateReverseRouter := false,
     BuildInfoSettings.webknossosDatastoreBuildInfoSettings,
     libraryDependencies ++= Dependencies.webknossosDatastoreDependencies,
+    dependencyOverrides ++= Dependencies.dependencyOverrides,
     protocolBufferSettings,
     Compile / unmanagedJars ++= {
       val libs = baseDirectory.value / "lib"
@@ -102,6 +104,7 @@ lazy val webknossosTracingstore = (project in file("webknossos-tracingstore"))
     generateReverseRouter := false,
     BuildInfoSettings.webknossosTracingstoreBuildInfoSettings,
     libraryDependencies ++= Dependencies.webknossosTracingstoreDependencies,
+    dependencyOverrides ++= Dependencies.dependencyOverrides,
     copyMessagesFilesSetting,
   )
 
@@ -117,6 +120,7 @@ lazy val webknossos = (project in file("."))
     AssetCompilation.settings,
     BuildInfoSettings.webknossosBuildInfoSettings,
     libraryDependencies ++= Dependencies.webknossosDependencies,
+    dependencyOverrides ++= Dependencies.dependencyOverrides,
     Assets / sourceDirectory := file("none"),
     // The following two assignments avoid that the public assets
     // appear in two output jars. Namely, target/universal/stage/lib/webknossos.webknossos-wk-sans-externalized.jar

diff --git a/conf/application.conf b/conf/application.conf
@@ -1,5 +1,5 @@
 http {
-  uri = "http://localhost:9000"
+  uri = "https://localhost:9000"
   port = 9000
 }
 
@@ -171,6 +171,8 @@ features {
   optInTabs = ["ConnectomeView"]
   openIdConnectEnabled = false
   segmentAnythingEnabled = false
+  # Enable Authentication with Passkeys and WebAuthn
+  passkeysEnabled = true
 }
 
 # Serve annotations. Only active if the corresponding play module is enabled

diff --git a/conf/evolutions/136-add-webauthn-credentials.sql b/conf/evolutions/136-add-webauthn-credentials.sql
@@ -0,0 +1,28 @@
+START TRANSACTION;
+
+do $$ begin ASSERT (select schemaVersion from webknossos.releaseInformation) = 135, 'Previous schema version mismatch'; end; $$ LANGUAGE plpgsql;
+
+CREATE TABLE webknossos.webauthnCredentials(
+  _id TEXT PRIMARY KEY,
+  _multiUser TEXT NOT NULL,
+  credentialId BYTEA NOT NULL,
+  name TEXT NOT NULL,
+  userVerified BOOLEAN NOT NULL,
+  backupEligible BOOLEAN NOT NULL,
+  backupState BOOLEAN NOT NULL,
+  serializedAttestationStatement JSONB NOT NULL,
+  serializedAttestedCredential BYTEA NOT NULL,
+  serializedExtensions JSONB NOT NULL,
+  signatureCount INTEGER NOT NULL,
+  isDeleted BOOLEAN NOT NULL DEFAULT false,
+  UNIQUE (_id, credentialId)
+);
+
+CREATE VIEW webknossos.webauthnCredentials_ as SELECT * FROM webknossos.webauthnCredentials WHERE NOT isDeleted;
+
+ALTER TABLE webknossos.webauthnCredentials
+  ADD FOREIGN KEY (_multiUser) REFERENCES webknossos.multiUsers(_id) ON DELETE CASCADE ON UPDATE CASCADE DEFERRABLE;
+
+UPDATE webknossos.releaseInformation SET schemaVersion = 136;
+
+COMMIT TRANSACTION;
diff --git a/conf/evolutions/reversions/136-add-webauthn-credentials.sql b/conf/evolutions/reversions/136-add-webauthn-credentials.sql
@@ -0,0 +1,10 @@
+START TRANSACTION;
+
+do $$ begin ASSERT (select schemaVersion from webknossos.releaseInformation) = 136, 'Previous schema version mismatch'; end; $$ LANGUAGE plpgsql;
+
+DROP TABLE webknossos.webauthnCredentials;
+DROP VIEW webknossos.webauthnCredentials_;
+
+UPDATE webknossos.releaseInformation SET schemaVersion = 135;
+
+COMMIT TRANSACTION;
diff --git a/conf/messages b/conf/messages
@@ -19,6 +19,9 @@ image.create.failed=Failed to create image
 auth.tokenDeleted=Token was deleted
 auth.invalidToken=The token is invalid
 auth.token.noUser=Could not determine user for access token
+auth.passkeys.disabled=Passkeys disabled.
+auth.passkeys.requiresHttps=Passkeys are only supported with HTTPS.
+auth.passkeys.unauthorized=Passkey Authentication Failed.
 
 team.created=Team was created successfully
 team.admin.notPossibleBy=User {1} cannot be assigned administrative rights in team {0} because he does not belong to the teams parent team.

diff --git a/conf/webknossos.latest.routes b/conf/webknossos.latest.routes
@@ -35,6 +35,15 @@ POST          /auth/resetPassword
 GET           /auth/logout                                                                      controllers.AuthenticationController.logout()
 GET           /auth/sso                                                                         controllers.AuthenticationController.singleSignOn(sso: String, sig: String)
 GET           /auth/oidc/login                                                                  controllers.AuthenticationController.loginViaOpenIdConnect()
+
+# Routes for WebAuthn
+POST          /auth/webauthn/auth/start                                                         controllers.AuthenticationController.webauthnAuthStart()
+POST          /auth/webauthn/auth/finalize                                                      controllers.AuthenticationController.webauthnAuthFinalize()
+POST          /auth/webauthn/register/start                                                     controllers.AuthenticationController.webauthnRegisterStart()
+POST          /auth/webauthn/register/finalize                                                  controllers.AuthenticationController.webauthnRegisterFinalize()
+GET           /auth/webauthn/keys                                                               controllers.AuthenticationController.webauthnListKeys()
+DELETE        /auth/webauthn/keys/:id                                                           controllers.AuthenticationController.webauthnRemoveKey(id: ObjectId)
+
 # /auth/oidc/callback route is used literally in code
 GET           /auth/oidc/callback                                                               controllers.AuthenticationController.openIdCallback()
 POST          /auth/createOrganizationWithAdmin                                                 controllers.AuthenticationController.createOrganizationWithAdmin()

diff --git a/docs/users/index.md b/docs/users/index.md
@@ -1,9 +1,10 @@
 # Managing Users & Access Permissions
 
-WEBKNOSSOS offers a built-in user management system to administer different user roles and permissions. In the following pages, you will learn more about: 
+WEBKNOSSOS offers a built-in user management system to administer different user roles and permissions. In the following pages, you will learn more about:
 
 - [Organizations](organizations.md)
 - [Teams](teams.md)
 - [Access rights and roles](access_rights.md)
 - [Users](new_users.md)
 - [Password and account](password.md)
+- [Passkeys](passkeys.md)
diff --git a/docs/users/passkeys.md b/docs/users/passkeys.md
@@ -0,0 +1,15 @@
+# Passkeys
+
+Passkeys are a new, more secure way to log in to websites and apps without using a password.
+Instead of typing a password, you use a fingerprint, face scan, or a device PIN to authenticate.
+
+## Adding and Removing Passkeys
+
+Users can _add_ and _remove_ their passkeys as long as they are logged in.
+Passkeys can be found by clicking on the user's avatar in the navigation bar in the top-right corner of the screen and selecting `Change Password`.
+Users find their passkeys below the change password form.
+To add a new passkey user can press the `Register Passkey` button and then set a name for the passkey.
+These passkeys can be deleted by pressing the `Delete` button next to the passkey's name.
+
+In case the user lost access to its passkey and can not sign in.
+Please use the `Forgot Password` button in the log in screen (see [Password and Account](./password.md)).
diff --git a/frontend/javascripts/admin/account/account_password_view.tsx b/frontend/javascripts/admin/account/account_password_view.tsx
@@ -1,6 +1,7 @@
 import { EditOutlined, LockOutlined } from "@ant-design/icons";
 import { changePassword, logoutUser } from "admin/rest_api";
 import { Alert, Button, Col, Form, Input, Row, Space } from "antd";
+import features from "features";
 import Toast from "libs/toast";
 import messages from "messages";
 import { useState } from "react";
@@ -11,6 +12,7 @@ import { SettingsCard } from "./helpers/settings_card";
 import { SettingsTitle } from "./helpers/settings_title";
 const FormItem = Form.Item;
 const { Password } = Input;
+import PasskeysView from "../auth/passkeys_view";
 
 const MIN_PASSWORD_LENGTH = 8;
 
@@ -155,14 +157,7 @@ function AccountPasswordView() {
     setResetPasswordVisible(true);
   }
 
-  const passKeyList = [
-    {
-      title: "Coming soon",
-      value: "Passwordless login with passkeys is coming soon",
-      // action: <Button type="default" shape="circle" icon={<DeleteOutlined />} size="small" />,
-      action: undefined,
-    },
-  ];
+  const { passkeysEnabled } = features();
 
   return (
     <div>
@@ -185,14 +180,16 @@ function AccountPasswordView() {
         </Col>
       </Row>
 
-      <SettingsTitle title="Passkeys" description="Login passwordless with Passkeys" />
-      <Row gutter={[24, 24]} style={{ marginBottom: 24 }}>
-        {passKeyList.map((item) => (
-          <Col span={12} key={item.title}>
-            <SettingsCard title={item.title} description={item.value} action={item.action} />
-          </Col>
-        ))}
-      </Row>
+      {passkeysEnabled && (
+        <>
+          <SettingsTitle title="Passkeys" description="Login passwordless with Passkeys" />
+          <Row gutter={[24, 24]} style={{ marginBottom: 24 }}>
+            <Col span={12}>
+              <SettingsCard title="Passkeys" description={<PasskeysView />} />
+            </Col>
+          </Row>
+        </>
+      )}
     </div>
   );
 }

diff --git a/...ipts/admin/api/certificate_validation.tsx → ...ripts/admin/api/certificate_validation.ts b/...ipts/admin/api/certificate_validation.tsx → ...ripts/admin/api/certificate_validation.ts
diff --git a/.../admin/api/disambiguate_legacy_routes.tsx → ...s/admin/api/disambiguate_legacy_routes.ts b/.../admin/api/disambiguate_legacy_routes.tsx → ...s/admin/api/disambiguate_legacy_routes.ts