feat: login with passkey (biometrics, face ID, etc)

Author: YasharF

README.md

@@ -71,7 +71,7 @@ I also tried to make it as **generic** and **reusable** as possible to cover mos
 ## Features
 
 - Login
-  - **Local Authentication** Sign in with Email and Password, Passwordless
+  - **Local Authentication** Sign in with Email and Password, Passwordless, Passkey / Biometrics
   - **OAuth 2.0 Authentication:** Sign in with Google, Microsoft, Facebook, LinkedIn, X (Twitter), Twitch, GitHub, Discord
 - **User Profile and Account Management**
   - Gravatar
@@ -549,13 +549,14 @@ The metadata for Open Graph is only set up for the home page (`home.pug`). Updat
 | **controllers**/contact.js       | Controller for contact form.                                         |
 | **controllers**/home.js          | Controller for home page (index).                                    |
 | **controllers**/user.js          | Controller for user account management.                              |
+| **controllers**/webauthn.js      | Controller for webauthn management (passkey / biometrics login)      |
 | **models**/User.js               | Mongoose schema and model for User.                                  |
 | **public**/                      | Static assets (fonts, css, js, img).                                 |
 | **public**/**js**/application.js | Specify client-side JavaScript dependencies.                         |
 | **public**/**js**/app.js         | Place your client-side JavaScript here.                              |
 | **public**/**css**/main.scss     | Main stylesheet for your app.                                        |
 | **test**/\*.js                   | Tests, related configs and helpers.                                  |
-| **views/account**/               | Templates for _login, password reset, signup, profile_.              |
+| **views/account**/               | Templates for _login, password reset, signup, profile, webauthn_     |
 | **views/ai**/                    | Templates for AI examples and boilerplates.                          |
 | **views/api**/                   | Templates for API examples.                                          |
 | **views/partials**/flash.pug     | Error, info and success flash notifications.                         |
@@ -591,6 +592,7 @@ Required to run the project before your modifications
 | @googleapis/drive             | Google Drive API integration library.                                 |
 | @googleapis/sheets            | Google Sheets API integration library.                                |
 | @huggingface/inference        | Client library for Hugging Face Inference providers                   |
+| @keyv/mongo                   | MongoDB storage adapter for Keyv                                      |
 | @langchain/community          | Third party integrations for Langchain                                |
 | @langchain/core               | Base LangChain abstractions and Expression Language                   |
 | @langchain/mongodb            | MongoDB integrations for LangChain                                    |
@@ -600,6 +602,8 @@ Required to run the project before your modifications
 | @octokit/rest                 | GitHub API library.                                                   |
 | @passport-js/passport-twitter | X (Twitter) login support (OAuth 2).                                  |
 | @popperjs/core                | Frontend js library for poppers and tooltips.                         |
+| @simplewebauthn/browser       | WebAuthn frontend library (passkey / biometrics authentication)       |
+| @simplewebauthn/server        | WebAuthn backend library (passkey / biometrics authentication)        |
 | bootstrap                     | CSS Framework.                                                        |
 | bootstrap-social              | Social buttons library.                                               |
 | bowser                        | User agent parser                                                     |
@@ -613,6 +617,7 @@ Required to run the project before your modifications
 | express-rate-limit            | Rate limiting middleware for abuse protection.                        |
 | express-session               | Simple session middleware for Express.                                |
 | jquery                        | Front-end JS library to interact with HTML elements.                  |
+| keyv                          | key-value storage with support for multiple backends                  |
 | langchain                     | Framework for developing LLM applications                             |
 | lastfm                        | Last.fm API library.                                                  |
 | lusca                         | CSRF middleware.                                                      |

app.js

@@ -72,6 +72,7 @@ const userController = require('./controllers/user');
 const apiController = require('./controllers/api');
 const aiController = require('./controllers/ai');
 const contactController = require('./controllers/contact');
+const webauthnController = require('./controllers/webauthn');
 
 /**
  * API keys and Passport configuration.
@@ -149,7 +150,7 @@ app.use((req, res, next) => {
 const isSafeRedirect = (url) => /^\/[a-zA-Z0-9/_-]*$/.test(url);
 app.use((req, res, next) => {
   // After successful login, redirect back to the intended page
-  if (!req.user && req.path !== '/login' && req.path !== '/signup' && !req.path.startsWith('/auth') && !req.path.includes('.')) {
+  if (!req.user && req.path !== '/login' && !req.path.startsWith('/login/webauthn-') && req.path !== '/signup' && !req.path.startsWith('/auth') && !req.path.includes('.')) {
     const returnTo = req.originalUrl;
     if (isSafeRedirect(returnTo)) {
       req.session.returnTo = returnTo;
@@ -175,6 +176,7 @@ app.use('/js/lib', express.static(path.join(__dirname, 'node_modules/chart.js/di
 app.use('/js/lib', express.static(path.join(__dirname, 'node_modules/@popperjs/core/dist/umd'), { maxAge: 31557600000 }));
 app.use('/js/lib', express.static(path.join(__dirname, 'node_modules/bootstrap/dist/js'), { maxAge: 31557600000 }));
 app.use('/js/lib', express.static(path.join(__dirname, 'node_modules/jquery/dist'), { maxAge: 31557600000 }));
+app.use('/js/lib', express.static(path.join(__dirname, 'node_modules/@simplewebauthn/browser/dist/bundle'), { maxAge: 31557600000 }));
 app.use('/webfonts', express.static(path.join(__dirname, 'node_modules/@fortawesome/fontawesome-free/webfonts'), { maxAge: 31557600000 }));
 app.use('/image-cache', express.static(path.join(__dirname, 'tmp/image-cache'), { maxAge: 31557600000 }));
 
@@ -192,6 +194,9 @@ app.get('/', homeController.index);
 app.get('/login', userController.getLogin);
 app.post('/login', loginLimiter, userController.postLogin);
 app.get('/login/verify/:token', loginLimiter, userController.getLoginByEmail);
+app.post('/login/webauthn-start', loginLimiter, webauthnController.postLoginStart);
+app.get('/login/webauthn-start', (req, res) => res.redirect('/login')); // webauthn-start requires a POST
+app.post('/login/webauthn-verify', loginLimiter, webauthnController.postLoginVerify);
 app.get('/logout', userController.logout);
 app.get('/forgot', userController.getForgot);
 app.post('/forgot', strictLimiter, userController.postForgot);
@@ -209,6 +214,10 @@ app.post('/account/password', passportConfig.isAuthenticated, userController.pos
 app.post('/account/delete', passportConfig.isAuthenticated, userController.postDeleteAccount);
 app.post('/account/logout-everywhere', passportConfig.isAuthenticated, userController.postLogoutEverywhere);
 app.get('/account/unlink/:provider', passportConfig.isAuthenticated, userController.getOauthUnlink);
+app.post('/account/webauthn/register', passportConfig.isAuthenticated, webauthnController.postRegisterStart);
+app.get('/account/webauthn/register', (req, res) => res.redirect('/account')); // webauthn/register start requires a POST
+app.post('/account/webauthn/verify', passportConfig.isAuthenticated, webauthnController.postRegisterVerify);
+app.post('/account/webauthn/remove', passportConfig.isAuthenticated, webauthnController.postRemove);
 
 /**
  * API examples routes.

controllers/webauthn.js

@@ -0,0 +1,244 @@
+const crypto = require('node:crypto');
+const { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse } = require('@simplewebauthn/server');
+const User = require('../models/User');
+
+function generateDefaultPublicKey() {
+  // Dummy COSE public key used to force uniform WebAuthn verification on failed logins.
+  const { publicKey } = crypto.generateKeyPairSync('ec', {
+    namedCurve: 'P-256',
+    publicKeyEncoding: { format: 'jwk' },
+  });
+  const x = Buffer.from(publicKey.x, 'base64url'); // 32 bytes
+  const y = Buffer.from(publicKey.y, 'base64url'); // 32 bytes
+  // COSE_Key: map(5) {1:2, 3:-7, -1:1, -2:x, -3:y}
+  return Buffer.concat([Buffer.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20]), x, Buffer.from([0x22, 0x58, 0x20]), y]);
+}
+const DUMMY_COSE_PUBLIC_KEY = generateDefaultPublicKey();
+
+const rpName = 'Hackathon Starter';
+const rpID = new URL(process.env.BASE_URL).hostname;
+const expectedOrigin = new URL(process.env.BASE_URL).origin;
+
+/**
+ * POST /login/webauthn-start
+ */
+exports.postLoginStart = async (req, res) => {
+  try {
+    const { email, useEmailWithBiometrics } = req.body;
+    req.session.webauthnLoginEmail = useEmailWithBiometrics && email ? email.toLowerCase().trim() : null;
+    const options = await generateAuthenticationOptions({
+      rpID,
+      userVerification: 'preferred',
+    });
+    req.session.loginChallenge = options.challenge;
+    res.render('account/webauthn-login', {
+      title: 'Biometric Login',
+      publicKey: JSON.stringify(options),
+    });
+  } catch (err) {
+    console.error('Error in postLoginStart:', err);
+    req.flash('errors', { msg: 'Passkey / Biometric Failure.' });
+    res.redirect('/login');
+  }
+};
+
+/**
+ * POST /login/webauthn-verify
+ */
+exports.postLoginVerify = async (req, res) => {
+  try {
+    let noUserFound = false;
+    const { credential } = req.body;
+    const expectedChallenge = req.session.loginChallenge;
+    const scopedEmail = req.session.webauthnLoginEmail;
+    delete req.session.webauthnLoginEmail;
+    if (!credential || !expectedChallenge) {
+      delete req.session.loginChallenge;
+      req.flash('errors', { msg: 'Passkey / Biometric authentication failed - invalid request.' });
+      return res.redirect('/login');
+    }
+    const parsedCredential = JSON.parse(credential);
+    const credentialId = Buffer.from(parsedCredential.id, 'base64url');
+    const user = await User.findOne({ 'webauthnCredentials.credentialId': credentialId });
+    let userCredential;
+    if (!user) {
+      noUserFound = true;
+      userCredential = { credentialId: credentialId, publicKey: DUMMY_COSE_PUBLIC_KEY, counter: 0, transports: [] };
+    } else {
+      userCredential = user.webauthnCredentials.find((c) => c.credentialId.equals(credentialId));
+    }
+    const verification = await verifyAuthenticationResponse({
+      response: parsedCredential,
+      expectedChallenge,
+      expectedOrigin,
+      expectedRPID: rpID,
+      requireUserVerification: false,
+      credential: {
+        id: userCredential.credentialId,
+        publicKey: userCredential.publicKey,
+        counter: userCredential.counter,
+        transports: userCredential.transports,
+      },
+    });
+    delete req.session.loginChallenge;
+    if (!verification.verified || noUserFound || (scopedEmail && user.email !== scopedEmail)) {
+      if (scopedEmail) {
+        req.flash('errors', { msg: 'Passkey / Biometric authentication failed, or did not match the provided email.' });
+      } else {
+        req.flash('errors', { msg: 'Passkey / Biometric authentication failed.' });
+      }
+      return res.redirect('/login');
+    }
+    userCredential.counter = verification.authenticationInfo.newCounter;
+    userCredential.lastUsedAt = new Date();
+    await user.save();
+    req.logIn(user, (err) => {
+      if (err) {
+        console.error('Error in postLoginVerify - Login session error:', err);
+        req.flash('errors', { msg: 'Login failed. Please try again.' });
+        return res.redirect('/login');
+      }
+      req.flash('success', { msg: 'Success! You are logged in.' });
+      res.redirect(req.session.returnTo || '/');
+    });
+  } catch (err) {
+    console.error('Error in postLoginVerify:', err);
+    delete req.session.loginChallenge;
+    req.flash('errors', { msg: 'Passkey / Biometric authentication failed - system error.' });
+    res.redirect('/login');
+  }
+};
+
+/**
+ * POST /account/webauthn/register
+ */
+exports.postRegisterStart = async (req, res) => {
+  try {
+    const { user } = req;
+    if (!user.emailVerified) {
+      req.flash('errors', { msg: 'Please verify your email address before enabling passkey login.' });
+      return res.redirect('/account');
+    }
+    if (!user.webauthnUserID) {
+      user.webauthnUserID = crypto.randomBytes(32);
+      await user.save();
+    }
+    const existingCredentials = (user.webauthnCredentials || []).map((cred) => ({
+      id: cred.credentialId,
+      type: 'public-key',
+      transports: cred.transports,
+    }));
+    const options = await generateRegistrationOptions({
+      rpName,
+      rpID,
+      userID: user.webauthnUserID,
+      userName: user.email,
+      userDisplayName: user.profile?.name || user.email,
+      excludeCredentials: existingCredentials,
+      authenticatorSelection: {
+        residentKey: 'discouraged',
+        userVerification: 'preferred',
+      },
+    });
+    req.session.registerChallenge = options.challenge;
+    res.render('account/webauthn-register', {
+      title: 'Enable Biometric Login',
+      publicKey: JSON.stringify(options),
+    });
+  } catch (err) {
+    console.error('Error in postRegisterStart:', err);
+    req.flash('errors', { msg: 'Failed to start passkey registration. Please try again.' });
+    res.redirect('/account');
+  }
+};
+
+/**
+ * POST /account/webauthn/verify
+ */
+exports.postRegisterVerify = async (req, res) => {
+  try {
+    if (!req.user.emailVerified) {
+      req.flash('errors', { msg: 'Please verify your email address before enabling passkey login.' });
+      return res.redirect('/account');
+    }
+    const { credential } = req.body;
+    const expectedChallenge = req.session.registerChallenge;
+    if (!credential || !expectedChallenge) {
+      delete req.session.registerChallenge;
+      req.flash('errors', { msg: 'Registration failed. Please try again.' });
+      return res.redirect('/account');
+    }
+    const parsedCredential = JSON.parse(credential);
+    const verification = await verifyRegistrationResponse({
+      response: parsedCredential,
+      expectedChallenge,
+      expectedOrigin,
+      expectedRPID: rpID,
+      requireUserVerification: false,
+    });
+    delete req.session.registerChallenge;
+    if (!verification?.verified || !verification.registrationInfo?.credential) {
+      req.flash('errors', { msg: 'Registration failed. Please try again.' });
+      return res.redirect('/account');
+    }
+    const c = verification.registrationInfo.credential;
+    if (!c.id || !c.publicKey) {
+      console.error('Error in postRegisterVerify - registrationInfo payload:', verification.registrationInfo);
+      req.flash('errors', { msg: 'Registration failed. Please try again.' });
+      return res.redirect('/account');
+    }
+    req.user.webauthnCredentials = Array.isArray(req.user.webauthnCredentials) ? req.user.webauthnCredentials : [];
+
+    const newCredentialId = Buffer.from(c.id, 'base64url');
+    const alreadyOnUser = req.user.webauthnCredentials.some((cred) => Buffer.isBuffer(cred.credentialId) && cred.credentialId.equals(newCredentialId));
+    if (alreadyOnUser) {
+      req.flash('errors', { msg: 'This passkey is already registered to your account.' });
+      return res.redirect('/account');
+    }
+
+    req.user.webauthnCredentials.push({
+      credentialId: newCredentialId,
+      publicKey: Buffer.from(c.publicKey),
+      counter: typeof c.counter === 'number' ? c.counter : 0,
+      transports: Array.isArray(c.transports) ? c.transports : [],
+      deviceType: verification.registrationInfo.credentialDeviceType,
+      backedUp: Boolean(verification.registrationInfo.credentialBackedUp),
+      deviceName: 'Biometric Device',
+      createdAt: new Date(),
+      lastUsedAt: new Date(),
+    });
+    try {
+      await req.user.save();
+    } catch (err) {
+      if (err.code === 11000) {
+        req.flash('errors', { msg: 'This passkey is already registered to an account.' });
+        return res.redirect('/account');
+      }
+      throw err;
+    }
+    req.flash('success', { msg: 'Biometric login has been enabled successfully.' });
+    return res.redirect('/account');
+  } catch (err) {
+    console.error('Error in postRegisterVerify:', err);
+    delete req.session.registerChallenge;
+    req.flash('errors', { msg: 'Registration failed. Please try again.' });
+    return res.redirect('/account');
+  }
+};
+
+/**
+ * POST /account/webauthn/remove
+ */
+exports.postRemove = async (req, res) => {
+  try {
+    req.user.webauthnCredentials = [];
+    req.user.webauthnUserID = undefined;
+    await req.user.save();
+    req.flash('success', { msg: 'Biometric login has been removed successfully.' });
+    res.redirect('/account');
+  } catch (err) {
+    console.error('Error in postRemove:', err);
+    req.flash('errors', { msg: 'Failed to remove biometric login. Please try again.' });
+    res.redirect('/account');
+  }
+};

models/User.js

@@ -20,6 +20,21 @@ const userSchema = new mongoose.Schema(
     loginExpires: Date,
     loginIpHash: String,
 
+    webauthnUserID: { type: Buffer, minlength: 16, maxlength: 64 },
+    webauthnCredentials: [
+      {
+        credentialId: { type: Buffer, required: true },
+        publicKey: { type: Buffer, required: true },
+        counter: { type: Number, required: true, default: 0 },
+        transports: { type: [String], default: [] },
+        deviceType: String,
+        backedUp: Boolean,
+        deviceName: String,
+        createdAt: { type: Date, default: Date.now },
+        lastUsedAt: { type: Date, default: Date.now },
+      },
+    ],
+
     discord: String,
     facebook: String,
     github: String,
@@ -46,7 +61,10 @@ const userSchema = new mongoose.Schema(
   { timestamps: true },
 );
 
-// Indexes for verification fileds that are queried
+// Webauthn credential Id should be globally unique across all users
+userSchema.index({ 'webauthnCredentials.credentialId': 1 }, { unique: true, sparse: true });
+
+// Indexes for verification fields that are queried
 userSchema.index({ passwordResetToken: 1 });
 userSchema.index({ emailVerificationToken: 1 });
 userSchema.index({ loginToken: 1 });