Add option for persisting sign-in when using passkeys.

Author: bitbound

ControlR.Web.Server/Components/Account/Pages/Login.razor

@@ -3,6 +3,7 @@
 @using ControlR.Web.Server.Components.Account.Shared
 
 @inject SignInManager<AppUser> SignInManager
+@inject PasskeySignInManager PasskeySignInManager
 @inject ILogger<Login> Logger
 @inject NavigationManager NavigationManager
 @inject IdentityRedirectManager RedirectManager
@@ -38,13 +39,10 @@
                     </MudStaticCheckBox>
                 </MudItem>
                 <MudItem xs="12" Class="d-flex gap-4">
-                    <MudStaticButton Variant="Variant.Outlined" Color="Color.Primary"
-                        FormAction="FormAction.Submit">Log in</MudStaticButton>
-                    <PasskeySubmit Operation="PasskeyOperation.Request"
-                                   Name="Input.Passkey"
-                                   EmailName="Input.Email"
-                                   Variant="Variant.Outlined"
-                                   Color="Color.Secondary">
+                    <MudStaticButton Variant="Variant.Outlined" Color="Color.Primary" FormAction="FormAction.Submit">Log
+                        in</MudStaticButton>
+                    <PasskeySubmit Operation="PasskeyOperation.Request" Name="Input.Passkey" EmailName="Input.Email"
+                        Variant="Variant.Outlined" Color="Color.Secondary">
                         Sign in with a passkey
                     </PasskeySubmit>
                 </MudItem>
@@ -115,11 +113,17 @@
 
     public async Task LoginUser()
     {
-        Microsoft.AspNetCore.Identity.SignInResult result;
+        if (!string.IsNullOrEmpty(Input.Passkey?.Error))
+        {
+            _errorMessage = $"Error: {Input.Passkey.Error}";
+            return;
+        }
+
+        SignInResult result;
 
         if (!string.IsNullOrEmpty(Input.Passkey?.CredentialJson))
         {
-            result = await SignInManager.PasskeySignInAsync(Input.Passkey.CredentialJson);
+            result = await PasskeySignInManager.PasskeySignInAsync(Input.Passkey.CredentialJson);
         }
         else
         {

ControlR.Web.Server/Components/Account/PasskeySignInManager.cs

@@ -0,0 +1,38 @@
+using System;
+using Microsoft.AspNetCore.Authentication;
+
+namespace ControlR.Web.Server.Components.Account;
+
+public class PasskeySignInManager(
+  UserManager<AppUser> userManager,
+  IOptionsMonitor<AppOptions> appOptions,
+  IHttpContextAccessor contextAccessor,
+  IUserClaimsPrincipalFactory<AppUser> claimsFactory,
+  IOptions<IdentityOptions> optionsAccessor,
+  ILogger<SignInManager<AppUser>> logger,
+  IAuthenticationSchemeProvider schemes,
+  IUserConfirmation<AppUser> confirmation)
+  : SignInManager<AppUser>(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
+{
+  public override async Task<SignInResult> PasskeySignInAsync(string credentialJson)
+  {
+    ArgumentException.ThrowIfNullOrEmpty(credentialJson);
+
+    var assertionResult = await PerformPasskeyAssertionAsync(credentialJson);
+    if (!assertionResult.Succeeded)
+    {
+      return SignInResult.Failed;
+    }
+
+    // After a successful assertion, we need to update the passkey so that it has the latest
+    // sign count and authenticator data.
+    var setPasskeyResult = await UserManager.AddOrUpdatePasskeyAsync(assertionResult.User, assertionResult.Passkey);
+    if (!setPasskeyResult.Succeeded)
+    {
+      return SignInResult.Failed;
+    }
+    
+    var persistLogin = appOptions.CurrentValue.PersistPasskeyLogin;
+    return await SignInOrTwoFactorAsync(assertionResult.User, isPersistent: persistLogin, bypassTwoFactor: true);
+  }
+}

ControlR.Web.Server/Options/AppOptions.cs

@@ -18,6 +18,7 @@ public class AppOptions
   public long MaxFileTransferSize { get; init; } = 100 * 1024 * 1024; // 100 MB default
   public string? MicrosoftClientId { get; init; }
   public string? MicrosoftClientSecret { get; init; }
+  public bool PersistPasskeyLogin { get; init; }
   public bool RequireUserEmailConfirmation { get; init; }
   public bool SmtpCheckCertificateRevocation { get; init; } = true;
   public string? SmtpDisplayName { get; init; }

ControlR.Web.Server/Startup/WebApplicationBuilderExtensions.cs

@@ -143,7 +143,6 @@ public static async Task<IHostApplicationBuilder> AddControlrServer(
 
     authBuilder.AddIdentityCookies();
 
-    // Add this to your WebApplicationBuilderExtensions.cs
     builder.Services.ConfigureApplicationCookie(options =>
     {
       options.Events.OnRedirectToLogin = context =>
@@ -212,7 +211,9 @@ public static async Task<IHostApplicationBuilder> AddControlrServer(
       .AddSignInManager()
       .AddDefaultTokenProviders();
 
-    builder.Services.AddScoped<IUserCreator, UserCreator>();
+    builder.Services
+      .AddScoped<PasskeySignInManager>()
+      .AddScoped<IUserCreator, UserCreator>();
 
     // Configure DataProtection.
     builder.Services

ControlR.Web.Server/appsettings.Development.json

@@ -19,6 +19,7 @@
     "AllowAgentsToSelfBootstrap": true,
     "AuthenticatorIssuerName": "ControlR",
     "EnablePublicRegistration": false,
+    "PersistPasskeyLogin": true,
     "MaxFileTransferSize": -1,
     "EnableCloudflareProxySupport": false,
     "MicrosoftClientId": "",

docker-compose/docker-compose.yml

@@ -37,6 +37,9 @@ services:
       # The name that appears in TOTP authenticator apps.
       ControlR_AppOptions__AuthenticatorIssuerName: "ControlR"
 
+      # If enabled, signing in with a passkey will effectively add the "remember me" option.
+      ControlR_AppOptions__PersistPasskeyLogin: false
+
       # Automatically obtain Cloudflare IPs from https://www.cloudflare.com/ips-v4
       # and add them to the KnownNetworks list for forwarded headers.
       ControlR_AppOptions__EnableCloudflareProxySupport: false