Passkey login handler

Author: tonkku107

crates/handlers/src/lib.rs

@@ -48,6 +48,7 @@ use opentelemetry::metrics::Meter;
 use sqlx::PgPool;
 use tower::util::AndThenLayer;
 use tower_http::cors::{Any, CorsLayer};
+use webauthn::Webauthn;
 
 use self::{graphql::ExtraRouterParameters, passwords::PasswordManager};
 
@@ -348,6 +349,7 @@ where
     Limiter: FromRef<S>,
     reqwest::Client: FromRef<S>,
     Arc<dyn HomeserverConnection>: FromRef<S>,
+    Webauthn: FromRef<S>,
     BoxClock: FromRequestParts<S>,
     BoxRng: FromRequestParts<S>,
     Policy: FromRequestParts<S>,

crates/handlers/src/test_utils.rs

@@ -113,6 +113,7 @@ pub(crate) struct TestState {
     pub rng: Arc<Mutex<ChaChaRng>>,
     pub http_client: reqwest::Client,
     pub task_tracker: TaskTracker,
+    pub webauthn: Webauthn,
     queue_worker: Arc<tokio::sync::Mutex<QueueWorker>>,
 
     #[allow(dead_code)] // It is used, as it will cancel the CancellationToken when dropped
@@ -280,6 +281,7 @@ impl TestState {
             rng,
             http_client,
             task_tracker,
+            webauthn,
             queue_worker,
             cancellation_drop_guard: Arc::new(shutdown_token.drop_guard()),
         })
@@ -585,6 +587,12 @@ impl FromRef<TestState> for reqwest::Client {
     }
 }
 
+impl FromRef<TestState> for Webauthn {
+    fn from_ref(input: &TestState) -> Self {
+        input.webauthn.clone()
+    }
+}
+
 impl FromRequestParts<TestState> for ActivityTracker {
     type Rejection = Infallible;
 

crates/handlers/src/views/login/cookie.rs

@@ -0,0 +1,89 @@
+// Copyright 2025 New Vector Ltd.
+//
+// SPDX-License-Identifier: AGPL-3.0-only
+// Please see LICENSE in the repository root for full details.
+
+use std::collections::BTreeSet;
+
+use chrono::{DateTime, Duration, Utc};
+use mas_axum_utils::cookies::CookieJar;
+use mas_data_model::{Clock, UserPasskeyChallenge};
+use serde::{Deserialize, Serialize};
+use ulid::Ulid;
+
+/// Name of the cookie
+static COOKIE_NAME: &str = "user-passkey-challenges";
+
+/// Sessions expire after an hour
+static SESSION_MAX_TIME: Duration = Duration::hours(1);
+
+/// The content of the cookie, which stores a list of user passkey challenge IDs
+#[derive(Serialize, Deserialize, Default, Debug)]
+pub struct UserPasskeyChallenges(BTreeSet<Ulid>);
+
+impl UserPasskeyChallenges {
+    /// Load the user passkey challenges cookie
+    pub fn load(cookie_jar: &CookieJar) -> Self {
+        match cookie_jar.load(COOKIE_NAME) {
+            Ok(Some(challenges)) => challenges,
+            Ok(None) => Self::default(),
+            Err(e) => {
+                tracing::warn!(
+                    error = &e as &dyn std::error::Error,
+                    "Invalid passkey challenges cookie"
+                );
+                Self::default()
+            }
+        }
+    }
+
+    /// Returns true if the cookie is empty
+    pub fn is_empty(&self) -> bool {
+        self.0.is_empty()
+    }
+
+    /// Save the user passkey challenges to the cookie jar
+    pub fn save<C>(self, cookie_jar: CookieJar, clock: &C) -> CookieJar
+    where
+        C: Clock,
+    {
+        let this = self.expire(clock.now());
+
+        if this.is_empty() {
+            cookie_jar.remove(COOKIE_NAME)
+        } else {
+            cookie_jar.save(COOKIE_NAME, &this, false)
+        }
+    }
+
+    fn expire(mut self, now: DateTime<Utc>) -> Self {
+        self.0.retain(|id| {
+            let Ok(ts) = id.timestamp_ms().try_into() else {
+                return false;
+            };
+            let Some(when) = DateTime::from_timestamp_millis(ts) else {
+                return false;
+            };
+            now - when < SESSION_MAX_TIME
+        });
+
+        self
+    }
+
+    /// Add a new challenge
+    pub fn add(mut self, passkey_challenge: &UserPasskeyChallenge) -> Self {
+        self.0.insert(passkey_challenge.id);
+        self
+    }
+
+    /// Check if the challenge is in the list
+    pub fn contains(&self, passkey_challenge_id: &Ulid) -> bool {
+        self.0.contains(passkey_challenge_id)
+    }
+
+    /// Mark a challenge as consumed to avoid replay
+    pub fn consume_challenge(mut self, passkey_challenge_id: &Ulid) -> Self {
+        self.0.remove(passkey_challenge_id);
+        self
+    }
+}