Experimental configuration toggle for passkeys

tonkku107 · tonkku107 · commit 8714ddb51946 · 2025-03-15T13:19:55.000+02:00
diff --git a/crates/cli/src/util.rs b/crates/cli/src/util.rs
@@ -214,6 +214,7 @@ pub fn site_config_from_config(
         captcha,
         minimum_password_complexity: password_config.minimum_complexity(),
         session_expiration,
+        passkeys_enabled: experimental_config.passkeys,
     })
 }
 
diff --git a/crates/config/src/sections/experimental.rs b/crates/config/src/sections/experimental.rs
@@ -75,6 +75,12 @@ pub struct ExperimentalConfig {
     /// Disabled by default
     #[serde(skip_serializing_if = "Option::is_none")]
     pub inactive_session_expiration: Option<InactiveSessionExpirationConfig>,
+
+    /// Experimental passkey support
+    ///
+    /// Disabled by default
+    #[serde(default, skip_serializing_if = "std::ops::Not::not")]
+    pub passkeys: bool,
 }
 
 impl Default for ExperimentalConfig {
@@ -83,6 +89,7 @@ impl Default for ExperimentalConfig {
             access_token_ttl: default_token_ttl(),
             compat_token_ttl: default_token_ttl(),
             inactive_session_expiration: None,
+            passkeys: false,
         }
     }
 }
@@ -92,6 +99,7 @@ impl ExperimentalConfig {
         is_default_token_ttl(&self.access_token_ttl)
             && is_default_token_ttl(&self.compat_token_ttl)
             && self.inactive_session_expiration.is_none()
+            && !self.passkeys
     }
 }
 
diff --git a/crates/data-model/src/site_config.rs b/crates/data-model/src/site_config.rs
@@ -87,4 +87,7 @@ pub struct SiteConfig {
     pub minimum_password_complexity: u8,
 
     pub session_expiration: Option<SessionExpirationConfig>,
+
+    /// Whether passkeys are enabled
+    pub passkeys_enabled: bool,
 }
diff --git a/crates/handlers/src/graphql/model/site_config.rs b/crates/handlers/src/graphql/model/site_config.rs
@@ -53,6 +53,9 @@ pub struct SiteConfig {
     /// The exact scorer (including dictionaries and other data tables)
     /// in use is <https://crates.io/crates/zxcvbn>.
     minimum_password_complexity: u8,
+
+    /// Whether passkeys are enabled
+    passkeys_enabled: bool,
 }
 
 #[derive(SimpleObject)]
@@ -98,6 +101,7 @@ impl SiteConfig {
             password_registration_enabled: data_model.password_registration_enabled,
             account_deactivation_allowed: data_model.account_deactivation_allowed,
             minimum_password_complexity: data_model.minimum_password_complexity,
+            passkeys_enabled: data_model.passkeys_enabled,
         }
     }
 }
diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
@@ -141,6 +141,7 @@ pub fn test_site_config() -> SiteConfig {
         captcha: None,
         minimum_password_complexity: 1,
         session_expiration: None,
+        passkeys_enabled: false,
     }
 }
 
diff --git a/crates/handlers/src/views/login.rs b/crates/handlers/src/views/login.rs
@@ -89,9 +89,10 @@ pub(crate) async fn get(
 
     let providers = repo.upstream_oauth_provider().all_enabled().await?;
 
-    // If password-based login is disabled, and there is only one upstream provider,
+    // If password-based login and passkeys are disabled, and there is only one upstream provider,
     // we can directly start an authorization flow
-    if !site_config.password_login_enabled && providers.len() == 1 {
+    if !site_config.password_login_enabled && !site_config.passkeys_enabled && providers.len() == 1
+    {
         let provider = providers.into_iter().next().unwrap();
 
         let mut destination = UpstreamOAuth2Authorize::new(provider.id);
diff --git a/crates/templates/src/context/ext.rs b/crates/templates/src/context/ext.rs
@@ -47,6 +47,7 @@ impl SiteConfigExt for SiteConfig {
             password_registration: self.password_registration_enabled,
             password_login: self.password_login_enabled,
             account_recovery: self.account_recovery_allowed,
+            passkeys_enabled: self.passkeys_enabled,
         }
     }
 }
diff --git a/crates/templates/src/context/features.rs b/crates/templates/src/context/features.rs
@@ -13,6 +13,7 @@ use minijinja::{
 
 /// Site features information.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[allow(clippy::struct_excessive_bools)]
 pub struct SiteFeatures {
     /// Whether local password-based registration is enabled.
     pub password_registration: bool,
@@ -22,6 +23,9 @@ pub struct SiteFeatures {
 
     /// Whether email-based account recovery is enabled.
     pub account_recovery: bool,
+
+    /// Whether passkeys are enabled
+    pub passkeys_enabled: bool,
 }
 
 impl Object for SiteFeatures {
@@ -30,6 +34,7 @@ impl Object for SiteFeatures {
             "password_registration" => Some(Value::from(self.password_registration)),
             "password_login" => Some(Value::from(self.password_login)),
             "account_recovery" => Some(Value::from(self.account_recovery)),
+            "passkeys_enabled" => Some(Value::from(self.passkeys_enabled)),
             _ => None,
         }
     }
@@ -39,6 +44,7 @@ impl Object for SiteFeatures {
             "password_registration",
             "password_login",
             "account_recovery",
+            "passkeys_enabled",
         ])
     }
 }
diff --git a/crates/templates/src/lib.rs b/crates/templates/src/lib.rs
@@ -487,6 +487,7 @@ mod tests {
             password_login: true,
             password_registration: true,
             account_recovery: true,
+            passkeys_enabled: true,
         };
         let vite_manifest_path =
             Utf8Path::new(env!("CARGO_MANIFEST_DIR")).join("../../frontend/dist/manifest.json");
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -2495,6 +2495,10 @@
               "$ref": "#/definitions/InactiveSessionExpirationConfig"
             }
           ]
+        },
+        "passkeys": {
+          "description": "Experimental passkey support\n\nDisabled by default",
+          "type": "boolean"
         }
       }
     },
diff --git a/frontend/locales/en.json b/frontend/locales/en.json
@@ -64,7 +64,10 @@
         "button": "Sign out of account",
         "dialog": "Sign out of this account?"
       },
-      "title": "Your account"
+      "title": "Your account",
+      "passkeys": {
+        "title": "Passkeys"
+      }
     },
     "add_email_form": {
       "email_denied_error": "The entered email is not allowed by the server policy",
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
@@ -1662,6 +1662,10 @@ type SiteConfig implements Node {
   """
   minimumPasswordComplexity: Int!
   """
+  Whether passkeys are enabled
+  """
+  passkeysEnabled: Boolean!
+  """
   The ID of the site configuration.
   """
   id: ID!
diff --git a/frontend/src/gql/gql.ts b/frontend/src/gql/gql.ts
@@ -47,7 +47,7 @@ type Documents = {
     "\n  fragment UserEmailList_user on User {\n    hasPassword\n  }\n": typeof types.UserEmailList_UserFragmentDoc,
     "\n  fragment UserEmailList_siteConfig on SiteConfig {\n    emailChangeAllowed\n    passwordLoginEnabled\n  }\n": typeof types.UserEmailList_SiteConfigFragmentDoc,
     "\n  fragment BrowserSessionsOverview_user on User {\n    id\n\n    browserSessions(first: 0, state: ACTIVE) {\n      totalCount\n    }\n  }\n": typeof types.BrowserSessionsOverview_UserFragmentDoc,
-    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": typeof types.UserProfileDocument,
+    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": typeof types.UserProfileDocument,
     "\n  query BrowserSessionList(\n    $first: Int\n    $after: String\n    $last: Int\n    $before: String\n    $lastActive: DateFilter\n  ) {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n\n        user {\n          id\n\n          browserSessions(\n            first: $first\n            after: $after\n            last: $last\n            before: $before\n            lastActive: $lastActive\n            state: ACTIVE\n          ) {\n            totalCount\n\n            edges {\n              cursor\n              node {\n                id\n                ...BrowserSession_session\n              }\n            }\n\n            pageInfo {\n              hasNextPage\n              hasPreviousPage\n              startCursor\n              endCursor\n            }\n          }\n        }\n      }\n    }\n  }\n": typeof types.BrowserSessionListDocument,
     "\n  query SessionsOverview {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        ...BrowserSessionsOverview_user\n      }\n    }\n  }\n": typeof types.SessionsOverviewDocument,
     "\n  query AppSessionsList(\n    $before: String\n    $after: String\n    $first: Int\n    $last: Int\n    $lastActive: DateFilter\n  ) {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        appSessions(\n          before: $before\n          after: $after\n          first: $first\n          last: $last\n          lastActive: $lastActive\n          state: ACTIVE\n        ) {\n          edges {\n            cursor\n            node {\n              __typename\n              ...CompatSession_session\n              ...OAuth2Session_session\n            }\n          }\n\n          totalCount\n          pageInfo {\n            startCursor\n            endCursor\n            hasNextPage\n            hasPreviousPage\n          }\n        }\n      }\n    }\n  }\n": typeof types.AppSessionsListDocument,
@@ -101,7 +101,7 @@ const documents: Documents = {
     "\n  fragment UserEmailList_user on User {\n    hasPassword\n  }\n": types.UserEmailList_UserFragmentDoc,
     "\n  fragment UserEmailList_siteConfig on SiteConfig {\n    emailChangeAllowed\n    passwordLoginEnabled\n  }\n": types.UserEmailList_SiteConfigFragmentDoc,
     "\n  fragment BrowserSessionsOverview_user on User {\n    id\n\n    browserSessions(first: 0, state: ACTIVE) {\n      totalCount\n    }\n  }\n": types.BrowserSessionsOverview_UserFragmentDoc,
-    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": types.UserProfileDocument,
+    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": types.UserProfileDocument,
     "\n  query BrowserSessionList(\n    $first: Int\n    $after: String\n    $last: Int\n    $before: String\n    $lastActive: DateFilter\n  ) {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n\n        user {\n          id\n\n          browserSessions(\n            first: $first\n            after: $after\n            last: $last\n            before: $before\n            lastActive: $lastActive\n            state: ACTIVE\n          ) {\n            totalCount\n\n            edges {\n              cursor\n              node {\n                id\n                ...BrowserSession_session\n              }\n            }\n\n            pageInfo {\n              hasNextPage\n              hasPreviousPage\n              startCursor\n              endCursor\n            }\n          }\n        }\n      }\n    }\n  }\n": types.BrowserSessionListDocument,
     "\n  query SessionsOverview {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        ...BrowserSessionsOverview_user\n      }\n    }\n  }\n": types.SessionsOverviewDocument,
     "\n  query AppSessionsList(\n    $before: String\n    $after: String\n    $first: Int\n    $last: Int\n    $lastActive: DateFilter\n  ) {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        appSessions(\n          before: $before\n          after: $after\n          first: $first\n          last: $last\n          lastActive: $lastActive\n          state: ACTIVE\n        ) {\n          edges {\n            cursor\n            node {\n              __typename\n              ...CompatSession_session\n              ...OAuth2Session_session\n            }\n          }\n\n          totalCount\n          pageInfo {\n            startCursor\n            endCursor\n            hasNextPage\n            hasPreviousPage\n          }\n        }\n      }\n    }\n  }\n": types.AppSessionsListDocument,
@@ -254,7 +254,7 @@ export function graphql(source: "\n  fragment BrowserSessionsOverview_user on Us
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n"): typeof import('./graphql').UserProfileDocument;
+export function graphql(source: "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n"): typeof import('./graphql').UserProfileDocument;
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/src/gql/graphql.ts b/frontend/src/gql/graphql.ts
@@ -1224,6 +1224,8 @@ export type SiteConfig = Node & {
    * in use is <https://crates.io/crates/zxcvbn>.
    */
   minimumPasswordComplexity: Scalars['Int']['output'];
+  /** Whether passkeys are enabled */
+  passkeysEnabled: Scalars['Boolean']['output'];
   /** Whether passwords are enabled and users can change their own passwords. */
   passwordChangeAllowed: Scalars['Boolean']['output'];
   /** Whether passwords are enabled for login. */
@@ -1772,7 +1774,7 @@ export type UserProfileQuery = { __typename?: 'Query', viewerSession: { __typena
       { __typename?: 'User', hasPassword: boolean, emails: { __typename?: 'UserEmailConnection', totalCount: number } }
       & { ' $fragmentRefs'?: { 'AddEmailForm_UserFragment': AddEmailForm_UserFragment;'UserEmailList_UserFragment': UserEmailList_UserFragment;'AccountDeleteButton_UserFragment': AccountDeleteButton_UserFragment } }
     ) } | { __typename: 'Oauth2Session' }, siteConfig: (
-    { __typename?: 'SiteConfig', emailChangeAllowed: boolean, passwordLoginEnabled: boolean, accountDeactivationAllowed: boolean }
+    { __typename?: 'SiteConfig', emailChangeAllowed: boolean, passwordLoginEnabled: boolean, passkeysEnabled: boolean, accountDeactivationAllowed: boolean }
     & { ' $fragmentRefs'?: { 'AddEmailForm_SiteConfigFragment': AddEmailForm_SiteConfigFragment;'UserEmailList_SiteConfigFragment': UserEmailList_SiteConfigFragment;'PasswordChange_SiteConfigFragment': PasswordChange_SiteConfigFragment;'AccountDeleteButton_SiteConfigFragment': AccountDeleteButton_SiteConfigFragment } }
   ) };
 
@@ -1952,13 +1954,9 @@ export class TypedDocumentString<TResult, TVariables>
   implements DocumentTypeDecoration<TResult, TVariables>
 {
   __apiType?: DocumentTypeDecoration<TResult, TVariables>['__apiType'];
-  private value: string;
-  public __meta__?: Record<string, any> | undefined;
 
-  constructor(value: string, __meta__?: Record<string, any> | undefined) {
+  constructor(private value: string, public __meta__?: Record<string, any> | undefined) {
     super(value);
-    this.value = value;
-    this.__meta__ = __meta__;
   }
 
   toString(): string & DocumentTypeDecoration<TResult, TVariables> {
@@ -2438,6 +2436,7 @@ export const UserProfileDocument = new TypedDocumentString(`
   siteConfig {
     emailChangeAllowed
     passwordLoginEnabled
+    passkeysEnabled
     accountDeactivationAllowed
     ...AddEmailForm_siteConfig
     ...UserEmailList_siteConfig
diff --git a/frontend/src/routes/_account.index.lazy.tsx b/frontend/src/routes/_account.index.lazy.tsx
@@ -118,6 +118,16 @@ function Index(): React.ReactElement {
           </>
         )}
 
+        {siteConfig.passkeysEnabled && (
+          <>
+            <Collapsible.Section title={t("frontend.account.passkeys.title")}>
+              placeholder text
+            </Collapsible.Section>
+
+            <Separator kind="section" />
+          </>
+        )}
+
         <Collapsible.Section title={t("common.e2ee")}>
           <Text className="text-secondary" size="md">
             {t("frontend.reset_cross_signing.description")}
diff --git a/frontend/src/routes/_account.index.tsx b/frontend/src/routes/_account.index.tsx
@@ -32,6 +32,7 @@ const QUERY = graphql(/* GraphQL */ `
     siteConfig {
       emailChangeAllowed
       passwordLoginEnabled
+      passkeysEnabled
       accountDeactivationAllowed
       ...AddEmailForm_siteConfig
       ...UserEmailList_siteConfig
diff --git a/templates/pages/login.html b/templates/pages/login.html
@@ -42,11 +42,11 @@ <h1 class="title">{{ _("mas.login.headline") }}</h1>
 
       <input type="hidden" name="csrf" value="{{ csrf_token }}" />
 
-      {% call(f) field.field(label=_("common.username"), name="username", form_state=form) %}
-        <input {{ field.attributes(f) }} class="cpd-text-control" type="text" autocomplete="username" autocorrect="off" autocapitalize="off" required />
-      {% endcall %}
-
       {% if features.password_login %}
+        {% call(f) field.field(label=_("common.username"), name="username", form_state=form) %}
+          <input {{ field.attributes(f) }} class="cpd-text-control" type="text" autocomplete="username" autocorrect="off" autocapitalize="off" required />
+        {% endcall %}
+
         {% call(f) field.field(label=_("common.password"), name="password", form_state=form) %}
           <input {{ field.attributes(f) }} class="cpd-text-control" type="password" autocomplete="password" required />
         {% endcall %}
@@ -62,7 +62,15 @@ <h1 class="title">{{ _("mas.login.headline") }}</h1>
         {{ button.button(text=_("action.continue")) }}
       {% endif %}
 
-      {% if features.password_login and providers %}
+      {% if features.password_login and features.passkeys_enabled %}
+        {{ field.separator() }}
+      {% endif %}
+
+      {% if features.passkeys_enabled %}
+        {{ button.link(text=_("mas.login.with_passkey")) }}
+      {% endif %}
+
+      {% if (features.password_login or features.passkeys_enabled) and providers %}
         {{ field.separator() }}
       {% endif %}
 
diff --git a/translations/en.json b/translations/en.json

Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,7 @@ pub fn site_config_from_config(`
`214`	`214`	`captcha,`
`215`	`215`	`minimum_password_complexity: password_config.minimum_complexity(),`
`216`	`216`	`session_expiration,`
	`217`	`+ passkeys_enabled: experimental_config.passkeys,`
`217`	`218`	`})`
`218`	`219`	`}`
`219`	`220`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,12 @@ pub struct ExperimentalConfig {`
`75`	`75`	`/// Disabled by default`
`76`	`76`	`#[serde(skip_serializing_if = "Option::is_none")]`
`77`	`77`	`pub inactive_session_expiration: Option<InactiveSessionExpirationConfig>,`
	`78`	`+`
	`79`	`+ /// Experimental passkey support`
	`80`	`+ ///`
	`81`	`+ /// Disabled by default`
	`82`	`+ #[serde(default, skip_serializing_if = "std::ops::Not::not")]`
	`83`	`+ pub passkeys: bool,`
`78`	`84`	`}`
`79`	`85`
`80`	`86`	`impl Default for ExperimentalConfig {`
`@@ -83,6 +89,7 @@ impl Default for ExperimentalConfig {`
`83`	`89`	`access_token_ttl: default_token_ttl(),`
`84`	`90`	`compat_token_ttl: default_token_ttl(),`
`85`	`91`	`inactive_session_expiration: None,`
	`92`	`+ passkeys: false,`
`86`	`93`	`}`
`87`	`94`	`}`
`88`	`95`	`}`
`@@ -92,6 +99,7 @@ impl ExperimentalConfig {`
`92`	`99`	`is_default_token_ttl(&self.access_token_ttl)`
`93`	`100`	`&& is_default_token_ttl(&self.compat_token_ttl)`
`94`	`101`	`&& self.inactive_session_expiration.is_none()`
	`102`	`+ && !self.passkeys`
`95`	`103`	`}`
`96`	`104`	`}`
`97`	`105`
Original file line number	Diff line number	Diff line change
`@@ -87,4 +87,7 @@ pub struct SiteConfig {`
`87`	`87`	`pub minimum_password_complexity: u8,`
`88`	`88`
`89`	`89`	`pub session_expiration: Option<SessionExpirationConfig>,`
	`90`	`+`
	`91`	`+ /// Whether passkeys are enabled`
	`92`	`+ pub passkeys_enabled: bool,`
`90`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ pub struct SiteConfig {`
`53`	`53`	`/// The exact scorer (including dictionaries and other data tables)`
`54`	`54`	`/// in use is <https://crates.io/crates/zxcvbn>.`
`55`	`55`	`minimum_password_complexity: u8,`
	`56`	`+`
	`57`	`+ /// Whether passkeys are enabled`
	`58`	`+ passkeys_enabled: bool,`
`56`	`59`	`}`
`57`	`60`
`58`	`61`	`#[derive(SimpleObject)]`
`@@ -98,6 +101,7 @@ impl SiteConfig {`
`98`	`101`	`password_registration_enabled: data_model.password_registration_enabled,`
`99`	`102`	`account_deactivation_allowed: data_model.account_deactivation_allowed,`
`100`	`103`	`minimum_password_complexity: data_model.minimum_password_complexity,`
	`104`	`+ passkeys_enabled: data_model.passkeys_enabled,`
`101`	`105`	`}`
`102`	`106`	`}`
`103`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,7 @@ pub fn test_site_config() -> SiteConfig {`
`141`	`141`	`captcha: None,`
`142`	`142`	`minimum_password_complexity: 1,`
`143`	`143`	`session_expiration: None,`
	`144`	`+ passkeys_enabled: false,`
`144`	`145`	`}`
`145`	`146`	`}`
`146`	`147`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ impl SiteConfigExt for SiteConfig {`
`47`	`47`	`password_registration: self.password_registration_enabled,`
`48`	`48`	`password_login: self.password_login_enabled,`
`49`	`49`	`account_recovery: self.account_recovery_allowed,`
	`50`	`+ passkeys_enabled: self.passkeys_enabled,`
`50`	`51`	`}`
`51`	`52`	`}`
`52`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ use minijinja::{`
`13`	`13`
`14`	`14`	`/// Site features information.`
`15`	`15`	`#[derive(Debug, Clone, Copy, PartialEq, Eq)]`
	`16`	`+#[allow(clippy::struct_excessive_bools)]`
`16`	`17`	`pub struct SiteFeatures {`
`17`	`18`	`/// Whether local password-based registration is enabled.`
`18`	`19`	`pub password_registration: bool,`
`@@ -22,6 +23,9 @@ pub struct SiteFeatures {`
`22`	`23`
`23`	`24`	`/// Whether email-based account recovery is enabled.`
`24`	`25`	`pub account_recovery: bool,`
	`26`	`+`
	`27`	`+ /// Whether passkeys are enabled`
	`28`	`+ pub passkeys_enabled: bool,`
`25`	`29`	`}`
`26`	`30`
`27`	`31`	`impl Object for SiteFeatures {`
`@@ -30,6 +34,7 @@ impl Object for SiteFeatures {`
`30`	`34`	`"password_registration" => Some(Value::from(self.password_registration)),`
`31`	`35`	`"password_login" => Some(Value::from(self.password_login)),`
`32`	`36`	`"account_recovery" => Some(Value::from(self.account_recovery)),`
	`37`	`+ "passkeys_enabled" => Some(Value::from(self.passkeys_enabled)),`
`33`	`38`	`_ => None,`
`34`	`39`	`}`
`35`	`40`	`}`
`@@ -39,6 +44,7 @@ impl Object for SiteFeatures {`
`39`	`44`	`"password_registration",`
`40`	`45`	`"password_login",`
`41`	`46`	`"account_recovery",`
	`47`	`+ "passkeys_enabled",`
`42`	`48`	`])`
`43`	`49`	`}`
`44`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2495,6 +2495,10 @@`
`2495`	`2495`	`"$ref": "#/definitions/InactiveSessionExpirationConfig"`
`2496`	`2496`	`}`
`2497`	`2497`	`]`
	`2498`	`+ },`
	`2499`	`+ "passkeys": {`
	`2500`	`+ "description": "Experimental passkey support\n\nDisabled by default",`
	`2501`	`+ "type": "boolean"`
`2498`	`2502`	`}`
`2499`	`2503`	`}`
`2500`	`2504`	`},`