Experimental configuration toggle for passkeys

tonkku107 · tonkku107 · commit f05916f81234 · 2025-08-19T11:58:51.000+03:00
diff --git a/crates/cli/src/util.rs b/crates/cli/src/util.rs
@@ -222,6 +222,10 @@ pub fn site_config_from_config(
         minimum_password_complexity: password_config.minimum_complexity(),
         session_expiration,
         login_with_email_allowed: account_config.login_with_email_allowed,
+        passkeys_enabled: experimental_config
+            .passkeys
+            .as_ref()
+            .is_some_and(|c| c.enabled),
     })
 }
 
diff --git a/crates/config/src/sections/experimental.rs b/crates/config/src/sections/experimental.rs
@@ -45,6 +45,15 @@ pub struct InactiveSessionExpirationConfig {
     pub expire_user_sessions: bool,
 }
 
+/// Configuration options for passkeys
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
+pub struct PasskeysConfig {
+    /// Whether passkeys are enabled or not
+    #[serde(default)]
+    pub enabled: bool,
+}
+
 /// Configuration sections for experimental options
 ///
 /// Do not change these options unless you know what you are doing.
@@ -75,6 +84,12 @@ pub struct ExperimentalConfig {
     /// Disabled by default
     #[serde(skip_serializing_if = "Option::is_none")]
     pub inactive_session_expiration: Option<InactiveSessionExpirationConfig>,
+
+    /// Experimental passkey support
+    ///
+    /// Disabled by default
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub passkeys: Option<PasskeysConfig>,
 }
 
 impl Default for ExperimentalConfig {
@@ -83,6 +98,7 @@ impl Default for ExperimentalConfig {
             access_token_ttl: default_token_ttl(),
             compat_token_ttl: default_token_ttl(),
             inactive_session_expiration: None,
+            passkeys: None,
         }
     }
 }
@@ -92,6 +108,7 @@ impl ExperimentalConfig {
         is_default_token_ttl(&self.access_token_ttl)
             && is_default_token_ttl(&self.compat_token_ttl)
             && self.inactive_session_expiration.is_none()
+            && self.passkeys.is_none()
     }
 }
 
diff --git a/crates/data-model/src/site_config.rs b/crates/data-model/src/site_config.rs
@@ -90,4 +90,7 @@ pub struct SiteConfig {
 
     /// Whether users can log in with their email address.
     pub login_with_email_allowed: bool,
+
+    /// Whether passkeys are enabled
+    pub passkeys_enabled: bool,
 }
diff --git a/crates/handlers/src/graphql/model/site_config.rs b/crates/handlers/src/graphql/model/site_config.rs
@@ -56,6 +56,9 @@ pub struct SiteConfig {
 
     /// Whether users can log in with their email address.
     login_with_email_allowed: bool,
+
+    /// Whether passkeys are enabled
+    passkeys_enabled: bool,
 }
 
 #[derive(SimpleObject)]
@@ -102,6 +105,7 @@ impl SiteConfig {
             account_deactivation_allowed: data_model.account_deactivation_allowed,
             minimum_password_complexity: data_model.minimum_password_complexity,
             login_with_email_allowed: data_model.login_with_email_allowed,
+            passkeys_enabled: data_model.passkeys_enabled,
         }
     }
 }
diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
@@ -145,6 +145,7 @@ pub fn test_site_config() -> SiteConfig {
         minimum_password_complexity: 1,
         session_expiration: None,
         login_with_email_allowed: true,
+        passkeys_enabled: false,
     }
 }
 
diff --git a/crates/handlers/src/views/login.rs b/crates/handlers/src/views/login.rs
@@ -99,9 +99,10 @@ pub(crate) async fn get(
 
     let providers = repo.upstream_oauth_provider().all_enabled().await?;
 
-    // If password-based login is disabled, and there is only one upstream provider,
-    // we can directly start an authorization flow
-    if !site_config.password_login_enabled && providers.len() == 1 {
+    // If password-based login and passkeys are disabled, and there is only one
+    // upstream provider, we can directly start an authorization flow
+    if !site_config.password_login_enabled && !site_config.passkeys_enabled && providers.len() == 1
+    {
         let provider = providers.into_iter().next().unwrap();
 
         let mut destination = UpstreamOAuth2Authorize::new(provider.id);
diff --git a/crates/templates/src/context/ext.rs b/crates/templates/src/context/ext.rs
@@ -48,6 +48,7 @@ impl SiteConfigExt for SiteConfig {
             password_login: self.password_login_enabled,
             account_recovery: self.account_recovery_allowed,
             login_with_email_allowed: self.login_with_email_allowed,
+            passkeys_enabled: self.passkeys_enabled,
         }
     }
 }
diff --git a/crates/templates/src/context/features.rs b/crates/templates/src/context/features.rs
@@ -26,6 +26,9 @@ pub struct SiteFeatures {
 
     /// Whether users can log in with their email address.
     pub login_with_email_allowed: bool,
+
+    /// Whether passkeys are enabled
+    pub passkeys_enabled: bool,
 }
 
 impl Object for SiteFeatures {
@@ -35,6 +38,7 @@ impl Object for SiteFeatures {
             "password_login" => Some(Value::from(self.password_login)),
             "account_recovery" => Some(Value::from(self.account_recovery)),
             "login_with_email_allowed" => Some(Value::from(self.login_with_email_allowed)),
+            "passkeys_enabled" => Some(Value::from(self.passkeys_enabled)),
             _ => None,
         }
     }
@@ -45,6 +49,7 @@ impl Object for SiteFeatures {
             "password_login",
             "account_recovery",
             "login_with_email_allowed",
+            "passkeys_enabled",
         ])
     }
 }
diff --git a/crates/templates/src/lib.rs b/crates/templates/src/lib.rs
@@ -494,6 +494,7 @@ mod tests {
             password_registration: true,
             account_recovery: true,
             login_with_email_allowed: true,
+            passkeys_enabled: true,
         };
         let vite_manifest_path =
             Utf8Path::new(env!("CARGO_MANIFEST_DIR")).join("../../frontend/dist/manifest.json");
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -2561,6 +2561,14 @@
               "$ref": "#/definitions/InactiveSessionExpirationConfig"
             }
           ]
+        },
+        "passkeys": {
+          "description": "Experimental passkey support\n\nDisabled by default",
+          "allOf": [
+            {
+              "$ref": "#/definitions/PasskeysConfig"
+            }
+          ]
         }
       }
     },
@@ -2594,6 +2602,17 @@
           "type": "boolean"
         }
       }
+    },
+    "PasskeysConfig": {
+      "description": "Configuration options for passkeys",
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "description": "Whether passkeys are enabled or not",
+          "default": false,
+          "type": "boolean"
+        }
+      }
     }
   }
 }
diff --git a/frontend/locales/en.json b/frontend/locales/en.json
@@ -64,7 +64,10 @@
         "button": "Sign out of account",
         "dialog": "Sign out of this account?"
       },
-      "title": "Your account"
+      "title": "Your account",
+      "passkeys": {
+        "title": "Passkeys"
+      }
     },
     "add_email_form": {
       "email_denied_error": "The entered email is not allowed by the server policy",
diff --git a/frontend/schema.graphql b/frontend/schema.graphql
@@ -1758,6 +1758,10 @@ type SiteConfig implements Node {
   """
   loginWithEmailAllowed: Boolean!
   """
+  Whether passkeys are enabled
+  """
+  passkeysEnabled: Boolean!
+  """
   The ID of the site configuration.
   """
   id: ID!
diff --git a/frontend/src/gql/gql.ts b/frontend/src/gql/gql.ts
@@ -49,7 +49,7 @@ type Documents = {
     "\n  fragment UserEmailList_user on User {\n    hasPassword\n  }\n": typeof types.UserEmailList_UserFragmentDoc,
     "\n  fragment UserEmailList_siteConfig on SiteConfig {\n    emailChangeAllowed\n    passwordLoginEnabled\n  }\n": typeof types.UserEmailList_SiteConfigFragmentDoc,
     "\n  fragment BrowserSessionsOverview_user on User {\n    id\n\n    browserSessions(first: 0, state: ACTIVE) {\n      totalCount\n    }\n  }\n": typeof types.BrowserSessionsOverview_UserFragmentDoc,
-    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": typeof types.UserProfileDocument,
+    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": typeof types.UserProfileDocument,
     "\n  query BrowserSessionList(\n    $first: Int\n    $after: String\n    $last: Int\n    $before: String\n    $lastActive: DateFilter\n  ) {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n\n        user {\n          id\n\n          browserSessions(\n            first: $first\n            after: $after\n            last: $last\n            before: $before\n            lastActive: $lastActive\n            state: ACTIVE\n          ) {\n            totalCount\n\n            edges {\n              cursor\n              node {\n                id\n                ...BrowserSession_session\n              }\n            }\n\n            pageInfo {\n              hasNextPage\n              hasPreviousPage\n              startCursor\n              endCursor\n            }\n          }\n        }\n      }\n    }\n  }\n": typeof types.BrowserSessionListDocument,
     "\n  query SessionsOverview {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        ...BrowserSessionsOverview_user\n      }\n    }\n  }\n": typeof types.SessionsOverviewDocument,
     "\n  query AppSessionsList(\n    $before: String\n    $after: String\n    $first: Int\n    $last: Int\n    $lastActive: DateFilter\n  ) {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        appSessions(\n          before: $before\n          after: $after\n          first: $first\n          last: $last\n          lastActive: $lastActive\n          state: ACTIVE\n        ) {\n          edges {\n            cursor\n            node {\n              __typename\n              ...CompatSession_session\n              ...OAuth2Session_session\n            }\n          }\n\n          totalCount\n          pageInfo {\n            startCursor\n            endCursor\n            hasNextPage\n            hasPreviousPage\n          }\n        }\n      }\n    }\n  }\n": typeof types.AppSessionsListDocument,
@@ -105,7 +105,7 @@ const documents: Documents = {
     "\n  fragment UserEmailList_user on User {\n    hasPassword\n  }\n": types.UserEmailList_UserFragmentDoc,
     "\n  fragment UserEmailList_siteConfig on SiteConfig {\n    emailChangeAllowed\n    passwordLoginEnabled\n  }\n": types.UserEmailList_SiteConfigFragmentDoc,
     "\n  fragment BrowserSessionsOverview_user on User {\n    id\n\n    browserSessions(first: 0, state: ACTIVE) {\n      totalCount\n    }\n  }\n": types.BrowserSessionsOverview_UserFragmentDoc,
-    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": types.UserProfileDocument,
+    "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n": types.UserProfileDocument,
     "\n  query BrowserSessionList(\n    $first: Int\n    $after: String\n    $last: Int\n    $before: String\n    $lastActive: DateFilter\n  ) {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n\n        user {\n          id\n\n          browserSessions(\n            first: $first\n            after: $after\n            last: $last\n            before: $before\n            lastActive: $lastActive\n            state: ACTIVE\n          ) {\n            totalCount\n\n            edges {\n              cursor\n              node {\n                id\n                ...BrowserSession_session\n              }\n            }\n\n            pageInfo {\n              hasNextPage\n              hasPreviousPage\n              startCursor\n              endCursor\n            }\n          }\n        }\n      }\n    }\n  }\n": types.BrowserSessionListDocument,
     "\n  query SessionsOverview {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        ...BrowserSessionsOverview_user\n      }\n    }\n  }\n": types.SessionsOverviewDocument,
     "\n  query AppSessionsList(\n    $before: String\n    $after: String\n    $first: Int\n    $last: Int\n    $lastActive: DateFilter\n  ) {\n    viewer {\n      __typename\n\n      ... on User {\n        id\n        appSessions(\n          before: $before\n          after: $after\n          first: $first\n          last: $last\n          lastActive: $lastActive\n          state: ACTIVE\n        ) {\n          edges {\n            cursor\n            node {\n              __typename\n              ...CompatSession_session\n              ...OAuth2Session_session\n            }\n          }\n\n          totalCount\n          pageInfo {\n            startCursor\n            endCursor\n            hasNextPage\n            hasPreviousPage\n          }\n        }\n      }\n    }\n  }\n": types.AppSessionsListDocument,
@@ -266,7 +266,7 @@ export function graphql(source: "\n  fragment BrowserSessionsOverview_user on Us
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n"): typeof import('./graphql').UserProfileDocument;
+export function graphql(source: "\n  query UserProfile {\n    viewerSession {\n      __typename\n      ... on BrowserSession {\n        id\n        user {\n          ...AddEmailForm_user\n          ...UserEmailList_user\n          ...AccountDeleteButton_user\n          hasPassword\n          emails(first: 0) {\n            totalCount\n          }\n        }\n      }\n    }\n\n    siteConfig {\n      emailChangeAllowed\n      passwordLoginEnabled\n      passkeysEnabled\n      accountDeactivationAllowed\n      ...AddEmailForm_siteConfig\n      ...UserEmailList_siteConfig\n      ...PasswordChange_siteConfig\n      ...AccountDeleteButton_siteConfig\n    }\n  }\n"): typeof import('./graphql').UserProfileDocument;
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/src/gql/graphql.ts b/frontend/src/gql/graphql.ts
@@ -1290,6 +1290,8 @@ export type SiteConfig = Node & {
    * in use is <https://crates.io/crates/zxcvbn>.
    */
   minimumPasswordComplexity: Scalars['Int']['output'];
+  /** Whether passkeys are enabled */
+  passkeysEnabled: Scalars['Boolean']['output'];
   /** Whether passwords are enabled and users can change their own passwords. */
   passwordChangeAllowed: Scalars['Boolean']['output'];
   /** Whether passwords are enabled for login. */
@@ -1854,7 +1856,7 @@ export type UserProfileQuery = { __typename?: 'Query', viewerSession: { __typena
       { __typename?: 'User', hasPassword: boolean, emails: { __typename?: 'UserEmailConnection', totalCount: number } }
       & { ' $fragmentRefs'?: { 'AddEmailForm_UserFragment': AddEmailForm_UserFragment;'UserEmailList_UserFragment': UserEmailList_UserFragment;'AccountDeleteButton_UserFragment': AccountDeleteButton_UserFragment } }
     ) } | { __typename: 'Oauth2Session' }, siteConfig: (
-    { __typename?: 'SiteConfig', emailChangeAllowed: boolean, passwordLoginEnabled: boolean, accountDeactivationAllowed: boolean }
+    { __typename?: 'SiteConfig', emailChangeAllowed: boolean, passwordLoginEnabled: boolean, passkeysEnabled: boolean, accountDeactivationAllowed: boolean }
     & { ' $fragmentRefs'?: { 'AddEmailForm_SiteConfigFragment': AddEmailForm_SiteConfigFragment;'UserEmailList_SiteConfigFragment': UserEmailList_SiteConfigFragment;'PasswordChange_SiteConfigFragment': PasswordChange_SiteConfigFragment;'AccountDeleteButton_SiteConfigFragment': AccountDeleteButton_SiteConfigFragment } }
   ) };
 
@@ -2542,6 +2544,7 @@ export const UserProfileDocument = new TypedDocumentString(`
   siteConfig {
     emailChangeAllowed
     passwordLoginEnabled
+    passkeysEnabled
     accountDeactivationAllowed
     ...AddEmailForm_siteConfig
     ...UserEmailList_siteConfig
diff --git a/frontend/src/routes/_account.index.tsx b/frontend/src/routes/_account.index.tsx
@@ -51,6 +51,7 @@ const QUERY = graphql(/* GraphQL */ `
     siteConfig {
       emailChangeAllowed
       passwordLoginEnabled
+      passkeysEnabled
       accountDeactivationAllowed
       ...AddEmailForm_siteConfig
       ...UserEmailList_siteConfig
@@ -227,6 +228,16 @@ function Index(): React.ReactElement {
           </>
         )}
 
+        {siteConfig.passkeysEnabled && (
+          <>
+            <Collapsible.Section title={t("frontend.account.passkeys.title")}>
+              placeholder text
+            </Collapsible.Section>
+
+            <Separator kind="section" />
+          </>
+        )}
+
         <Collapsible.Section title={t("common.e2ee")}>
           <Text className="text-secondary" size="md">
             {t("frontend.reset_cross_signing.description")}
diff --git a/templates/pages/login.html b/templates/pages/login.html
diff --git a/translations/en.json b/translations/en.json

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,15 @@ pub struct InactiveSessionExpirationConfig {`
`45`	`45`	`pub expire_user_sessions: bool,`
`46`	`46`	`}`
`47`	`47`
	`48`	`+/// Configuration options for passkeys`
	`49`	`+#[serde_as]`
	`50`	`+#[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]`
	`51`	`+pub struct PasskeysConfig {`
	`52`	`+ /// Whether passkeys are enabled or not`
	`53`	`+ #[serde(default)]`
	`54`	`+ pub enabled: bool,`
	`55`	`+}`
	`56`	`+`
`48`	`57`	`/// Configuration sections for experimental options`
`49`	`58`	`///`
`50`	`59`	`/// Do not change these options unless you know what you are doing.`
`@@ -75,6 +84,12 @@ pub struct ExperimentalConfig {`
`75`	`84`	`/// Disabled by default`
`76`	`85`	`#[serde(skip_serializing_if = "Option::is_none")]`
`77`	`86`	`pub inactive_session_expiration: Option<InactiveSessionExpirationConfig>,`
	`87`	`+`
	`88`	`+ /// Experimental passkey support`
	`89`	`+ ///`
	`90`	`+ /// Disabled by default`
	`91`	`+ #[serde(skip_serializing_if = "Option::is_none")]`
	`92`	`+ pub passkeys: Option<PasskeysConfig>,`
`78`	`93`	`}`
`79`	`94`
`80`	`95`	`impl Default for ExperimentalConfig {`
`@@ -83,6 +98,7 @@ impl Default for ExperimentalConfig {`
`83`	`98`	`access_token_ttl: default_token_ttl(),`
`84`	`99`	`compat_token_ttl: default_token_ttl(),`
`85`	`100`	`inactive_session_expiration: None,`
	`101`	`+ passkeys: None,`
`86`	`102`	`}`
`87`	`103`	`}`
`88`	`104`	`}`
`@@ -92,6 +108,7 @@ impl ExperimentalConfig {`
`92`	`108`	`is_default_token_ttl(&self.access_token_ttl)`
`93`	`109`	`&& is_default_token_ttl(&self.compat_token_ttl)`
`94`	`110`	`&& self.inactive_session_expiration.is_none()`
	`111`	`+ && self.passkeys.is_none()`
`95`	`112`	`}`
`96`	`113`	`}`
`97`	`114`
Original file line number	Diff line number	Diff line change
`@@ -90,4 +90,7 @@ pub struct SiteConfig {`
`90`	`90`
`91`	`91`	`/// Whether users can log in with their email address.`
`92`	`92`	`pub login_with_email_allowed: bool,`
	`93`	`+`
	`94`	`+ /// Whether passkeys are enabled`
	`95`	`+ pub passkeys_enabled: bool,`
`93`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,9 @@ pub struct SiteConfig {`
`56`	`56`
`57`	`57`	`/// Whether users can log in with their email address.`
`58`	`58`	`login_with_email_allowed: bool,`
	`59`	`+`
	`60`	`+ /// Whether passkeys are enabled`
	`61`	`+ passkeys_enabled: bool,`
`59`	`62`	`}`
`60`	`63`
`61`	`64`	`#[derive(SimpleObject)]`
`@@ -102,6 +105,7 @@ impl SiteConfig {`
`102`	`105`	`account_deactivation_allowed: data_model.account_deactivation_allowed,`
`103`	`106`	`minimum_password_complexity: data_model.minimum_password_complexity,`
`104`	`107`	`login_with_email_allowed: data_model.login_with_email_allowed,`
	`108`	`+ passkeys_enabled: data_model.passkeys_enabled,`
`105`	`109`	`}`
`106`	`110`	`}`
`107`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,7 @@ pub fn test_site_config() -> SiteConfig {`
`145`	`145`	`minimum_password_complexity: 1,`
`146`	`146`	`session_expiration: None,`
`147`	`147`	`login_with_email_allowed: true,`
	`148`	`+ passkeys_enabled: false,`
`148`	`149`	`}`
`149`	`150`	`}`
`150`	`151`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ impl SiteConfigExt for SiteConfig {`
`48`	`48`	`password_login: self.password_login_enabled,`
`49`	`49`	`account_recovery: self.account_recovery_allowed,`
`50`	`50`	`login_with_email_allowed: self.login_with_email_allowed,`
	`51`	`+ passkeys_enabled: self.passkeys_enabled,`
`51`	`52`	`}`
`52`	`53`	`}`
`53`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ pub struct SiteFeatures {`
`26`	`26`
`27`	`27`	`/// Whether users can log in with their email address.`
`28`	`28`	`pub login_with_email_allowed: bool,`
	`29`	`+`
	`30`	`+ /// Whether passkeys are enabled`
	`31`	`+ pub passkeys_enabled: bool,`
`29`	`32`	`}`
`30`	`33`
`31`	`34`	`impl Object for SiteFeatures {`
`@@ -35,6 +38,7 @@ impl Object for SiteFeatures {`
`35`	`38`	`"password_login" => Some(Value::from(self.password_login)),`
`36`	`39`	`"account_recovery" => Some(Value::from(self.account_recovery)),`
`37`	`40`	`"login_with_email_allowed" => Some(Value::from(self.login_with_email_allowed)),`
	`41`	`+ "passkeys_enabled" => Some(Value::from(self.passkeys_enabled)),`
`38`	`42`	`_ => None,`
`39`	`43`	`}`
`40`	`44`	`}`
`@@ -45,6 +49,7 @@ impl Object for SiteFeatures {`
`45`	`49`	`"password_login",`
`46`	`50`	`"account_recovery",`
`47`	`51`	`"login_with_email_allowed",`
	`52`	`+ "passkeys_enabled",`
`48`	`53`	`])`
`49`	`54`	`}`
`50`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2561,6 +2561,14 @@`
`2561`	`2561`	`"$ref": "#/definitions/InactiveSessionExpirationConfig"`
`2562`	`2562`	`}`
`2563`	`2563`	`]`
	`2564`	`+ },`
	`2565`	`+ "passkeys": {`
	`2566`	`+ "description": "Experimental passkey support\n\nDisabled by default",`
	`2567`	`+ "allOf": [`
	`2568`	`+ {`
	`2569`	`+ "$ref": "#/definitions/PasskeysConfig"`
	`2570`	`+ }`
	`2571`	`+ ]`
`2564`	`2572`	`}`
`2565`	`2573`	`}`
`2566`	`2574`	`},`
`@@ -2594,6 +2602,17 @@`
`2594`	`2602`	`"type": "boolean"`
`2595`	`2603`	`}`
`2596`	`2604`	`}`
	`2605`	`+ },`
	`2606`	`+ "PasskeysConfig": {`
	`2607`	`+ "description": "Configuration options for passkeys",`
	`2608`	`+ "type": "object",`
	`2609`	`+ "properties": {`
	`2610`	`+ "enabled": {`
	`2611`	`+ "description": "Whether passkeys are enabled or not",`
	`2612`	`+ "default": false,`
	`2613`	`+ "type": "boolean"`
	`2614`	`+ }`
	`2615`	`+ }`
`2597`	`2616`	`}`
`2598`	`2617`	`}`
`2599`	`2618`	`}`