Skip to content

feat: WebAuthn/passkey support on Linux via electron-webauthn-linux #2337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
phelix001 wants to merge 9 commits into
base: develop
Choose a base branch
from
+184 −4
Open

feat: WebAuthn/passkey support on Linux via electron-webauthn-linux #2337

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
11c1868
fix: add explicit permission handlers for service webview sessions
phelix001 Feb 11, 2026
e422b73
feat: integrate electron-webauthn-linux for passkey support on Linux
phelix001 Feb 11, 2026
ade7de3
fix: conditionally inject WebAuthn page script only when credentials …
phelix001 Feb 16, 2026
c11d8a7
feat: extend WebAuthn CDP injection to popup windows
phelix001 Feb 17, 2026
b1db549
fix: address Copilot review -- remove DIAG, fix eTLD+1, fix comment
phelix001 Feb 24, 2026
f4a7561
Merge branch 'develop' into fix/webview-permission-handlers
phelix001 Feb 24, 2026
ec6b7d6
chore: replace file: dependency with published electron-webauthn-linu…
phelix001 Feb 24, 2026
9c4ec9e
fix: replace CDP debugger with preload-based WebAuthn injection
phelix001 Feb 28, 2026
0781c76
chore: bump electron-webauthn-linux to 0.1.1
phelix001 Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@
"electron-find": "1.0.7",
"electron-react-titlebar": "1.2.1",
"electron-updater": "6.3.9",
"electron-webauthn-linux": "0.1.1",
"electron-window-state": "5.0.3",
"fast-folder-size": "2.2.0",
"fs-extra": "11.2.0",
Expand Down Expand Up @@ -127,6 +128,7 @@
"sqlite3": "5.1.6",
"tar": "6.2.1",
"tinycolor2": "1.6.0",
"tldts": "7.0.23",
"tslib": "2.7.0",
"useragent-generator": "1.1.1-amkt-22079-finish.0",
"uuid": "9.0.1",
Expand Down
29 changes: 29 additions & 0 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion src/components/util/ErrorBoundary/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ class ErrorBoundary extends Component<ErrorBoundaryProps, ErrorBoundaryState> {
};
}

componentDidCatch(): void {
componentDidCatch(error: Error, errorInfo: React.ErrorInfo): void {
console.error('ErrorBoundary caught:', error);
console.error('Component stack:', errorInfo.componentStack);
this.setState({ hasError: true });
}

Expand Down
97 changes: 97 additions & 0 deletions src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,12 @@ import {
} from 'electron';

import { initialize } from 'electron-react-titlebar/main';
import { setupWebAuthn } from 'electron-webauthn-linux';
import windowStateKeeper from 'electron-window-state';
import { emptyDirSync, ensureFileSync } from 'fs-extra';
import minimist from 'minimist';
import ms from 'ms';
import { getDomain } from 'tldts';
import { enableWebContents, initializeRemote } from './electron-util';
import enforceMacOSAppLocation from './enforce-macos-app-location';

Expand Down Expand Up @@ -257,7 +259,92 @@ const createWindow = () => {
app.on('web-contents-created', (_e, contents) => {
if (contents.getType() === 'webview') {
enableWebContents(contents);

// Set permission handlers on service webview sessions.
// setPermissionRequestHandler allows safe permissions and denies unknown ones.
// setPermissionCheckHandler additionally allows hid/serial/usb feature detection
// (actual device access is gated by select-hid-device/select-usb-device events).
const ses = contents.session;
if (!(ses as any)._permissionHandlersSet) {
(ses as any)._permissionHandlersSet = true;

ses.setPermissionRequestHandler((webContents, permission, callback) => {
const allowedPermissions = [
'media',
'notifications',
'fullscreen',
'pointerLock',
'display-capture',
'idle-detection',
'clipboard-read',
'clipboard-sanitized-write',
'speaker-selection',
];

if (allowedPermissions.includes(permission)) {
callback(true);
return;
}

debug(
`Denied permission request: ${permission} from ${webContents?.getURL()}`,
);
callback(false);
});

ses.setPermissionCheckHandler((_webContents, permission) => {
const allowedChecks = [
'media',
'notifications',
'fullscreen',
'pointerLock',
'display-capture',
'idle-detection',
'clipboard-read',
'clipboard-sanitized-write',
'hid',
'serial',
'usb',
'speaker-selection',
];

return allowedChecks.includes(permission);
});
}

contents.setWindowOpenHandler(({ url }) => {
// Allow same-domain popups (e.g. Google auth) to open
// as child windows within Ferdium instead of the external browser.
// Uses tldts for correct eTLD+1 matching (handles .co.uk, .com.au, etc.)
try {
const popupHost = new URL(url).hostname;
const currentHost = new URL(contents.getURL()).hostname;
const popupDomain = getDomain(popupHost);
const currentDomain = getDomain(currentHost);
if (popupDomain && currentDomain && popupDomain === currentDomain) {
// On Linux, give popup windows a WebAuthn preload so passkey
// flows work in auth popups (they don't get the recipe preload).
if (isLinux) {
return {
action: 'allow',
overrideBrowserWindowOptions: {
webPreferences: {
preload: join(
__dirname,
'webview',
'webauthn-popup-preload.js',
),
contextIsolation: true,
sandbox: true,
},
},
};
}
return { action: 'allow' };
}
} catch {
// fall through
}
openExternalUrl(url);
return { action: 'deny' };
});
Expand Down Expand Up @@ -531,6 +618,16 @@ app.on('ready', () => {

initialize();

// Initialize WebAuthn/passkey support on Linux
if (isLinux) {
setupWebAuthn({
storagePath: userDataPath(),
enableHardwareKeys: true,
}).catch(error => {
debug('WebAuthn setup failed:', error.message);
});
}

createWindow();
});

Expand Down
5 changes: 2 additions & 3 deletions src/stores/AppStore.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -410,9 +410,8 @@ export default class AppStore extends TypedStore {
}

_readSandboxes() {
this.sandboxServices = readJsonSync(
userDataPath('config', 'sandboxes.json'),
);
const data = readJsonSync(userDataPath('config', 'sandboxes.json'));
this.sandboxServices = Array.isArray(data) ? data : [];
}

_writeSandboxes() {
Expand Down
23 changes: 23 additions & 0 deletions src/webview/recipe.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,29 @@ contextBridge.exposeInMainWorld('ferdium', {
getDisplayMediaSelector,
});

// WebAuthn/passkey support on Linux.
// Expose the IPC bridge and inject the page script into the main world
// BEFORE page scripts run, so navigator.credentials is patched in time.
if (process.platform === 'linux') {
contextBridge.exposeInMainWorld('electronWebAuthn', {
create: (options: any) => ipcRenderer.invoke('webauthn:create', options),
get: (options: any) => ipcRenderer.invoke('webauthn:get', options),
hasCredentials: (rpId: string) =>
ipcRenderer.invoke('webauthn:hasCredentials', rpId),
});

// Inject page script at document-start (before any page JS).
// The <script> element runs in the main world (world 0), not the
// isolated preload world, which is what we need for monkey-patching.
const { webauthnPageScript } = require('electron-webauthn-linux');
process.once('document-start', () => {
const script = document.createElement('script');
script.textContent = webauthnPageScript;
document.documentElement.append(script);
script.remove();
});
}

ipcRenderer.sendToHost(
'inject-js-unsafe',
'window.open = window.ferdium.open;',
Expand Down
28 changes: 28 additions & 0 deletions src/webview/webauthn-popup-preload.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/**
* Minimal preload for popup windows (e.g. Google auth popups) on Linux.
* Injects the WebAuthn page script into the main world via DOM script element
* and exposes the electronWebAuthn IPC bridge via contextBridge.
*
* This runs in popup BrowserWindows opened by setWindowOpenHandler with
* { action: 'allow' } -- these windows don't get the recipe preload.
*/
import { contextBridge, ipcRenderer } from 'electron';
import { webauthnPageScript } from 'electron-webauthn-linux';

// Inject the WebAuthn page script into the main world BEFORE page scripts run.
// process.once('document-start') fires at document creation, before any <script> tags.
// The DOM <script> element executes in world 0 (main world), not the isolated preload world.
process.once('document-start', () => {
const script = document.createElement('script');
script.textContent = webauthnPageScript;
document.documentElement.append(script);
script.remove();
});

// Expose the IPC bridge so the page script can route WebAuthn calls to main process.
contextBridge.exposeInMainWorld('electronWebAuthn', {
create: (options: any) => ipcRenderer.invoke('webauthn:create', options),
get: (options: any) => ipcRenderer.invoke('webauthn:get', options),
hasCredentials: (rpId: string) =>
ipcRenderer.invoke('webauthn:hasCredentials', rpId),
});