Skip to content

Implement WebAuthn signals #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

Implement WebAuthn signals #96

wants to merge 21 commits into from

Conversation

@Stormheg
Copy link
Member

@Stormheg Stormheg commented Oct 24, 2025

Refs: #38

@codecov
Copy link

codecov bot commented Oct 24, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.0%. Comparing base (51b2050) to head (7174f1b).
⚠️ Report is 35 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #96   +/-   ##
=======================================
  Coverage   100.0%   100.0%           
=======================================
  Files          13       13           
  Lines         747      777   +30     
  Branches       65       65           
=======================================
+ Hits          747      777   +30

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Stormheg
Update node dependencies
efca73b
@Stormheg
Remove deprecated pip flag
db3b8f0
@Stormheg
Add ability to signal unknown credentials to the browser
362c8f0 
Refs: Stormbase#38
@Stormheg
Show response data in case of assertion failure
0db000c
@Stormheg
Fix coverage run documentation
c40570f
@Stormheg
Add support for signaling current user details and credentials
5c57f1d 
Refs: Stormbase#38
This uses the `PublicKeyCredential.signalCurrentUserDetails`
and `PublicKeyCredential.signalAllAcceptedCredentials` browser apis
to 'sync' user details like name and currently registered credentials.

This is useful to stop the browser from suggesting a credential was
removed and to ensure saved information like a username remains
up-to-date.
@Stormheg
Add properties to base64 encode handle and credential id
51e23d6
@Stormheg
Fix selector bug
d0365af
@Stormheg
Add playwright_manipulate_session fixture
5ad9d80 
And update `playwright_force_login` to use it.
@Stormheg
Reimplement wait_for_console_message fixture
ac0a496 
To support waiting for multiple messages at the same time.

This code was 90% generated by Copilot.
@Stormheg
Add test for checking WebAuthn signal apis are called
d408069
@Stormheg
Add user-facing error message when security error occurs...
9238525 
...during passkey verification through the button.
@Stormheg
Avoid final newlines in templatetag templates
7be1db9 
Don't need no noise.
@Stormheg
fixup! Add support for signaling current user details and credentials
10881b3
@Stormheg
Request user details sync after Passkey login and registration
36789b4
@Stormheg Stormheg force-pushed the feature/38-use-webauthn-signal-api branch 2 times, most recently from 643e81f to 2a840eb Compare November 22, 2025 16:15
Stormheg added a commit to Stormheg/django-otp-webauthn that referenced this pull request Nov 22, 2025
@Stormheg
Update changelog entry for Stormbase#96
461f2a6
Stormheg added a commit to Stormheg/django-otp-webauthn that referenced this pull request Nov 22, 2025
@Stormheg
Update changelog entry for Stormbase#96
4d7af41
@Stormheg Stormheg force-pushed the feature/38-use-webauthn-signal-api branch from 461f2a6 to 4d7af41 Compare November 22, 2025 16:27
@Stormheg Stormheg force-pushed the feature/38-use-webauthn-signal-api branch from 4d7af41 to 39f3153 Compare November 22, 2025 16:34
@Stormheg Stormheg marked this pull request as ready for review November 22, 2025 16:36
@activus-d activus-d self-requested a review November 25, 2025 07:03
activus-d
activus-d reviewed Nov 25, 2025
View reviewed changes
docs/how_to_guides/keeping_passkeys_in_sync.rst
Comment on lines +120 to +140
How does this work from a technical perspective?
------------------------------------------------

The ``render_otp_webauthn_sync_signals_scripts`` template tag is a convenience
wrapper that ends up calling the
``PublicKeyCredential.signalAllAcceptedCredentials`` and
``PublicKeyCredential.signalCurrentUserDetails`` WebAuthn browser APIs. It
automatically retrieves a list of currently registered credentials and the
current user details in the format these APIs expect.

For more information about these APIs, refer to the following resources:

- `PublicKeyCredential.signalCurrentUserDetails <https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/signalCurrentUserDetails_static>`_
- `PublicKeyCredential.signalAllAcceptedCredentials <https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/signalAllAcceptedCredentials_static>`_

.. note::

As of November 2025, these APIs are still relatively new and don't enjoy
broad support from all browsers. Please see `Web authentication signal
methods on caniuse.com <https://caniuse.com/wf-webauthn-signals>`_ for the
most up-to-date browser support information.
Copy link
Collaborator

@activus-d activus-d Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should move this to the Reference section of the docs and link to it here.

Stormheg and others added 2 commits November 25, 2025 15:07
@Stormheg @activus-d
Apply Damilola's suggestions
3876fc1 
Thank you Damilola for your editing!

Co-authored-by: Damilola Oladele <98895460+activus-d@users.noreply.github.com>
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
dcc12cf 
for more information, see https://pre-commit.ci
activus-d
activus-d reviewed Nov 25, 2025
View reviewed changes
activus-d
activus-d previously requested changes Nov 25, 2025
View reviewed changes
Copy link
Collaborator

@activus-d activus-d left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this consistent with the preceding headings:

@activus-d activus-d dismissed their stale review November 25, 2025 18:44

I've commited the suggested changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@activus-d activus-d activus-d left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Stormheg @activus-d