mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 01:12:27 -05:00
[PR #7370] Add passwordless webauthn login #37070
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/dani-garcia/vaultwarden/pull/7370
Author: @RaphaelRoumezin
Created: 6/23/2026
Status: 🔄 Open
Base:
main← Head:feat/webauthn_login📝 Commits (9)
7711b02feat: passwordless login007ac4ffix: Correct attestation options8cba57afeat(config): Add passkey_login_allowed config option224ad8afix: typos05c9af4fix: Allowed Chromium extensions as origins for passwordless login3b66926fix(clippy): few refactors9e4aa5efeat: Added support for passkey vault unlock feature89a25c4Merge branch 'main' of https://github.com/dani-garcia/vaultwarden into feat/webauthn_login89bcfe6Merge branch 'main' of https://github.com/dani-garcia/vaultwarden into feat/webauthn_login📊 Changes
22 files changed (+811 additions, -57 deletions)
View changed files
📝
.env.template(+3 -0)➕
migrations/mysql/2026-06-23-120000_add_webauthn/down.sql(+1 -0)➕
migrations/mysql/2026-06-23-120000_add_webauthn/up.sql(+10 -0)➕
migrations/postgresql/2026-06-23-120000_add_webauthn/down.sql(+1 -0)➕
migrations/postgresql/2026-06-23-120000_add_webauthn/up.sql(+10 -0)➕
migrations/sqlite/2026-06-23-120000_add_webauthn/down.sql(+1 -0)➕
migrations/sqlite/2026-06-23-120000_add_webauthn/up.sql(+10 -0)📝
src/api/core/ciphers.rs(+23 -7)📝
src/api/core/mod.rs(+9 -13)📝
src/api/core/two_factor/mod.rs(+2 -1)📝
src/api/core/two_factor/webauthn.rs(+22 -25)➕
src/api/core/webauthn.rs(+286 -0)📝
src/api/identity.rs(+221 -8)📝
src/api/web.rs(+1 -0)📝
src/auth.rs(+32 -2)📝
src/config.rs(+4 -0)📝
src/db/models/mod.rs(+2 -0)📝
src/db/models/two_factor.rs(+1 -0)📝
src/db/models/user.rs(+2 -1)➕
src/db/models/webauthn_credential.rs(+153 -0)...and 2 more files
📄 Description
This PR is my attempt at providing passwordless login, taking heavy inspiration from the work of @samos667 (#6820), who I believe has its work inspired from @zUnixorn (#5929).
I'm looking forward to your feedback on this work !
Working features
(same as #5929 and #6820)
New
passkey_login_allowedbackend option was added, which can disable passkey-related endpoints and remove passkey-related settings and passkey login button from the web vaultMain differences from #6820
web_authntowebauthn, andWebAuthntoWebauthnfor all related symbolsTwoFactortable (with typeTwoFactorType::WebauthnPasskeyRegisterChallenge), as a replay could allow a deleted passkey to be recreated.src/api/core/mod.rstosrc/api/core/webauthn.rsget_prf_status()function was added, following the C# bitwarden implementation.Open questions
TwoFactor. The safest would be to store everything in the DB, but I think stateless auth would be preferrable if its secure. Using a dedicated table for webauthn_rs states is an option too.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.