Add webauthn

app/models/webauthn_credential.rb

@@ -0,0 +1,96 @@
+class WebauthnCredential < ApplicationRecord
+  belongs_to :user
+
+  # Validations
+  validates :external_id, presence: true, uniqueness: true
+  validates :public_key, presence: true
+  validates :sign_count, presence: true, numericality: { greater_than_or_equal_to: 0, only_integer: true }
+  validates :nickname, presence: true
+  validates :authenticator_type, inclusion: { in: %w[platform cross-platform] }
+
+  # Scopes for querying
+  scope :active, -> { where(nil) } # All credentials are active (we can add revoked_at later if needed)
+  scope :platform_authenticators, -> { where(authenticator_type: "platform") }
+  scope :roaming_authenticators, -> { where(authenticator_type: "cross-platform") }
+  scope :recently_used, -> { where.not(last_used_at: nil).order(last_used_at: :desc) }
+  scope :never_used, -> { where(last_used_at: nil) }
+
+  # Update last used timestamp and sign count after successful authentication
+  def update_usage!(sign_count:, ip_address: nil, user_agent: nil)
+    update!(
+      last_used_at: Time.current,
+      last_used_ip: ip_address,
+      sign_count: sign_count,
+      user_agent: user_agent
+    )
+  end
+
+  # Check if this is a platform authenticator (built-in device)
+  def platform_authenticator?
+    authenticator_type == "platform"
+  end
+
+  # Check if this is a roaming authenticator (USB/NFC/Bluetooth key)
+  def roaming_authenticator?
+    authenticator_type == "cross-platform"
+  end
+
+  # Check if this credential is backed up (synced passkeys)
+  def backed_up?
+    backup_eligible? && backup_state?
+  end
+
+  # Human readable description
+  def description
+    if nickname.present?
+      "#{nickname} (#{authenticator_type.humanize})"
+    else
+      "#{authenticator_type.humanize} Authenticator"
+    end
+  end
+
+  # Check if sign count is suspicious (clone detection)
+  def suspicious_sign_count?(new_sign_count)
+    return false if sign_count.zero? && new_sign_count > 0 # First use
+    return false if new_sign_count > sign_count # Normal increment
+
+    # Sign count didn't increase - possible clone
+    true
+  end
+
+  # Format for display in UI
+  def display_name
+    nickname || "#{authenticator_type&.humanize} Authenticator"
+  end
+
+  # When was this credential created?
+  def created_recently?
+    created_at > 1.week.ago
+  end
+
+  # How long ago was this last used?
+  def last_used_ago
+    return "Never" unless last_used_at
+
+    time_ago_in_words(last_used_at)
+  end
+
+  private
+
+  def time_ago_in_words(time)
+    seconds = Time.current - time
+    minutes = seconds / 60
+    hours = minutes / 60
+    days = hours / 24
+
+    if days > 0
+      "#{days.floor} day#{'s' if days > 1} ago"
+    elsif hours > 0
+      "#{hours.floor} hour#{'s' if hours > 1} ago"
+    elsif minutes > 0
+      "#{minutes.floor} minute#{'s' if minutes > 1} ago"
+    else
+      "Just now"
+    end
+  end
+end