Add webauthn

config/initializers/webauthn.rb

@@ -0,0 +1,54 @@
+# WebAuthn configuration for Clinch Identity Provider
+WebAuthn.configure do |config|
+  # Relying Party name (displayed in authenticator prompts)
+  # For development, use http://localhost to match passkey in Passwords app
+  origin_host = ENV.fetch("CLINCH_HOST", "http://localhost")
+  config.allowed_origins = [origin_host]
+
+  # Relying Party ID (must match origin domain)
+  # Extract domain from origin for RP ID
+  origin_uri = URI.parse(origin_host)
+  config.rp_id = ENV.fetch("CLINCH_RP_ID", "localhost")
+
+  # For development, we also allow localhost with common ports and without port
+  if Rails.env.development?
+    config.allowed_origins += [
+      "http://localhost",
+      "http://localhost:3000",
+      "http://localhost:3035",
+      "http://127.0.0.1",
+      "http://127.0.0.1:3000",
+      "http://127.0.0.1:3035"
+    ]
+  end
+
+  # Relying Party name shown in authenticator prompts
+  config.rp_name = ENV.fetch("CLINCH_RP_NAME", "Clinch Identity Provider")
+
+  # Credential timeout in milliseconds (60 seconds)
+  # Users have 60 seconds to complete the authentication ceremony
+  config.credential_options_timeout = 60_000
+
+  # Supported algorithms for credential creation
+  # ES256: ECDSA with P-256 and SHA-256 (most common, secure)
+  # RS256: RSASSA-PKCS1-v1_5 with SHA-256 (hardware keys often use this)
+  config.algorithms = ["ES256", "RS256"]
+
+  # Encoding for credential IDs and other data
+  config.encoding = :base64url
+
+  # Custom verifier for additional security checks if needed
+  # config.verifier = MyCustomVerifier.new
+end
+
+# Security note: WebAuthn requires HTTPS in production
+# The WebAuthn API will not work on non-secure origins in production browsers
+# Ensure CLINCH_HOST uses https:// in production environments
+
+# Example environment variables:
+# CLINCH_HOST=https://auth.example.com
+# CLINCH_RP_ID=example.com
+# CLINCH_RP_NAME="Example Company Identity Provider"
+# CLINCH_WEBAUTHN_ATTESTATION=none
+# CLINCH_WEBAUTHN_USER_VERIFICATION=preferred
+# CLINCH_WEBAUTHN_RESIDENT_KEY=preferred

config/routes.rb

@@ -19,6 +19,10 @@ Rails.application.routes.draw do
   get "/totp-verification", to: "sessions#verify_totp", as: :totp_verification
   post "/totp-verification", to: "sessions#verify_totp"
 
+  # WebAuthn authentication routes
+  post "/sessions/webauthn/challenge", to: "sessions#webauthn_challenge"
+  post "/sessions/webauthn/verify", to: "sessions#webauthn_verify"
+
   # OIDC (OpenID Connect) routes
   get "/.well-known/openid-configuration", to: "oidc#discovery"
   get "/.well-known/jwks.json", to: "oidc#jwks"
@@ -61,6 +65,13 @@ Rails.application.routes.draw do
   get '/totp/backup_codes', to: 'totp#backup_codes', as: :backup_codes_totp
   post '/totp/verify_password', to: 'totp#verify_password', as: :verify_password_totp
 
+  # WebAuthn (Passkeys) routes
+  get '/webauthn/new', to: 'webauthn#new', as: :new_webauthn
+  post '/webauthn/challenge', to: 'webauthn#challenge'
+  post '/webauthn/create', to: 'webauthn#create'
+  delete '/webauthn/:id', to: 'webauthn#destroy', as: :webauthn_credential
+  get '/webauthn/check', to: 'webauthn#check'
+
   # Admin routes
   namespace :admin do
     root "dashboard#index"