mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-19 21:31:46 +00:00
Maurice
a876fb2634
* feat(auth): passkey (WebAuthn) login — server endpoints, schema + admin toggle Add @simplewebauthn/server registration and primary (discoverable) login ceremonies under /api/auth/passkey, a webauthn_credentials + single-use webauthn_challenges schema (migration), the instance-wide passkey_login toggle (default off) enforced before auth by a guard, and require_mfa satisfaction via a verified passkey. RP ID/origin come only from server config (webauthn_rp_id/origins -> APP_URL), never request headers. * feat(auth): passkey enrolment, login button + admin settings UI PasskeysSection in account settings (add/rename/remove with a current-password step-up), a 'Sign in with a passkey' button on the login page, the admin enable + RP-ID/origins controls, and a per-user admin reset action. * i18n(auth): passkey strings across all locales Add login/settings/admin passkey keys to en and all 19 translated locales.
23 lines
902 B
TypeScript
23 lines
902 B
TypeScript
import { CanActivate, HttpException, Injectable } from '@nestjs/common';
|
|
import { resolveAuthToggles } from '../../services/authService';
|
|
|
|
/**
|
|
* Server-side enforcement of the instance-wide `passkey_login` toggle. Placed
|
|
* BEFORE the auth guard on every passkey ceremony route so a disabled feature
|
|
* returns 404 (not "auth required") and cannot be driven by direct API calls —
|
|
* hiding the button in the UI is not enough. Mirrors JourneyAddonGuard.
|
|
*
|
|
* The credential-management routes (list/rename/delete) are deliberately NOT
|
|
* gated by this guard so users can still clean up their passkeys after an admin
|
|
* turns the feature off.
|
|
*/
|
|
@Injectable()
|
|
export class PasskeyEnabledGuard implements CanActivate {
|
|
canActivate(): boolean {
|
|
if (!resolveAuthToggles().passkey_login) {
|
|
throw new HttpException({ error: 'Passkey login is not enabled' }, 404);
|
|
}
|
|
return true;
|
|
}
|
|
}
|