devondragon
diff --git a/‎CHANGELOG.md‎
Lines changed: 52 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎CONFIG.md‎
Lines changed: 40 additions & 0 deletions b/‎CONFIG.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 53 additions & 3 deletions b/‎README.md‎
Lines changed: 53 additions & 3 deletions
diff --git a/‎build.gradle‎
Lines changed: 30 additions & 6 deletions b/‎build.gradle‎
Lines changed: 30 additions & 6 deletions
diff --git a/‎db-scripts/mariadb-schema.sql‎
Lines changed: 36 additions & 0 deletions b/‎db-scripts/mariadb-schema.sql‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎gradle.properties‎
Lines changed: 1 addition & 1 deletion b/‎gradle.properties‎
Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,55 @@
+## [4.2.0] - 2026-02-21
+### Features
+- WebAuthn / Passkey support (opt-in, disabled by default)
+  - Passwordless authentication via platform authenticators (Touch ID, Face ID, Windows Hello) and roaming security keys (YubiKey)
+  - Synced passkey support (iCloud Keychain, Google Password Manager, etc.)
+  - Passkey management REST API under `/user/webauthn/*` (auth required):
+    - GET `/user/webauthn/credentials` — List user's registered passkeys
+    - GET `/user/webauthn/has-credentials` — Check if user has any passkeys
+    - PUT `/user/webauthn/credentials/{id}/label` — Rename a passkey (max 64 chars)
+    - DELETE `/user/webauthn/credentials/{id}` — Delete a passkey (with last-credential protection)
+  - `WebAuthnAuthenticationToken` — Custom authentication token that distinguishes passkey sessions from password-based sessions, enabling downstream code to check how a user authenticated
+  - Automatic cleanup of passkey data when a user account is deleted via `WebAuthnPreDeleteEventListener` (listens for `UserPreDeleteEvent`)
+  - Configuration properties under `user.webauthn.*` (enabled, rpId, rpName, allowedOrigins)
+  - Database schema additions: `user_entities` and `user_credentials` tables with `ON DELETE CASCADE` for referential integrity
+
+### Fixes
+- Safety and input handling
+  - Safe-parse `AuthenticatorTransport` enum values to prevent `IllegalArgumentException` on unknown transport types
+  - Default passkey label to "Passkey" when no label is provided instead of leaving it blank
+  - Trim passkey labels before enforcing the 64-character length limit
+  - Fixed TOCTOU race condition in last-credential protection by recounting credentials inside the `@Transactional` boundary
+- Data integrity
+  - Added `ON DELETE CASCADE` to WebAuthn foreign keys so credential data is cleaned up at the database level when a user is deleted
+  - Added `WebAuthnPreDeleteEventListener` to clean up WebAuthn user entities and credentials via JPA before user deletion, complementing the cascade
+- API quality
+  - `transports` field in credential responses is now `List<String>` instead of a single comma-delimited string
+  - Added `@NotBlank` validation on path variable parameters in management API endpoints
+  - `WebAuthnManagementAPIAdvice` is now `@ConditionalOnProperty(name = "user.webauthn.enabled")` so it is not loaded when WebAuthn is disabled
+- Design improvements
+  - `WebAuthnException` now extends `RuntimeException` (was checked `Exception`), simplifying error handling throughout the WebAuthn stack
+  - User handle generation uses `SecureRandom` bytes instead of deterministic user ID mapping, improving privacy
+  - Credential operations use `@Transactional(propagation = MANDATORY)` to enforce that callers provide a transaction context
+
+### Breaking Changes
+- None. WebAuthn is a new opt-in feature disabled by default. Existing APIs and behavior are unchanged.
+
+### Documentation
+- Added WebAuthn/Passkey sections to README (setup, features, API endpoints) and CONFIG (settings, examples, important notes)
+- Updated CHANGELOG with 4.2.0 entry
+
+### Testing
+- New test suites for all WebAuthn components:
+  - `WebAuthnManagementAPITest` — REST endpoint behavior, validation, error handling
+  - `WebAuthnCredentialManagementServiceTest` — Service-layer logic, TOCTOU protection, transports parsing
+  - `WebAuthnAuthenticationSuccessHandlerTest` — Authentication token creation, user resolution
+  - `WebAuthnUserEntityBridgeTest` — User entity bridge and handle generation
+  - `WebAuthnPreDeleteEventListenerTest` — Cleanup on user deletion
+
+### Other Changes
+- Version bumped to 4.2.0-SNAPSHOT in gradle.properties
+- Test output noise reduced with context-aware verbosity for expected WebAuthn exceptions
+
 ## [4.1.0] - 2026-02-02
 ### Features
 - GDPR compliance (opt‑in, disabled by default)
 
@@ -65,6 +65,46 @@ user:
 - **Account Lockout Duration (`spring.security.accountLockoutDuration`)**: Duration (in minutes) for account lockout.
 - **BCrypt Strength (`spring.security.bcryptStrength`)**: Adjust the bcrypt strength for password hashing. Default is `12`.
 
+## WebAuthn / Passkey Settings
+
+Provides passwordless login using biometrics, security keys, or device authentication. **HTTPS is required** for WebAuthn to function.
+
+- **Enabled (`user.webauthn.enabled`)**: Enable or disable WebAuthn/Passkey support. Defaults to `false`. Must be explicitly enabled along with the required database schema.
+- **Relying Party ID (`user.webauthn.rpId`)**: For development, use `localhost`. For production, use your domain (e.g., `example.com`). Defaults to `localhost`.
+- **Relying Party Name (`user.webauthn.rpName`)**: The display name.
+- **Allowed Origins (`user.webauthn.allowedOrigins`)**: Comma-separated list of allowed origins. Defaults to `https://localhost:8443`.
+
+**Development Example:**
+```properties
+user.webauthn.enabled=true
+user.webauthn.rpId=localhost
+user.webauthn.rpName=My Application
+user.webauthn.allowedOrigins=https://localhost:8443
+```
+
+**Production Example:**
+```properties
+user.webauthn.enabled=true
+user.webauthn.rpId=example.com
+user.webauthn.rpName=My Application
+user.webauthn.allowedOrigins=https://example.com
+```
+
+**Database Schema:**
+
+WebAuthn requires two additional tables: `user_entities` and `user_credentials`. If using `ddl-auto: update`, Hibernate will create them automatically. For manual schema management, see `db-scripts/mariadb-schema.sql`.
+
+**Important Notes:**
+- WebAuthn is **disabled by default** and must be explicitly enabled along with the required database tables.
+- WebAuthn requires HTTPS in production. HTTP is allowed on `localhost` for development.
+- For local HTTPS development, generate a self-signed certificate: `keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650`
+- Configure SSL in `application.properties`: `server.ssl.enabled=true`, `server.ssl.key-store=classpath:keystore.p12`
+- Alternatively, use ngrok (`ngrok http 8080`) for HTTPS without certificates. Note: HTTP also works on localhost with most browsers.
+- Users must be authenticated before they can register a passkey. Passkeys enhance existing authentication, not replace initial registration.
+- You must add `/webauthn/authenticate/**` and `/login/webauthn` to your `unprotectedURIs` for passkey login to work.
+- Passkey labels are limited to 64 characters.
+- When a user account is deleted, all associated WebAuthn credentials and user entities are automatically cleaned up via the `UserPreDeleteEvent` listener. The database schema also uses `ON DELETE CASCADE` as a safety net.
+
 ## Mail Configuration
 
 - **From Address (`spring.mail.fromAddress`)**: The email address used as the sender in outgoing emails.
 
@@ -46,6 +46,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - [Email Verification](#email-verification)
   - [Authentication](#authentication)
     - [Local Authentication](#local-authentication)
+    - [WebAuthn / Passkeys](#webauthn--passkeys)
     - [OAuth2/SSO](#oauth2sso)
       - [**SSO OIDC with Keycloak**](#sso-oidc-with-keycloak)
   - [Extensibility](#extensibility)
@@ -76,6 +77,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - SSO support for Google
   - SSO support for Facebook
   - SSO support for Keycloak
+  - WebAuthn/Passkey support for passwordless login (biometrics, security keys, device authentication)
   - Configuration options to control anonymous access, whitelist URIs, and protect specific URIs requiring a logged-in user session.
   - CSRF protection enabled by default, with example jQuery AJAX calls passing the CSRF token from the Thymeleaf page context.
   - Audit event framework for recording and logging security events, customizable to store audit events in a database or publish them via a REST API.
@@ -88,6 +90,7 @@ Check out the [Spring User Framework Demo Application](https://github.com/devond
   - Account lockout after failed login attempts
   - Audit logging for security events
   - CSRF protection out of the box
+  - WebAuthn/Passkey credential management (register, rename, delete)
 
 - **Extensible Architecture**
   - Easily extend user profiles with custom data
@@ -126,13 +129,13 @@ Spring Boot 4.0 brings significant changes including Spring Security 7 and requi
 <dependency>
     <groupId>com.digitalsanctuary</groupId>
     <artifactId>ds-spring-user-framework</artifactId>
-    <version>4.1.0</version>
+    <version>4.2.0</version>
 </dependency>
 ```
 
 **Gradle:**
 ```groovy
-implementation 'com.digitalsanctuary:ds-spring-user-framework:4.1.0'
+implementation 'com.digitalsanctuary:ds-spring-user-framework:4.2.0'
 ```
 
 #### Spring Boot 4.0 Key Changes
@@ -203,7 +206,7 @@ Follow these steps to get up and running with the Spring User Framework in your
 
    **Spring Boot 4.0 (Java 21+):**
    ```groovy
-   implementation 'com.digitalsanctuary:ds-spring-user-framework:4.1.0'
+   implementation 'com.digitalsanctuary:ds-spring-user-framework:4.2.0'
    ```
 
    **Spring Boot 3.5 (Java 17+):**
@@ -595,6 +598,53 @@ Username/password authentication with:
 - Account lockout protection
 - Remember-me functionality
 
+### WebAuthn / Passkeys
+
+Passwordless authentication using biometrics (Touch ID, Face ID, Windows Hello), security keys (YubiKey), or device-based credentials. Built on Spring Security's WebAuthn support.
+
+**Features:**
+- Passwordless login via platform authenticators and roaming security keys
+- Passkey management REST API (list, rename, delete credentials)
+- Last-credential protection (prevents lockout if user has no password)
+- Synced passkey support (iCloud Keychain, Google Password Manager, etc.)
+- Automatic cleanup of passkey data when a user account is deleted
+- Disabled by default; must be explicitly enabled with required database tables
+
+**Setup:**
+
+1. Enable WebAuthn in your configuration:
+   ```yaml
+   user:
+     webauthn:
+       enabled: true
+       rpId: localhost                           # Your domain in production
+       rpName: My Application
+       allowedOrigins: https://localhost:8443    # Must match browser origin
+   ```
+
+2. Add the WebAuthn authentication endpoints to your unprotected URIs:
+   ```yaml
+   user:
+     security:
+       unprotectedURIs: ...,/webauthn/authenticate/**,/login/webauthn
+   ```
+
+3. Create the required database tables. If using `ddl-auto: update`, Hibernate will create them automatically. Otherwise, apply the schema manually (see `db-scripts/mariadb-schema.sql`).
+
+**Requirements:**
+- HTTPS is required in production (HTTP works on `localhost` for development)
+- Users must be authenticated before registering a passkey
+- See the [Configuration Guide](CONFIG.md) for all WebAuthn settings
+
+**Management API Endpoints** (all require authentication):
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/user/webauthn/credentials` | GET | List user's passkeys |
+| `/user/webauthn/has-credentials` | GET | Check if user has passkeys |
+| `/user/webauthn/credentials/{id}/label` | PUT | Rename a passkey (max 64 chars) |
+| `/user/webauthn/credentials/{id}` | DELETE | Delete a passkey |
+
 ### OAuth2/SSO
 
 Support for social login providers:
 
@@ -13,7 +13,6 @@ import com.vanniktech.maven.publish.JavaLibrary
 import com.vanniktech.maven.publish.JavadocJar
 
 group = 'com.digitalsanctuary'
-// version = '3.0.0-SNAPSHOT'
 description = 'Spring User Framework'
 
 ext {
@@ -52,6 +51,10 @@ dependencies {
     compileOnly 'jakarta.validation:jakarta.validation-api:3.1.1'
     compileOnly 'org.springframework.retry:spring-retry:2.0.12'
 
+    // WebAuthn support (Passkey authentication)
+    compileOnly 'org.springframework.security:spring-security-webauthn'
+    implementation 'com.webauthn4j:webauthn4j-core:0.30.2.RELEASE'
+
     // Lombok dependencies
     compileOnly "org.projectlombok:lombok:$lombokVersion"
     annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'
@@ -70,6 +73,7 @@ dependencies {
     testImplementation 'org.springframework.boot:spring-boot-starter-security'
     testImplementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
     testImplementation 'org.springframework.security:spring-security-test'
+    testImplementation 'org.springframework.security:spring-security-webauthn'
     testImplementation 'org.springframework.retry:spring-retry:2.0.12'
     testImplementation 'jakarta.validation:jakarta.validation-api:3.1.1'
     testImplementation 'org.hibernate.validator:hibernate-validator:9.1.0.Final'
@@ -102,18 +106,27 @@ tasks.named('bootJar') {
 
 test {
 	useJUnitPlatform()
+	jvmArgs '-XX:+EnableDynamicAgentLoading', '-Xshare:off'
 	// Enable parallel execution for faster test runs
 	systemProperty 'junit.jupiter.execution.parallel.enabled', 'true'
 	systemProperty 'junit.jupiter.execution.parallel.mode.default', 'concurrent'
 	systemProperty 'junit.jupiter.execution.parallel.mode.classes.default', 'concurrent'
 	// Use available CPU cores - 1 for parallel execution
 	systemProperty 'junit.jupiter.execution.parallel.config.strategy', 'dynamic'
 	maxParallelForks = Runtime.runtime.availableProcessors().intdiv(2) ?: 1
-	  testLogging {
-        events "PASSED", "FAILED", "SKIPPED"
-        exceptionFormat "full"
-        showStandardStreams true
-    }
+
+	def isExplicitTest = gradle.startParameter.taskNames.any {
+		it == 'test' || it == 'testAll' || it.startsWith('testJdk')
+	}
+	testLogging {
+		events "PASSED", "FAILED", "SKIPPED"
+		if (isExplicitTest) {
+			exceptionFormat "full"
+			showStandardStreams true
+		} else {
+			exceptionFormat "short"
+		}
+	}
 }
 
 tasks.named('jar') {
@@ -136,14 +149,25 @@ def registerJdkTestTask(name, jdkVersion) {
         testClassesDirs = sourceSets.test.output.classesDirs
         classpath = sourceSets.test.runtimeClasspath
         useJUnitPlatform()
+        jvmArgs '-XX:+EnableDynamicAgentLoading', '-Xshare:off'
         // Enable parallel execution for JDK-specific tests
         systemProperty 'junit.jupiter.execution.parallel.enabled', 'true'
         systemProperty 'junit.jupiter.execution.parallel.mode.default', 'concurrent'
         systemProperty 'junit.jupiter.execution.parallel.mode.classes.default', 'concurrent'
         systemProperty 'junit.jupiter.execution.parallel.config.strategy', 'dynamic'
         maxParallelForks = Runtime.runtime.availableProcessors().intdiv(2) ?: 1
+
+        def isExplicitTest = gradle.startParameter.taskNames.any {
+            it == 'test' || it == 'testAll' || it.startsWith('testJdk')
+        }
         testLogging {
             events "PASSED", "FAILED", "SKIPPED"
+            if (isExplicitTest) {
+                exceptionFormat "full"
+                showStandardStreams true
+            } else {
+                exceptionFormat "short"
+            }
         }
         doFirst {
             println("Running tests with JDK $jdkVersion")
 
@@ -92,3 +92,39 @@ CREATE TABLE `verification_token` (
   KEY `FK_VERIFY_USER` (`user_id`),
   CONSTRAINT `FK_VERIFY_USER` FOREIGN KEY (`user_id`) REFERENCES `user_account` (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+-- WebAuthn / Passkey tables (only needed if user.webauthn.enabled=true)
+
+DROP TABLE IF EXISTS `user_credentials`;
+DROP TABLE IF EXISTS `user_entities`;
+
+CREATE TABLE `user_entities` (
+  `id` VARCHAR(255) NOT NULL,
+  `name` VARCHAR(255) NOT NULL,
+  `display_name` VARCHAR(255) NOT NULL,
+  `user_account_id` BIGINT(20) NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `UK_user_entities_name` (`name`),
+  KEY `FK_user_entities_user` (`user_account_id`),
+  CONSTRAINT `FK_user_entities_user` FOREIGN KEY (`user_account_id`) REFERENCES `user_account` (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+CREATE TABLE `user_credentials` (
+  `credential_id` VARCHAR(512) NOT NULL,
+  `user_entity_user_id` VARCHAR(255) NOT NULL,
+  `public_key` BLOB NOT NULL,
+  `signature_count` BIGINT(20) NOT NULL,
+  `uv_initialized` BIT(1) NOT NULL,
+  `backup_eligible` BIT(1) NOT NULL,
+  `backup_state` BIT(1) NOT NULL,
+  `authenticator_transports` VARCHAR(1000) DEFAULT NULL,
+  `public_key_credential_type` VARCHAR(100) DEFAULT NULL,
+  `attestation_object` BLOB DEFAULT NULL,
+  `attestation_client_data_json` BLOB DEFAULT NULL,
+  `created` DATETIME(6) NOT NULL,
+  `last_used` DATETIME(6) DEFAULT NULL,
+  `label` VARCHAR(64) NOT NULL,
+  PRIMARY KEY (`credential_id`),
+  KEY `FK_user_credentials_entity` (`user_entity_user_id`),
+  CONSTRAINT `FK_user_credentials_entity` FOREIGN KEY (`user_entity_user_id`) REFERENCES `user_entities` (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
@@ -1,3 +1,3 @@
-version=4.1.1-SNAPSHOT
+version=4.2.0-SNAPSHOT
 mavenCentralPublishing=true
 mavenCentralAutomaticPublishing=true