feat(auth): add WebAuthn MFA credentials (#1628)

* feat(auth): add WebAuthn MFA credentials

* fix(auth): harden WebAuthn MFA review paths

* fix(auth): polish WebAuthn error handling

* fix(auth): handle duplicate WebAuthn credential races

* fix(auth): permit WebAuthn credential params

* fix(auth): trim WebAuthn registration controller cleanup

* fix(auth): tighten WebAuthn MFA handling

* fix(auth): pin WebAuthn relying party config
ghost
2026-05-03 14:13:28 -06:00
committed by GitHub
parent faf31b9c91
commit 911aa34ba9
29 changed files with 1117 additions and 10 deletions


@@ -115,6 +115,12 @@ REDIS_URL=redis://localhost:6379/1
# This is the domain that your Sure instance will be hosted at. It is used to generate links in emails and other places.
APP_DOMAIN=
# WebAuthn / passkey MFA configuration
# RP ID is usually the registrable domain (example.com), not a full URL.
# Allowed origins are full HTTPS origins where users access Sure.
WEBAUTHN_RP_ID=
WEBAUTHN_ALLOWED_ORIGINS=
# OpenID Connect configuration
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
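
Review bot: The comments above WEBAUTHN_RP_ID and WEBAUTHN_ALLOWED_ORIGINS do not say what the application does when both are left blank, as they are in this template, nor which delimiter separates entries in WEBAUTHN_ALLOWED_ORIGINS, even though the name and comment are plural. Please document the blank-value behaviour: is WebAuthn MFA disabled, is a value derived from APP_DOMAIN, or does the app refuse to start? Since the commit message says the relying party config is pinned, an operator needs to know which of these applies before deploying. Please also state the list format next to the variable, with a commented sample line using a placeholder host. The RP ID comment would also benefit from two constraints that are easy to get wrong: the RP ID must equal the host of every allowed origin or be a registrable suffix of it, and credentials are bound to the RP ID at registration, so changing WEBAUTHN_RP_ID later makes already-enrolled passkeys unusable.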