Internal User - Passwordless Login for Org Members #1276

Closed
opened 2026-04-05 18:42:30 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @adrianeastles on 7/4/2025

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content.

Description

This pull request introduces a secure Passkey Authentication system for internal users, leveraging the WebAuthn standard to enable passwordless login. This modern approach provides a robust and secure alternative to traditional password-based authentication. The system includes an interface allowing users to easily register, view, and remove their keys, complemented by clear visual feedback.

Key Features & Changes

1. Authentication Flow

  • Login Integration: A new Security Key login option is now available alongside the traditional password login.
  • Selective Availability: Security Key authentication is currently restricted to internal users only.

2. Security Key Management Interface

  • Dedicated Management Dialog: A modern user interface has been implemented for viewing and managing all registered Security keys.
  • Visual Status Indicators: The interface clearly displays passkey names and their last usage dates for easy identification.
  • Security Measures: Sensitive operations within the management interface (e.g., Security Key registration or deletion) require re-verification of the user's password for added security.

3. Security Considerations

  • Challenge-Response Protocol: The system fully implements the WebAuthn challenge-response protocol to ensure strong, cryptographically secure authentication.
  • Expiration Controls: Authentication challenges have a strict 5-minute expiration period, mitigating replay attacks.
  • Access Controls: Strict verification of user permissions and ownership for passkey operations is enforced.

4. User Experience Enhancements

  • Clear Success/Error Messaging: Users receive comprehensive and easy-to-understand feedback for all security key operations.
  • Multiple Device Support: The system includes recommendations for users to register backup Security Keys, promoting resilience in case a primary device is lost or inaccessible.

Visual Improvements

https://github.com/user-attachments/assets/014236e2-a08e-493f-9143-1a019d24ed4b

How to Test?

Scenario 1: Registering a Security Key.

  1. Login: Log in as an internal user using your traditional password.
  2. Navigate to Security Keys Management: Go to the user profile section and locate the new Manage Security Keys option.
  3. Initiate Registration: Click on the "Add New Passkey (+)" button.
  4. Password Verification: You should be prompted to re-enter your password to confirm your identity. Enter your password.
  5. Passkey Device Interaction: Follow the prompts from your device (e.g., fingerprint, face ID, PIN) to register the Security Key.
  6. Confirmation: Verify that the new passkey appears in the "Security Key Management" list with its name (e.g., "This Device") and a "Last Used" date.
  7. Register a Second Security Key (Optional): Repeat the process to register a Security Key from a different device if available (e.g., another computer, phone). Observe the recommendation to register backup Security Keys.

Scenario 2: Logging in with a Security Key.

  1. Logout: Log out of your current session.
  2. Initiate Security Key Sign In: On the login page, select the option to "Sign In with Security Key."
  3. Device Selection (if multiple): If you registered multiple passkeys, you might be prompted to choose which one to use. Select one.
  4. Security Key Device Interaction: Complete the authentication process using your device (e.g., fingerprint, face ID, phone).
  5. Successful Login: Confirm that you are successfully logged into your account without needing to enter a password.

Scenario 3: Deleting a Passkey

  1. Login: Log in to your account (either with password or passkey).
  2. Navigate to Security Key Management: Go back to the Security Key Management section.
  3. Initiate Deletion: Click the "Delete" option next to one of your registered Security Keys.
  4. Password Verification: You should again be prompted to re-enter your password for confirmation. Enter your password.
  5. Confirmation: Verify that the Security Key is successfully removed from the list.

Scenario 4: Login Prompts & Edge Cases

  1. Attempt Password Login with Existing Security Key:
    • Ensure the user you are testing with has at least one passkey registered (from Scenario 1).
    • On the login page, enter the user's username and password in the traditional login fields.
    • Instead of immediate login, verify that the system prompts the user to authenticate with their Security Key. Follow the passkey prompt to complete the login.
  2. Failed Security Key Registration: During registration, try to cancel the passkey prompt on your device or intentionally fail the biometric verification. Observe the error message and ensure it's user-friendly.
  3. Failed Security Key Login: On the login page, attempt to use a Security Key but intentionally fail the device prompt. Verify that the error message is clear and guides the user.
  4. Expired Challenge: Attempt to register a passkey, but delay the device interaction for more than 5 minutes. Observe the error indicating the challenge has expired.
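As an added illustration of the two server-side controls this description lists (a 5-minute, single-use challenge to mitigate replay, and an ownership check on passkey deletion), here is a minimal TypeScript model. It is example code written for this page, not code from this PR or from the Pangolin project; the names `ChallengeStore`, `PasskeyRegistry`, the status strings and the injectable clock are all assumptions, and the user and credential ids are constructed sample values.

```typescript
import { randomBytes } from "node:crypto";

// 5-minute challenge lifetime, matching the expiry the PR description states.
const CHALLENGE_TTL_MS = 5 * 60 * 1000;

type Purpose = "registration" | "authentication";
type ChallengeResult = "ok" | "unknown" | "expired" | "mismatch";
type RemoveResult = "ok" | "not_found" | "forbidden";

interface PendingChallenge {
  userId: string;   // user the challenge was issued for
  purpose: Purpose; // a registration challenge must not satisfy a login, and vice versa
  expiresAt: number;
}

interface StoredPasskey {
  credentialId: string;
  userId: string;       // owner; enforced on deletion
  name: string;         // e.g. "This Device"
  lastUsed: number | null;
}

// Hypothetical in-memory store of outstanding WebAuthn challenges.
// The clock is injectable so expiry can be exercised deterministically.
class ChallengeStore {
  private pending = new Map<string, PendingChallenge>();
  constructor(private now: () => number = Date.now) {}

  // Issue a fresh, unpredictable challenge bound to one user and one purpose.
  issue(userId: string, purpose: Purpose): string {
    const challenge = randomBytes(32).toString("base64url");
    this.pending.set(challenge, { userId, purpose, expiresAt: this.now() + CHALLENGE_TTL_MS });
    return challenge;
  }

  // Consume a challenge exactly once. It is removed before any check runs, so a
  // replayed challenge is "unknown" even if the first attempt failed.
  consume(challenge: string, userId: string, purpose: Purpose): ChallengeResult {
    const entry = this.pending.get(challenge);
    if (!entry) return "unknown";
    this.pending.delete(challenge);
    if (this.now() > entry.expiresAt) return "expired";
    if (entry.userId !== userId || entry.purpose !== purpose) return "mismatch";
    return "ok";
  }
}

// Hypothetical registry of passkeys with the ownership check the PR describes.
class PasskeyRegistry {
  private keys = new Map<string, StoredPasskey>();

  register(key: StoredPasskey): void {
    this.keys.set(key.credentialId, key);
  }

  // Listing is scoped to the requesting user, so one user never sees another's keys.
  listFor(userId: string): StoredPasskey[] {
    return [...this.keys.values()].filter((k) => k.userId === userId);
  }

  // Record a successful login; feeds the "Last Used" column in the management UI.
  touch(credentialId: string, at: number): void {
    const key = this.keys.get(credentialId);
    if (key) key.lastUsed = at;
  }

  // Deletion requires that the requesting user owns the credential.
  remove(credentialId: string, requestingUserId: string): RemoveResult {
    const key = this.keys.get(credentialId);
    if (!key) return "not_found";
    if (key.userId !== requestingUserId) return "forbidden";
    this.keys.delete(credentialId);
    return "ok";
  }
}

// Constructed walk-through of the happy path: issue, consume once, record usage.
function demoLogin(store: ChallengeStore, registry: PasskeyRegistry, at: number): ChallengeResult {
  const challenge = store.issue("user-1", "authentication");
  const result = store.consume(challenge, "user-1", "authentication");
  if (result === "ok") registry.touch("cred-A", at);
  return result;
}
```

In a real deployment the challenge would also be embedded in the `clientDataJSON` the authenticator signs, and the store would live in a shared backend rather than process memory; the point shown here is only that a challenge is bound to a user and purpose, dies after five minutes, and cannot be presented twice.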

Reference: github/pangolin#1276