diff --git a/app/assets/javascripts/discourse/tests/acceptance/user-preferences-security-test.js b/app/assets/javascripts/discourse/tests/acceptance/user-preferences-security-test.js
index 4c10cf390e2..ee0c6cf725e 100644
--- a/app/assets/javascripts/discourse/tests/acceptance/user-preferences-security-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/user-preferences-security-test.js
@@ -17,6 +17,10 @@ acceptance("User Preferences - Security", function (needs) {
server.get("/u/eviltrout/activity.json", () => {
return helper.response({});
});
+
+ server.get("/u/trusted-session.json", () => {
+ return helper.response({ failed: "FAILED" });
+ });
});
test("recently connected devices", async function (assert) {
@@ -93,4 +97,84 @@ acceptance("User Preferences - Security", function (needs) {
"displays the last used at date for the API key"
);
});
+
+ test("Viewing Passkeys - user has a key", async function (assert) {
+ this.siteSettings.experimental_passkeys = true;
+
+ updateCurrentUser({
+ user_passkeys: [
+ {
+ id: 1,
+ name: "Password Manager",
+ last_used: "2023-10-09T20:03:20.986Z",
+ created_at: "2023-10-09T20:01:37.578Z",
+ },
+ ],
+ });
+
+ await visit("/u/eviltrout/preferences/security");
+
+ assert.strictEqual(
+ query(".pref-passkeys__rows .row-passkey__name").innerText.trim(),
+ "Password Manager",
+ "displays the passkey name"
+ );
+
+ assert
+ .dom(".row-passkey__created-date")
+ .exists("displays the created at date for the passkey");
+
+ assert
+ .dom(".row-passkey__used-date")
+ .exists("displays the last used at date for the passkey");
+
+ await click(".pref-passkeys__add button");
+
+ assert
+ .dom(".dialog-body .confirm-session")
+ .exists(
+ "displays a dialog to confirm the user's identity before adding a passkey"
+ );
+
+ await click(".dialog-close");
+
+ const dropdown = selectKit(".passkey-options-dropdown");
+ await dropdown.expand();
+ await dropdown.selectRowByName("Edit");
+
+ assert
+ .dom(".dialog-body .rename-passkey__form")
+ .exists("clicking Edit displays a dialog to rename the passkey");
+
+ await click(".dialog-close");
+
+ await dropdown.expand();
+ await dropdown.selectRowByName("Delete");
+
+ assert
+ .dom(".dialog-body .confirm-session")
+ .exists(
+ "displays a dialog to confirm the user's identity before deleting a passkey"
+ );
+
+ await click(".dialog-close");
+ });
+
+ test("Viewing Passkeys - empty state", async function (assert) {
+ this.siteSettings.experimental_passkeys = true;
+
+ await visit("/u/eviltrout/preferences/security");
+
+ assert
+ .dom(".pref-passkeys__add .btn")
+ .exists("shows a button to add a passkey");
+
+ await click(".pref-passkeys__add .btn");
+
+ assert
+ .dom(".dialog-body .confirm-session")
+ .exists(
+ "displays a dialog to confirm the user's identity before adding a passkey"
+ );
+ });
});
diff --git a/app/assets/stylesheets/common/base/discourse.scss b/app/assets/stylesheets/common/base/discourse.scss
index 0d465316fd5..48117342310 100644
--- a/app/assets/stylesheets/common/base/discourse.scss
+++ b/app/assets/stylesheets/common/base/discourse.scss
@@ -711,55 +711,6 @@ table {
}
}
-.pref-auth-tokens {
- .row {
- border-bottom: 1px solid #ddd;
- margin: 5px 0px;
- padding-bottom: 5px;
-
- &:last-child {
- border-bottom: 0;
- }
- }
-
- .auth-token-icon {
- color: var(--primary-medium);
- font-size: 2.25em;
- float: left;
- margin-right: 10px;
- }
-
- .auth-token-first {
- font-size: 1.1em;
-
- .auth-token-device {
- font-weight: bold;
- }
- }
-
- .auth-token-second {
- color: var(--primary-medium);
-
- .active {
- color: var(--success);
- font-weight: bold;
- }
- }
-
- .auth-token-dropdown {
- float: right;
-
- .btn,
- .btn:hover {
- background: transparent;
-
- .d-icon {
- color: var(--primary-high);
- }
- }
- }
-}
-
.topic-statuses {
// avoid adding margin/padding on this parent; sometimes it appears as an empty container
float: left;
diff --git a/app/assets/stylesheets/common/base/modal.scss b/app/assets/stylesheets/common/base/modal.scss
index 201f0ab5289..59f43e70c70 100644
--- a/app/assets/stylesheets/common/base/modal.scss
+++ b/app/assets/stylesheets/common/base/modal.scss
@@ -790,3 +790,19 @@
@extend .btn-flat;
@extend .btn-small;
}
+
+.confirm-session {
+ &__instructions {
+ margin-bottom: 1.5em;
+ }
+
+ form {
+ margin: 1.5em 0;
+ }
+
+ &__fine-print {
+ font-size: var(--font-down-1);
+ color: var(--primary-medium);
+ max-width: 500px;
+ }
+}
diff --git a/app/assets/stylesheets/common/base/user.scss b/app/assets/stylesheets/common/base/user.scss
index 0a84aae2c9c..0bb4bf8197e 100644
--- a/app/assets/stylesheets/common/base/user.scss
+++ b/app/assets/stylesheets/common/base/user.scss
@@ -651,6 +651,90 @@
align-items: center;
gap: 1em;
}
+
+ .pref-auth-tokens {
+ .auth-token-icon {
+ color: var(--primary-medium);
+ font-size: 2.25em;
+ float: left;
+ margin-right: 10px;
+ }
+
+ .auth-token-first {
+ font-size: 1.1em;
+
+ .auth-token-device {
+ font-weight: bold;
+ }
+ }
+
+ .auth-token-second {
+ color: var(--primary-medium);
+
+ .active {
+ color: var(--success);
+ font-weight: bold;
+ }
+ }
+
+ .auth-token-dropdown {
+ float: right;
+
+ .btn,
+ .btn:hover {
+ background: transparent;
+
+ .d-icon {
+ color: var(--primary-high);
+ }
+ }
+ }
+ }
+
+ .pref-passkeys,
+ .pref-auth-tokens {
+ .row {
+ border-top: 1px solid var(--primary-low);
+ padding: 0.5em 0;
+ margin: 0.5em 0;
+
+ &:last-child {
+ border-bottom: 1px solid var(--primary-low);
+ }
+ }
+ }
+
+ .pref-passkeys {
+ .row {
+ display: flex;
+ justify-content: space-between;
+ align-items: flex-start;
+
+ .row-passkey__name {
+ font-weight: bold;
+ }
+
+ .row-passkey__created-date,
+ .row-passkey__used-date {
+ color: var(--primary-medium);
+ }
+ }
+
+ &__add {
+ margin-top: 1em;
+ }
+
+ .passkey-options-dropdown {
+ .btn,
+ .btn:hover {
+ background: transparent;
+
+ .d-icon {
+ color: var(--primary-high);
+ }
+ }
+ }
+ }
}
.paginated-topics-list {
diff --git a/app/assets/stylesheets/common/foundation/base.scss b/app/assets/stylesheets/common/foundation/base.scss
index 0a68f0d2f6c..8cf9e0dcab2 100644
--- a/app/assets/stylesheets/common/foundation/base.scss
+++ b/app/assets/stylesheets/common/foundation/base.scss
@@ -180,7 +180,8 @@ input[type="submit"] {
}
> input[type="text"],
- > input[type="search"] {
+ > input[type="search"],
+ > input[type="password"] {
display: inline-flex;
flex: 1;
}
@@ -188,6 +189,7 @@ input[type="submit"] {
> .select-kit,
> input[type="text"],
> input[type="search"],
+ > input[type="password"],
> label,
> .btn,
> .d-date-input {
diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb
index 38e21e9ac73..f47c7b70032 100644
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@@ -168,6 +168,7 @@ class UserSerializer < UserCardSerializer
def user_passkeys
UserSecurityKey
.where(user_id: object.id, factor_type: UserSecurityKey.factor_types[:first_factor])
+ .order("created_at ASC")
.map do |usk|
{ id: usk.id, name: usk.name, last_used: usk.last_used, created_at: usk.created_at }
end
diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml
index 812b1133bb7..41a566c4f07 100644
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@@ -1471,7 +1471,7 @@ en:
disable_description: "Please enter the authentication code from your app"
show_key_description: "Enter manually"
short_description: |
- Protect your account with one-time use security codes.
+ Protect your account with one-time use security codes or physical security keys.
extended_description: |
Two-factor authentication adds extra security to your account by requiring a one-time token in addition to your password. Tokens can be generated on
Android and
iOS devices.
oauth_enabled_warning: "Please note that social logins will be disabled once two-factor authentication has been enabled on your account."
@@ -1510,6 +1510,24 @@ en:
save: "Save"
edit_description: "Physical Security Key Name"
name_required_error: "You must provide a name for your security key."
+ passkeys:
+ rename_passkey: "Rename Passkey"
+ add_passkey: "Add Passkey"
+ confirm_delete_passkey: "Are you sure you want to delete this passkey?"
+ passkey_successfully_created: "Success! Your new passkey was created."
+ rename_passkey_instructions: "Pick a passkey name that will easily identify it for you, for example, use the name of your password manager."
+ name:
+ default: "Main Passkey"
+ google_password_manager: "Google Password Manager"
+ icloud_keychain: "iCloud Keychain"
+ save: "Save"
+ title: "Passkeys"
+ short_description: "Passkeys are password replacements that validate your identity biometrically (e.g. touch, faceID) or via a device PIN/password."
+ added_prefix: "Added"
+ last_used_prefix: "Last Used"
+ never_used: "Never Used"
+ not_allowed_error: "The passkey registration process either timed out or was cancelled."
+ already_added_error: "You have already registered this passkey. You don’t have to register it again."
change_about:
title: "Change About Me"
@@ -1635,6 +1653,7 @@ en:
auth_tokens:
title: "Recently Used Devices"
+ short_description: "This is a list of devices that have recently logged into your account."
details: "Details"
log_out_all: "Log out all"
not_you: "Not you?"
@@ -1825,6 +1844,12 @@ en:
success: "File uploaded successfully. You will be notified via message when the process is complete."
error: "Sorry, file should be CSV format."
+ confirm_access:
+ title: "Confirm access"
+ incorrect_password: "The entered password is incorrect."
+ logged_in_as: "You are logged in as: "
+ instructions: "Please confirm your identity in order to complete this action."
+ fine_print: "We are asking you to confirm your identity because this is a potentially sensitive action. Once authenticated, you will only be asked to re-authenticate again after a few hours of inactivity."
password:
title: "Password"
too_short: "Your password is too short."
@@ -1834,6 +1859,8 @@ en:
ok: "Your password looks good."
instructions: "at least %{count} characters"
required: "Please enter a password"
+ confirm: "Confirm"
+ incorrect_password: "The entered password is incorrect."
summary:
title: "Summary"
@@ -2233,6 +2260,8 @@ en:
name: "Discord"
title: "Log in with Discord"
sr_title: "Log in with Discord"
+ passkey:
+ name: "Login with a passkey"
second_factor_toggle:
totp: "Use an authenticator app instead"
backup_code: "Use a backup code instead"
@@ -5145,7 +5174,7 @@ en:
install: "Install"
delete: "Delete"
delete_confirm: 'Are you sure you want to delete "%{theme_name}"?'
- bulk_delete: 'Are you sure?'
+ bulk_delete: "Are you sure?"
bulk_themes_delete_confirm: "This will uninstall the following themes, they will no longer be useable by any users on your site:"
bulk_components_delete_confirm: "This will uninstall the following components, they will no longer be useable by any users on your site:"
color: "Color"
diff --git a/spec/serializers/user_serializer_spec.rb b/spec/serializers/user_serializer_spec.rb
index 6d74f3b680d..9551ce589f4 100644
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@@ -442,7 +442,12 @@ RSpec.describe UserSerializer do
context "with user_passkeys" do
fab!(:user) { Fabricate(:user) }
- fab!(:passkey) { Fabricate(:passkey_with_random_credential, user: user) }
+ fab!(:passkey0) do
+ Fabricate(:passkey_with_random_credential, user: user, created_at: 5.hours.ago)
+ end
+ fab!(:passkey1) do
+ Fabricate(:passkey_with_random_credential, user: user, created_at: 2.hours.ago)
+ end
it "does not include them if feature is disabled" do
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
@@ -455,9 +460,10 @@ RSpec.describe UserSerializer do
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
- expect(json[:user_passkeys][0][:id]).to eq(passkey.id)
- expect(json[:user_passkeys][0][:name]).to eq(passkey.name)
- expect(json[:user_passkeys][0][:last_used]).to eq(passkey.last_used)
+ expect(json[:user_passkeys][0][:id]).to eq(passkey0.id)
+ expect(json[:user_passkeys][0][:name]).to eq(passkey0.name)
+ expect(json[:user_passkeys][0][:last_used]).to eq(passkey0.last_used)
+ expect(json[:user_passkeys][1][:id]).to eq(passkey1.id)
end
end
diff --git a/spec/system/user_page/user_preferences_security_spec.rb b/spec/system/user_page/user_preferences_security_spec.rb
index 619d2415e8b..ccd7a10e9c8 100644
--- a/spec/system/user_page/user_preferences_security_spec.rb
+++ b/spec/system/user_page/user_preferences_security_spec.rb
@@ -10,16 +10,15 @@ describe "User preferences for Security", type: :system do
before do
user.activate
sign_in(user)
+
+ # system specs run on their own host + port
+ DiscourseWebauthn.stubs(:origin).returns(current_host + ":" + Capybara.server_port.to_s)
end
describe "Security keys" do
- it "adds a 2F security key and logs in with it" do
- # system specs run on their own host + port
- DiscourseWebauthn.stubs(:origin).returns(current_host + ":" + Capybara.server_port.to_s)
-
- # simulate browser credential authorization
+ it "adds a 2FA security key and logs in with it" do
options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new
- page.driver.browser.add_virtual_authenticator(options)
+ authenticator = page.driver.browser.add_virtual_authenticator(options)
user_preferences_security_page.visit(user)
user_preferences_security_page.visit_second_factor(password)
@@ -43,6 +42,59 @@ describe "User preferences for Security", type: :system do
find("#security-key .btn-primary").click
expect(page).to have_css(".header-dropdown-toggle.current-user")
+
+ # clear authenticator (otherwise it will interfere with other tests)
+ authenticator.remove!
+ end
+ end
+
+ describe "Passkeys" do
+ before { SiteSetting.experimental_passkeys = true }
+
+ it "adds a passkey and logs in with it" do
+ options =
+ ::Selenium::WebDriver::VirtualAuthenticatorOptions.new(
+ user_verification: true,
+ user_verified: true,
+ resident_key: true,
+ )
+ authenticator = page.driver.browser.add_virtual_authenticator(options)
+
+ user_preferences_security_page.visit(user)
+
+ find(".pref-passkeys__add .btn").click
+ expect(user_preferences_security_page).to have_css("input#password")
+
+ find(".dialog-body input#password").fill_in(with: password)
+ find(".confirm-session .btn-primary").click
+
+ expect(user_preferences_security_page).to have_css(".rename-passkey__form")
+
+ find(".dialog-close").click
+
+ expect(user_preferences_security_page).to have_css(".pref-passkeys__rows .row")
+
+ select_kit = PageObjects::Components::SelectKit.new(".passkey-options-dropdown")
+ select_kit.expand
+ select_kit.select_row_by_name("Delete")
+
+ # confirm deletion screen shown without requiring session confirmation
+ # since this was already done when adding the passkey
+ expect(user_preferences_security_page).to have_css(".dialog-footer .btn-danger")
+
+ # close the dialog (don't delete the key, we need it to login in the next step)
+ find(".dialog-close").click
+
+ user_menu.sign_out
+
+ # login with the key we just created
+ find(".d-header .login-button").click
+ find(".passkey-login-button").click
+
+ expect(page).to have_css(".header-dropdown-toggle.current-user")
+
+ # clear authenticator (otherwise it will interfere with other tests)
+ authenticator.remove!
end
end
end