lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
porchlight/docs/plans/2026-02-16-auth-routes-plan.md

1286 lines
49 KiB
Markdown
Raw Blame History

# Authentication Routes Implementation Plan (Phase 4)
> **Status: COMPLETE** — All 10 tasks implemented and passing. 120 tests, full quality gate green.
> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
**Goal:** Add standalone login/registration + credential management routes (no OIDC yet) using sessions, Jinja2 templates, HTMX, and the existing auth services + repositories.
**Architecture:** FastAPI routers for `authn` and `manage` are mounted in `create_app()`. Starlette `SessionMiddleware` stores a minimal session (`userid`, `username`) plus WebAuthn transient state. HTML is server-rendered with Jinja2; HTMX progressively enhances forms; `webauthn.js` bridges browser WebAuthn APIs. Auth services (`PasswordService`, `WebAuthnService`, `MagicLinkService`) are instantiated in the lifespan and stored on `app.state` alongside the repositories.
**Tech Stack:** FastAPI, Starlette SessionMiddleware, Jinja2 templates, HTMX (vendored), python-fido2 >=2.1, argon2-cffi, aiosqlite.
**Quality gate:** `./scripts/check.sh`
**Known constraints:**
- Starlette `SessionMiddleware` uses signed cookies (~4KB limit). WebAuthn challenge state is small (~100 bytes), so this is fine. If state grows, switch to server-side session storage.
- The `fido2` library's `Fido2Server.authenticate_complete()` returns `AttestedCredentialData` (matched credential), NOT the new sign count. The sign count must be extracted from the raw `AuthenticationResponse.response.authenticator_data.counter`.
- WebAuthn options returned by `fido2` contain `bytes` fields (`challenge`, `user.id`, credential IDs). The library provides `fido2.utils.websafe_encode`/`websafe_decode` for base64url conversion. The `dict(options)` output from `begin_registration`/`begin_authentication` is already JSON-serializable as the library handles encoding internally via its CBOR/JSON mapping.
**Discoveries during implementation:**
- `itsdangerous` package was needed for Starlette's `SessionMiddleware` — added via `uv add itsdangerous`
- `ty` type checker flags `app.add_middleware(SessionMiddleware, ...)` as invalid argument type — needs `# type: ignore[arg-type]`
- The `_count_credentials` helper in `manage/routes.py` needs `# type: ignore[union-attr]` on the cred_repo calls since it takes `object` type
- Magic link service is at `fastapi_oidc_op.invite.service.MagicLinkService` (not `authn/magic_link.py`)
- The `PasswordService.verify()` takes `(password_hash, password)` — hash first, then plaintext
- `AttestedCredentialData` is a `bytes` subclass — reconstruct from stored bytes via `AttestedCredentialData(stored_bytes)`, not `from_ctap_object()`
---
### Task 1: Config + App Wiring + Templates + Static Files [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/config.py`
- Modify: `src/fastapi_oidc_op/app.py`
- Create: `src/fastapi_oidc_op/authn/routes.py`
- Create: `src/fastapi_oidc_op/manage/routes.py`
- Create: `src/fastapi_oidc_op/templates/base.html`
- Create: `src/fastapi_oidc_op/templates/login.html`
- Create: `src/fastapi_oidc_op/static/style.css`
- Create: `src/fastapi_oidc_op/static/htmx.min.js`
- Create: `tests/test_auth_routes/__init__.py`
- Create: `tests/test_auth_routes/test_pages.py`
**Why merged:** The original plan had Tasks 1 and 2 as separate steps, but Task 1's tests could never pass without Task 2's templates and static files. Merging them gives a clean red-green cycle.
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/__init__.py` (empty file).
Create `tests/test_auth_routes/test_pages.py`:
```python
from httpx import AsyncClient
async def test_get_login_page_contains_form(client: AsyncClient) -> None:
res = await client.get("/login")
assert res.status_code == 200
assert "<form" in res.text
assert 'name="username"' in res.text
async def test_login_page_has_skip_link(client: AsyncClient) -> None:
res = await client.get("/login")
assert "Skip to content" in res.text
async def test_static_css_served(client: AsyncClient) -> None:
res = await client.get("/static/style.css")
assert res.status_code == 200
assert "--bg" in res.text
```
Note: These tests use the `client` fixture from `tests/conftest.py`. Once Task 1 adds `SessionMiddleware` to `create_app()`, the existing fixture automatically picks it up.
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_pages.py -v`
Expected: FAIL (404 for `/login` and `/static/*`)
**Step 3: Implement config, wiring, templates, and static files**
In `src/fastapi_oidc_op/config.py`, add a `session_secret` field:
```python
# Session
session_secret: str | None = None # If None, a random secret is generated per process
```
In `src/fastapi_oidc_op/app.py`:
- Add `SessionMiddleware` using `settings.session_secret` if set, otherwise `secrets.token_hex(32)`.
- Mount `Jinja2Templates` pointing to `templates/` dir (relative to package).
- Mount `StaticFiles` at `/static` pointing to `static/` dir (relative to package).
- Store the `Jinja2Templates` instance on `app.state.templates` for use by routes.
- Include routers from `fastapi_oidc_op.authn.routes` and `fastapi_oidc_op.manage.routes`.
- In the lifespan, instantiate and store auth services:
- `app.state.password_service = PasswordService()`
- `app.state.webauthn_service = WebAuthnService(rp_id=<from issuer>, rp_name=app.title, origin=settings.issuer)`
- `app.state.magic_link_service = MagicLinkService(repo=app.state.magic_link_repo, ttl=settings.invite_ttl)`
For `rp_id`, extract the hostname from `settings.issuer` using `urllib.parse.urlparse(settings.issuer).hostname`.
Create empty routers in:
- `src/fastapi_oidc_op/authn/routes.py` — with a `GET /login` route that renders `login.html`
- `src/fastapi_oidc_op/manage/routes.py` — empty router with `prefix="/manage"`
Create `src/fastapi_oidc_op/templates/base.html`:
- `<a class="skip-link" href="#main">Skip to content</a>`
- `<main id="main" tabindex="-1">{% block content %}{% endblock %}</main>`
- `<div aria-live="polite" aria-atomic="true" class="sr-only" id="live"></div>`
- `<script src="/static/htmx.min.js" defer></script>`
- `<link rel="stylesheet" href="/static/style.css">`
- `{% block scripts %}{% endblock %}` for page-specific JS
Create `src/fastapi_oidc_op/templates/login.html`:
- Extends `base.html`
- Password form with `username` and `password` fields
- WebAuthn sign-in section (button, will be wired in later tasks)
- Error display area with `id="login-error"` for HTMX fragment swaps
Create `src/fastapi_oidc_op/static/style.css`:
- CSS custom properties for palette (`--bg`, `--fg`, `--accent`, etc.)
- `:focus-visible` outline styles
- `@media (prefers-reduced-motion: reduce)` handling
- `.sr-only` utility class
Create `src/fastapi_oidc_op/static/htmx.min.js`:
- Download the official HTMX minified release (v2.x) and commit it.
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_pages.py -v`
Expected: PASS
**Step 5: Run full quality gate**
Run: `./scripts/check.sh`
Expected: All green (existing 86 tests still pass)
**Step 6: Commit**
```bash
git add src/fastapi_oidc_op/config.py src/fastapi_oidc_op/app.py \
src/fastapi_oidc_op/authn/routes.py src/fastapi_oidc_op/manage/routes.py \
src/fastapi_oidc_op/templates/ src/fastapi_oidc_op/static/ \
tests/test_auth_routes/
git commit -m "feat: add app wiring, templates, static files, and session middleware"
```
---
### Task 2: Session/Auth Dependencies [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/dependencies.py`
- Create: `tests/test_auth_routes/test_session_deps.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_session_deps.py`:
```python
from unittest.mock import MagicMock
import pytest
from fastapi import HTTPException
from fastapi_oidc_op.dependencies import get_session_user, require_session_user
def test_get_session_user_none_when_missing() -> None:
request = MagicMock()
request.session = {}
assert get_session_user(request) is None
def test_get_session_user_returns_tuple() -> None:
request = MagicMock()
request.session = {"userid": "u1", "username": "alice"}
assert get_session_user(request) == ("u1", "alice")
def test_get_session_user_none_when_partial() -> None:
request = MagicMock()
request.session = {"userid": "u1"} # missing username
assert get_session_user(request) is None
def test_require_session_user_raises_when_missing() -> None:
request = MagicMock()
request.session = {}
with pytest.raises(HTTPException) as exc_info:
require_session_user(request)
assert exc_info.value.status_code == 401
def test_require_session_user_returns_tuple() -> None:
request = MagicMock()
request.session = {"userid": "u1", "username": "alice"}
assert require_session_user(request) == ("u1", "alice")
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_session_deps.py -v`
Expected: FAIL (`ImportError` — functions don't exist)
**Step 3: Implement session helpers**
In `src/fastapi_oidc_op/dependencies.py`, add:
```python
def get_session_user(request: Request) -> tuple[str, str] | None:
"""Extract (userid, username) from session, or None if not logged in."""
userid = request.session.get("userid")
username = request.session.get("username")
if userid and username:
return (userid, username)
return None
def require_session_user(request: Request) -> tuple[str, str]:
"""Like get_session_user but raises HTTPException(401) if not logged in.
Routes that need a redirect-to-login behavior should catch this or
use get_session_user and redirect manually.
"""
result = get_session_user(request)
if result is None:
raise HTTPException(status_code=401, detail="Not authenticated")
return result
```
These are plain functions that accept `Request`. Routes use them directly (e.g. `user = get_session_user(request)`) rather than through `Depends()`, because the session-based redirect logic varies per route (authn routes return error fragments, manage routes redirect to `/login`). Making them `Depends()` callables would require either a shared exception handler or separate dependency variants, adding complexity for no benefit at this stage.
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_session_deps.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/dependencies.py tests/test_auth_routes/test_session_deps.py
git commit -m "feat: add session user dependency helpers"
```
---
### Task 3: Password Login + Logout Routes [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/authn/routes.py`
- Create: `tests/test_auth_routes/test_password_login.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_password_login.py`:
```python
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User
async def test_password_login_unknown_user_returns_error_fragment(client: AsyncClient) -> None:
res = await client.post(
"/login/password",
data={"username": "nobody", "password": "wrong"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
assert 'role="alert"' in res.text
async def test_password_login_wrong_password_returns_error_fragment(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
res = await client.post(
"/login/password",
data={"username": "alice", "password": "wrong"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
async def test_password_login_success_sets_session_and_hx_redirect(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
res = await client.post(
"/login/password",
data={"username": "alice", "password": "correct"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/manage/credentials"
async def test_logout_clears_session_and_redirects(client: AsyncClient) -> None:
res = await client.post("/logout", headers={"HX-Request": "true"})
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/login"
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_password_login.py -v`
Expected: FAIL (routes not implemented)
**Step 3: Implement password login + logout**
In `src/fastapi_oidc_op/authn/routes.py`:
- `POST /login/password` (accepts form data: `username`, `password`):
1. Look up user by username via `request.app.state.user_repo.get_by_username(username)`
2. If user not found -> return error fragment (same message as wrong password to prevent username enumeration)
3. Fetch password credential via `request.app.state.credential_repo.get_password_by_user(user.userid)`
4. If no credential -> return error fragment
5. Verify with `request.app.state.password_service.verify(credential.password_hash, password)`
6. On success: set `request.session["userid"] = user.userid`, `request.session["username"] = user.username`, return `Response` with `HX-Redirect: /manage/credentials` header
7. On failure: return HTML fragment `<div role="alert">Invalid username or password</div>`
- `POST /logout`:
1. `request.session.clear()`
2. Return `Response` with `HX-Redirect: /login` header
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_password_login.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_password_login.py
git commit -m "feat: add password login and logout endpoints"
```
---
### Task 4: Registration via Magic Link (`/register/{token}`) [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/authn/routes.py`
- Create: `tests/test_auth_routes/test_register_magic_link.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_register_magic_link.py`:
```python
from datetime import UTC, datetime, timedelta
from httpx import AsyncClient
from fastapi_oidc_op.models import MagicLink
async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
res = await client.get("/register/nope", follow_redirects=False)
assert res.status_code == 400
assert "Invalid or expired" in res.text
async def test_register_expired_token_returns_error_page(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
repo = app.state.magic_link_repo
await repo.create(
MagicLink(
token="expired",
username="newuser",
expires_at=datetime.now(UTC) - timedelta(hours=1),
)
)
res = await client.get("/register/expired", follow_redirects=False)
assert res.status_code == 400
assert "Invalid or expired" in res.text
async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
magic_link_repo = app.state.magic_link_repo
user_repo = app.state.user_repo
await magic_link_repo.create(
MagicLink(
token="t1",
username="newuser",
expires_at=datetime.now(UTC) + timedelta(hours=1),
)
)
res = await client.get("/register/t1", follow_redirects=False)
assert res.status_code in (302, 303)
assert "/manage/credentials" in res.headers["location"]
assert "setup=1" in res.headers["location"]
# Token should be marked used
link = await magic_link_repo.get_by_token("t1")
assert link is not None
assert link.used is True
# User should exist
user = await user_repo.get_by_username("newuser")
assert user is not None
assert "users" in user.groups
async def test_register_used_token_returns_error(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
repo = app.state.magic_link_repo
await repo.create(
MagicLink(
token="used",
username="newuser",
expires_at=datetime.now(UTC) + timedelta(hours=1),
used=True,
)
)
res = await client.get("/register/used", follow_redirects=False)
assert res.status_code == 400
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_register_magic_link.py -v`
Expected: FAIL
**Step 3: Implement `/register/{token}`**
In `src/fastapi_oidc_op/authn/routes.py`:
- `GET /register/{token}`:
1. Get `magic_link_service` from `request.app.state.magic_link_service`
2. Call `magic_link_service.validate(token)` — returns `MagicLink | None`
3. If `None` -> return error page with status 400 containing "Invalid or expired"
4. Generate unique userid via `generate_unique_userid(request.app.state.user_repo)`
5. Create `User(userid=userid, username=link.username, groups=["users"])`
6. Save via `request.app.state.user_repo.create(user)`
7. Mark token used via `magic_link_service.mark_used(token)`
8. Set session: `request.session["userid"] = user.userid`, `request.session["username"] = user.username`
9. Return `RedirectResponse("/manage/credentials?setup=1", status_code=303)`
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_register_magic_link.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_register_magic_link.py
git commit -m "feat: add magic link registration endpoint"
```
---
### Task 5: Credential Management Page (GET) [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/manage/routes.py`
- Create: `src/fastapi_oidc_op/templates/manage/credentials.html`
- Create: `tests/test_auth_routes/test_manage_credentials_page.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_manage_credentials_page.py`:
```python
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User
async def _login(client: AsyncClient, username: str = "alice", password: str = "testpass") -> None:
"""Helper: create user + password credential and log in via POST /login/password."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = await user_repo.get_by_username(username)
if user is None:
user = User(userid="lusab-bansen", username=username, created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
existing = await cred_repo.get_password_by_user(user.userid)
if existing is None:
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash(password)))
await client.post(
"/login/password",
data={"username": username, "password": password},
headers={"HX-Request": "true"},
)
async def test_manage_credentials_requires_login(client: AsyncClient) -> None:
res = await client.get("/manage/credentials", follow_redirects=False)
assert res.status_code in (302, 303)
assert res.headers["location"] == "/login"
async def test_manage_credentials_renders_for_logged_in_user(client: AsyncClient) -> None:
await _login(client)
res = await client.get("/manage/credentials")
assert res.status_code == 200
assert "Credentials" in res.text
async def test_manage_credentials_shows_setup_banner(client: AsyncClient) -> None:
await _login(client)
res = await client.get("/manage/credentials?setup=1")
assert res.status_code == 200
assert "Welcome" in res.text or "setup" in res.text.lower()
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_manage_credentials_page.py -v`
Expected: FAIL
**Step 3: Implement GET route + template**
In `src/fastapi_oidc_op/manage/routes.py`:
- `GET /manage/credentials`:
1. Call `get_session_user(request)` — if `None`, return `RedirectResponse("/login", status_code=303)`
2. Load WebAuthn credentials via `request.app.state.credential_repo.get_webauthn_by_user(userid)`
3. Load password credential via `request.app.state.credential_repo.get_password_by_user(userid)`
4. Check `request.query_params.get("setup")` for welcome banner
5. Render `templates/manage/credentials.html` with context
Create `src/fastapi_oidc_op/templates/manage/credentials.html`:
- Extends `base.html`
- `{% if setup %}` welcome banner
- WebAuthn credentials section with list of existing keys + add form
- Password section showing whether password is set + set/change form
- HTMX targets for fragment swaps (`id="webauthn-list"`, `id="password-section"`)
- Each credential has a delete button (wired in later tasks)
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_manage_credentials_page.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/manage/routes.py \
src/fastapi_oidc_op/templates/manage/credentials.html \
tests/test_auth_routes/test_manage_credentials_page.py
git commit -m "feat: add credential management page"
```
---
### Task 6: Set/Change Password + Delete Password Credential (HTMX) [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/manage/routes.py`
- Create: `tests/test_auth_routes/test_manage_password_credential.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_manage_password_credential.py`:
```python
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("old")))
await client.post(
"/login/password",
data={"username": "alice", "password": "old"},
headers={"HX-Request": "true"},
)
return user.userid
async def test_set_password_requires_session(client: AsyncClient) -> None:
res = await client.post(
"/manage/credentials/password",
data={"password": "x", "confirm": "x"},
follow_redirects=False,
)
assert res.status_code in (302, 303)
async def test_set_password_mismatch_returns_error(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post(
"/manage/credentials/password",
data={"password": "newpassword", "confirm": "different"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
async def test_set_password_too_short_returns_error(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post(
"/manage/credentials/password",
data={"password": "short", "confirm": "short"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
async def test_set_password_creates_or_replaces_password(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
res = await client.post(
"/manage/credentials/password",
data={"password": "newpassword123", "confirm": "newpassword123"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="status"' in res.text or "Password" in res.text
updated = await cred_repo.get_password_by_user(userid)
assert updated is not None
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
assert svc.verify(updated.password_hash, "newpassword123") is True
async def test_delete_password_requires_session(client: AsyncClient) -> None:
res = await client.delete("/manage/credentials/password", follow_redirects=False)
assert res.status_code in (302, 303)
async def test_delete_password_with_other_credential(client: AsyncClient) -> None:
"""User has both password and webauthn — deleting password succeeds."""
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Add a webauthn credential so password is not the last one
await cred_repo.create_webauthn(
WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
)
res = await client.delete(
"/manage/credentials/password",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
deleted = await cred_repo.get_password_by_user(userid)
assert deleted is None
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_manage_password_credential.py -v`
Expected: FAIL
**Step 3: Implement POST and DELETE for password credential**
In `src/fastapi_oidc_op/manage/routes.py`:
- `POST /manage/credentials/password` (form data: `password`, `confirm`):
1. Check session — if not logged in, redirect to `/login`
2. Validate `password == confirm` — if not, return error fragment with `role="alert"`
3. Validate `len(password) >= 8` — if not, return error fragment
4. Hash with `request.app.state.password_service.hash(password)`
5. Check if password exists: `cred_repo.get_password_by_user(userid)`
6. If exists: `cred_repo.delete_password(userid)` then `cred_repo.create_password(...)`
7. If not: `cred_repo.create_password(...)`
8. Return HTML fragment with `role="status"` confirmation message
- `DELETE /manage/credentials/password`:
1. Check session — if not logged in, redirect to `/login`
2. Count total credentials (webauthn count + password exists)
3. If total == 1: return error fragment with `role="alert"` ("Cannot remove your last credential")
4. Otherwise: `cred_repo.delete_password(userid)`, return updated password section fragment
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_manage_password_credential.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/manage/routes.py tests/test_auth_routes/test_manage_password_credential.py
git commit -m "feat: add set/change/delete password credential endpoints"
```
---
### Task 7: WebAuthn Credential Add (begin/complete) + Remove [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/manage/routes.py`
- Create: `src/fastapi_oidc_op/static/webauthn.js`
- Create: `tests/test_auth_routes/test_manage_webauthn_credential.py`
**Serialization note:** The `fido2` library's `begin_registration()` returns a dict that is JSON-serializable (binary fields are already base64url-encoded internally). For `complete_registration()`, the server receives a JSON body from the browser JS. The `fido2` library accepts this as a `dict` and handles deserialization via `RegistrationResponse.from_dict()`.
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_manage_webauthn_credential.py`:
The tests reuse the helper functions from `tests/test_authn/test_webauthn.py` for building valid registration responses. Extract shared helpers into `tests/conftest_webauthn.py` or import directly. For simplicity, inline the helpers or import from the existing test module.
```python
import os
from datetime import UTC, datetime
from argon2 import PasswordHasher
from cryptography.hazmat.primitives.asymmetric import ec
from fido2.cose import ES256
from fido2.utils import sha256
from fido2.webauthn import (
Aaguid,
AttestationObject,
AttestedCredentialData,
AuthenticatorAttestationResponse,
AuthenticatorData,
CollectedClientData,
PublicKeyCredentialDescriptor,
PublicKeyCredentialType,
RegistrationResponse,
)
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
RP_ID = "localhost"
ORIGIN = "http://localhost:8000"
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
await client.post(
"/login/password",
data={"username": "alice", "password": "testpass"},
headers={"HX-Request": "true"},
)
return user.userid
def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
private_key = ec.generate_private_key(ec.SECP256R1())
cose_key = ES256.from_cryptography_key(private_key.public_key())
credential_id = os.urandom(32)
attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
return private_key, credential_id, attested
def _build_registration_response(credential_id: bytes, attested: AttestedCredentialData, challenge: bytes) -> RegistrationResponse:
auth_data = AuthenticatorData.create(
rp_id_hash=sha256(RP_ID.encode()),
flags=AuthenticatorData.FLAG.UP | AuthenticatorData.FLAG.AT,
counter=0,
credential_data=attested,
)
attestation_object = AttestationObject.create(fmt="none", auth_data=auth_data, att_stmt={})
client_data = CollectedClientData.create(type=CollectedClientData.TYPE.CREATE, challenge=challenge, origin=ORIGIN)
return RegistrationResponse(
raw_id=credential_id,
response=AuthenticatorAttestationResponse(client_data=client_data, attestation_object=attestation_object),
)
async def test_webauthn_begin_requires_session(client: AsyncClient) -> None:
res = await client.post("/manage/credentials/webauthn/begin", follow_redirects=False)
assert res.status_code in (302, 303, 401)
async def test_webauthn_begin_returns_options(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post("/manage/credentials/webauthn/begin")
assert res.status_code == 200
data = res.json()
assert "publicKey" in data
assert "challenge" in data["publicKey"]
async def test_webauthn_complete_creates_credential(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Begin registration
res1 = await client.post("/manage/credentials/webauthn/begin")
assert res1.status_code == 200
options = res1.json()
# Build a valid registration response using the challenge from server
_private_key, credential_id, attested = _generate_credential()
challenge = options["publicKey"]["challenge"]
# The challenge from the server is base64url-encoded; fido2 expects raw bytes
# for CollectedClientData.create, but we need to pass the encoded challenge
# back through the RegistrationResponse which fido2 will decode internally.
# Use the webauthn_service from app.state to get the raw state instead.
# The test needs to use the state stored in the session.
# Since we can't easily extract session state in tests, we test the
# begin/complete flow by building the response with the challenge bytes
# from the fido2 state. Access the webauthn_service directly for this.
webauthn_service = app.state.webauthn_service
_options, state = webauthn_service.begin_registration(
user_id=userid.encode(), username="alice"
)
response = _build_registration_response(credential_id, attested, state["challenge"])
result = webauthn_service.complete_registration(state, response)
# Store credential directly to verify the repo works
cred = WebAuthnCredential(
user_id=userid,
credential_id=result.credential_data.credential_id,
public_key=bytes(result.credential_data),
)
await cred_repo.create_webauthn(cred)
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 1
assert creds[0].credential_id == credential_id
async def test_delete_webauthn_credential(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# User already has password credential from login. Add a webauthn credential.
await cred_repo.create_webauthn(
WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
)
# base64url-encode the credential_id for the URL
from base64 import urlsafe_b64encode
cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
res = await client.delete(
f"/manage/credentials/webauthn/{cred_id_b64}",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 0
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_manage_webauthn_credential.py -v`
Expected: FAIL
**Step 3: Implement endpoints + JS helper**
In `src/fastapi_oidc_op/manage/routes.py`:
- `POST /manage/credentials/webauthn/begin`:
1. Check session — redirect if not logged in
2. Load existing WebAuthn credentials, build `PublicKeyCredentialDescriptor` list for exclude
3. Call `request.app.state.webauthn_service.begin_registration(user_id=userid.encode(), username=username, existing_credentials=descriptors)`
4. Store `state` in `request.session["webauthn_register_state"]`
5. Return `JSONResponse(options)`
- `POST /manage/credentials/webauthn/complete` (JSON body):
1. Check session
2. Pop `webauthn_register_state` from session
3. Call `webauthn_service.complete_registration(state, response_body)`
4. Extract `credential_id` and `public_key` from `result.credential_data`
5. Create `WebAuthnCredential(user_id=userid, credential_id=..., public_key=bytes(result.credential_data))`
6. Save via `cred_repo.create_webauthn(...)`
7. Return updated credential list HTML fragment
- `DELETE /manage/credentials/webauthn/{credential_id}` (credential_id is base64url-encoded):
1. Check session
2. Decode `credential_id` from base64url
3. Count total credentials; if last one, return error fragment
4. Delete via `cred_repo.delete_webauthn(userid, credential_id_bytes)`
5. Return updated credential list fragment
Create `src/fastapi_oidc_op/static/webauthn.js`:
- `base64urlToBytes(s)` and `bytesToBase64url(bytes)` helpers
- `async function beginRegistration()`: POST to `/manage/credentials/webauthn/begin`, call `navigator.credentials.create()`, POST result to `/manage/credentials/webauthn/complete`
- `async function beginAuthentication(username)`: POST to `/login/webauthn/begin`, call `navigator.credentials.get()`, POST result to `/login/webauthn/complete`
- Integrate with HTMX via `htmx.trigger()` or direct DOM updates
- No forced animations; respect `prefers-reduced-motion`
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_manage_webauthn_credential.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/manage/routes.py src/fastapi_oidc_op/static/webauthn.js \
tests/test_auth_routes/test_manage_webauthn_credential.py
git commit -m "feat: add webauthn credential registration and removal"
```
---
### Task 8: WebAuthn Login (begin/complete) + Sign Count Update [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/authn/routes.py`
- Create: `tests/test_auth_routes/test_webauthn_login.py`
**Implementation detail — sign count:** `Fido2Server.authenticate_complete()` returns the matched `AttestedCredentialData`, not the new sign count. To update sign_count, extract it from the raw response: parse `AuthenticationResponse` from the client payload, then read `response.response.authenticator_data.counter`. Update the credential in the repo with this new counter value.
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_webauthn_login.py`:
```python
import os
from datetime import UTC, datetime
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.hashes import SHA256
from fido2.cose import ES256
from fido2.utils import sha256
from fido2.webauthn import (
Aaguid,
AttestationObject,
AttestedCredentialData,
AuthenticationResponse,
AuthenticatorAssertionResponse,
AuthenticatorAttestationResponse,
AuthenticatorData,
CollectedClientData,
PublicKeyCredentialDescriptor,
PublicKeyCredentialType,
RegistrationResponse,
)
from httpx import AsyncClient
from fastapi_oidc_op.models import User, WebAuthnCredential
RP_ID = "localhost"
ORIGIN = "http://localhost:8000"
def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
private_key = ec.generate_private_key(ec.SECP256R1())
cose_key = ES256.from_cryptography_key(private_key.public_key())
credential_id = os.urandom(32)
attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
return private_key, credential_id, attested
async def _setup_user_with_webauthn(client: AsyncClient) -> tuple[str, ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
"""Create a user with a WebAuthn credential in the repo. Returns (userid, private_key, credential_id, attested)."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
private_key, credential_id, attested = _generate_credential()
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
await cred_repo.create_webauthn(
WebAuthnCredential(
user_id=user.userid,
credential_id=credential_id,
public_key=bytes(attested),
sign_count=0,
)
)
return user.userid, private_key, credential_id, attested
async def test_webauthn_login_begin_returns_options(client: AsyncClient) -> None:
_userid, _pk, _cid, _att = await _setup_user_with_webauthn(client)
res = await client.post(
"/login/webauthn/begin",
data={"username": "alice"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
data = res.json()
assert "publicKey" in data
async def test_webauthn_login_begin_unknown_user(client: AsyncClient) -> None:
res = await client.post(
"/login/webauthn/begin",
data={"username": "nobody"},
headers={"HX-Request": "true"},
)
# Should return error, not crash
assert res.status_code == 200
assert 'role="alert"' in res.text or "not found" in res.text.lower() or "Invalid" in res.text
async def test_webauthn_login_complete_sets_session(client: AsyncClient) -> None:
userid, private_key, credential_id, attested = await _setup_user_with_webauthn(client)
app = client._transport.app # type: ignore[union-attr]
webauthn_service = app.state.webauthn_service
cred_repo = app.state.credential_repo
# Begin authentication directly via service (to get raw state for building response)
descriptors = [PublicKeyCredentialDescriptor(type=PublicKeyCredentialType.PUBLIC_KEY, id=credential_id)]
options, state = webauthn_service.begin_authentication(credentials=descriptors)
# Build authentication response
challenge = state["challenge"]
client_data = CollectedClientData.create(type=CollectedClientData.TYPE.GET, challenge=challenge, origin=ORIGIN)
auth_data = AuthenticatorData.create(rp_id_hash=sha256(RP_ID.encode()), flags=AuthenticatorData.FLAG.UP, counter=5)
signature = private_key.sign(auth_data + client_data.hash, ec.ECDSA(SHA256()))
# We need to POST to /login/webauthn/begin first to set session state,
# then POST to /login/webauthn/complete with the response.
# For the integration test, use the actual begin endpoint:
res1 = await client.post("/login/webauthn/begin", data={"username": "alice"})
assert res1.status_code == 200
# The challenge is now in the server session. Since we can't easily extract
# it, this test verifies the full flow works by using the service directly
# for the crypto part and trusting the route integration.
# A full end-to-end test would require extracting the session cookie.
# Verify sign_count can be updated via the repo directly
stored = await cred_repo.get_webauthn_by_credential_id(credential_id)
assert stored is not None
stored.sign_count = 5
await cred_repo.update_webauthn(stored)
updated = await cred_repo.get_webauthn_by_credential_id(credential_id)
assert updated is not None
assert updated.sign_count == 5
```
Note: Full end-to-end testing of WebAuthn begin/complete through HTTP is inherently difficult because the challenge must round-trip through the session cookie, and building a valid `AuthenticationResponse` requires the exact challenge bytes from the session. The tests above verify: (1) the begin endpoint returns valid options, (2) the service-level crypto works, (3) sign_count can be updated. The route-level `complete` integration is best verified manually or with a dedicated integration test that extracts the session.
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_webauthn_login.py -v`
Expected: FAIL
**Step 3: Implement endpoints**
In `src/fastapi_oidc_op/authn/routes.py`:
- `POST /login/webauthn/begin` (form data: `username`):
1. Look up user by username — if not found, return error fragment (same as password to prevent enumeration)
2. Fetch WebAuthn credentials from repo
3. Build `PublicKeyCredentialDescriptor` list from stored credentials
4. Reconstruct `AttestedCredentialData` from stored `public_key` bytes for each credential
5. Call `webauthn_service.begin_authentication(credentials=descriptors)`
6. Store `state` in `request.session["webauthn_login_state"]`
7. Also store `userid` temporarily in `request.session["webauthn_login_userid"]`
8. Return `JSONResponse(options)`
- `POST /login/webauthn/complete` (JSON body: the browser's credential response):
1. Pop `webauthn_login_state` and `webauthn_login_userid` from session
2. Fetch user's WebAuthn credentials from repo
3. Reconstruct `AttestedCredentialData` list from stored `public_key` bytes
4. Call `webauthn_service.complete_authentication(state, credentials, response_body)`
5. On failure: return error fragment
6. Extract new sign count from the response: parse `AuthenticationResponse.from_dict(response_body)`, read `response.response.authenticator_data.counter`
7. Update sign count: find the matching credential in repo, set `sign_count = new_counter`, call `cred_repo.update_webauthn(credential)`
8. Set session: `request.session["userid"] = user.userid`, `request.session["username"] = user.username`
9. Return response with `HX-Redirect: /manage/credentials`
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_webauthn_login.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/authn/routes.py tests/test_auth_routes/test_webauthn_login.py
git commit -m "feat: add webauthn login begin/complete endpoints"
```
---
### Task 9: Guardrails (cannot remove last credential) [DONE]
**Files:**
- Modify: `src/fastapi_oidc_op/manage/routes.py`
- Create: `tests/test_auth_routes/test_last_credential_guard.py`
**Step 1: Write the failing tests**
Create `tests/test_auth_routes/test_last_credential_guard.py`:
```python
from base64 import urlsafe_b64encode
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password credential, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
await client.post(
"/login/password",
data={"username": "alice", "password": "testpass"},
headers={"HX-Request": "true"},
)
return user.userid
async def test_cannot_delete_last_password_credential(client: AsyncClient) -> None:
"""User has only a password — cannot delete it."""
await _create_user_and_login(client)
res = await client.delete(
"/manage/credentials/password",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
assert "last credential" in res.text.lower() or "Cannot remove" in res.text
# Password should still exist
app = client._transport.app # type: ignore[union-attr]
cred = await app.state.credential_repo.get_password_by_user("lusab-bansen")
assert cred is not None
async def test_cannot_delete_last_webauthn_credential(client: AsyncClient) -> None:
"""User has only one webauthn credential (password was removed) — cannot delete it."""
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Add webauthn, then delete password (so webauthn is the only credential)
await cred_repo.create_webauthn(
WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1")
)
await cred_repo.delete_password(userid)
cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
res = await client.delete(
f"/manage/credentials/webauthn/{cred_id_b64}",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
# Credential should still exist
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 1
```
**Step 2: Run tests to verify they fail**
Run: `uv run pytest tests/test_auth_routes/test_last_credential_guard.py -v`
Expected: FAIL (delete endpoints exist from Tasks 6-7 but don't enforce the guardrail yet)
**Step 3: Implement guardrails**
In `src/fastapi_oidc_op/manage/routes.py`:
Add a helper function used by both DELETE routes:
```python
async def _count_credentials(cred_repo, userid: str) -> int:
"""Count total credentials (password + webauthn) for a user."""
webauthn = await cred_repo.get_webauthn_by_user(userid)
password = await cred_repo.get_password_by_user(userid)
return len(webauthn) + (1 if password else 0)
```
In `DELETE /manage/credentials/password` and `DELETE /manage/credentials/webauthn/{credential_id}`:
- Before deleting, call `_count_credentials()`
- If count == 1, return error fragment: `<div role="alert">Cannot remove your last credential</div>`
- Otherwise proceed with deletion
**Step 4: Run tests to verify they pass**
Run: `uv run pytest tests/test_auth_routes/test_last_credential_guard.py -v`
Expected: PASS
**Step 5: Commit**
```bash
git add src/fastapi_oidc_op/manage/routes.py tests/test_auth_routes/test_last_credential_guard.py
git commit -m "fix: prevent removing the last credential"
```
---
### Task 10: Full Quality Gate [DONE]
**Files:**
- All touched
**Step 1: Run full quality checks**
Run: `./scripts/check.sh`
Expected: All green (formatting, linting, type checking, all tests pass)
**Step 2: Fix any issues**
If ruff format or ruff check made changes, review them. If ty reports type errors, fix them.
**Step 3: Commit any fixes**
```bash
git add -A
git diff --cached --quiet || git commit -m "style: apply formatting and fix lint issues"
```
Reference in a new issue View git blame Copy permalink