stages/authenticator_webauthn: add option to configure max attempts (#15041)

* house keeping - migrate to session part 1

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup v2

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add max_attempts

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* teeny tiny cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Author: BeryJu

authentik/core/management/commands/change_user_type.py

@@ -13,7 +13,6 @@ def add_arguments(self, parser):
         parser.add_argument("usernames", nargs="*", type=str)
 
     def handle_per_tenant(self, **options):
-        print(options)
         new_type = UserTypes(options["type"])
         qs = (
             User.objects.exclude_anonymous()

authentik/stages/authenticator_validate/challenge.py

@@ -1,6 +1,7 @@
 """Validation stage challenge checking"""
 
 from json import loads
+from typing import TYPE_CHECKING
 from urllib.parse import urlencode
 
 from django.http import HttpRequest
@@ -36,10 +37,12 @@
 from authentik.stages.authenticator_sms.models import SMSDevice
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_webauthn.models import UserVerification, WebAuthnDevice
-from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
+from authentik.stages.authenticator_webauthn.stage import PLAN_CONTEXT_WEBAUTHN_CHALLENGE
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
 
 LOGGER = get_logger()
+if TYPE_CHECKING:
+    from authentik.stages.authenticator_validate.stage import AuthenticatorValidateStageView
 
 
 class DeviceChallenge(PassiveSerializer):
@@ -52,38 +55,42 @@ class DeviceChallenge(PassiveSerializer):
 
 
 def get_challenge_for_device(
-    request: HttpRequest, stage: AuthenticatorValidateStage, device: Device
+    stage_view: "AuthenticatorValidateStageView", stage: AuthenticatorValidateStage, device: Device
 ) -> dict:
     """Generate challenge for a single device"""
     if isinstance(device, WebAuthnDevice):
-        return get_webauthn_challenge(request, stage, device)
+        return get_webauthn_challenge(stage_view, stage, device)
     if isinstance(device, EmailDevice):
         return {"email": mask_email(device.email)}
     # Code-based challenges have no hints
     return {}
 
 
 def get_webauthn_challenge_without_user(
-    request: HttpRequest, stage: AuthenticatorValidateStage
+    stage_view: "AuthenticatorValidateStageView", stage: AuthenticatorValidateStage
 ) -> dict:
     """Same as `get_webauthn_challenge`, but allows any client device. We can then later check
     who the device belongs to."""
-    request.session.pop(SESSION_KEY_WEBAUTHN_CHALLENGE, None)
+    stage_view.executor.plan.context.pop(PLAN_CONTEXT_WEBAUTHN_CHALLENGE, None)
     authentication_options = generate_authentication_options(
-        rp_id=get_rp_id(request),
+        rp_id=get_rp_id(stage_view.request),
         allow_credentials=[],
         user_verification=UserVerificationRequirement(stage.webauthn_user_verification),
     )
-    request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
+    stage_view.executor.plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = (
+        authentication_options.challenge
+    )
 
     return loads(options_to_json(authentication_options))
 
 
 def get_webauthn_challenge(
-    request: HttpRequest, stage: AuthenticatorValidateStage, device: WebAuthnDevice | None = None
+    stage_view: "AuthenticatorValidateStageView",
+    stage: AuthenticatorValidateStage,
+    device: WebAuthnDevice | None = None,
 ) -> dict:
     """Send the client a challenge that we'll check later"""
-    request.session.pop(SESSION_KEY_WEBAUTHN_CHALLENGE, None)
+    stage_view.executor.plan.context.pop(PLAN_CONTEXT_WEBAUTHN_CHALLENGE, None)
 
     allowed_credentials = []
 
@@ -94,12 +101,14 @@ def get_webauthn_challenge(
             allowed_credentials.append(user_device.descriptor)
 
     authentication_options = generate_authentication_options(
-        rp_id=get_rp_id(request),
+        rp_id=get_rp_id(stage_view.request),
         allow_credentials=allowed_credentials,
         user_verification=UserVerificationRequirement(stage.webauthn_user_verification),
     )
 
-    request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
+    stage_view.executor.plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = (
+        authentication_options.challenge
+    )
 
     return loads(options_to_json(authentication_options))
 
@@ -146,7 +155,7 @@ def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Dev
 def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -> Device:
     """Validate WebAuthn Challenge"""
     request = stage_view.request
-    challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
+    challenge = stage_view.executor.plan.context.get(PLAN_CONTEXT_WEBAUTHN_CHALLENGE)
     stage: AuthenticatorValidateStage = stage_view.executor.current_stage
     try:
         credential = parse_authentication_credential_json(data)

authentik/stages/authenticator_validate/stage.py

@@ -224,7 +224,7 @@ def get_device_challenges(self) -> list[dict]:
                 data={
                     "device_class": device_class,
                     "device_uid": device.pk,
-                    "challenge": get_challenge_for_device(self.request, stage, device),
+                    "challenge": get_challenge_for_device(self, stage, device),
                     "last_used": device.last_used,
                 }
             )
@@ -243,7 +243,7 @@ def get_webauthn_challenge_without_user(self) -> list[dict]:
                 "device_class": DeviceClasses.WEBAUTHN,
                 "device_uid": -1,
                 "challenge": get_webauthn_challenge_without_user(
-                    self.request,
+                    self,
                     self.executor.current_stage,
                 ),
                 "last_used": None,

authentik/stages/authenticator_validate/tests/test_webauthn.py

@@ -31,7 +31,7 @@
     WebAuthnDevice,
     WebAuthnDeviceType,
 )
-from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
+from authentik.stages.authenticator_webauthn.stage import PLAN_CONTEXT_WEBAUTHN_CHALLENGE
 from authentik.stages.authenticator_webauthn.tasks import webauthn_mds_import
 from authentik.stages.identification.models import IdentificationStage, UserFields
 from authentik.stages.user_login.models import UserLoginStage
@@ -103,7 +103,11 @@ def test_device_challenge_webauthn(self):
             device_classes=[DeviceClasses.WEBAUTHN],
             webauthn_user_verification=UserVerification.PREFERRED,
         )
-        challenge = get_challenge_for_device(request, stage, webauthn_device)
+        plan = FlowPlan("")
+        stage_view = AuthenticatorValidateStageView(
+            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
+        )
+        challenge = get_challenge_for_device(stage_view, stage, webauthn_device)
         del challenge["challenge"]
         self.assertEqual(
             challenge,
@@ -122,7 +126,9 @@ def test_device_challenge_webauthn(self):
 
         with self.assertRaises(ValidationError):
             validate_challenge_webauthn(
-                {}, StageView(FlowExecutorView(current_stage=stage), request=request), self.user
+                {},
+                StageView(FlowExecutorView(current_stage=stage, plan=plan), request=request),
+                self.user,
             )
 
     def test_device_challenge_webauthn_restricted(self):
@@ -193,22 +199,35 @@ def test_raw_get_challenge(self):
             sign_count=0,
             rp_id=generate_id(),
         )
-        challenge = get_challenge_for_device(request, stage, webauthn_device)
-        webauthn_challenge = request.session[SESSION_KEY_WEBAUTHN_CHALLENGE]
+        plan = FlowPlan("")
+        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+            "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
+        )
+        stage_view = AuthenticatorValidateStageView(
+            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
+        )
+        challenge = get_challenge_for_device(stage_view, stage, webauthn_device)
         self.assertEqual(
-            challenge,
-            {
-                "allowCredentials": [
-                    {
-                        "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
-                        "type": "public-key",
-                    }
-                ],
-                "challenge": bytes_to_base64url(webauthn_challenge),
-                "rpId": "testserver",
-                "timeout": 60000,
-                "userVerification": "preferred",
-            },
+            challenge["allowCredentials"],
+            [
+                {
+                    "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
+                    "type": "public-key",
+                }
+            ],
+        )
+        self.assertIsNotNone(challenge["challenge"])
+        self.assertEqual(
+            challenge["rpId"],
+            "testserver",
+        )
+        self.assertEqual(
+            challenge["timeout"],
+            60000,
+        )
+        self.assertEqual(
+            challenge["userVerification"],
+            "preferred",
         )
 
     def test_get_challenge_userless(self):
@@ -228,18 +247,16 @@ def test_get_challenge_userless(self):
             sign_count=0,
             rp_id=generate_id(),
         )
-        challenge = get_webauthn_challenge_without_user(request, stage)
-        webauthn_challenge = request.session[SESSION_KEY_WEBAUTHN_CHALLENGE]
-        self.assertEqual(
-            challenge,
-            {
-                "allowCredentials": [],
-                "challenge": bytes_to_base64url(webauthn_challenge),
-                "rpId": "testserver",
-                "timeout": 60000,
-                "userVerification": "preferred",
-            },
-        )
+        plan = FlowPlan("")
+        stage_view = AuthenticatorValidateStageView(
+            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
+        )
+        challenge = get_webauthn_challenge_without_user(stage_view, stage)
+        self.assertEqual(challenge["allowCredentials"], [])
+        self.assertIsNotNone(challenge["challenge"])
+        self.assertEqual(challenge["rpId"], "testserver")
+        self.assertEqual(challenge["timeout"], 60000)
+        self.assertEqual(challenge["userVerification"], "preferred")
 
     def test_validate_challenge_unrestricted(self):
         """Test webauthn authentication (unrestricted webauthn device)"""
@@ -275,10 +292,10 @@ def test_validate_challenge_unrestricted(self):
                 "last_used": None,
             }
         ]
-        session[SESSION_KEY_PLAN] = plan
-        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
             "aCC6ak_DP45xMH1qyxzUM5iC2xc4QthQb09v7m4qDBmY8FvWvhxFzSuFlDYQmclrh5fWS5q0TPxgJGF4vimcFQ"
         )
+        session[SESSION_KEY_PLAN] = plan
         session.save()
 
         response = self.client.post(
@@ -352,10 +369,10 @@ def test_validate_challenge_restricted(self):
                 "last_used": None,
             }
         ]
-        session[SESSION_KEY_PLAN] = plan
-        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
             "aCC6ak_DP45xMH1qyxzUM5iC2xc4QthQb09v7m4qDBmY8FvWvhxFzSuFlDYQmclrh5fWS5q0TPxgJGF4vimcFQ"
         )
+        session[SESSION_KEY_PLAN] = plan
         session.save()
 
         response = self.client.post(
@@ -433,10 +450,10 @@ def test_validate_challenge_userless(self):
                 "last_used": None,
             }
         ]
-        session[SESSION_KEY_PLAN] = plan
-        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
             "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
         )
+        session[SESSION_KEY_PLAN] = plan
         session.save()
 
         response = self.client.post(
@@ -496,17 +513,14 @@ def test_validate_challenge_invalid(self):
             not_configured_action=NotConfiguredAction.CONFIGURE,
             device_classes=[DeviceClasses.WEBAUTHN],
         )
-        stage_view = AuthenticatorValidateStageView(
-            FlowExecutorView(flow=flow, current_stage=stage), request=request
-        )
-        request = get_request("/")
-        request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        plan = FlowPlan(flow.pk.hex)
+        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
             "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
         )
-        request.session.save()
+        request = get_request("/")
 
         stage_view = AuthenticatorValidateStageView(
-            FlowExecutorView(flow=flow, current_stage=stage), request=request
+            FlowExecutorView(flow=flow, current_stage=stage, plan=plan), request=request
         )
         request.META["SERVER_NAME"] = "localhost"
         request.META["SERVER_PORT"] = "9000"

authentik/stages/authenticator_webauthn/api/stages.py

@@ -25,6 +25,7 @@ class Meta:
             "resident_key_requirement",
             "device_type_restrictions",
             "device_type_restrictions_obj",
+            "max_attempts",
         ]
 
 

authentik/stages/authenticator_webauthn/migrations/0013_authenticatorwebauthnstage_max_attempts.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.1.11 on 2025-06-13 22:41
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0012_webauthndevice_created_webauthndevice_last_updated_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="authenticatorwebauthnstage",
+            name="max_attempts",
+            field=models.PositiveIntegerField(default=0),
+        ),
+    ]

authentik/stages/authenticator_webauthn/models.py

@@ -84,6 +84,8 @@ class AuthenticatorWebAuthnStage(ConfigurableStage, FriendlyNamedStage, Stage):
 
     device_type_restrictions = models.ManyToManyField("WebAuthnDeviceType", blank=True)
 
+    max_attempts = models.PositiveIntegerField(default=0)
+
     @property
     def serializer(self) -> type[BaseSerializer]:
         from authentik.stages.authenticator_webauthn.api.stages import (