Add Passkey Authentication backend with FIDO2/WebAuthn #5

Merged
gwho merged 1 commit into master from claude/passkey-authentication-backend-MFeNG on Dec 24, 2025

Add Passkey Authentication backend with FIDO2/WebAuthn#5
gwho merged 1 commit intomasterfrom
claude/passkey-authentication-backend-MFeNG

Conversation

gwho (Owner) commented Dec 24, 2025

Implemented a complete passwordless authentication system using FastAPI
and the WebAuthn protocol. This production-ready prototype demonstrates
modern security best practices for passkey-based authentication.

Features:

  • Clean separation of Registration and Authentication ceremonies
  • Pydantic V2 models for User and Credential entities
  • Cryptographic challenge/response flow with detailed security docs
  • In-memory database (easily replaceable with PostgreSQL/MongoDB)
  • Comprehensive inline documentation explaining crypto operations
  • Minimal HTML/JS frontend using navigator.credentials API
  • Clone detection via signature counters
  • User verification enforcement (biometric/PIN)

Security Architecture:

  • Asymmetric cryptography (public/private key pairs)
  • One-time challenges prevent replay attacks
  • Origin validation prevents phishing
  • No passwords or shared secrets transmitted
  • Signature verification using stored public keys

Files added:

  • main.py: Complete FastAPI backend with WebAuthn endpoints
  • requirements.txt: Python dependencies
  • README.md: Comprehensive setup and security documentation
  • .gitignore: Standard Python/project ignores

@gwho gwho merged commit 0355c69 into master Dec 24, 2025
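The checks the description above lists for the authentication ceremony (one-time challenge, origin validation, signature verification with the stored public key, user-verification enforcement and counter-based clone detection), as an added stand-alone example that is not code from this PR or repository. It assumes an RP ID of `login.example.test` with origin `https://login.example.test`, a simulated `Authenticator` class standing in for `navigator.credentials.get()`, and bundles a tiny pure-Python P-256 so it runs with no third-party packages; a real service would use py_webauthn or `cryptography` for the ES256 verification rather than hand-rolled curve arithmetic.

```python
# Relying-party checks for a WebAuthn authentication ceremony: one-time challenge, clientDataJSON type
# and origin, rpIdHash and UV flag, ES256 signature over authData || SHA-256(clientDataJSON), and
# signature-counter clone detection. Demo code: RP_ID, ORIGIN and Authenticator are assumptions.
import base64, copy, hashlib, json, secrets, struct

# Minimal P-256 (ES256) so this runs with no third-party packages; real code uses py_webauthn/cryptography.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):                                   # affine group law; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3 for P-256
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def _mul(k, pt):                                    # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc
def _z(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big")
def ecdsa_sign(d, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(msg) + r * d) % N
        if r and s: return r, s
def ecdsa_verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

RP_ID, ORIGIN = "login.example.test", "https://login.example.test"   # assumed values
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()
def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
class AuthError(Exception): pass

class RelyingParty:
    def __init__(self):
        self.pending = {}       # challenge -> user; popped on first use, so a replayed assertion finds nothing
        self.credentials = {}   # credential id -> {"user", "pk", "sign_count"}, stored at registration

    def begin_authentication(self, user):
        ch = secrets.token_bytes(32)                 # fresh, unpredictable, single-use
        self.pending[ch] = user
        return ch

    def finish_authentication(self, cred_id, client_data_json, auth_data, sig):
        cd = json.loads(client_data_json)
        user = self.pending.pop(b64url_decode(cd.get("challenge", "")), None)   # consumed even if later checks fail
        if user is None: raise AuthError("unknown or already-used challenge")
        if cd.get("type") != "webauthn.get": raise AuthError("wrong ceremony type")
        if cd.get("origin") != ORIGIN: raise AuthError("origin mismatch: assertion was made for another site")
        cred = self.credentials.get(cred_id)
        if cred is None or cred["user"] != user: raise AuthError("credential not registered to this user")
        if len(auth_data) < 37 or auth_data[:32] != RP_ID_HASH: raise AuthError("malformed authData or rpIdHash mismatch")
        if not auth_data[32] & 0x04: raise AuthError("user verification (UV) required but not performed")
        # The authenticator signed authData || SHA-256(clientDataJSON); verify with the stored public key.
        if not ecdsa_verify(cred["pk"], auth_data + hashlib.sha256(client_data_json).digest(), sig):
            raise AuthError("signature does not verify")
        count = struct.unpack(">I", auth_data[33:37])[0]
        # Clone detection: a counter that does not increase means another copy of the key has signed
        # since this credential was last seen (0 -> 0 is allowed: the authenticator keeps no counter).
        if (count or cred["sign_count"]) and count <= cred["sign_count"]:
            raise AuthError("signature counter did not increase: possible cloned authenticator")
        cred["sign_count"] = count
        return user

class Authenticator:                                # stand-in for navigator.credentials.get()
    def __init__(self, cred_id):
        self.cred_id, self.count = cred_id, 0
        self.d = secrets.randbelow(N - 1) + 1
        self.pk = _mul(self.d, G)
    def get_assertion(self, challenge, origin=ORIGIN, uv=True):
        self.count += 1
        cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
        auth_data = RP_ID_HASH + bytes([0x05 if uv else 0x01]) + struct.pack(">I", self.count)  # flags, counter
        return cdj, auth_data, ecdsa_sign(self.d, auth_data + hashlib.sha256(cdj).digest())

def run_demo():
    """Success path plus each failure the checks exist to catch; returns label -> outcome."""
    rp, authn, out = RelyingParty(), Authenticator(b"cred-1"), {}
    rp.credentials[authn.cred_id] = {"user": "alice", "pk": authn.pk, "sign_count": 0}  # from registration
    def attempt(label, device, assertion=None, **kw):
        assertion = assertion or device.get_assertion(rp.begin_authentication("alice"), **kw)
        try: out[label] = rp.finish_authentication(device.cred_id, *assertion)
        except AuthError as e: out[label] = str(e)
        return assertion
    attempt("replay", authn, attempt("valid", authn))        # the same assertion submitted a second time
    attempt("phished", authn, origin="https://evil.example.test")
    attempt("no_uv", authn, uv=False)
    attempt("clone_signs_first", copy.copy(authn))           # exfiltrated key: its counter advances, so accepted
    attempt("original_after_clone", authn)                   # the original's counter now lags: rejected
    return out
```

Two design points worth noting: the challenge is popped before any other check, so a failed attempt cannot be retried with the same challenge, and the counter check tolerates 0 -> 0 because some authenticators do not implement a signature counter at all, so a counter-based clone signal only exists for credentials that reported a non-zero count at some point. A clone can still win the race if it authenticates before the genuine device does; the counter only catches the laggard.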