Disable passkeys in production unless WEBAUTHN_RP_ID is set.

Author: frjo

docs/setup/deployment/production/stand-alone.md

@@ -185,6 +185,11 @@ SERVER_EMAIL:                                  app@example.org
 SEND_MESSAGES:                                 true
 ```
 
+**Passkeys:**
+
+To activate passkeys in production you must set at least `WEBAUTHN_RP_ID` to the relying party domain, e.g. "example.com" (no port, no scheme).
+
+
 **Turn on Hypha features that are off by default:**
 
 ```text

hypha/apply/users/passkey_views.py

@@ -1,13 +1,14 @@
 import base64
 import json
 import logging
+from functools import wraps
 
 from django.conf import settings
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
-from django.http import JsonResponse
+from django.http import Http404, JsonResponse
 from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
 from django.utils.http import url_has_allowed_host_and_scheme
@@ -43,6 +44,23 @@
 SESSION_CHALLENGE_KEY_AUTH = "webauthn_challenge_auth"
 
 
+def passkeys_enabled() -> bool:
+    """Passkeys require WEBAUTHN_RP_ID in production. In DEBUG (local/dev)
+    we fall back to the request host so the feature can be exercised locally.
+    """
+    return bool(getattr(settings, "WEBAUTHN_RP_ID", None)) or settings.DEBUG
+
+
+def passkeys_required(view_func):
+    @wraps(view_func)
+    def _wrapped(request, *args, **kwargs):
+        if not passkeys_enabled():
+            raise Http404
+        return view_func(request, *args, **kwargs)
+
+    return _wrapped
+
+
 def _get_rp_id(request):
     rp_id = getattr(settings, "WEBAUTHN_RP_ID", None)
     if rp_id:
@@ -90,6 +108,7 @@ def _clean_transports(raw) -> list[str]:
 MAX_PASSKEYS_PER_USER = 10
 
 
+@passkeys_required
 @login_required
 @require_POST
 @ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
@@ -127,6 +146,7 @@ def passkey_register_begin(request):
     return JsonResponse(json.loads(options_to_json(options)))
 
 
+@passkeys_required
 @login_required
 @require_POST
 @ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
@@ -195,6 +215,7 @@ def passkey_register_complete(request):
 # ---------------------------------------------------------------------------
 
 
+@passkeys_required
 @require_POST
 @ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
 def passkey_auth_begin(request):
@@ -206,6 +227,7 @@ def passkey_auth_begin(request):
     return JsonResponse(json.loads(options_to_json(options)))
 
 
+@passkeys_required
 @require_POST
 @ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
 def passkey_auth_complete(request):
@@ -315,13 +337,15 @@ def passkey_auth_complete(request):
 # ---------------------------------------------------------------------------
 
 
+@passkeys_required
 @login_required
 @require_GET
 def passkey_list(request):
     passkeys = request.user.passkeys.all()
     return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
+@passkeys_required
 @login_required
 @require_POST
 def passkey_delete(request, pk):
@@ -337,6 +361,7 @@ def passkey_delete(request, pk):
     return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
 
 
+@passkeys_required
 @login_required
 @require_POST
 def passkey_rename(request, pk):

hypha/apply/users/templates/users/account.html

@@ -93,18 +93,20 @@ <h3 class="mb-2 text-sm font-semibold">
                 {% endif %}
             </p>
 
-            <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
-            <p class="mb-2 text-sm text-fg-muted">
-                {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
-            </p>
+            {% if PASSKEYS_ENABLED %}
+                <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
+                <p class="mb-2 text-sm text-fg-muted">
+                    {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
+                </p>
 
-            <div
-                hx-get="{% url 'users:passkey_list' %}"
-                hx-trigger="load"
-                hx-swap="innerHTML"
-            >
-                <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
-            </div>
+                <div
+                    hx-get="{% url 'users:passkey_list' %}"
+                    hx-trigger="load"
+                    hx-swap="innerHTML"
+                >
+                    <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
+                </div>
+            {% endif %}
 
             {# Remove the comment block tags below when such need arises. e.g. adding new providers #}
             {% comment %}
@@ -123,5 +125,7 @@ <h3 class="mb-2 text-base">{% trans "Manage OAuth" %}</h3>
 {% endblock %}
 
 {% block extra_js %}
-    <script src="{% static 'js/passkeys.js' %}"></script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+    {% endif %}
 {% endblock %}

hypha/apply/users/templates/users/login.html

@@ -91,7 +91,9 @@ <h1 class="mb-4 text-h1">
 
                     <section class="flex-wrap card-actions">
                         {% include "users/includes/passwordless_login_button.html" %}
-                        {% include "users/includes/passkey_login_button.html" %}
+                        {% if PASSKEYS_ENABLED %}
+                            {% include "users/includes/passkey_login_button.html" %}
+                        {% endif %}
                         {% if GOOGLE_OAUTH2 %}
                             {% include "users/includes/org_login_button.html" %}
                         {% endif %}
@@ -143,12 +145,14 @@ <h1 class="mb-4 text-h1">
 
 {% block extra_js %}
     {{ block.super }}
-    <script src="{% static 'js/passkeys.js' %}"></script>
-    <script>
-        document.addEventListener("DOMContentLoaded", function () {
-            hypha.passkeys.initUI();
-        });
-    </script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+        <script>
+            document.addEventListener("DOMContentLoaded", function () {
+                hypha.passkeys.initUI();
+            });
+        </script>
+    {% endif %}
     {# Fix copy of dynamic fields label #}
     <script>
         var labelOtpToken = document.querySelector("label[for=id_token-otp_token]");

hypha/apply/users/templates/users/passwordless_login_signup.html

@@ -51,7 +51,9 @@ <h1 class="mb-4 text-h1">
 
                 <section class="flex-wrap card-actions">
                     {% include "users/includes/password_login_button.html" %}
-                    {% include "users/includes/passkey_login_button.html" %}
+                    {% if PASSKEYS_ENABLED %}
+                        {% include "users/includes/passkey_login_button.html" %}
+                    {% endif %}
                     {% if GOOGLE_OAUTH2 %}
                         {% include "users/includes/org_login_button.html" %}
                     {% endif %}
@@ -62,10 +64,12 @@ <h1 class="mb-4 text-h1">
 {% endblock %}
 
 {% block extra_js %}
-    <script src="{% static 'js/passkeys.js' %}"></script>
-    <script>
-        document.addEventListener("DOMContentLoaded", function () {
-            hypha.passkeys.initUI();
-        });
-    </script>
+    {% if PASSKEYS_ENABLED %}
+        <script src="{% static 'js/passkeys.js' %}"></script>
+        <script>
+            document.addEventListener("DOMContentLoaded", function () {
+                hypha.passkeys.initUI();
+            });
+        </script>
+    {% endif %}
 {% endblock %}

hypha/apply/users/tests/test_passkey_views.py

@@ -661,3 +661,83 @@ def test_without_passkey_flag_unverified_user_is_blocked(self):
 
         response = self.client.get(settings.LOGIN_REDIRECT_URL, follow=True)
         self.assertContains(response, "Permission Denied")
+
+
+# ---------------------------------------------------------------------------
+# Production gate — passkeys disabled unless WEBAUTHN_RP_ID is set
+# ---------------------------------------------------------------------------
+
+
+@override_settings(DEBUG=False, WEBAUTHN_RP_ID=None, RATELIMIT_ENABLE=False)
+class TestPasskeysDisabledInProduction(TestCase):
+    """Without WEBAUTHN_RP_ID and DEBUG=False, all passkey views must 404."""
+
+    def setUp(self):
+        self.user = UserFactory()
+
+    def test_auth_begin_returns_404(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_auth_complete_returns_404(self):
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps({}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_register_begin_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_register_complete_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps({}),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_passkey_list_returns_404(self):
+        self.client.force_login(self.user)
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 404)
+
+    def test_passkey_delete_returns_404(self):
+        passkey = make_passkey(self.user)
+        self.client.force_login(self.user)
+        response = self.client.post(reverse("users:passkey_delete", args=[passkey.pk]))
+        self.assertEqual(response.status_code, 404)
+        self.assertTrue(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_passkey_rename_returns_404(self):
+        passkey = make_passkey(self.user, name="Original")
+        self.client.force_login(self.user)
+        response = self.client.post(
+            reverse("users:passkey_rename", args=[passkey.pk]),
+            {"name": "New Name"},
+        )
+        self.assertEqual(response.status_code, 404)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+
+@override_settings(DEBUG=True, WEBAUTHN_RP_ID=None, RATELIMIT_ENABLE=False)
+class TestPasskeysEnabledInDev(TestCase):
+    """DEBUG=True falls back to the request host even without WEBAUTHN_RP_ID."""
+
+    def test_auth_begin_works_in_debug_without_rp_id(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+
+
+@override_settings(DEBUG=False, WEBAUTHN_RP_ID="example.com", RATELIMIT_ENABLE=False)
+class TestPasskeysEnabledWhenRpIdSet(TestCase):
+    """DEBUG=False with WEBAUTHN_RP_ID set enables passkeys in production."""
+
+    def test_auth_begin_works_in_production_with_rp_id(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)

hypha/core/context_processors.py

@@ -1,5 +1,6 @@
 from django.conf import settings
 
+from hypha.apply.users.passkey_views import passkeys_enabled
 from hypha.home.models import ApplyHomePage
 
 
@@ -15,6 +16,7 @@ def global_vars(request):
         "HIDE_IDENTITY_FROM_REVIEWERS": settings.HIDE_IDENTITY_FROM_REVIEWERS,
         "GOOGLE_OAUTH2": settings.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY,
         "ENABLE_PUBLIC_SIGNUP": settings.ENABLE_PUBLIC_SIGNUP,
+        "PASSKEYS_ENABLED": passkeys_enabled(),
         "SENTRY_TRACES_SAMPLE_RATE": settings.SENTRY_TRACES_SAMPLE_RATE,
         "SENTRY_ENVIRONMENT": settings.SENTRY_ENVIRONMENT,
         "SENTRY_DENY_URLS": settings.SENTRY_DENY_URLS,

hypha/settings/base.py

@@ -35,15 +35,18 @@
 ENFORCE_TWO_FACTOR = env.bool("ENFORCE_TWO_FACTOR", False)
 
 # WebAuthn / Passkey settings.
+# Passkeys are disabled in production unless WEBAUTHN_RP_ID is set. In local
+# development (DEBUG=True) they fall back to the request host so the feature
+# can be tried without extra configuration.
+#
 # WEBAUTHN_RP_ID: the relying party domain, e.g. "example.com" (no port, no scheme).
-#   Defaults to the request host if not set. OBS! Do not use default in production!
 # WEBAUTHN_ORIGIN: the full origin, e.g. "https://example.com".
 #   Defaults to the request origin if not set.
 # WEBAUTHN_RP_NAME: display name shown in the browser passkey UI.
 #   Defaults to ORG_LONG_NAME.
 WEBAUTHN_RP_ID = env.str("WEBAUTHN_RP_ID", None)
-WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
 WEBAUTHN_ORIGIN = env.str("WEBAUTHN_ORIGIN", None)
+WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
 
 # Set the allowed file extension for all uploads fields.
 FILE_ALLOWED_EXTENSIONS = [

hypha/settings/test.py

@@ -35,6 +35,9 @@
 
 ENFORCE_TWO_FACTOR = False
 
+# Enable passkeys in tests so feature views are exercisable without DEBUG.
+WEBAUTHN_RP_ID = "testserver"
+
 SECURE_SSL_REDIRECT = False
 
 # No async celery workers