Add support for passkeys to Hypha (#4772)

Fixes #4563

This implementation uses [duo-labs/py_webauthn: Pythonic
WebAuthn](https://github.com/duo-labs/py_webauthn) directly implementing
its own Django wrapper. This is so passkeys are used as a stand alone
login method and not as a 2FA option.

The interesting parts are in `passkey_views.py` and `passkeys.js`.

## Test Steps

- [ ] Test that setting up and logging in with passkeys works on Mac,
Windows, iPhone, Android and Linux.
 - [ ] Using built in OS support, using usb keys etc.
- [ ] Test that ENFORCE_TWO_FACTOR are bypassed for passkey users.
Passkeys are more secure than 2FA.
 - [ ] Audit the implementation for any issues.

---------

Co-authored-by: Wes Appler <145372368+wes-otf@users.noreply.github.com>

Author: frjo

docs/setup/deployment/production/stand-alone.md

@@ -185,6 +185,11 @@ SERVER_EMAIL:                                  app@example.org
 SEND_MESSAGES:                                 true
 ```
 
+**Passkeys:**
+
+To activate passkeys in production you must set at least `WEBAUTHN_RP_ID` to the relying party domain, e.g. "example.com" (no port, no scheme).
+
+
 **Turn on Hypha features that are off by default:**
 
 ```text

hypha/apply/users/forms.py

@@ -36,6 +36,8 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.user_settings = AuthSettings.load(request_or_site=self.request)
         self.extra_text = self.user_settings.extra_text
+        # Enable passkey autofill (conditional mediation) on the username field
+        self.fields["username"].widget.attrs["autocomplete"] = "username webauthn"
         if self.user_settings.consent_show:
             self.fields["consent"] = forms.BooleanField(
                 label=self.user_settings.consent_text,
@@ -55,7 +57,9 @@ class PasswordlessAuthForm(forms.Form):
         label=_("Email address"),
         required=True,
         max_length=254,
-        widget=forms.EmailInput(attrs={"autofocus": True, "autocomplete": "email"}),
+        widget=forms.EmailInput(
+            attrs={"autofocus": True, "autocomplete": "username webauthn"}
+        ),
     )
 
     if settings.SESSION_COOKIE_AGE <= settings.SESSION_COOKIE_AGE_LONG:

hypha/apply/users/middleware.py

@@ -103,7 +103,11 @@ def __call__(self, request):
         # code to execute before the view
         user = request.user
         if user.is_authenticated:
-            if user.social_auth.exists() or user.is_verified():
+            if (
+                user.social_auth.exists()
+                or user.is_verified()
+                or request.session.get("passkey_authenticated")
+            ):
                 return self._accept(request)
 
             # Allow rounds and lab detail pages

hypha/apply/users/migrations/0030_passkeys.py

@@ -0,0 +1,46 @@
+# Generated by Django 5.2.12 on 2026-03-23 21:24
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("users", "0029_alter_confirmaccesstoken_options_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Passkey",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("name", models.CharField(blank=True, max_length=255)),
+                ("credential_id", models.CharField(max_length=2048, unique=True)),
+                ("public_key", models.CharField(max_length=2048)),
+                ("sign_count", models.PositiveBigIntegerField(default=0)),
+                ("transports", models.JSONField(blank=True, default=list)),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("last_used_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="passkeys",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-created_at"],
+            },
+        ),
+    ]

hypha/apply/users/models.py

@@ -470,3 +470,32 @@ class Meta:
         ordering = ("modified",)
         verbose_name = _("Confirm Access Token")
         verbose_name_plural = _("Confirm Access Tokens")
+
+
+class Passkey(models.Model):
+    """Stores a WebAuthn passkey credential for a user.
+
+    credential_id and public_key are stored as base64url-encoded strings,
+    matching the convention used by django-two-factor-auth's WebAuthn plugin.
+    """
+
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="passkeys",
+    )
+    name = models.CharField(max_length=255, blank=True)
+    # base64url-encoded credential id (unique per authenticator)
+    credential_id = models.CharField(max_length=2048, unique=True)
+    # base64url-encoded public key
+    public_key = models.CharField(max_length=2048)
+    sign_count = models.PositiveBigIntegerField(default=0)
+    transports = models.JSONField(default=list, blank=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+    last_used_at = models.DateTimeField(null=True, blank=True)
+
+    class Meta:
+        ordering = ["-created_at"]
+
+    def __str__(self):
+        return self.name or f"Passkey {self.pk}"