Fix WebAuthn issues in Boilerplate (#10228)

[msynk]

closes #10228

Summary by CodeRabbit

• New Features
  • A new action button in the diagnostic modal now lets users delete all Web Authentication credentials, giving a streamlined way to manage credentials.
  • Enhanced passwordless authentication controls now include auto-loading feedback for smoother enable/disable interactions.
  • Display logic improvements ensure that passwordless options appear only when applicable, optimizing the overall user experience.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This update adds functionality for managing WebAuthn credentials. A new icon-only button in the diagnostic modal triggers the deletion of all WebAuthn credentials when clicked. On the client side, new methods and dependency injection support this feature. The changes also include updates to the passwordless settings UI with added auto-loading attributes and conditional assignment in the settings page. Additionally, conversion methods in the WebAuthn script have been renamed and adjusted, and corresponding server-side methods and documentation for handling WebAuthn credentials have been updated.

Changes

File(s)	Change Summary
.../Components/Layout/AppDiagnosticModal.razor and .../Components/Layout/AppDiagnosticModal.razor.cs	Added a new icon-only button to open credential deletion modal and a new async method DeleteAllWebAuthnCredentials with IUserController dependency to perform deletion.
.../Components/Pages/Authorized/Settings/PasswordlessSection.razor	Added AutoLoading attribute to two <BitButton> components for enabling/disabling passwordless actions.
.../Components/Pages/Authorized/Settings/SettingsPage.razor.cs	Modified the assignment of showPasswordless to occur only when not in a pre-render session.
.../Scripts/WebAuthn.ts	Renamed and updated conversion methods (e.g., arrayToUrl → binaryToString, urlToArray → stringToBinary, base64ToUrl → base64ToString) and introduced logging.
.../Controllers/Identity/UserController.WebAuthn.cs	Changed authenticator selection configuration, commented out authentication extensions, and added a new method DeleteAllWebAuthnCredentials with error handling.
.../Models/Identity/WebAuthnCredential.cs	Added documentation comment explaining the model’s purpose and its usage with the Fido2 library.
.../Controllers/Identity/IUserController.cs	Added a new asynchronous method DeleteAllWebAuthnCredentials with the [HttpDelete] attribute in the interface.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Modal as AppDiagnosticModal
    participant Ctrl as IUserController
    participant Server as UserController.WebAuthn

    User->>Modal: Click delete credentials button
    Modal->>Modal: Execute DeleteAllWebAuthnCredentials()
    Modal->>Ctrl: Call DeleteAllWebAuthnCredentials(cancellationToken)
    Ctrl->>Server: Send HTTP DELETE request for credentials
    Server-->>Ctrl: Return deletion result
    Ctrl-->>Modal: Respond with operation status
    Modal-->>User: Update UI state

Loading

Poem

I hopped through the code with glee,
Adding buttons and functions for you and me.
I nibbled through logic with a careful stride,
Deleting old credentials far and wide.
With each small change, my joy won't hide,
A rabbit’s cheer as the new code takes ride! 🐰

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor (1)

148-153: Add a Title attribute to the WebAuthn credential delete button

The new button for deleting WebAuthn credentials is missing a Title attribute, which is present on all other buttons in this modal. Adding a title would improve accessibility and provide users with context about the button's function.

<BitButton IconOnly
           AutoLoading
           Color="BitColor.Info"
           Variant="BitVariant.Text"
           IconName="@BitIconName.Delete"
+          Title="Delete WebAuthn credentials"
           OnClick="DeleteAllWebAuthnCredentials" />

Also, consider adding a confirmation dialog before deleting credentials since this is a destructive action that can't be undone.

src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.WebAuthn.cs (1)

40-45: Consider documenting the reason for disabling extensions

You've commented out the Extensions property which disables credential properties, extensions, and user verification methods. Consider adding a comment explaining why these features were disabled.

//Extensions = new AuthenticationExtensionsClientInputs
//{
//    CredProps = true,
//    Extensions = true,
//    UserVerificationMethod = true,
//}
+// Extensions are disabled to simplify the WebAuthn implementation and avoid compatibility issues

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebAuthn.ts (1)

26-26: Consider using conditional logging for production

Adding console logging of WebAuthn options is helpful for debugging but may expose sensitive information in production. Consider making this log conditional based on environment.

-console.log(options)
+if (process.env.NODE_ENV !== 'production') {
+    console.log('WebAuthn credential options:', options);
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 181d010 and d5e033b.

📒 Files selected for processing (8)

• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor.cs (3 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/PasswordlessSection.razor (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/SettingsPage.razor.cs (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebAuthn.ts (3 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.WebAuthn.cs (2 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Models/Identity/WebAuthnCredential.cs (1 hunks)
• src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IUserController.cs (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build and test

🔇 Additional comments (12)

src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Models/Identity/WebAuthnCredential.cs (1)

5-9: Documentation addition looks good

The added XML documentation for the WebAuthnCredential class is clear, informative, and follows good practices by including a reference link to the underlying library.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/SettingsPage.razor.cs (1)

37-40: Good fix to prevent JavaScript interop during prerendering

This change correctly prevents calling JavaScript methods during prerendering by checking the InPrerenderSession flag. This avoids potential errors since JavaScript interop is not available during prerendering in Blazor.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/PasswordlessSection.razor (2)

11-11: UI improvement with AutoLoading attribute

Adding the AutoLoading attribute provides visual feedback during the async operation, improving user experience.

---

17-17: UI improvement with AutoLoading attribute

Adding the AutoLoading attribute provides visual feedback during the async operation, improving user experience.

src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IUserController.cs (1)

61-62: API extension for bulk credential deletion looks good

The new DeleteAllWebAuthnCredentials method is a sensible addition that complements the existing DeleteWebAuthnCredential method, providing a way to delete all WebAuthn credentials at once rather than individually.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor.cs (3)

6-6: Appropriate import added

The import for the Identity controllers namespace is correctly added to support the new WebAuthn functionality.

---

45-45: Dependency injection properly implemented

The IUserController is correctly injected using the [AutoInject] attribute, following the established pattern in this class.

---

159-164: Proper authentication check in WebAuthn operation

The implementation correctly checks if the user is authenticated before attempting to delete WebAuthn credentials, which is a good security practice.

src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.WebAuthn.cs (2)

38-38: Security enhancement: Restricting to platform authenticators

Changing the authenticator selection to platform-only is a security enhancement that restricts WebAuthn to built-in authenticators like Windows Hello or Touch ID, rather than allowing cross-platform authenticators.

---

116-130: Efficient implementation for bulk deletion

The implementation correctly handles user verification, empty result cases, and uses efficient bulk removal with RemoveRange. Good error handling with the ResourceNotFoundException for user not found scenarios.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebAuthn.ts (2)

28-28: Improved method naming enhances code clarity

The renaming of conversion methods (urlToArray → stringToBinary, arrayToUrl → binaryToString, base64ToUrl → base64ToString) better reflects their actual functionality, making the code more maintainable and easier to understand.

Also applies to: 32-32, 42-42, 49-50, 54-55, 63-63, 70-70, 79-79, 83-86

---

93-103: Consistent naming convention for conversion methods

The renamed private methods now have a more consistent and descriptive naming convention that clearly indicates their purpose - converting between binary data and string representations.