Fix WebAuthn issues in Boilerplate (#10228)

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor

@@ -88,8 +88,8 @@
                                IconName="@BitIconName.RecycleBin" />
                 }
                 <BitButton IconOnly AutoLoading
-                           OnClick="ClearCache"
-                           Title="Clear cache"
+                           OnClick="ClearData"
+                           Title="Clear data"
                            Color="BitColor.SecondaryBackground"
                            IconName="@BitIconName.Clear" />
             </BitStack>

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/AppDiagnosticModal.razor.Utils.cs

@@ -1,6 +1,7 @@
 using System.Text;
 using System.Diagnostics;
 using System.Runtime.CompilerServices;
+using Boilerplate.Shared.Controllers.Identity;
 //#if (signalR == true)
 using Microsoft.AspNetCore.SignalR.Client;
 //#endif
@@ -9,9 +10,10 @@ namespace Boilerplate.Client.Core.Components.Layout;
 
 public partial class AppDiagnosticModal
 {
-    [AutoInject] Cookie cookie = default!;
-    [AutoInject] AuthManager authManager = default!;
-    [AutoInject] IStorageService storageService = default!;
+    [AutoInject] private Cookie cookie = default!;
+    [AutoInject] private AuthManager authManager = default!;
+    [AutoInject] private IStorageService storageService = default!;
+    [AutoInject] private IUserController userController = default!;
 
     private static async Task ThrowTestException()
     {
@@ -97,13 +99,13 @@ await Task.Run(() =>
         SnackBarService.Show("Memory After GC", GetMemoryUsage());
     }
 
-    string GetMemoryUsage()
+    private string GetMemoryUsage()
     {
         long memory = Environment.WorkingSet;
         return $"{memory / (1024.0 * 1024.0):F2} MB";
     }
 
-    async Task ClearCache()
+    private async Task ClearData()
     {
         try
         {
@@ -118,6 +120,15 @@ async Task ClearCache()
             await cookie.Remove(item.Name!);
         }
 
+        if ((await AuthenticationStateTask).User.IsAuthenticated())
+        {
+            await userController.DeleteAllWebAuthnCredentials(CurrentCancellationToken);
+
+            // since the localStorage is used to store configured webauthn users and it is already cleared above, we can ignore the following line.
+            // we kept it commented for future refrences.
+            //await JSRuntime.RemoveWebAuthnConfigured();
+        }
+
         if (AppPlatform.IsBlazorHybrid is false)
         {
             await JSRuntime.InvokeVoidAsync("BitBswup.forceRefresh"); // Clears cache storages and uninstalls service-worker.

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/PasswordlessSection.razor

@@ -8,13 +8,13 @@
         <br />
         @if (isConfigured)
         {
-            <BitButton OnClick="WrapHandled(DisablePasswordless)" Variant="BitVariant.Outline" Color="BitColor.Warning">
+            <BitButton AutoLoading OnClick="WrapHandled(DisablePasswordless)" Variant="BitVariant.Outline" Color="BitColor.Warning">
                 @Localizer[nameof(AppStrings.DisablePasswordless)]
             </BitButton>
         }
         else
         {
-            <BitButton OnClick="WrapHandled(EnablePasswordless)">
+            <BitButton AutoLoading OnClick="WrapHandled(EnablePasswordless)">
                 @Localizer[nameof(AppStrings.EnablePasswordless)]
             </BitButton>
         }

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorized/Settings/SettingsPage.razor.cs

@@ -34,7 +34,10 @@ protected override async Task OnInitAsync()
         try
         {
             user = (await PrerenderStateService.GetValue(() => HttpClient.GetFromJsonAsync("api/User/GetCurrentUser", JsonSerializerOptions.GetTypeInfo<UserDto>(), CurrentCancellationToken)))!;
-            showPasswordless = await JSRuntime.IsWebAuthnAvailable() && AppPlatform.IsBlazorHybrid is false;
+            if (InPrerenderSession is false)
+            {
+                showPasswordless = await JSRuntime.IsWebAuthnAvailable() && AppPlatform.IsBlazorHybrid is false;
+            }
         }
         finally
         {

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPage.razor.cs

@@ -38,6 +38,7 @@ public partial class SignInPage
     private SignInPanelTab currentSignInPanelTab;
     private readonly SignInRequestDto model = new();
     private AppDataAnnotationsValidator? validatorRef;
+    private AuthenticatorAssertionRawResponse? webAuthnAssertion;
     private Action unsubscribeIdentityHeaderBackLinkClicked = default!;
 
 
@@ -83,6 +84,7 @@ protected override async Task OnInitAsync()
 
             if (source == TfaPayload)
             {
+                webAuthnAssertion = null;
                 requiresTwoFactor = false;
                 model.TwoFactorCode = null;
             }
@@ -105,20 +107,29 @@ private async Task DoSignIn()
         {
             if (requiresTwoFactor && string.IsNullOrWhiteSpace(model.TwoFactorCode)) return;
 
-            CleanModel();
+            if (webAuthnAssertion is null)
+            {
+                CleanModel();
 
-            if (validatorRef?.EditContext.Validate() is false) return;
+                if (validatorRef?.EditContext.Validate() is false) return;
 
-            model.DeviceInfo = telemetryContext.Platform;
+                model.DeviceInfo = telemetryContext.Platform;
 
-            requiresTwoFactor = await AuthManager.SignIn(model, CurrentCancellationToken);
+                requiresTwoFactor = await AuthManager.SignIn(model, CurrentCancellationToken);
 
-            if (requiresTwoFactor)
-            {
-                PubSubService.Publish(ClientPubSubMessages.UPDATE_IDENTITY_HEADER_BACK_LINK, TfaPayload);
+                if (requiresTwoFactor)
+                {
+                    PubSubService.Publish(ClientPubSubMessages.UPDATE_IDENTITY_HEADER_BACK_LINK, TfaPayload);
+                }
+                else
+                {
+                    NavigationManager.NavigateTo(ReturnUrlQueryString ?? Urls.HomePage, replace: true);
+                }
             }
             else
             {
+                var response = await identityController.VerifyWebAuthAndSignIn(new() { ClientResponse = webAuthnAssertion, TfaCode = model.TwoFactorCode }, CurrentCancellationToken);
+                await AuthManager.StoreTokens(response!, model.RememberMe);
                 NavigationManager.NavigateTo(ReturnUrlQueryString ?? Urls.HomePage, replace: true);
             }
         }
@@ -160,10 +171,9 @@ private async Task HandleOnPasswordlessSignIn()
         {
             var options = await identityController.GetWebAuthnAssertionOptions(CurrentCancellationToken);
 
-            AuthenticatorAssertionRawResponse assertion;
             try
             {
-                assertion = await JSRuntime.VerifyWebAuthnCredential(options);
+                webAuthnAssertion = await JSRuntime.VerifyWebAuthnCredential(options);
             }
             catch (Exception ex)
             {
@@ -172,9 +182,11 @@ private async Task HandleOnPasswordlessSignIn()
                 return;
             }
 
-            var response = await identityController.VerifyWebAuthAndSignIn(assertion, CurrentCancellationToken);
+            var response = await identityController.VerifyWebAuthAndSignIn(new() { ClientResponse = webAuthnAssertion }, CurrentCancellationToken);
+
+            requiresTwoFactor = response.RequiresTwoFactor;
 
-            if (response.RequiresTwoFactor)
+            if (requiresTwoFactor)
             {
                 PubSubService.Publish(ClientPubSubMessages.UPDATE_IDENTITY_HEADER_BACK_LINK, TfaPayload);
             }
@@ -186,6 +198,7 @@ private async Task HandleOnPasswordlessSignIn()
         }
         catch (KnownException e)
         {
+            webAuthnAssertion = null;
             SnackBarService.Error(e.Message);
         }
         finally
@@ -242,9 +255,16 @@ private async Task HandleOnSendTfaToken()
     {
         try
         {
-            CleanModel();
+            if (webAuthnAssertion is null)
+            {
+                CleanModel();
 
-            await identityController.SendTwoFactorToken(model, CurrentCancellationToken);
+                await identityController.SendTwoFactorToken(model, CurrentCancellationToken);
+            }
+            else
+            {
+                await identityController.VerifyWebAuthAndSendTwoFactorToken(webAuthnAssertion, CurrentCancellationToken);
+            }
 
             SnackBarService.Success(Localizer[nameof(AppStrings.TfaTokenSentMessage)]);
         }

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Extensions/IJSRuntimeWebAuthnExtensions.cs

@@ -20,7 +20,7 @@ public static ValueTask<bool> IsWebAuthnConfigured(this IJSRuntime jsRuntime, st
         return jsRuntime.InvokeAsync<bool>("WebAuthn.isConfigured", username);
     }
 
-    public static ValueTask RemoveWebAuthnConfigured(this IJSRuntime jsRuntime, string username)
+    public static ValueTask RemoveWebAuthnConfigured(this IJSRuntime jsRuntime, string? username = null)
     {
         return jsRuntime.InvokeVoidAsync("WebAuthn.removeConfigured", username);
     }