feat(auth): pair passkeys with existing account and manage them

[kubo6472]

Summary

Users who sign in with a magic link (or any session) can now add a passkey without re-entering email, see which passkeys are on the account, and remove ones they no longer trust or use.

Listing passkeys by email without authentication is intentionally not exposed (that would be a credential-enumeration / privacy risk). Management is only for the signed-in user.

Backend

• POST /auth/register/begin: if Authorization: Bearer <jwt> is present, starts WebAuthn registration for that user (no JSON body). Without JWT, behaviour is unchanged: { email } required; same email still resolves to one account via upsertUserByEmail.
• POST /auth/register/finish: unchanged contract; after storing cred:*, appends metadata to user.passkeys[].
• POST /auth/login/finish: after a successful assertion, backfills user.passkeys if this credential was missing (covers accounts created before this index existed).
• GET /auth/passkeys: returns { passkeys: PasskeyMeta[] } for the JWT subject.
• DELETE /auth/passkeys?id=<credentialId>: deletes cred:* and removes the entry from user.passkeys when it belongs to the caller.
• GET /auth/me: strips passkeys from the JSON payload so the field is only returned from the dedicated endpoint.

CORS: DELETE allowed on preflight.

Frontend

• Account sheet (profile): passkey list, Add passkey on this device, Remove per row.
• Register copy clarifies same-email / magic-link / profile flow.
• registerWithPasskey() can be called without email when the API client already has a bearer token.

Types

• PasskeyMeta: id, createdAt, transports (mirrors worker).

  

Summary by CodeRabbit

• New Features
  • Manage passkeys from Account: view all registered passkeys with creation dates and transport details.
  • Add a passkey on the current device after signing in; remove existing passkeys as needed.
  • Registration copy updated: clarifies that the same email maps to one account (including magic link) and additional passkeys can be added post-sign-in.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ed55cf4-6d30-4890-9720-37a8d63b6b04

📥 Commits

Reviewing files that changed from the base of the PR and between 3a2cb8e and 2a6d0d4.

📒 Files selected for processing (1)

• src/styles/main.css

✅ Files skipped from review due to trivial changes (1)

• src/styles/main.css

---

📝 Walkthrough

Walkthrough

Adds passkey management: users can list, add, and remove passkeys. Changes span worker endpoints and storage, client API/auth logic, a new account-passkeys UI module, event wiring in main, styling, and minor HTML copy updates.

Changes

Passkey Management Feature

Layer / File(s)	Summary
Shared Data Types src/types.ts, worker/src/types.ts	PasskeyMeta added; worker User extended with optional passkeys array.
Worker Storage & Helpers worker/src/lib/kv.ts, worker/src/auth/passkey.ts	KV deleteCredential added; helpers to upsert/backfill passkey metadata.
Worker Registration Flow worker/src/auth/passkey.ts	registerBegin accepts JWT (add-to-account) or email; registerFinish records transports and upserts metadata.
Worker Login Flow worker/src/auth/passkey.ts	loginFinish backfills passkey metadata before issuing JWT.
Worker Endpoints worker/src/auth/passkey.ts	Added listPasskeys (GET) and deletePasskey (DELETE) authenticated endpoints.
Router & CORS worker/src/index.ts, worker/src/lib/http.ts	Routes for GET/DELETE /auth/passkeys; /auth/me omits internal passkeys; CORS allows DELETE.
Client Types src/api.ts	Client imports PasskeyMeta for typings.
Client API Wrapper src/api.ts	authRegisterBegin(email?: string) optional; added authPasskeysList() and authPasskeyDelete(id).
Client Auth Logic src/auth/passkey.ts	registerWithPasskey(email?: string) validates authRegisterFinish result and token before returning.
Client UI Handlers src/ui/account-passkeys.ts	Exports refreshAccountPasskeys(), handleAccountAddPasskey(), handleAccountRemovePasskey(credId) with rendering, session guard, toasts, and refresh.
Client Event Wiring src/main.ts	Imports handlers; opening account overlay refreshes passkeys; #add-passkey-btn wired; delegated remove-button listener on #passkeys-list.
UI Styling & Markup src/styles/main.css, index.html	CSS for passkeys section and rows added; account overlay markup extended; registration copy clarified.
Build Configuration vite.config.ts	Added src/ui/account-passkeys.ts to the auth manual chunk.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🔐 Passkeys nestle on each chosen device,
Click to add or drop, the list is concise.
Workers keep metadata neat and aligned,
Clients show rows, buttons wired and signed,
One account, many keys — auth done nice! 🗝️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 47.06% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main feature: enabling users to pair passkeys with existing accounts and manage them, which aligns with all the substantive changes across frontend and backend.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/passkey-pair-manage-65fe

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/styles/main.css`:
- Line 524: In .passkeys-row-sub replace the deprecated declaration "word-break:
break-word" with the modern overflow-wrap property; update the rule for the
class .passkeys-row-sub to remove word-break: break-word and add "overflow-wrap:
break-word" (or "overflow-wrap: anywhere" if you want more aggressive breaking)
so long credential IDs and transport names wrap correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c02dbaab-634b-4f98-b0a3-5da7fccb99e4

📥 Commits

Reviewing files that changed from the base of the PR and between 1c42660 and 3a2cb8e.

📒 Files selected for processing (13)

• index.html
• src/api.ts
• src/auth/passkey.ts
• src/main.ts
• src/styles/main.css
• src/types.ts
• src/ui/account-passkeys.ts
• vite.config.ts
• worker/src/auth/passkey.ts
• worker/src/index.ts
• worker/src/lib/http.ts
• worker/src/lib/kv.ts
• worker/src/types.ts