Implement passkey-based authentication in the Spring Boot backend using WebAuthn/FIDO2, so users can register and sign in without a password.
The backend should support:
Passkey registration for an authenticated user
Passkey login for returning users
Persistence of public key credentials in the database (the private key never leaves the authenticator; the server only stores the public half)
Verification of WebAuthn challenges and assertions
A safe fallback flow for accounts that do not yet have a passkey
Functional requirements:
Generate registration options/challenges for WebAuthn
Generate authentication options/challenges for WebAuthn
Verify attestation during registration
Verify assertions during login
Store credential metadata per user:
credential ID
public key
sign counter
transports if available
user handle / user reference
Prevent replay attacks: challenges must be randomly generated server-side, single-use (consumed on verification), short-lived, and bound to the session or user that requested them
Return a session/JWT after successful passkey login, following the current authentication strategy used by the project
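The checks the functional requirements above ask for, written out as an added example (this is not the project's code and not a library API). It assumes Jackson is on the classpath, as it is with spring-boot-starter-web, and that a credential row has already been loaded by credential ID from the database; the class and record names are hypothetical and should be mapped onto the project's entities. It covers the login side: a single-use challenge store, the clientDataJSON checks (type, challenge, origin), the authenticatorData checks (rpId hash, user-presence flag, sign counter), and the ES256 signature over authenticatorData || SHA-256(clientDataJSON).

```java
// Added example: one-time challenge store plus the server-side checks a
// WebAuthn assertion (login) must pass. Jackson is assumed available; the
// PasskeyCredential record is a hypothetical stand-in for the project's entity.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class PasskeyAssertionVerifier {

    /** Stored credential row (hypothetical shape; mirror the project's entity). */
    public record PasskeyCredential(byte[] credentialId, PublicKey publicKey, long signCount, String userId) {}

    /** What the controller needs in order to issue a session/JWT afterwards. */
    public record VerifiedAssertion(String userId, long newSignCount) {}

    private record PendingChallenge(byte[] challenge, Instant expiresAt) {}

    private static final Duration CHALLENGE_TTL = Duration.ofMinutes(5);
    private final Map<String, PendingChallenge> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final ObjectMapper json = new ObjectMapper();
    private final String rpId;            // e.g. "example.com" or "localhost"
    private final String expectedOrigin;  // e.g. "https://example.com" or "http://localhost:8080"

    public PasskeyAssertionVerifier(String rpId, String expectedOrigin) {
        this.rpId = rpId;
        this.expectedOrigin = expectedOrigin;
    }

    /** login/options: mint a fresh 32-byte challenge bound to an opaque key (e.g. the HTTP session id). */
    public byte[] issueChallenge(String sessionKey) {
        byte[] challenge = new byte[32];
        random.nextBytes(challenge);
        pending.put(sessionKey, new PendingChallenge(challenge, Instant.now().plus(CHALLENGE_TTL)));
        return challenge;
    }

    /** login/verify: consume the challenge exactly once, then check the assertion. */
    public VerifiedAssertion verify(String sessionKey, PasskeyCredential cred,
                                    byte[] clientDataJson, byte[] authenticatorData, byte[] signature) throws Exception {
        // remove() makes the challenge single-use: a replayed assertion finds nothing to match.
        PendingChallenge pc = pending.remove(sessionKey);
        if (pc == null || Instant.now().isAfter(pc.expiresAt())) {
            throw new SecurityException("no live challenge for this session");
        }

        // clientDataJSON is what the browser signed over; check type, challenge and origin.
        JsonNode cd = json.readTree(clientDataJson);
        if (!"webauthn.get".equals(cd.path("type").asText())) throw new SecurityException("wrong clientData type");
        byte[] sentChallenge = Base64.getUrlDecoder().decode(cd.path("challenge").asText());
        if (!MessageDigest.isEqual(sentChallenge, pc.challenge())) throw new SecurityException("challenge mismatch");
        if (!expectedOrigin.equals(cd.path("origin").asText())) throw new SecurityException("origin mismatch");

        // authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || optional extensions.
        if (authenticatorData.length < 37) throw new SecurityException("authenticatorData too short");
        byte[] rpIdHash = MessageDigest.getInstance("SHA-256").digest(rpId.getBytes(StandardCharsets.UTF_8));
        if (!MessageDigest.isEqual(rpIdHash, Arrays.copyOfRange(authenticatorData, 0, 32))) throw new SecurityException("rpId mismatch");
        byte flags = authenticatorData[32];
        if ((flags & 0x01) == 0) throw new SecurityException("user presence (UP) flag not set");
        long signCount = ByteBuffer.wrap(authenticatorData, 33, 4).getInt() & 0xFFFFFFFFL;

        // The assertion signature covers authenticatorData || SHA-256(clientDataJSON).
        // ES256 (COSE alg -7) is assumed here; select the JCA algorithm from the stored COSE alg if you support more.
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256").digest(clientDataJson);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(cred.publicKey());
        sig.update(authenticatorData);
        sig.update(clientDataHash);
        if (!sig.verify(signature)) throw new SecurityException("bad assertion signature");

        // Sign counter: when either side is non-zero it must strictly increase; a stalled or
        // decreasing counter indicates a cloned credential and the login must be rejected.
        if ((signCount != 0 || cred.signCount() != 0) && signCount <= cred.signCount()) {
            throw new SecurityException("sign counter did not increase (possible cloned credential)");
        }
        return new VerifiedAssertion(cred.userId(), signCount);
    }
}
```

The caller persists newSignCount on the credential row before issuing the session/JWT, and the registration path reuses the same challenge store with type "webauthn.create" and attestation (CBOR) parsing on top. In a real implementation prefer a maintained library or the WebAuthn support that recent Spring Security releases ship rather than hand-rolling the parsing; the point of the block is which checks must exist and in which order, not that they should be reimplemented.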
API endpoints to add or adapt:
POST /auth/passkey/register/options
POST /auth/passkey/register/verify
POST /auth/passkey/login/options
POST /auth/passkey/login/verify
Optional: GET /auth/passkey/me or similar to check if the current user has passkeys registered
Acceptance criteria:
A user can register a passkey successfully
A user can log in using only a passkey
The backend validates WebAuthn challenges correctly
Registered passkeys are persisted and associated with the correct user
The solution works in local development (rpId "localhost", http origin allowed) and in production-like HTTPS environments (rpId set to the site's registrable domain, allowed origins configured explicitly rather than derived from request headers)
Existing authentication flows remain stable
Notes for Copilot:
Follow the existing project architecture and naming conventions
Prefer a clean service/controller separation
Keep the implementation secure and production-ready
Use the WebAuthn browser API contract expected by the frontend