
Add WebAuthn passkey registration/login with persisted credentials and challenge verification#32

Merged
vitorhugo-java merged 3 commits into main from copilot/add-passkey-authentication-support on May 26, 2026

Conversation

Copilot AI commented May 26, 2026


This PR adds passkey-based authentication (WebAuthn/FIDO2) to the Spring Boot backend so users can register and sign in without passwords, while preserving the existing JWT/refresh-token auth model and fallback path for accounts without passkeys.

  • API surface (AuthController)

    • Added passkey endpoints under /api/v1/auth/passkey/*:
      • POST /register/options
      • POST /register/verify
      • POST /login/options
      • POST /login/verify
      • GET /me
    • login/verify returns the same auth response model and refresh-cookie behavior as password login.
  • WebAuthn core flow

    • Introduced PasskeyAuthService backed by Yubico webauthn-server-core.
    • Registration:
      • Generates PublicKeyCredentialCreationOptions for the authenticated user.
      • Verifies attestation and persists credential metadata.
    • Authentication:
      • Generates assertion options for a known passkey user.
      • Verifies assertions and signature counter, then issues JWT/refresh tokens via existing auth strategy.
    • Fallback behavior:
      • login/options returns passkeyAvailable=false when user/passkey is absent (no hard failure).
  • Persistence model

    • Added webauthn_credentials (credential id, public key COSE, sign counter, transports, user handle, user link).
    • Added webauthn_challenges (typed one-time challenge payloads with expiry/used flags) to prevent replay.
    • Added Flyway migration V16__add_webauthn_passkeys.sql.
    • Added JPA repositories and a CredentialRepository adapter (JpaWebAuthnCredentialRepository) for RP lookups.
  • Configuration and security

    • Added app.webauthn.* config (rp-id, rp-name, origins, challenge-timeout-seconds).
    • Added WebAuthnConfig/WebAuthnProperties and RelyingParty bean wiring.
    • Updated security rules to allow unauthenticated access only for passkey login option/verify endpoints; registration endpoints remain authenticated.
  • Auth integration

    • Added AuthService.issueAuthTokens(User) to reuse the existing token issuance path after passkey assertion verification.
  • DTOs

    • Added focused request/response DTOs for passkey options/verify/status payloads.

Example (new login options contract):

POST /api/v1/auth/passkey/login/options
{
  "email": "user@example.com"
}

200 OK
{
  "passkeyAvailable": true,
  "challengeId": "4c6f7e6d-8f1b-4f83-9ed2-4c5f7fb6c8d1",
  "publicKey": {
    "challenge": "...",
    "rpId": "localhost",
    "allowCredentials": [ ... ]
  }
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • central.sonatype.com
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.16/boot/plexus-classworlds-2.11.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.16/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.16 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.16/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/SpringBoot-JobApplyTracker/SpringBoot-JobApplyTracker org.codehaus.plexus.classworlds.launcher.Launcher -q dependency:get -Dartifact=com.yubico:webauthn-server-core:2.7.0 (dns block)
  • repository.apache.org
    • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.16/boot/plexus-classworlds-2.11.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.16/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.16 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.16/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/SpringBoot-JobApplyTracker/SpringBoot-JobApplyTracker org.codehaus.plexus.classworlds.launcher.Launcher -q dependency:get -Dartifact=com.yubico:webauthn-server-core:2.7.0 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
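The two controls the description leans on, a typed one-time challenge that cannot be replayed and a signature-counter regression check, as an added example that is not the PR's code (the PR uses Yubico webauthn-server-core, JPA entities and a Flyway-managed webauthn_challenges table; this in-memory store, the class and field names, and the sample user handle are assumptions for illustration):

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not the PR's code: an in-memory stand-in for the webauthn_challenges
 * table described in the PR. Class and field names are assumptions.
 */
public class PasskeyChallengeStore {

    /** Typed challenges: a registration challenge must never satisfy login/verify, and vice versa. */
    public enum ChallengeType { REGISTRATION, AUTHENTICATION }

    /** One row: type, owning user handle, random challenge bytes, expiry, and the one-time "used" flag. */
    public record StoredChallenge(ChallengeType type, String userHandle, byte[] challenge,
                                  Instant expiresAt, boolean used) {}

    private final Map<UUID, StoredChallenge> rows = new ConcurrentHashMap<>();
    private final Clock clock;
    private final Duration timeout;

    public PasskeyChallengeStore(Clock clock, Duration challengeTimeout) {
        this.clock = clock;
        this.timeout = challengeTimeout; // the role app.webauthn.challenge-timeout-seconds plays in the PR
    }

    /** Called from the /options endpoints: persist the challenge and hand back the challengeId. */
    public UUID issue(ChallengeType type, String userHandle, byte[] challenge) {
        UUID id = UUID.randomUUID();
        rows.put(id, new StoredChallenge(type, userHandle, challenge.clone(),
                clock.instant().plus(timeout), false));
        return id;
    }

    /**
     * Called from the /verify endpoints. Returns the row exactly once: a second call with the same
     * challengeId (replay), a wrong type, or an expired challenge yields empty. The check-and-mark is
     * a single atomic map update; against a database the equivalent is an
     * UPDATE ... SET used = true WHERE id = ? AND used = false AND expires_at > now() that must
     * report exactly one affected row.
     */
    public Optional<StoredChallenge> consume(UUID id, ChallengeType expectedType) {
        StoredChallenge[] taken = new StoredChallenge[1];
        rows.computeIfPresent(id, (key, row) -> {
            boolean expired = !clock.instant().isBefore(row.expiresAt());
            if (row.used() || row.type() != expectedType || expired) {
                return row; // leave untouched; caller sees empty
            }
            taken[0] = row;
            return new StoredChallenge(row.type(), row.userHandle(), row.challenge(),
                    row.expiresAt(), true);
        });
        return Optional.ofNullable(taken[0]);
    }

    /**
     * Signature counter rule from the WebAuthn spec: if both values are zero the authenticator does
     * not implement a counter; otherwise the reported value must strictly exceed the stored one.
     * A regression is a cloned-authenticator signal, so the assertion should fail and be logged.
     */
    public static boolean signatureCounterAcceptable(long storedCount, long reportedCount) {
        if (storedCount == 0 && reportedCount == 0) {
            return true;
        }
        return reportedCount > storedCount;
    }

    public static void main(String[] args) {
        PasskeyChallengeStore store =
                new PasskeyChallengeStore(Clock.systemUTC(), Duration.ofSeconds(60));
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge); // constructed sample challenge

        UUID id = store.issue(ChallengeType.AUTHENTICATION, "user-handle-1", challenge);
        // first login/verify for this challengeId
        System.out.println("first verify: " + store.consume(id, ChallengeType.AUTHENTICATION).isPresent());
        // same challengeId presented again (replay)
        System.out.println("replayed:     " + store.consume(id, ChallengeType.AUTHENTICATION).isPresent());

        UUID reg = store.issue(ChallengeType.REGISTRATION, "user-handle-1", challenge);
        // registration challenge offered to the login verify endpoint
        System.out.println("wrong type:   " + store.consume(reg, ChallengeType.AUTHENTICATION).isPresent());

        System.out.println("counter 0->0: " + signatureCounterAcceptable(0, 0));
        System.out.println("counter 5->6: " + signatureCounterAcceptable(5, 6));
        System.out.println("counter 5->5: " + signatureCounterAcceptable(5, 5));
    }
}
```

The expiry is checked at consume time rather than by a background sweeper, so a challenge that was issued but never verified simply becomes unusable once `challenge-timeout-seconds` elapses; a periodic delete of used or expired rows keeps the table small but is not needed for correctness. Binding the row to a user handle lets the verify step also confirm that the consumed challenge belongs to the account whose credential is being asserted.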

Copilot AI linked an issue May 26, 2026 that may be closed by this pull request
@vitorhugo-java vitorhugo-java self-assigned this May 26, 2026
@abigaildotnet abigaildotnet requested a review from Copilot May 26, 2026 12:25

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Copilot AI changed the title [WIP] Implement passkey authentication support using WebAuthn Add WebAuthn passkey registration/login with persisted credentials and challenge verification May 26, 2026
Copilot AI requested a review from abigaildotnet May 26, 2026 12:55
@vitorhugo-java vitorhugo-java marked this pull request as ready for review May 26, 2026 13:25
@vitorhugo-java vitorhugo-java merged commit ddc8275 into main May 26, 2026
2 of 3 checks passed
@vitorhugo-java vitorhugo-java deleted the copilot/add-passkey-authentication-support branch May 26, 2026 14:09
@github-actions


Qodana for JVM

4 new problems were found

Inspection name Severity Problems
Nullability and data flow problems 🔶 Warning 2
Non-distinguishable logging calls ◽️ Notice 2
View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.3.2
        with:
          upload-result: true
Contact Qodana team

Contact us at qodana-support@jetbrains.com


Development

Successfully merging this pull request may close these issues.

Add Passkey Authentication Support (WebAuthn)

4 participants