Passkeys!

src/pages/api/auth/passkey/delete/index.ts

@@ -0,0 +1,35 @@
+import type { APIRoute } from "astro";
+import { db } from "../../../../../db";
+import { passkeys } from "../../../../../db/schema";
+import { eq, and } from "drizzle-orm";
+
+export const DELETE: APIRoute = async ({ request, locals }) => {
+  const user = locals.user;
+
+  if (!user) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+    });
+  }
+
+  const url = new URL(request.url);
+  const id = url.searchParams.get("id");
+
+  if (!id) {
+    return new Response(JSON.stringify({ error: "Passkey ID is required" }), {
+      status: 400,
+    });
+  }
+
+  try {
+    await db
+      .delete(passkeys)
+      .where(and(eq(passkeys.id, id), eq(passkeys.userId, user.id)));
+
+    return new Response(JSON.stringify({ success: true }));
+  } catch (error) {
+    return new Response(JSON.stringify({ error: "Failed to delete passkey" }), {
+      status: 500,
+    });
+  }
+};

src/pages/api/auth/passkey/login/finish.ts

@@ -0,0 +1,102 @@
+import type { APIRoute } from "astro";
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { db } from "../../../../../db";
+import { users, passkeys, passkeyChallenges } from "../../../../../db/schema";
+import { eq, and, gt } from "drizzle-orm";
+import { createSession } from "../../../../../lib/auth";
+
+export const POST: APIRoute = async ({ request, cookies }) => {
+  const body = await request.json();
+  const { id } = body;
+
+  const passkey = await db.query.passkeys.findFirst({
+    where: eq(passkeys.id, id),
+  });
+
+  if (!passkey) {
+    return new Response(JSON.stringify({ error: "Passkey not found" }), {
+      status: 400,
+    });
+  }
+
+  const user = await db.query.users.findFirst({
+    where: eq(users.id, passkey.userId),
+  });
+
+  if (!user) return new Response(null, { status: 400 });
+
+  const clientDataJSON = Buffer.from(
+    body.response.clientDataJSON,
+    "base64url",
+  ).toString("utf-8");
+  const clientData = JSON.parse(clientDataJSON);
+  const challenge = clientData.challenge;
+
+  const dbChallenge = await db.query.passkeyChallenges.findFirst({
+    where: and(
+      eq(passkeyChallenges.challenge, challenge),
+      gt(passkeyChallenges.expiresAt, new Date()),
+    ),
+  });
+
+  if (!dbChallenge) {
+    return new Response(
+      JSON.stringify({ error: "Invalid or expired challenge" }),
+      {
+        status: 400,
+      },
+    );
+  }
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: challenge as string,
+      expectedOrigin: new URL(request.url).origin,
+      expectedRPID: new URL(request.url).hostname,
+      credential: {
+        id: passkey.id,
+        publicKey: new Uint8Array(Buffer.from(passkey.publicKey, "base64")),
+        counter: passkey.counter,
+        transports: passkey.transports
+          ? JSON.parse(passkey.transports)
+          : undefined,
+      },
+    });
+  } catch (error) {
+    return new Response(JSON.stringify({ error: (error as Error).message }), {
+      status: 400,
+    });
+  }
+
+  if (verification.verified) {
+    const { authenticationInfo } = verification;
+
+    await db
+      .update(passkeys)
+      .set({
+        counter: authenticationInfo.newCounter,
+        lastUsedAt: new Date(),
+      })
+      .where(eq(passkeys.id, passkey.id));
+
+    const { sessionId, expiresAt } = await createSession(user.id);
+
+    cookies.set("session_id", sessionId, {
+      path: "/",
+      httpOnly: true,
+      secure: import.meta.env.PROD,
+      sameSite: "lax",
+      expires: expiresAt,
+    });
+
+    await db
+      .delete(passkeyChallenges)
+      .where(eq(passkeyChallenges.challenge, challenge));
+
+    return new Response(JSON.stringify({ verified: true }));
+  }
+
+  return new Response(JSON.stringify({ verified: false }), { status: 400 });
+};

src/pages/api/auth/passkey/login/start.ts

@@ -0,0 +1,18 @@
+import type { APIRoute } from "astro";
+import { generateAuthenticationOptions } from "@simplewebauthn/server";
+import { db } from "../../../../../db";
+import { passkeyChallenges } from "../../../../../db/schema";
+
+export const GET: APIRoute = async ({ request }) => {
+  const options = await generateAuthenticationOptions({
+    rpID: new URL(request.url).hostname,
+    userVerification: "preferred",
+  });
+
+  await db.insert(passkeyChallenges).values({
+    challenge: options.challenge,
+    expiresAt: new Date(Date.now() + 5 * 60 * 1000),
+  });
+
+  return new Response(JSON.stringify(options));
+};

src/pages/api/auth/passkey/register/finish.ts

@@ -0,0 +1,81 @@
+import type { APIRoute } from "astro";
+import { verifyRegistrationResponse } from "@simplewebauthn/server";
+import { db } from "../../../../../db";
+import { passkeys, passkeyChallenges } from "../../../../../db/schema";
+import { eq, and, gt } from "drizzle-orm";
+
+export const POST: APIRoute = async ({ request, locals }) => {
+  const user = locals.user;
+
+  if (!user) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+    });
+  }
+
+  const body = await request.json();
+
+  const clientDataJSON = Buffer.from(
+    body.response.clientDataJSON,
+    "base64url",
+  ).toString("utf-8");
+  const clientData = JSON.parse(clientDataJSON);
+  const challenge = clientData.challenge;
+
+  const dbChallenge = await db.query.passkeyChallenges.findFirst({
+    where: and(
+      eq(passkeyChallenges.challenge, challenge),
+      eq(passkeyChallenges.userId, user.id),
+      gt(passkeyChallenges.expiresAt, new Date()),
+    ),
+  });
+
+  if (!dbChallenge) {
+    return new Response(
+      JSON.stringify({ error: "Invalid or expired challenge" }),
+      {
+        status: 400,
+      },
+    );
+  }
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: body,
+      expectedChallenge: challenge,
+      expectedOrigin: new URL(request.url).origin,
+      expectedRPID: new URL(request.url).hostname,
+    });
+  } catch (error) {
+    return new Response(JSON.stringify({ error: (error as Error).message }), {
+      status: 400,
+    });
+  }
+
+  if (verification.verified && verification.registrationInfo) {
+    const { registrationInfo } = verification;
+    const { credential, credentialDeviceType, credentialBackedUp } =
+      registrationInfo;
+
+    await db.insert(passkeys).values({
+      id: credential.id,
+      userId: user.id,
+      publicKey: Buffer.from(credential.publicKey).toString("base64"),
+      counter: credential.counter,
+      deviceType: credentialDeviceType,
+      backedUp: credentialBackedUp,
+      transports: body.response.transports
+        ? JSON.stringify(body.response.transports)
+        : undefined,
+    });
+
+    await db
+      .delete(passkeyChallenges)
+      .where(eq(passkeyChallenges.challenge, challenge));
+
+    return new Response(JSON.stringify({ verified: true }));
+  }
+
+  return new Response(JSON.stringify({ verified: false }), { status: 400 });
+};

src/pages/api/auth/passkey/register/start.ts

@@ -0,0 +1,45 @@
+import type { APIRoute } from "astro";
+import { generateRegistrationOptions } from "@simplewebauthn/server";
+import { db } from "../../../../../db";
+import { passkeys, passkeyChallenges } from "../../../../../db/schema";
+import { eq } from "drizzle-orm";
+
+export const GET: APIRoute = async ({ request, locals }) => {
+  const user = locals.user;
+
+  if (!user) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+    });
+  }
+
+  // Get user's existing passkeys to prevent registering the same authenticator twice
+  const userPasskeys = await db.query.passkeys.findMany({
+    where: eq(passkeys.userId, user.id),
+  });
+
+  const options = await generateRegistrationOptions({
+    rpName: "Chronus",
+    rpID: new URL(request.url).hostname,
+    userName: user.email,
+    attestationType: "none",
+    excludeCredentials: userPasskeys.map((passkey) => ({
+      id: passkey.id,
+      transports: passkey.transports
+        ? JSON.parse(passkey.transports)
+        : undefined,
+    })),
+    authenticatorSelection: {
+      residentKey: "preferred",
+      userVerification: "preferred",
+    },
+  });
+
+  await db.insert(passkeyChallenges).values({
+    challenge: options.challenge,
+    userId: user.id,
+    expiresAt: new Date(Date.now() + 5 * 60 * 1000),
+  });
+
+  return new Response(JSON.stringify(options));
+};

src/pages/api/user/change-password.ts

@@ -1,61 +1,104 @@
-import type { APIRoute } from 'astro';
-import { db } from '../../../db';
-import { users } from '../../../db/schema';
-import { eq } from 'drizzle-orm';
-import bcrypt from 'bcryptjs';
+import type { APIRoute } from "astro";
+import { db } from "../../../db";
+import { users } from "../../../db/schema";
+import { eq } from "drizzle-orm";
+import bcrypt from "bcryptjs";
 
 export const POST: APIRoute = async ({ request, locals, redirect }) => {
   const user = locals.user;
+  const contentType = request.headers.get("content-type");
+  const isJson = contentType?.includes("application/json");
+
   if (!user) {
-    return redirect('/login');
+    if (isJson) {
+      return new Response(JSON.stringify({ error: "Unauthorized" }), {
+        status: 401,
+      });
+    }
+    return redirect("/login");
   }
 
-  const formData = await request.formData();
-  const currentPassword = formData.get('currentPassword') as string;
-  const newPassword = formData.get('newPassword') as string;
-  const confirmPassword = formData.get('confirmPassword') as string;
+  let currentPassword, newPassword, confirmPassword;
+
+  if (isJson) {
+    const body = await request.json();
+    currentPassword = body.currentPassword;
+    newPassword = body.newPassword;
+    confirmPassword = body.confirmPassword;
+  } else {
+    const formData = await request.formData();
+    currentPassword = formData.get("currentPassword") as string;
+    newPassword = formData.get("newPassword") as string;
+    confirmPassword = formData.get("confirmPassword") as string;
+  }
 
   if (!currentPassword || !newPassword || !confirmPassword) {
-    return new Response('All fields are required', { status: 400 });
+    const msg = "All fields are required";
+    if (isJson)
+      return new Response(JSON.stringify({ error: msg }), { status: 400 });
+    return new Response(msg, { status: 400 });
   }
 
   if (newPassword !== confirmPassword) {
-    return new Response('New passwords do not match', { status: 400 });
+    const msg = "New passwords do not match";
+    if (isJson)
+      return new Response(JSON.stringify({ error: msg }), { status: 400 });
+    return new Response(msg, { status: 400 });
   }
 
   if (newPassword.length < 8) {
-    return new Response('Password must be at least 8 characters', { status: 400 });
+    const msg = "Password must be at least 8 characters";
+    if (isJson)
+      return new Response(JSON.stringify({ error: msg }), { status: 400 });
+    return new Response(msg, { status: 400 });
   }
 
   try {
     // Get current user from database
-    const dbUser = await db.select()
+    const dbUser = await db
+      .select()
       .from(users)
       .where(eq(users.id, user.id))
       .get();
 
     if (!dbUser) {
-      return new Response('User not found', { status: 404 });
+      const msg = "User not found";
+      if (isJson)
+        return new Response(JSON.stringify({ error: msg }), { status: 404 });
+      return new Response(msg, { status: 404 });
     }
 
     // Verify current password
-    const passwordMatch = await bcrypt.compare(currentPassword, dbUser.passwordHash);
+    const passwordMatch = await bcrypt.compare(
+      currentPassword,
+      dbUser.passwordHash,
+    );
     if (!passwordMatch) {
-      return new Response('Current password is incorrect', { status: 400 });
+      const msg = "Current password is incorrect";
+      if (isJson)
+        return new Response(JSON.stringify({ error: msg }), { status: 400 });
+      return new Response(msg, { status: 400 });
     }
 
     // Hash new password
     const hashedPassword = await bcrypt.hash(newPassword, 10);
 
     // Update password
-    await db.update(users)
+    await db
+      .update(users)
       .set({ passwordHash: hashedPassword })
       .where(eq(users.id, user.id))
       .run();
 
-    return redirect('/dashboard/settings?success=password');
+    if (isJson) {
+      return new Response(JSON.stringify({ success: true }), { status: 200 });
+    }
+    return redirect("/dashboard/settings?success=password");
   } catch (error) {
-    console.error('Error changing password:', error);
-    return new Response('Failed to change password', { status: 500 });
+    console.error("Error changing password:", error);
+    const msg = "Failed to change password";
+    if (isJson)
+      return new Response(JSON.stringify({ error: msg }), { status: 500 });
+    return new Response(msg, { status: 500 });
   }
 };

src/pages/api/user/tokens/index.ts

@@ -12,8 +12,16 @@ export const POST: APIRoute = async ({ request, locals }) => {
     });
   }
 
-  const formData = await request.formData();
-  const name = formData.get("name")?.toString();
+  let name: string | undefined;
+
+  const contentType = request.headers.get("content-type");
+  if (contentType?.includes("application/json")) {
+    const body = await request.json();
+    name = body.name;
+  } else {
+    const formData = await request.formData();
+    name = formData.get("name")?.toString();
+  }
 
   if (!name) {
     return new Response(JSON.stringify({ error: "Name is required" }), {

src/pages/api/user/update-profile.ts

@@ -1,30 +1,58 @@
-import type { APIRoute } from 'astro';
-import { db } from '../../../db';
-import { users } from '../../../db/schema';
-import { eq } from 'drizzle-orm';
+import type { APIRoute } from "astro";
+import { db } from "../../../db";
+import { users } from "../../../db/schema";
+import { eq } from "drizzle-orm";
 
 export const POST: APIRoute = async ({ request, locals, redirect }) => {
   const user = locals.user;
+  const contentType = request.headers.get("content-type");
+  const isJson = contentType?.includes("application/json");
+
   if (!user) {
-    return redirect('/login');
+    if (isJson) {
+      return new Response(JSON.stringify({ error: "Unauthorized" }), {
+        status: 401,
+      });
+    }
+    return redirect("/login");
   }
 
-  const formData = await request.formData();
-  const name = formData.get('name') as string;
+  let name: string | undefined;
+
+  if (isJson) {
+    const body = await request.json();
+    name = body.name;
+  } else {
+    const formData = await request.formData();
+    name = formData.get("name") as string;
+  }
 
   if (!name || name.trim().length === 0) {
-    return new Response('Name is required', { status: 400 });
+    const msg = "Name is required";
+    if (isJson) {
+      return new Response(JSON.stringify({ error: msg }), { status: 400 });
+    }
+    return new Response(msg, { status: 400 });
   }
 
   try {
-    await db.update(users)
+    await db
+      .update(users)
       .set({ name: name.trim() })
       .where(eq(users.id, user.id))
       .run();
 
-    return redirect('/dashboard/settings?success=profile');
+    if (isJson) {
+      return new Response(JSON.stringify({ success: true }), { status: 200 });
+    }
+
+    return redirect("/dashboard/settings?success=profile");
   } catch (error) {
-    console.error('Error updating profile:', error);
-    return new Response('Failed to update profile', { status: 500 });
+    console.error("Error updating profile:", error);
+    const msg = "Failed to update profile";
+    if (isJson) {
+      return new Response(JSON.stringify({ error: msg }), { status: 500 });
+    }
+    return new Response(msg, { status: 500 });
   }
 };

src/pages/dashboard/settings.astro

@@ -2,8 +2,12 @@
 import DashboardLayout from '../../layouts/DashboardLayout.astro';
 import { Icon } from 'astro-icon/components';
 import { db } from '../../db';
-import { apiTokens } from '../../db/schema';
+import { apiTokens, passkeys } from '../../db/schema';
 import { eq, desc } from 'drizzle-orm';
+import ProfileForm from '../../components/settings/ProfileForm.vue';
+import PasswordForm from '../../components/settings/PasswordForm.vue';
+import ApiTokenManager from '../../components/settings/ApiTokenManager.vue';
+import PasskeyManager from '../../components/settings/PasskeyManager.vue';
 
 const user = Astro.locals.user;
 if (!user) return Astro.redirect('/login');
@@ -16,6 +20,12 @@ const userTokens = await db.select()
   .where(eq(apiTokens.userId, user.id))
   .orderBy(desc(apiTokens.createdAt))
   .all();
+
+const userPasskeys = await db.select()
+  .from(passkeys)
+  .where(eq(passkeys.userId, user.id))
+  .orderBy(desc(passkeys.createdAt))
+  .all();
 ---
 
 <DashboardLayout title="Account Settings - Chronus">
@@ -40,177 +50,25 @@ const userTokens = await db.select()
     )}
 
     <!-- Profile Information -->
-    <div class="card bg-base-100 shadow-xl border border-base-200 mb-6">
-      <div class="card-body p-4 sm:p-6">
-        <h2 class="card-title mb-6 text-lg sm:text-xl">
-          <Icon name="heroicons:user-circle" class="w-5 h-5 sm:w-6 sm:h-6" />
-          Profile Information
-        </h2>
-
-        <form action="/api/user/update-profile" method="POST" class="space-y-5">
-          <div class="form-control">
-            <label class="label pb-2">
-              <span class="label-text font-medium text-sm sm:text-base">Full Name</span>
-            </label>
-            <input
-              type="text"
-              name="name"
-              value={user.name}
-              placeholder="Your full name"
-              class="input input-bordered w-full"
-              required
-            />
-          </div>
-
-          <div class="form-control">
-            <label class="label pb-2">
-              <span class="label-text font-medium text-sm sm:text-base">Email</span>
-            </label>
-            <input
-              type="email"
-              name="email"
-              value={user.email}
-              placeholder="your@email.com"
-              class="input input-bordered w-full"
-              disabled
-            />
-            <div class="label pt-2">
-              <span class="label-text-alt text-base-content/60 text-xs sm:text-sm">Email cannot be changed</span>
-            </div>
-          </div>
-
-          <div class="flex justify-end pt-4">
-            <button type="submit" class="btn btn-primary w-full sm:w-auto">
-              <Icon name="heroicons:check" class="w-5 h-5" />
-              Save Changes
-            </button>
-          </div>
-        </form>
-      </div>
-    </div>
+    <ProfileForm client:load user={user} />
 
     <!-- Change Password -->
-    <div class="card bg-base-100 shadow-xl border border-base-200 mb-6">
-      <div class="card-body p-4 sm:p-6">
-        <h2 class="card-title mb-6 text-lg sm:text-xl">
-          <Icon name="heroicons:key" class="w-5 h-5 sm:w-6 sm:h-6" />
-          Change Password
-        </h2>
+    <PasswordForm client:load />
 
-        <form action="/api/user/change-password" method="POST" class="space-y-5">
-          <div class="form-control">
-            <label class="label pb-2">
-              <span class="label-text font-medium text-sm sm:text-base">Current Password</span>
-            </label>
-            <input
-              type="password"
-              name="currentPassword"
-              placeholder="Enter current password"
-              class="input input-bordered w-full"
-              required
-            />
-          </div>
-
-          <div class="form-control">
-            <label class="label pb-2">
-              <span class="label-text font-medium text-sm sm:text-base">New Password</span>
-            </label>
-            <input
-              type="password"
-              name="newPassword"
-              placeholder="Enter new password"
-              class="input input-bordered w-full"
-              required
-              minlength="8"
-            />
-            <div class="label pt-2">
-              <span class="label-text-alt text-base-content/60 text-xs sm:text-sm">Minimum 8 characters</span>
-            </div>
-          </div>
-
-          <div class="form-control">
-            <label class="label pb-2">
-              <span class="label-text font-medium text-sm sm:text-base">Confirm New Password</span>
-            </label>
-            <input
-              type="password"
-              name="confirmPassword"
-              placeholder="Confirm new password"
-              class="input input-bordered w-full"
-              required
-              minlength="8"
-            />
-          </div>
-
-          <div class="flex justify-end pt-4">
-            <button type="submit" class="btn btn-primary w-full sm:w-auto">
-              <Icon name="heroicons:lock-closed" class="w-5 h-5" />
-              Update Password
-            </button>
-          </div>
-        </form>
-      </div>
-    </div>
+    <!-- Passkeys -->
+    <PasskeyManager client:load initialPasskeys={userPasskeys.map(pk => ({
+      ...pk,
+      lastUsedAt: pk.lastUsedAt ? pk.lastUsedAt.toISOString() : null,
+      createdAt: pk.createdAt ? pk.createdAt.toISOString() : null
+    }))} />
 
     <!-- API Tokens -->
-    <div class="card bg-base-100 shadow-xl border border-base-200 mb-6">
-      <div class="card-body p-4 sm:p-6">
-        <div class="flex justify-between items-center mb-6">
-          <h2 class="card-title text-lg sm:text-xl">
-            <Icon name="heroicons:code-bracket-square" class="w-5 h-5 sm:w-6 sm:h-6" />
-            API Tokens
-          </h2>
-          <button class="btn btn-primary btn-sm" onclick="createTokenModal.showModal()">
-            <Icon name="heroicons:plus" class="w-4 h-4" />
-            Create Token
-          </button>
-        </div>
+    <ApiTokenManager client:load initialTokens={userTokens.map(t => ({
+      ...t,
+      lastUsedAt: t.lastUsedAt ? t.lastUsedAt.toISOString() : null,
+      createdAt: t.createdAt ? t.createdAt.toISOString() : ''
+    }))} />
 
-        <div class="overflow-x-auto">
-          <table class="table">
-            <thead>
-              <tr>
-                <th>Name</th>
-                <th>Last Used</th>
-                <th>Created</th>
-                <th>Actions</th>
-              </tr>
-            </thead>
-            <tbody>
-              {userTokens.length === 0 ? (
-                <tr>
-                  <td colspan="4" class="text-center text-base-content/60 py-4">
-                    No API tokens found. Create one to access the API.
-                  </td>
-                </tr>
-              ) : (
-                userTokens.map(token => (
-                  <tr>
-                    <td class="font-medium">{token.name}</td>
-                    <td class="text-sm">
-                      {token.lastUsedAt ? token.lastUsedAt.toLocaleDateString() : 'Never'}
-                    </td>
-                    <td class="text-sm">
-                      {token.createdAt ? token.createdAt.toLocaleDateString() : 'N/A'}
-                    </td>
-                    <td>
-                      <button
-                        class="btn btn-ghost btn-xs text-error"
-                        onclick={`deleteToken('${token.id}')`}
-                      >
-                        <Icon name="heroicons:trash" class="w-4 h-4" />
-                      </button>
-                    </td>
-                  </tr>
-                ))
-              )}
-            </tbody>
-          </table>
-        </div>
-      </div>
-    </div>
-
-    <!-- Account Info -->
     <div class="card bg-base-100 shadow-xl border border-base-200">
       <div class="card-body p-4 sm:p-6">
         <h2 class="card-title mb-6 text-lg sm:text-xl">
@@ -238,132 +96,5 @@ const userTokens = await db.select()
     </div>
   </div>
 
-  <!-- Create Token Modal -->
-  <dialog id="createTokenModal" class="modal">
-    <div class="modal-box">
-      <h3 class="font-bold text-lg">Create API Token</h3>
-      <p class="py-4 text-sm text-base-content/70">
-        API tokens allow you to authenticate with the API programmatically.
-        Give your token a descriptive name.
-      </p>
 
-      <form id="createTokenForm" method="dialog" class="space-y-4">
-        <div class="form-control">
-          <label class="label pb-2">
-            <span class="label-text font-medium">Token Name</span>
-          </label>
-          <input
-            type="text"
-            name="name"
-            id="tokenName"
-            placeholder="e.g. CI/CD Pipeline"
-            class="input input-bordered w-full"
-            required
-          />
-        </div>
-
-        <div class="modal-action">
-          <button type="button" class="btn" onclick="createTokenModal.close()">Cancel</button>
-          <button type="submit" class="btn btn-primary">Generate Token</button>
-        </div>
-      </form>
-    </div>
-    <form method="dialog" class="modal-backdrop">
-      <button>close</button>
-    </form>
-  </dialog>
-
-  <!-- Show Token Modal -->
-  <dialog id="showTokenModal" class="modal">
-    <div class="modal-box">
-      <h3 class="font-bold text-lg text-success flex items-center gap-2">
-        <Icon name="heroicons:check-circle" class="w-6 h-6" />
-        Token Created
-      </h3>
-      <p class="py-4">
-        Make sure to copy your personal access token now. You won't be able to see it again!
-      </p>
-
-      <div class="bg-base-200 p-4 rounded-lg break-all font-mono text-sm relative group">
-        <span id="newTokenDisplay"></span>
-        <button
-          class="absolute top-2 right-2 btn btn-xs btn-ghost opacity-0 group-hover:opacity-100 transition-opacity"
-          onclick="copyToken()"
-          title="Copy to clipboard"
-        >
-          <Icon name="heroicons:clipboard" class="w-4 h-4" />
-        </button>
-      </div>
-
-      <div class="modal-action">
-        <button class="btn btn-primary" onclick="closeShowTokenModal()">Done</button>
-      </div>
-    </div>
-  </dialog>
-
-  <script is:inline>
-    // Handle Token Creation
-    const createTokenForm = document.getElementById('createTokenForm');
-
-    createTokenForm.addEventListener('submit', async (e) => {
-      e.preventDefault();
-      const name = document.getElementById('tokenName').value;
-      const formData = new FormData();
-      formData.append('name', name);
-
-      try {
-        const response = await fetch('/api/user/tokens', {
-          method: 'POST',
-          body: formData
-        });
-
-        if (response.ok) {
-          const data = await response.json();
-          document.getElementById('createTokenModal').close();
-          document.getElementById('newTokenDisplay').innerText = data.token;
-          document.getElementById('showTokenModal').showModal();
-          document.getElementById('tokenName').value = ''; // Reset form
-        } else {
-          alert('Failed to create token');
-        }
-      } catch (error) {
-        console.error('Error creating token:', error);
-        alert('An error occurred');
-      }
-    });
-
-    // Handle Token Copy
-    function copyToken() {
-      const token = document.getElementById('newTokenDisplay').innerText;
-      navigator.clipboard.writeText(token);
-    }
-
-    // Handle Closing Show Token Modal (refresh page to show new token in list)
-    function closeShowTokenModal() {
-      document.getElementById('showTokenModal').close();
-      window.location.reload();
-    }
-
-    // Handle Token Deletion
-    async function deleteToken(id) {
-      if (!confirm('Are you sure you want to revoke this token? Any applications using it will stop working.')) {
-        return;
-      }
-
-      try {
-        const response = await fetch(`/api/user/tokens/${id}`, {
-          method: 'DELETE'
-        });
-
-        if (response.ok) {
-          window.location.reload();
-        } else {
-          alert('Failed to delete token');
-        }
-      } catch (error) {
-        console.error('Error deleting token:', error);
-        alert('An error occurred');
-      }
-    }
-  </script>
 </DashboardLayout>

src/pages/login.astro

@@ -16,6 +16,40 @@ const errorMessage =
 ---
 
 <Layout title="Login - Chronus">
+  <script>
+    import { startAuthentication } from "@simplewebauthn/browser";
+
+    const loginBtn = document.getElementById("passkey-login");
+
+    loginBtn?.addEventListener("click", async () => {
+      // 1. Get options from server
+      const resp = await fetch("/api/auth/passkey/login/start");
+      const options = await resp.json();
+
+      // 2. Browser handles interaction
+      let asseResp;
+      try {
+        asseResp = await startAuthentication(options);
+      } catch (error) {
+        console.error(error);
+        return;
+      }
+
+      // 3. Verify with server
+      const verificationResp = await fetch("/api/auth/passkey/login/finish", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(asseResp),
+      });
+
+      const verificationJSON = await verificationResp.json();
+      if (verificationJSON.verified) {
+        window.location.href = "/dashboard";
+      } else {
+        alert("Login failed");
+      }
+    });
+  </script>
   <div class="flex justify-center items-center flex-1 bg-base-100">
     <div class="card bg-base-100 shadow-2xl w-full max-w-md mx-4">
       <div class="card-body">
@@ -60,6 +94,11 @@ const errorMessage =
           <button class="btn btn-primary w-full mt-6">Sign In</button>
         </form>
 
+        <button id="passkey-login" class="btn btn-secondary w-full mt-4">
+          <Icon name="heroicons:finger-print" class="w-5 h-5 mr-2" />
+          Sign in with Passkey
+        </button>
+
         <div class="divider">OR</div>
 
         <div class="text-center">