feat: add ability to revoke passkeys of users as admin (#1386)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jose-d <7630424+jose-d@users.noreply.github.com> Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Elias Schneider <login@eliasschneider.com>
2026-04-13 10:06:36 +00:00 · 2026-04-12 18:29:42 +02:00
parent 544f4e63d8
commit 33cceeafa8
17 changed files with 265 additions and 40 deletions
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -83,7 +83,7 @@ func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
 	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
 	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
-	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.oneTimeAccessService, svc.appConfigService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.oneTimeAccessService, svc.webauthnService, svc.appConfigService)
 	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
 	controller.NewAppImagesController(apiGroup, authMiddleware, svc.appImagesService)
 	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -63,6 +63,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	// Add device information to the logs
 	for i, logsDto := range logsDtos {
 		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDto.ActorUsername = logsDto.Data["actorUsername"]
 		logsDtos[i] = logsDto
 	}

@@ -101,6 +102,7 @@ func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
 	for i, logsDto := range logsDtos {
 		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
 		logsDto.Username = logs[i].User.Username
+		logsDto.ActorUsername = logsDto.Data["actorUsername"]
 		logsDtos[i] = logsDto
 	}

--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -21,10 +21,11 @@ const defaultOneTimeAccessTokenDuration = 15 * time.Minute
 // @Summary User management controller
 // @Description Initializes all user-related API endpoints
 // @Tags Users
-func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, oneTimeAccessService *service.OneTimeAccessService, appConfigService *service.AppConfigService) {
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, oneTimeAccessService *service.OneTimeAccessService, webAuthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
 	uc := UserController{
 		userService:          userService,
 		oneTimeAccessService: oneTimeAccessService,
+		webAuthnService:      webAuthnService,
 		appConfigService:     appConfigService,
 	}

@@ -34,8 +35,10 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
 	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
 	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.GET("/users/:id/webauthn-credentials", authMiddleware.Add(), uc.listUserWebauthnCredentialsHandler)
 	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
 	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)
+	group.DELETE("/users/:id/webauthn-credentials/:credentialId", authMiddleware.Add(), uc.deleteUserWebauthnCredentialHandler)

 	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)

@@ -60,6 +63,7 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 type UserController struct {
 	userService          *service.UserService
 	oneTimeAccessService *service.OneTimeAccessService
+	webAuthnService      *service.WebAuthnService
 	appConfigService     *service.AppConfigService
 }

@@ -87,6 +91,36 @@ func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, groupsDto)
 }

+// listUserWebauthnCredentialsHandler godoc
+// @Summary List user passkeys
+// @Description Retrieve all WebAuthn credentials for a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.WebauthnCredentialDto
+// @Router /api/users/{id}/webauthn-credentials [get]
+func (uc *UserController) listUserWebauthnCredentialsHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if _, err := uc.userService.GetUser(c.Request.Context(), userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	credentials, err := uc.webAuthnService.ListCredentials(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var credentialDtos []dto.WebauthnCredentialDto
+	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDtos)
+}
+
 // listUsersHandler godoc
 // @Summary List users
 // @Description Get a paginated list of users with optional search and sorting
@@ -181,6 +215,31 @@ func (uc *UserController) deleteUserHandler(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }

+// deleteUserWebauthnCredentialHandler godoc
+// @Summary Delete user passkey
+// @Description Delete a specific WebAuthn credential for a user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param credentialId path string true "Credential ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/webauthn-credentials/{credentialId} [delete]
+func (uc *UserController) deleteUserWebauthnCredentialHandler(c *gin.Context) {
+	err := uc.webAuthnService.DeleteCredential(
+		c.Request.Context(),
+		c.Param("id"),
+		c.Param("credentialId"),
+		c.ClientIP(),
+		c.Request.UserAgent(),
+		c.GetString("userID"),
+	)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
 // createUserHandler godoc
 // @Summary Create user
 // @Description Create a new user
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -137,7 +137,7 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	clientIP := c.ClientIP()
 	userAgent := c.Request.UserAgent()

-	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent, userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -8,12 +8,13 @@ type AuditLogDto struct {
 	ID        string            `json:"id"`
 	CreatedAt datatype.DateTime `json:"createdAt"`

-	Event     string            `json:"event"`
-	IpAddress string            `json:"ipAddress"`
-	Country   string            `json:"country"`
-	City      string            `json:"city"`
-	Device    string            `json:"device"`
-	UserID    string            `json:"userID"`
-	Username  string            `json:"username"`
-	Data      map[string]string `json:"data"`
+	Event         string            `json:"event"`
+	IpAddress     string            `json:"ipAddress"`
+	Country       string            `json:"country"`
+	City          string            `json:"city"`
+	Device        string            `json:"device"`
+	UserID        string            `json:"userID"`
+	Username      string            `json:"username"`
+	ActorUsername string            `json:"actorUsername"`
+	Data          map[string]string `json:"data"`
 }
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -293,26 +293,40 @@ func (s *WebAuthnService) ListCredentials(ctx context.Context, userID string) ([
 	return credentials, nil
 }

-func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID string, credentialID string, ipAddress string, userAgent string) error {
+func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID string, credentialID string, ipAddress string, userAgent string, actorUserID string) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()

 	credential := &model.WebauthnCredential{}
-	err := tx.
+	result := tx.
 		WithContext(ctx).
 		Clauses(clause.Returning{}).
-		Delete(credential, "id = ? AND user_id = ?", credentialID, userID).
-		Error
-	if err != nil {
-		return fmt.Errorf("failed to delete record: %w", err)
+		Delete(credential, "id = ? AND user_id = ?", credentialID, userID)
+	if result.Error != nil {
+		return fmt.Errorf("failed to delete record: %w", result.Error)
+	}
+	if result.RowsAffected == 0 {
+		return gorm.ErrRecordNotFound
 	}

 	auditLogData := model.AuditLogData{"credentialID": hex.EncodeToString(credential.CredentialID), "passkeyName": credential.Name}
+	if actorUserID != "" && actorUserID != userID {
+		var actor model.User
+		err := tx.
+			WithContext(ctx).
+			First(&actor, "id = ?", actorUserID).
+			Error
+		if err != nil {
+			return fmt.Errorf("failed to load actor user: %w", err)
+		}
+		auditLogData["actorUserID"] = actorUserID
+		auditLogData["actorUsername"] = actor.Username
+	}
 	s.auditLogService.Create(ctx, model.AuditLogEventPasskeyRemoved, ipAddress, userAgent, userID, auditLogData, tx)

-	err = tx.Commit().Error
+	err := tx.Commit().Error
 	if err != nil {
 		return fmt.Errorf("failed to commit transaction: %w", err)
 	}