lato 3.15.1 → 3.17.0

data/app/models/lato/user.rb

@@ -14,6 +14,7 @@ module Lato
     validates :accepted_privacy_policy_version, presence: true
     validates :accepted_terms_and_conditions_version, presence: true
     validates :web3_address, uniqueness: true, allow_blank: true
+    validates :webauthn_id, uniqueness: true, allow_blank: true
 
     # Relations
     ##
@@ -58,6 +59,10 @@ module Lato
       !authenticator_secret.blank?
     end
 
+    def webauthn_enabled?
+      webauthn_id.present? && webauthn_public_key.present?
+    end
+
     # Helpers
     ##
 
@@ -251,7 +256,9 @@ module Lato
       c_password_update_code('')
 
       update(params.permit(:password, :password_confirmation).merge(
-        authenticator_secret: nil # Reset authenticator secret when password is updated
+        authenticator_secret: nil, # Reset authenticator secret when password is updated
+        webauthn_id: nil,          # Reset webauthn credential when password is updated
+        webauthn_public_key: nil   # Reset webauthn credential when password is updated
       ))
     end
 
@@ -320,6 +327,93 @@ module Lato
       true
     end
 
+    def webauthn_registration_options
+      WebAuthn::Credential.options_for_create(
+        user: {
+          id: Base64.strict_encode64(webauthn_user_handle),
+          name: email,
+          display_name: full_name
+        },
+        exclude: webauthn_exclude_credentials.map { |cred| Base64.strict_encode64(cred) }
+      )
+    end
+
+    def webauthn_authentication_options
+      WebAuthn::Credential.options_for_get(
+        allow: webauthn_allow_credentials.map { |cred| Base64.strict_encode64(cred) }
+      )
+    end
+
+    def register_webauthn_credential(credential_payload, encoded_challenge)
+      if credential_payload.blank?
+        errors.add(:base, :webauthn_payload_missing)
+        return false
+      end
+
+      if encoded_challenge.blank?
+        errors.add(:base, :webauthn_challenge_missing)
+        return false
+      end
+
+      parsed_payload = JSON.parse(credential_payload)
+      credential = WebAuthn::Credential.from_create(parsed_payload)
+      credential.verify(Base64.strict_decode64(encoded_challenge))
+
+      update(
+        webauthn_id: Base64.strict_encode64(credential.raw_id),
+        webauthn_public_key: credential.public_key
+      )
+    rescue JSON::ParserError, WebAuthn::Error => e
+      Rails.logger.error(e)
+      errors.add(:base, :webauthn_registration_failed)
+      false
+    end
+
+    def webauthn_authentication(params, encoded_challenge)
+      return false unless webauthn_enabled?
+
+      if params[:webauthn_credential].blank?
+        errors.add(:base, :webauthn_payload_missing)
+        return false
+      end
+
+      if encoded_challenge.blank?
+        errors.add(:base, :webauthn_challenge_missing)
+        return false
+      end
+
+      parsed_payload = JSON.parse(params[:webauthn_credential])
+      
+      # Converti i campi da base64url a base64 standard per il gem webauthn
+      parsed_payload['rawId'] = base64url_to_base64(parsed_payload['rawId'])
+      parsed_payload['response']['clientDataJSON'] = base64url_to_base64(parsed_payload['response']['clientDataJSON'])
+      parsed_payload['response']['authenticatorData'] = base64url_to_base64(parsed_payload['response']['authenticatorData'])
+      parsed_payload['response']['signature'] = base64url_to_base64(parsed_payload['response']['signature'])
+      parsed_payload['response']['userHandle'] = base64url_to_base64(parsed_payload['response']['userHandle']) if parsed_payload['response']['userHandle']
+      
+      credential = WebAuthn::Credential.from_get(parsed_payload)
+      
+      credential.verify(
+        encoded_challenge,
+        public_key: webauthn_public_key,
+        sign_count: 0
+      )
+
+      true
+    rescue JSON::ParserError, WebAuthn::Error => e
+      Rails.logger.error(e)
+      Rails.logger.error(e.backtrace.join("\n"))
+      errors.add(:base, :webauthn_authentication_failed)
+      false
+    end
+
+    def remove_webauthn_credential
+      update(
+        webauthn_id: nil,
+        webauthn_public_key: nil
+      )
+    end
+
     def generate_authenticator_secret
       update(authenticator_secret: ROTP::Base32.random)
     end
@@ -367,5 +461,41 @@ module Lato
       Rails.cache.write(cache_key, value, expires_in: 30.minutes)
       value
     end
+
+    private
+
+    def webauthn_user_handle
+      Digest::SHA256.digest("lato-user-#{id}")
+    end
+
+    def webauthn_exclude_credentials
+      return [] unless webauthn_id.present?
+
+      [Base64.strict_decode64(webauthn_id)]
+    rescue ArgumentError
+      []
+    end
+
+    def webauthn_allow_credentials
+      return [] unless webauthn_id.present?
+
+      [Base64.strict_decode64(webauthn_id)]
+    rescue ArgumentError
+      []
+    end
+
+    def base64url_to_base64(str)
+      return nil if str.nil?
+      # Converti base64url in base64 standard
+      base64 = str.tr('-_', '+/')
+      # Aggiungi padding se necessario
+      case base64.length % 4
+      when 2
+        base64 += '=='
+      when 3
+        base64 += '='
+      end
+      base64
+    end
   end
 end

data/app/views/lato/account/_form-authenticator.html.erb

@@ -15,14 +15,15 @@ user ||= Lato::User.new
           <img class="shadow-sm rounded" src="<%= user.authenticator_qr_code_base64 %>" />
         </div>
         <div class="d-flex flex-column justify-content-between w-100">
-          <div class="alert alert-light">
+          <div class="alert alert-success">
+            <h4 class="alert-heading"><%= I18n.t('lato.account_authenticator_ready_title') %></h4>
             <p class="mb-0">
               <%= raw I18n.t('lato.account_authenticator_ready_qr') %>
             </p>
           </div>
 
           <div class="d-flex justify-content-end">
-            <%= lato_form_submit form, I18n.t('lato.cancel_authenticator'), class: %w[btn-danger] %>
+            <%= lato_form_submit form, I18n.t('lato.account_authenticator_disable'), class: %w[btn-danger] %>
           </div>
         </div>
       </div>
@@ -33,7 +34,7 @@ user ||= Lato::User.new
           <%= raw I18n.t('lato.account_authenticator_start_description') %>
         </p>
         <p class="mb-0">
-          <%= lato_form_submit form, I18n.t('lato.generate_qr_code'), class: %w[btn-primary] %>
+          <%= lato_form_submit form, I18n.t('lato.account_authenticator_generate_qr_code'), class: %w[btn-primary] %>
         </p>
       </div>
     <% end %>

data/app/views/lato/account/_form-webauthn.html.erb

@@ -0,0 +1,66 @@
+<%
+
+user ||= Lato::User.new
+registration_options = session[:webauthn_registration_options]
+form_data = { turbo_frame: '_self', controller: 'lato-form' }
+
+if registration_options.present?
+  form_data[:controller] += ' lato-account-webauthn'
+  form_data['lato-account-webauthn-options-value'] = registration_options.to_json
+  form_data['lato-account-webauthn-error-message-value'] = I18n.t('lato.account_webauthn_in_progress_error')
+end
+
+%>
+
+<%= turbo_frame_tag 'account_form-webauthn' do %>
+  <%= form_with model: user, url: lato.account_update_webauthn_action_path, data: form_data do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.webauthn_enabled? %>
+      <div class="alert alert-success mb-3">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_ready_title') %></h4>
+        <p class="mb-0">
+          <%= raw I18n.t('lato.account_webauthn_ready_description') %>
+        </p>
+      </div>
+
+      <%= form.hidden_field :webauthn_command, value: 'remove' %>
+
+      <div class="d-flex justify-content-end">
+        <%= lato_form_submit form, I18n.t('lato.account_webauthn_disable'), class: %w[btn-danger] %>
+      </div>
+    <% elsif registration_options.present? %>
+      <%= form.hidden_field :webauthn_command, value: 'complete' %>
+      <%= form.hidden_field :webauthn_credential, data: { lato_account_webauthn_target: 'credentialInput' } %>
+
+      <div class="alert alert-light mb-3" data-lato-account-webauthn-target="status">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_in_progress_title') %></h4>
+        <p class="mb-0">
+          <%= raw I18n.t('lato.account_webauthn_in_progress_description') %>
+        </p>
+      </div>
+
+      <%= lato_form_submit form, I18n.t('lato.account_webauthn_finalize'), class: %w[btn-primary d-none], data: { lato_account_webauthn_target: 'submit' } %>
+
+      <div class="d-flex justify-content-between align-items-center">
+        <%= link_to I18n.t('lato.account_webauthn_cancel'), lato.account_update_webauthn_action_path(user: { webauthn_command: 'cancel' }), class: 'btn btn-link px-0 text-decoration-none', data: { turbo_frame: '_self', turbo_method: :patch } %>
+        <div class="text-muted small d-flex align-items-center">
+          <span class="spinner-border spinner-border-sm me-2" role="status" aria-hidden="true"></span>
+          <span><%= I18n.t('lato.account_webauthn_waiting_browser') %></span>
+        </div>
+      </div>
+    <% else %>
+      <div class="alert alert-light mb-0">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_start_title') %></h4>
+        <p>
+          <%= raw I18n.t('lato.account_webauthn_start_description') %>
+        </p>
+        <p class="mb-0">
+          <%= form.hidden_field :webauthn_command, value: 'start' %>
+          <%= lato_form_submit form, I18n.t('lato.account_webauthn_enable'), class: %w[btn-primary] %>
+        </p>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>

data/app/views/lato/account/index.html.erb

@@ -21,24 +21,35 @@
   </div>
 </div>
 
-<% if Lato.config.web3_connection %>
+<% if Lato.config.authenticator_connection %>
 <div class="card mb-4">
   <div class="card-header">
-    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_web3') %></h2>
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
   </div>
   <div class="card-body">
-    <%= render 'lato/account/form-web3', user: @session.user %>
+    <%= render 'lato/account/form-authenticator', user: @session.user %>
   </div>
 </div>
 <% end %>
 
-<% if Lato.config.authenticator_connection %>
+<% if Lato.config.webauthn_connection %>
 <div class="card mb-4">
   <div class="card-header">
-    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_webauthn') %></h2>
   </div>
   <div class="card-body">
-    <%= render 'lato/account/form-authenticator', user: @session.user %>
+    <%= render 'lato/account/form-webauthn', user: @session.user %>
+  </div>
+</div>
+<% end %>
+
+<% if Lato.config.web3_connection %>
+<div class="card mb-4">
+  <div class="card-header">
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_web3') %></h2>
+  </div>
+  <div class="card-body">
+    <%= render 'lato/account/form-web3', user: @session.user %>
   </div>
 </div>
 <% end %>

data/app/views/lato/authentication/_form-authentication-method.html.erb

@@ -0,0 +1,36 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-authentication-method' do %>
+  <%= form_with url: lato.authentication_authentication_method_action_path, method: :post, data: { turbo_frame: '_self' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.authenticator_enabled? %>
+      <div class="mb-3">
+        <%= form.button I18n.t('lato.use_google_authenticator'), 
+          type: 'submit', 
+          name: 'method', 
+          value: 'authenticator',
+          class: 'btn btn-primary w-100' %>
+      </div>
+    <% end %>
+
+    <% if user.webauthn_enabled? %>
+      <div class="mb-3">
+        <%= form.button I18n.t('lato.use_webauthn'), 
+          type: 'submit', 
+          name: 'method', 
+          value: 'webauthn',
+          class: 'btn btn-primary w-100' %>
+      </div>
+    <% end %>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/_form-webauthn.html.erb

@@ -0,0 +1,27 @@
+<%
+
+user ||= Lato::User.new
+options ||= {}
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-webauthn' do %>
+  <%= form_with model: user, url: lato.authentication_webauthn_action_path, method: :post, data: { turbo_frame: '_self', controller: 'lato-form lato-webauthn-auth', 'lato-webauthn-auth-options-value': options.to_json } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <div class="mb-4 text-center">
+      <p><%= raw I18n.t('lato.webauthn_help', email: h(user.email_protected)) %></p>
+    </div>
+    
+    <%= form.hidden_field :webauthn_credential, data: { 'lato-webauthn-auth-target': 'credential' } %>
+
+    <div class="mb-3">
+      <%= lato_form_submit form, I18n.t('lato.authenticate'), class: %w[d-block w-100], data: { action: 'lato-webauthn-auth#authenticate' } %>
+    </div>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/authentication_method.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.choose_authentication_method') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-authentication-method', user: @user %>
+    </div>
+  </div>
+</div>

data/app/views/lato/authentication/webauthn.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.webauthn') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-webauthn', user: @user, options: @options %>
+    </div>
+  </div>
+</div>

data/app/views/lato/components/_form_item_input_list.html.erb

@@ -0,0 +1,66 @@
+<%
+
+form ||= nil
+key ||= nil
+partial ||= nil
+partial_params ||= {}
+
+existing_records = form.object.send(key) || []
+
+%>
+
+<% unless partial %>
+  <div class="alert alert-warning">
+    Missing partial parameter for form_item_input_list partial.
+  </div>
+<% else %>
+  <div data-controller="lato-input-list">
+    <div data-lato-input-list-target="list" id="<%= "#{form.object_name}_#{key}" %>">
+      <% existing_records.each_with_index do |record, index| %>
+        <%
+          item_nested_form = form.fields_for(key, record) do |f|
+            partial_params[:form] = f
+          end
+        %>
+
+        <div class="border p-2 mb-2 rounded" data-lato-input-list-target="listItem" data-index="<%= index %>">
+          <input type="hidden" name="<%= "#{form.object_name}[#{key}_attributes][#{index}][id]" %>" value="<%= record.id %>">
+
+          <%= render partial: partial, locals: { 
+            form: item_nested_form,
+            **partial_params
+          } %>
+
+          <div class="d-flex justify-content-end mt-2">
+            <button type="button" class="btn btn-danger btn-sm" data-action="click->lato-input-list#removeItem" title="<%= I18n.t('lato.remove_item') %>" data-controller="lato-tooltip">
+              <i class="bi bi-trash"></i>
+            </button>
+          </div>
+        </div>
+      <% end %>
+    </div>
+
+    <div class="d-flex justify-content-end mt-2 pt-2 border-top">
+      <button type="button" class="btn btn-outline-primary btn-sm" data-action="click->lato-input-list#addItem">
+        <i class="bi bi-plus-circle"></i> <%= I18n.t('lato.add_item') %>
+      </button>
+    </div>
+
+    <template data-lato-input-list-target="template">
+      <div class="template border p-2 mb-2 rounded">
+        <%= render partial: partial, locals: { 
+          form: form.fields_for(key, form.object.send(key).new) do |f|
+            partial_params[:form] = f
+          end,
+          **partial_params
+        } %>
+
+        <div class="d-flex justify-content-end mt-2">
+          <button type="button" class="btn btn-danger btn-sm" data-action="click->lato-input-list#removeItem" title="<%= I18n.t('lato.remove_item') %>" data-controller="lato-tooltip">
+            <i class="bi bi-trash"></i>
+          </button>
+        </div>
+      </div>
+    </template>
+  </div>
+<% end %>

data/app/views/layouts/lato/_action.html.erb

@@ -1,6 +1,6 @@
 <% 10.times do %>
 
-<div class="modal fade" data-lato-action-target="modal" tabindex="-1" aria-hidden="true" data-bs-keyboard="false">
+<div class="modal fade" data-lato-action-target="modal" tabindex="-1" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
   <div class="modal-dialog modal-dialog-centered modal-dialog-scrollable" data-lato-action-target="modalDialog">
     <div class="modal-content">
       <div class="modal-header">

data/config/locales/en.yml

@@ -53,12 +53,32 @@ en:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Enable Google Authenticator
     account_authenticator_start_description: Generate a QR code by clicking the button below and scan it with the Google Authenticator app on your phone.<br>This will allow you to use the protect your account with a second factor authentication.
+    account_authenticator_ready_title: Google Authenticator ready
     account_authenticator_ready_qr: Scan the QR code with the Google Authenticator app to use the account protection with a second factor authentication.
-    generate_qr_code: Generate QR code
-    cancel_authenticator: Disconnect
-    authenticator: Two-factor authentication
+    account_authenticator_generate_qr_code: Generate QR code
+    account_authenticator_disable: Disconnect
+    authenticator: Google Authenticator
     authenticator_code_help: Insert the code generated by the Google Authenticator app for the account <b>%{email}</b>
     reset_password: Reset your password
+    choose_authentication_method: Choose authentication method
+    use_google_authenticator: Use Google Authenticator
+    use_webauthn: Use Passkey
+    authenticate: Authenticate
+    webauthn: Passkey Authentication
+    webauthn_help: Use your device to authenticate for account <b>%{email}</b>
+    account_webauthn: Passkey authentication
+    account_webauthn_start_title: Enable passkeys
+    account_webauthn_start_description: Use your device security (Touch ID, Face ID, Windows Hello, etc.) to approve future logins.<br>Click the button below and follow the browser prompts to register a passkey.
+    account_webauthn_enable: Register passkey
+    account_webauthn_in_progress_title: Complete the registration from your browser
+    account_webauthn_in_progress_description: Approve the prompt that appears in your browser to finish linking this passkey to your account.
+    account_webauthn_in_progress_error: Unable to register the passkey. Please restart the procedure and try again.
+    account_webauthn_waiting_browser: Waiting for your browser confirmation...
+    account_webauthn_cancel: Cancel request
+    account_webauthn_finalize: Complete registration
+    account_webauthn_ready_title: Passkey ready
+    account_webauthn_ready_description: This account now requires a WebAuthn challenge right after the classic login flow.
+    account_webauthn_disable: Disconnect
     per_page: Per page
     per_page_description: Number of elements per page
     confirm_title: Confirm
@@ -71,6 +91,8 @@ en:
     operation_failed_title: Operation failed
     operation_failed_subtitle: The operation has failed because of an error
     dropzone_drag_and_drop_or_click: Drag and drop files here or click to upload
+    add_item: Add item
+    remove_item: Remove item
 
     invitation_mailer:
       invite_mail_subject: You received an invitation
@@ -112,6 +134,10 @@ en:
               web3_address_invalid: The address you send is not corretly signed
               web3_connection_error: Impossible to connect the wallet
               authenticator_code_invalid: The code you inserted is not correct
+              webauthn_payload_missing: Passkey response missing. Please try again.
+              webauthn_challenge_missing: Passkey challenge expired. Start the registration again.
+              webauthn_registration_failed: Unable to verify the passkey response. Please restart the procedure.
+              webauthn_authentication_failed: Passkey authentication failed. Please try again or use another method.
             password:
               not_correct: not correct
             email:

data/config/locales/fr.yml

@@ -55,12 +55,32 @@ fr:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Activer Google Authenticator
     account_authenticator_start_description: Générez un code QR en cliquant sur le bouton ci-dessous et scannez-le avec l'application Google Authenticator sur votre téléphone.<br>Cela vous permettra de protéger votre compte avec une authentification à deux facteurs.
+    account_authenticator_ready_title: Google Authenticator prêt
     account_authenticator_ready_qr: Scannez le code QR avec l'application Google Authenticator pour activer la protection de votre compte avec une authentification à deux facteurs.
-    generate_qr_code: Générer un code QR
-    cancel_authenticator: Déconnecter
-    authenticator: Authentification à deux facteurs
+    account_authenticator_generate_qr_code: Générer un code QR
+    account_authenticator_disable: Déconnecter
+    authenticator: Google Authenticator
     authenticator_code_help: Saisissez le code généré par l'application Google Authenticator pour le compte <b>%{email}</b>
     reset_password: Réinitialisez votre mot de passe
+    choose_authentication_method: Choisir la méthode d'authentification
+    use_google_authenticator: Utiliser Google Authenticator
+    use_webauthn: Utiliser Passkey
+    authenticate: Authentifier
+    webauthn: Authentification Passkey
+    webauthn_help: Utilisez votre appareil pour vous authentifier sur le compte <b>%{email}</b>
+    account_webauthn: Authentification Passkey
+    account_webauthn_start_title: Activer les passkeys
+    account_webauthn_start_description: Utilisez la sécurité de votre appareil (Touch ID, Face ID, Windows Hello, etc.) pour approuver les connexions futures.<br>Cliquez sur le bouton ci-dessous et suivez les instructions de votre navigateur pour enregistrer une passkey.
+    account_webauthn_enable: Enregistrer la passkey
+    account_webauthn_in_progress_title: Validez l'inscription depuis votre navigateur
+    account_webauthn_in_progress_description: Approuvez la demande qui apparaît dans votre navigateur pour terminer l'association de la passkey à votre compte.
+    account_webauthn_in_progress_error: Impossible d'enregistrer la passkey. Redémarrez la procédure et réessayez.
+    account_webauthn_waiting_browser: En attente de la confirmation du navigateur...
+    account_webauthn_cancel: Annuler la demande
+    account_webauthn_finalize: Terminer l'inscription
+    account_webauthn_ready_title: Passkey activée
+    account_webauthn_ready_description: Ce compte nécessite désormais un défi WebAuthn juste après le processus de connexion classique.
+    account_webauthn_disable: Supprimer la passkey
     per_page: Par page
     per_page_description: Éléments par page
     confirm_title: Confirmation
@@ -73,6 +93,8 @@ fr:
     operation_failed_title: Échec de l'opération
     operation_failed_subtitle: Une erreur s'est produite lors de l'opération
     dropzone_drag_and_drop_or_click: Faites glisser et déposez les fichiers ici ou cliquez pour télécharger
+    add_item: Ajouter un élément
+    remove_item: Supprimer un élément
 
     invitation_mailer:
       invite_mail_subject: Vous avez reçu une invitation
@@ -120,6 +142,10 @@ fr:
               web3_address_invalid: L'adresse envoyée n'est pas correctement signée
               web3_connection_error: Impossible de connecter le portefeuille
               authenticator_code_invalid: Le code saisi n'est pas correct
+              webauthn_payload_missing: Réponse passkey manquante. Veuillez réessayer.
+              webauthn_challenge_missing: Le défi passkey a expiré. Veuillez relancer la procédure.
+              webauthn_registration_failed: Impossible de vérifier la réponse passkey. Redémarrez la procédure.
+              webauthn_authentication_failed: Échec de l'authentification passkey. Veuillez réessayer ou utiliser une autre méthode.
             password:
               not_correct: incorrect
             password_confirmation:

data/config/locales/it.yml

@@ -55,12 +55,32 @@ it:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Abilita Google Authenticator
     account_authenticator_start_description: Genera un codice QR cliccando il pulsante sottostante e scansionalo con l'app Google Authenticator sul tuo telefono.<br>Questo ti permetterà di proteggere il tuo account con un'autenticazione a due fattori.
+    account_authenticator_ready_title: Google Authenticator pronto
     account_authenticator_ready_qr: Scansiona il codice QR con l'app Google Authenticator per utilizzare la protezione dell'account con un'autenticazione a due fattori.
-    generate_qr_code: Genera codice QR
-    cancel_authenticator: Disconnetti
-    authenticator: Autenticazione a due fattori
+    account_authenticator_generate_qr_code: Genera codice QR
+    account_authenticator_disable: Disconnetti
+    authenticator: Google Authenticator
     authenticator_code_help: Inserisci il codice generato dall'app Google Authenticator per l'account <b>%{email}</b>
     reset_password: Reimposta la tua password
+    choose_authentication_method: Scegli il metodo di autenticazione
+    use_google_authenticator: Usa Google Authenticator
+    use_webauthn: Usa Passkey
+    authenticate: Autentica
+    webauthn: Autenticazione Passkey
+    webauthn_help: Usa il tuo dispositivo per autenticarti nell'account <b>%{email}</b>
+    account_webauthn: Autenticazione Passkey
+    account_webauthn_start_title: Abilita le Passkey
+    account_webauthn_start_description: Utilizza la sicurezza del tuo dispositivo (Touch ID, Face ID, Windows Hello, ecc.) per approvare gli accessi futuri.<br>Clicca il pulsante qui sotto e segui le istruzioni del browser per registrare una Passkey.
+    account_webauthn_enable: Registra Passkey
+    account_webauthn_in_progress_title: Completa la registrazione dal browser
+    account_webauthn_in_progress_description: Approva la richiesta che appare nel browser per terminare l'associazione della Passkey al tuo account.
+    account_webauthn_in_progress_error: Impossibile registrare la Passkey. Riavvia la procedura e riprova.
+    account_webauthn_waiting_browser: In attesa della conferma dal browser...
+    account_webauthn_cancel: Annulla richiesta
+    account_webauthn_finalize: Concludi registrazione
+    account_webauthn_ready_title: Passkey attiva
+    account_webauthn_ready_description: Questo account richiederà ora una sfida WebAuthn subito dopo il flusso di login classico.
+    account_webauthn_disable: Rimuovi Passkey
     per_page: Per pagina
     per_page_description: Elementi per pagina
     confirm_title: Conferma
@@ -73,6 +93,8 @@ it:
     operation_failed_title: Operazione fallita
     operation_failed_subtitle: Si è verificato un errore durante l'operazione
     dropzone_drag_and_drop_or_click: Trascina qui i file o clicca per caricare
+    add_item: Aggiungi elemento
+    remove_item: Rimuovi elemento
 
     invitation_mailer:
       invite_mail_subject: Hai ricevuto un invito
@@ -120,6 +142,10 @@ it:
               web3_address_invalid: L'inidirizzo inviato non è correttamente firmato
               web3_connection_error: Impossibile connettere il wallet
               authenticator_code_invalid: Il codice inserito non è corretto
+              webauthn_payload_missing: Risposta Passkey mancante. Riprovare.
+              webauthn_challenge_missing: La sfida Passkey è scaduta. Avvia nuovamente la procedura.
+              webauthn_registration_failed: Impossibile verificare la risposta Passkey. Riavvia la procedura.
+              webauthn_authentication_failed: Autenticazione Passkey fallita. Riprova o usa un altro metodo.
             password:
               not_correct: non corretta
             password_confirmation: