lato 3.16.0 → 3.17.0

data/app/models/lato/user.rb

@@ -14,6 +14,7 @@ module Lato
     validates :accepted_privacy_policy_version, presence: true
     validates :accepted_terms_and_conditions_version, presence: true
     validates :web3_address, uniqueness: true, allow_blank: true
+    validates :webauthn_id, uniqueness: true, allow_blank: true
 
     # Relations
     ##
@@ -58,6 +59,10 @@ module Lato
       !authenticator_secret.blank?
     end
 
+    def webauthn_enabled?
+      webauthn_id.present? && webauthn_public_key.present?
+    end
+
     # Helpers
     ##
 
@@ -251,7 +256,9 @@ module Lato
       c_password_update_code('')
 
       update(params.permit(:password, :password_confirmation).merge(
-        authenticator_secret: nil # Reset authenticator secret when password is updated
+        authenticator_secret: nil, # Reset authenticator secret when password is updated
+        webauthn_id: nil,          # Reset webauthn credential when password is updated
+        webauthn_public_key: nil   # Reset webauthn credential when password is updated
       ))
     end
 
@@ -320,6 +327,93 @@ module Lato
       true
     end
 
+    def webauthn_registration_options
+      WebAuthn::Credential.options_for_create(
+        user: {
+          id: Base64.strict_encode64(webauthn_user_handle),
+          name: email,
+          display_name: full_name
+        },
+        exclude: webauthn_exclude_credentials.map { |cred| Base64.strict_encode64(cred) }
+      )
+    end
+
+    def webauthn_authentication_options
+      WebAuthn::Credential.options_for_get(
+        allow: webauthn_allow_credentials.map { |cred| Base64.strict_encode64(cred) }
+      )
+    end
+
+    def register_webauthn_credential(credential_payload, encoded_challenge)
+      if credential_payload.blank?
+        errors.add(:base, :webauthn_payload_missing)
+        return false
+      end
+
+      if encoded_challenge.blank?
+        errors.add(:base, :webauthn_challenge_missing)
+        return false
+      end
+
+      parsed_payload = JSON.parse(credential_payload)
+      credential = WebAuthn::Credential.from_create(parsed_payload)
+      credential.verify(Base64.strict_decode64(encoded_challenge))
+
+      update(
+        webauthn_id: Base64.strict_encode64(credential.raw_id),
+        webauthn_public_key: credential.public_key
+      )
+    rescue JSON::ParserError, WebAuthn::Error => e
+      Rails.logger.error(e)
+      errors.add(:base, :webauthn_registration_failed)
+      false
+    end
+
+    def webauthn_authentication(params, encoded_challenge)
+      return false unless webauthn_enabled?
+
+      if params[:webauthn_credential].blank?
+        errors.add(:base, :webauthn_payload_missing)
+        return false
+      end
+
+      if encoded_challenge.blank?
+        errors.add(:base, :webauthn_challenge_missing)
+        return false
+      end
+
+      parsed_payload = JSON.parse(params[:webauthn_credential])
+      
+      # Converti i campi da base64url a base64 standard per il gem webauthn
+      parsed_payload['rawId'] = base64url_to_base64(parsed_payload['rawId'])
+      parsed_payload['response']['clientDataJSON'] = base64url_to_base64(parsed_payload['response']['clientDataJSON'])
+      parsed_payload['response']['authenticatorData'] = base64url_to_base64(parsed_payload['response']['authenticatorData'])
+      parsed_payload['response']['signature'] = base64url_to_base64(parsed_payload['response']['signature'])
+      parsed_payload['response']['userHandle'] = base64url_to_base64(parsed_payload['response']['userHandle']) if parsed_payload['response']['userHandle']
+      
+      credential = WebAuthn::Credential.from_get(parsed_payload)
+      
+      credential.verify(
+        encoded_challenge,
+        public_key: webauthn_public_key,
+        sign_count: 0
+      )
+
+      true
+    rescue JSON::ParserError, WebAuthn::Error => e
+      Rails.logger.error(e)
+      Rails.logger.error(e.backtrace.join("\n"))
+      errors.add(:base, :webauthn_authentication_failed)
+      false
+    end
+
+    def remove_webauthn_credential
+      update(
+        webauthn_id: nil,
+        webauthn_public_key: nil
+      )
+    end
+
     def generate_authenticator_secret
       update(authenticator_secret: ROTP::Base32.random)
     end
@@ -367,5 +461,41 @@ module Lato
       Rails.cache.write(cache_key, value, expires_in: 30.minutes)
       value
     end
+
+    private
+
+    def webauthn_user_handle
+      Digest::SHA256.digest("lato-user-#{id}")
+    end
+
+    def webauthn_exclude_credentials
+      return [] unless webauthn_id.present?
+
+      [Base64.strict_decode64(webauthn_id)]
+    rescue ArgumentError
+      []
+    end
+
+    def webauthn_allow_credentials
+      return [] unless webauthn_id.present?
+
+      [Base64.strict_decode64(webauthn_id)]
+    rescue ArgumentError
+      []
+    end
+
+    def base64url_to_base64(str)
+      return nil if str.nil?
+      # Converti base64url in base64 standard
+      base64 = str.tr('-_', '+/')
+      # Aggiungi padding se necessario
+      case base64.length % 4
+      when 2
+        base64 += '=='
+      when 3
+        base64 += '='
+      end
+      base64
+    end
   end
 end

data/app/views/lato/account/_form-authenticator.html.erb

@@ -15,14 +15,15 @@ user ||= Lato::User.new
           <img class="shadow-sm rounded" src="<%= user.authenticator_qr_code_base64 %>" />
         </div>
         <div class="d-flex flex-column justify-content-between w-100">
-          <div class="alert alert-light">
+          <div class="alert alert-success">
+            <h4 class="alert-heading"><%= I18n.t('lato.account_authenticator_ready_title') %></h4>
             <p class="mb-0">
               <%= raw I18n.t('lato.account_authenticator_ready_qr') %>
             </p>
           </div>
 
           <div class="d-flex justify-content-end">
-            <%= lato_form_submit form, I18n.t('lato.cancel_authenticator'), class: %w[btn-danger] %>
+            <%= lato_form_submit form, I18n.t('lato.account_authenticator_disable'), class: %w[btn-danger] %>
           </div>
         </div>
       </div>
@@ -33,7 +34,7 @@ user ||= Lato::User.new
           <%= raw I18n.t('lato.account_authenticator_start_description') %>
         </p>
         <p class="mb-0">
-          <%= lato_form_submit form, I18n.t('lato.generate_qr_code'), class: %w[btn-primary] %>
+          <%= lato_form_submit form, I18n.t('lato.account_authenticator_generate_qr_code'), class: %w[btn-primary] %>
         </p>
       </div>
     <% end %>

data/app/views/lato/account/_form-webauthn.html.erb

@@ -0,0 +1,66 @@
+<%
+
+user ||= Lato::User.new
+registration_options = session[:webauthn_registration_options]
+form_data = { turbo_frame: '_self', controller: 'lato-form' }
+
+if registration_options.present?
+  form_data[:controller] += ' lato-account-webauthn'
+  form_data['lato-account-webauthn-options-value'] = registration_options.to_json
+  form_data['lato-account-webauthn-error-message-value'] = I18n.t('lato.account_webauthn_in_progress_error')
+end
+
+%>
+
+<%= turbo_frame_tag 'account_form-webauthn' do %>
+  <%= form_with model: user, url: lato.account_update_webauthn_action_path, data: form_data do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.webauthn_enabled? %>
+      <div class="alert alert-success mb-3">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_ready_title') %></h4>
+        <p class="mb-0">
+          <%= raw I18n.t('lato.account_webauthn_ready_description') %>
+        </p>
+      </div>
+
+      <%= form.hidden_field :webauthn_command, value: 'remove' %>
+
+      <div class="d-flex justify-content-end">
+        <%= lato_form_submit form, I18n.t('lato.account_webauthn_disable'), class: %w[btn-danger] %>
+      </div>
+    <% elsif registration_options.present? %>
+      <%= form.hidden_field :webauthn_command, value: 'complete' %>
+      <%= form.hidden_field :webauthn_credential, data: { lato_account_webauthn_target: 'credentialInput' } %>
+
+      <div class="alert alert-light mb-3" data-lato-account-webauthn-target="status">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_in_progress_title') %></h4>
+        <p class="mb-0">
+          <%= raw I18n.t('lato.account_webauthn_in_progress_description') %>
+        </p>
+      </div>
+
+      <%= lato_form_submit form, I18n.t('lato.account_webauthn_finalize'), class: %w[btn-primary d-none], data: { lato_account_webauthn_target: 'submit' } %>
+
+      <div class="d-flex justify-content-between align-items-center">
+        <%= link_to I18n.t('lato.account_webauthn_cancel'), lato.account_update_webauthn_action_path(user: { webauthn_command: 'cancel' }), class: 'btn btn-link px-0 text-decoration-none', data: { turbo_frame: '_self', turbo_method: :patch } %>
+        <div class="text-muted small d-flex align-items-center">
+          <span class="spinner-border spinner-border-sm me-2" role="status" aria-hidden="true"></span>
+          <span><%= I18n.t('lato.account_webauthn_waiting_browser') %></span>
+        </div>
+      </div>
+    <% else %>
+      <div class="alert alert-light mb-0">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_webauthn_start_title') %></h4>
+        <p>
+          <%= raw I18n.t('lato.account_webauthn_start_description') %>
+        </p>
+        <p class="mb-0">
+          <%= form.hidden_field :webauthn_command, value: 'start' %>
+          <%= lato_form_submit form, I18n.t('lato.account_webauthn_enable'), class: %w[btn-primary] %>
+        </p>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>

data/app/views/lato/account/index.html.erb

@@ -21,24 +21,35 @@
   </div>
 </div>
 
-<% if Lato.config.web3_connection %>
+<% if Lato.config.authenticator_connection %>
 <div class="card mb-4">
   <div class="card-header">
-    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_web3') %></h2>
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
   </div>
   <div class="card-body">
-    <%= render 'lato/account/form-web3', user: @session.user %>
+    <%= render 'lato/account/form-authenticator', user: @session.user %>
   </div>
 </div>
 <% end %>
 
-<% if Lato.config.authenticator_connection %>
+<% if Lato.config.webauthn_connection %>
 <div class="card mb-4">
   <div class="card-header">
-    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_webauthn') %></h2>
   </div>
   <div class="card-body">
-    <%= render 'lato/account/form-authenticator', user: @session.user %>
+    <%= render 'lato/account/form-webauthn', user: @session.user %>
+  </div>
+</div>
+<% end %>
+
+<% if Lato.config.web3_connection %>
+<div class="card mb-4">
+  <div class="card-header">
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_web3') %></h2>
+  </div>
+  <div class="card-body">
+    <%= render 'lato/account/form-web3', user: @session.user %>
   </div>
 </div>
 <% end %>

data/app/views/lato/authentication/_form-authentication-method.html.erb

@@ -0,0 +1,36 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-authentication-method' do %>
+  <%= form_with url: lato.authentication_authentication_method_action_path, method: :post, data: { turbo_frame: '_self' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.authenticator_enabled? %>
+      <div class="mb-3">
+        <%= form.button I18n.t('lato.use_google_authenticator'), 
+          type: 'submit', 
+          name: 'method', 
+          value: 'authenticator',
+          class: 'btn btn-primary w-100' %>
+      </div>
+    <% end %>
+
+    <% if user.webauthn_enabled? %>
+      <div class="mb-3">
+        <%= form.button I18n.t('lato.use_webauthn'), 
+          type: 'submit', 
+          name: 'method', 
+          value: 'webauthn',
+          class: 'btn btn-primary w-100' %>
+      </div>
+    <% end %>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/_form-webauthn.html.erb

@@ -0,0 +1,27 @@
+<%
+
+user ||= Lato::User.new
+options ||= {}
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-webauthn' do %>
+  <%= form_with model: user, url: lato.authentication_webauthn_action_path, method: :post, data: { turbo_frame: '_self', controller: 'lato-form lato-webauthn-auth', 'lato-webauthn-auth-options-value': options.to_json } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <div class="mb-4 text-center">
+      <p><%= raw I18n.t('lato.webauthn_help', email: h(user.email_protected)) %></p>
+    </div>
+    
+    <%= form.hidden_field :webauthn_credential, data: { 'lato-webauthn-auth-target': 'credential' } %>
+
+    <div class="mb-3">
+      <%= lato_form_submit form, I18n.t('lato.authenticate'), class: %w[d-block w-100], data: { action: 'lato-webauthn-auth#authenticate' } %>
+    </div>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/authentication_method.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.choose_authentication_method') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-authentication-method', user: @user %>
+    </div>
+  </div>
+</div>

data/app/views/lato/authentication/webauthn.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.webauthn') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-webauthn', user: @user, options: @options %>
+    </div>
+  </div>
+</div>

data/app/views/layouts/lato/_action.html.erb

@@ -1,6 +1,6 @@
 <% 10.times do %>
 
-<div class="modal fade" data-lato-action-target="modal" tabindex="-1" aria-hidden="true" data-bs-keyboard="false">
+<div class="modal fade" data-lato-action-target="modal" tabindex="-1" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
   <div class="modal-dialog modal-dialog-centered modal-dialog-scrollable" data-lato-action-target="modalDialog">
     <div class="modal-content">
       <div class="modal-header">

data/config/locales/en.yml

@@ -53,12 +53,32 @@ en:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Enable Google Authenticator
     account_authenticator_start_description: Generate a QR code by clicking the button below and scan it with the Google Authenticator app on your phone.<br>This will allow you to use the protect your account with a second factor authentication.
+    account_authenticator_ready_title: Google Authenticator ready
     account_authenticator_ready_qr: Scan the QR code with the Google Authenticator app to use the account protection with a second factor authentication.
-    generate_qr_code: Generate QR code
-    cancel_authenticator: Disconnect
-    authenticator: Two-factor authentication
+    account_authenticator_generate_qr_code: Generate QR code
+    account_authenticator_disable: Disconnect
+    authenticator: Google Authenticator
     authenticator_code_help: Insert the code generated by the Google Authenticator app for the account <b>%{email}</b>
     reset_password: Reset your password
+    choose_authentication_method: Choose authentication method
+    use_google_authenticator: Use Google Authenticator
+    use_webauthn: Use Passkey
+    authenticate: Authenticate
+    webauthn: Passkey Authentication
+    webauthn_help: Use your device to authenticate for account <b>%{email}</b>
+    account_webauthn: Passkey authentication
+    account_webauthn_start_title: Enable passkeys
+    account_webauthn_start_description: Use your device security (Touch ID, Face ID, Windows Hello, etc.) to approve future logins.<br>Click the button below and follow the browser prompts to register a passkey.
+    account_webauthn_enable: Register passkey
+    account_webauthn_in_progress_title: Complete the registration from your browser
+    account_webauthn_in_progress_description: Approve the prompt that appears in your browser to finish linking this passkey to your account.
+    account_webauthn_in_progress_error: Unable to register the passkey. Please restart the procedure and try again.
+    account_webauthn_waiting_browser: Waiting for your browser confirmation...
+    account_webauthn_cancel: Cancel request
+    account_webauthn_finalize: Complete registration
+    account_webauthn_ready_title: Passkey ready
+    account_webauthn_ready_description: This account now requires a WebAuthn challenge right after the classic login flow.
+    account_webauthn_disable: Disconnect
     per_page: Per page
     per_page_description: Number of elements per page
     confirm_title: Confirm
@@ -114,6 +134,10 @@ en:
               web3_address_invalid: The address you send is not corretly signed
               web3_connection_error: Impossible to connect the wallet
               authenticator_code_invalid: The code you inserted is not correct
+              webauthn_payload_missing: Passkey response missing. Please try again.
+              webauthn_challenge_missing: Passkey challenge expired. Start the registration again.
+              webauthn_registration_failed: Unable to verify the passkey response. Please restart the procedure.
+              webauthn_authentication_failed: Passkey authentication failed. Please try again or use another method.
             password:
               not_correct: not correct
             email:

data/config/locales/fr.yml

@@ -55,12 +55,32 @@ fr:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Activer Google Authenticator
     account_authenticator_start_description: Générez un code QR en cliquant sur le bouton ci-dessous et scannez-le avec l'application Google Authenticator sur votre téléphone.<br>Cela vous permettra de protéger votre compte avec une authentification à deux facteurs.
+    account_authenticator_ready_title: Google Authenticator prêt
     account_authenticator_ready_qr: Scannez le code QR avec l'application Google Authenticator pour activer la protection de votre compte avec une authentification à deux facteurs.
-    generate_qr_code: Générer un code QR
-    cancel_authenticator: Déconnecter
-    authenticator: Authentification à deux facteurs
+    account_authenticator_generate_qr_code: Générer un code QR
+    account_authenticator_disable: Déconnecter
+    authenticator: Google Authenticator
     authenticator_code_help: Saisissez le code généré par l'application Google Authenticator pour le compte <b>%{email}</b>
     reset_password: Réinitialisez votre mot de passe
+    choose_authentication_method: Choisir la méthode d'authentification
+    use_google_authenticator: Utiliser Google Authenticator
+    use_webauthn: Utiliser Passkey
+    authenticate: Authentifier
+    webauthn: Authentification Passkey
+    webauthn_help: Utilisez votre appareil pour vous authentifier sur le compte <b>%{email}</b>
+    account_webauthn: Authentification Passkey
+    account_webauthn_start_title: Activer les passkeys
+    account_webauthn_start_description: Utilisez la sécurité de votre appareil (Touch ID, Face ID, Windows Hello, etc.) pour approuver les connexions futures.<br>Cliquez sur le bouton ci-dessous et suivez les instructions de votre navigateur pour enregistrer une passkey.
+    account_webauthn_enable: Enregistrer la passkey
+    account_webauthn_in_progress_title: Validez l'inscription depuis votre navigateur
+    account_webauthn_in_progress_description: Approuvez la demande qui apparaît dans votre navigateur pour terminer l'association de la passkey à votre compte.
+    account_webauthn_in_progress_error: Impossible d'enregistrer la passkey. Redémarrez la procédure et réessayez.
+    account_webauthn_waiting_browser: En attente de la confirmation du navigateur...
+    account_webauthn_cancel: Annuler la demande
+    account_webauthn_finalize: Terminer l'inscription
+    account_webauthn_ready_title: Passkey activée
+    account_webauthn_ready_description: Ce compte nécessite désormais un défi WebAuthn juste après le processus de connexion classique.
+    account_webauthn_disable: Supprimer la passkey
     per_page: Par page
     per_page_description: Éléments par page
     confirm_title: Confirmation
@@ -122,6 +142,10 @@ fr:
               web3_address_invalid: L'adresse envoyée n'est pas correctement signée
               web3_connection_error: Impossible de connecter le portefeuille
               authenticator_code_invalid: Le code saisi n'est pas correct
+              webauthn_payload_missing: Réponse passkey manquante. Veuillez réessayer.
+              webauthn_challenge_missing: Le défi passkey a expiré. Veuillez relancer la procédure.
+              webauthn_registration_failed: Impossible de vérifier la réponse passkey. Redémarrez la procédure.
+              webauthn_authentication_failed: Échec de l'authentification passkey. Veuillez réessayer ou utiliser une autre méthode.
             password:
               not_correct: incorrect
             password_confirmation:

data/config/locales/it.yml

@@ -55,12 +55,32 @@ it:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Abilita Google Authenticator
     account_authenticator_start_description: Genera un codice QR cliccando il pulsante sottostante e scansionalo con l'app Google Authenticator sul tuo telefono.<br>Questo ti permetterà di proteggere il tuo account con un'autenticazione a due fattori.
+    account_authenticator_ready_title: Google Authenticator pronto
     account_authenticator_ready_qr: Scansiona il codice QR con l'app Google Authenticator per utilizzare la protezione dell'account con un'autenticazione a due fattori.
-    generate_qr_code: Genera codice QR
-    cancel_authenticator: Disconnetti
-    authenticator: Autenticazione a due fattori
+    account_authenticator_generate_qr_code: Genera codice QR
+    account_authenticator_disable: Disconnetti
+    authenticator: Google Authenticator
     authenticator_code_help: Inserisci il codice generato dall'app Google Authenticator per l'account <b>%{email}</b>
     reset_password: Reimposta la tua password
+    choose_authentication_method: Scegli il metodo di autenticazione
+    use_google_authenticator: Usa Google Authenticator
+    use_webauthn: Usa Passkey
+    authenticate: Autentica
+    webauthn: Autenticazione Passkey
+    webauthn_help: Usa il tuo dispositivo per autenticarti nell'account <b>%{email}</b>
+    account_webauthn: Autenticazione Passkey
+    account_webauthn_start_title: Abilita le Passkey
+    account_webauthn_start_description: Utilizza la sicurezza del tuo dispositivo (Touch ID, Face ID, Windows Hello, ecc.) per approvare gli accessi futuri.<br>Clicca il pulsante qui sotto e segui le istruzioni del browser per registrare una Passkey.
+    account_webauthn_enable: Registra Passkey
+    account_webauthn_in_progress_title: Completa la registrazione dal browser
+    account_webauthn_in_progress_description: Approva la richiesta che appare nel browser per terminare l'associazione della Passkey al tuo account.
+    account_webauthn_in_progress_error: Impossibile registrare la Passkey. Riavvia la procedura e riprova.
+    account_webauthn_waiting_browser: In attesa della conferma dal browser...
+    account_webauthn_cancel: Annulla richiesta
+    account_webauthn_finalize: Concludi registrazione
+    account_webauthn_ready_title: Passkey attiva
+    account_webauthn_ready_description: Questo account richiederà ora una sfida WebAuthn subito dopo il flusso di login classico.
+    account_webauthn_disable: Rimuovi Passkey
     per_page: Per pagina
     per_page_description: Elementi per pagina
     confirm_title: Conferma
@@ -122,6 +142,10 @@ it:
               web3_address_invalid: L'inidirizzo inviato non è correttamente firmato
               web3_connection_error: Impossibile connettere il wallet
               authenticator_code_invalid: Il codice inserito non è corretto
+              webauthn_payload_missing: Risposta Passkey mancante. Riprovare.
+              webauthn_challenge_missing: La sfida Passkey è scaduta. Avvia nuovamente la procedura.
+              webauthn_registration_failed: Impossibile verificare la risposta Passkey. Riavvia la procedura.
+              webauthn_authentication_failed: Autenticazione Passkey fallita. Riprova o usa un altro metodo.
             password:
               not_correct: non corretta
             password_confirmation:

data/config/locales/ro.yml

@@ -55,12 +55,32 @@ ro:
     account_authenticator: Google Authenticator
     account_authenticator_start_title: Activează Google Authenticator
     account_authenticator_start_description: Generează un cod QR făcând clic pe butonul de mai jos și scanează-l cu aplicația Google Authenticator de pe telefon.<br>Aceasta îți va permite să îți protejezi contul cu autentificare în doi pași.
+    account_authenticator_ready_title: Google Authenticator gata
     account_authenticator_ready_qr: Scanează codul QR cu aplicația Google Authenticator pentru a utiliza protecția contului cu autentificare în doi pași.
-    generate_qr_code: Generează cod QR
-    cancel_authenticator: Deconectează
-    authenticator: Autentificare în doi pași
+    account_authenticator_generate_qr_code: Generează cod QR
+    account_authenticator_disable: Deconectează
+    authenticator: Google Authenticator
     authenticator_code_help: Introdu codul generat de aplicația Google Authenticator pentru contul <b>%{email}</b>
     reset_password: Resetează-ți parola
+    choose_authentication_method: Alege metoda de autentificare
+    use_google_authenticator: Folosește Google Authenticator
+    use_webauthn: Folosește Passkey
+    authenticate: Autentifică
+    webauthn: Autentificare Passkey
+    webauthn_help: Folosește dispozitivul tău pentru a te autentifica pe contul <b>%{email}</b>
+    account_webauthn: Autentificare Passkey
+    account_webauthn_start_title: Activează Passkey
+    account_webauthn_start_description: Folosește securitatea dispozitivului tău (Touch ID, Face ID, Windows Hello etc.) pentru a aproba conectările viitoare.<br>Apasă butonul de mai jos și urmează instrucțiunile din browser pentru a înregistra o Passkey.
+    account_webauthn_enable: Înregistrează Passkey
+    account_webauthn_in_progress_title: Finalizează înregistrarea din browser
+    account_webauthn_in_progress_description: Aprobă solicitarea care apare în browser pentru a termina asocierea Passkey la contul tău.
+    account_webauthn_in_progress_error: Nu am putut înregistra Passkey. Repornește procedura și încearcă din nou.
+    account_webauthn_waiting_browser: Se așteaptă confirmarea din browser...
+    account_webauthn_cancel: Anulează solicitarea
+    account_webauthn_finalize: Finalizează înregistrarea
+    account_webauthn_ready_title: Passkey activă
+    account_webauthn_ready_description: Acest cont va solicita acum o provocare WebAuthn imediat după fluxul de autentificare clasic.
+    account_webauthn_disable: Elimină Passkey
     per_page: Pe pagină
     per_page_description: Elemente pe pagină
     confirm_title: Confirmă
@@ -122,6 +142,10 @@ ro:
               web3_address_invalid: Adresa trimisă nu este semnată corect
               web3_connection_error: Imposibil să se conecteze portofelul
               authenticator_code_invalid: Codul introdus nu este corect
+              webauthn_payload_missing: Răspunsul Passkey lipsește. Te rugăm să încerci din nou.
+              webauthn_challenge_missing: Provocarea Passkey a expirat. Repornește procedura.
+              webauthn_registration_failed: Nu am putut verifica răspunsul Passkey. Repornește procedura.
+              webauthn_authentication_failed: Autentificarea Passkey a eșuat. Te rugăm să încerci din nou sau să folosești altă metodă.
             password:
               not_correct: incorectă
             password_confirmation:

data/config/routes.rb

@@ -27,8 +27,12 @@ Lato::Engine.routes.draw do
     patch 'update_password_action', to: 'authentication#update_password_action', as: :authentication_update_password_action
     get 'accept_invitation', to: 'authentication#accept_invitation', as: :authentication_accept_invitation
     post 'accept_invitation_action', to: 'authentication#accept_invitation_action', as: :authentication_accept_invitation_action
+    get 'authentication_method', to: 'authentication#authentication_method', as: :authentication_authentication_method
+    post 'authentication_method_action', to: 'authentication#authentication_method_action', as: :authentication_authentication_method_action
     get 'authenticator', to: 'authentication#authenticator', as: :authentication_authenticator
     post 'authenticator_action', to: 'authentication#authenticator_action', as: :authentication_authenticator_action
+    get 'webauthn', to: 'authentication#webauthn', as: :authentication_webauthn
+    post 'webauthn_action', to: 'authentication#webauthn_action', as: :authentication_webauthn_action
   end
 
   # Account
@@ -37,8 +41,9 @@ Lato::Engine.routes.draw do
   scope :account do
     get '', to: 'account#index', as: :account
     patch 'update_user_action', to: 'account#update_user_action', as: :account_update_user_action
-    patch 'update_web3_action', to: 'account#update_web3_action', as: :account_update_web3_action
     patch 'update_authenticator_action', to: 'account#update_authenticator_action', as: :account_update_authenticator_action
+    patch 'update_webauthn_action', to: 'account#update_webauthn_action', as: :account_update_webauthn_action
+    patch 'update_web3_action', to: 'account#update_web3_action', as: :account_update_web3_action
     patch 'request_verify_email_action', to: 'account#request_verify_email_action', as: :account_request_verify_email_action
     patch 'update_password_action', to: 'account#update_password_action', as: :account_update_password_action
     delete 'destroy_action', to: 'account#destroy_action', as: :account_destroy_action

data/db/migrate/20251206170443_add_webauthn_id_to_user.rb

@@ -0,0 +1,6 @@
+class AddWebauthnIdToUser < ActiveRecord::Migration[8.1]
+  def change
+    add_column :lato_users, :webauthn_id, :string
+    add_column :lato_users, :webauthn_public_key, :text
+  end
+end