javascript-solid-server 0.0.76 → 0.0.77

package/.claude/settings.local.json

@@ -256,7 +256,11 @@
       "Bash(gh run view:*)",
       "Bash(gh pr edit:*)",
       "WebFetch(domain:patch-diff.githubusercontent.com)",
-      "Bash(git rebase:*)"
+      "Bash(git rebase:*)",
+      "Bash(timeout 10 npm start)",
+      "Bash(node bin/jss.js start:*)",
+      "Bash(ssh solid.social \"cd /var/www/jss && git pull && pm2 restart jss\")",
+      "Bash(ssh solid.social:*)"
     ]
   }
 }

package/README.md

@@ -6,8 +6,11 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.75)
+### Implemented (v0.0.77)
 
+- **Passkey Authentication** - WebAuthn/FIDO2 passwordless login with Touch ID, Face ID, or security keys
+- **HTTP Range Requests** - Partial content delivery for large files and media streaming
+- **Single-User Mode** - Simplified setup for personal pod servers
 - **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -670,6 +673,26 @@ Response:
 
 For DPoP-bound tokens (Solid-OIDC compliant), include a DPoP proof header.
 
+### Passkey Authentication (v0.0.77+)
+
+Enable passwordless login with WebAuthn/FIDO2:
+
+```bash
+jss start --idp
+```
+
+**How it works:**
+1. User logs in with username/password
+2. Prompted to add a passkey (Touch ID, Face ID, security key)
+3. Future logins: tap "Sign in with Passkey" → biometric → done!
+
+**Benefits:**
+- Phishing-resistant (bound to domain)
+- No passwords to remember or leak
+- Works on mobile and desktop
+
+Passkeys are stored per-account and work across devices via platform sync (iCloud Keychain, Google Password Manager, etc.).
+
 ### Solid-OIDC (External IdP)
 
 The server also accepts DPoP-bound access tokens from external Solid identity providers:
@@ -869,7 +892,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **213 tests** (including 27 conformance tests)
+Currently passing: **223 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.76",
+  "version": "0.0.77",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -26,6 +26,7 @@
     "@fastify/middie": "^8.3.3",
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/websocket": "^8.3.1",
+    "@simplewebauthn/server": "^13.2.2",
     "bcrypt": "^6.0.0",
     "bcryptjs": "^3.0.3",
     "better-sqlite3": "^12.5.0",

package/src/idp/accounts.js

@@ -38,6 +38,10 @@ function getWebIdIndexPath() {
   return path.join(getAccountsDir(), '_webid_index.json');
 }
 
+function getCredentialIndexPath() {
+  return path.join(getAccountsDir(), '_credential_index.json');
+}
+
 const SALT_ROUNDS = 10;
 
 /**
@@ -270,6 +274,135 @@ export async function deleteAccount(id) {
   await fs.remove(accountPath);
 }
 
+/**
+ * Save an account (internal helper)
+ * @param {object} account - Account object
+ */
+async function saveAccount(account) {
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Update last login timestamp
+ * @param {string} id - Account ID
+ */
+export async function updateLastLogin(id) {
+  const account = await findById(id);
+  if (!account) return;
+  account.lastLogin = new Date().toISOString();
+  await saveAccount(account);
+}
+
+/**
+ * Add a passkey credential to an account
+ * @param {string} accountId - Account ID
+ * @param {object} credential - Passkey credential
+ * @param {string} credential.credentialId - Base64url encoded credential ID
+ * @param {string} credential.publicKey - Base64url encoded public key
+ * @param {number} credential.counter - Authenticator counter
+ * @param {string[]} [credential.transports] - Supported transports
+ * @param {string} [credential.name] - User-friendly name
+ * @returns {Promise<boolean>} - Success
+ */
+export async function addPasskey(accountId, credential) {
+  const account = await findById(accountId);
+  if (!account) return false;
+
+  account.passkeys = account.passkeys || [];
+
+  // Check for duplicate credentialId
+  const existingPasskey = account.passkeys.find(pk => pk.credentialId === credential.credentialId);
+  if (existingPasskey) {
+    return false; // Already registered
+  }
+
+  account.passkeys.push({
+    credentialId: credential.credentialId,
+    publicKey: credential.publicKey,
+    counter: credential.counter || 0,
+    transports: credential.transports || [],
+    createdAt: new Date().toISOString(),
+    lastUsed: null,
+    name: credential.name || 'Security Key'
+  });
+
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  credentialIndex[credential.credentialId] = accountId;
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Find an account by passkey credential ID
+ * @param {string} credentialId - Base64url encoded credential ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByCredentialId(credentialId) {
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  const id = credentialIndex[credentialId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update passkey counter after successful authentication
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID
+ * @param {number} newCounter - New counter value
+ */
+export async function updatePasskeyCounter(accountId, credentialId, newCounter) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return;
+
+  const passkey = account.passkeys.find(p => p.credentialId === credentialId);
+  if (passkey) {
+    passkey.counter = newCounter;
+    passkey.lastUsed = new Date().toISOString();
+    await saveAccount(account);
+  }
+}
+
+/**
+ * Remove a passkey from an account
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID to remove
+ * @returns {Promise<boolean>} - Success
+ */
+export async function removePasskey(accountId, credentialId) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return false;
+
+  const index = account.passkeys.findIndex(p => p.credentialId === credentialId);
+  if (index === -1) return false;
+
+  account.passkeys.splice(index, 1);
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  delete credentialIndex[credentialId];
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Set passkey prompt dismissed flag
+ * @param {string} accountId - Account ID
+ * @param {boolean} dismissed - Whether prompt was dismissed
+ */
+export async function setPasskeyPromptDismissed(accountId, dismissed = true) {
+  const account = await findById(accountId);
+  if (!account) return;
+  account.passkeyPromptDismissed = dismissed;
+  await saveAccount(account);
+}
+
 /**
  * Get account for oidc-provider's findAccount
  * This is the interface oidc-provider expects

package/src/idp/index.js

@@ -13,11 +13,14 @@ import {
   handleAbort,
   handleRegisterGet,
   handleRegisterPost,
+  handlePasskeyComplete,
+  handlePasskeySkip,
 } from './interactions.js';
 import {
   handleCredentials,
   handleCredentialsInfo,
 } from './credentials.js';
+import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
 
 /**
@@ -290,6 +293,68 @@ export async function idpPlugin(fastify, options) {
     return handleRegisterPost(request, reply, issuer, inviteOnly);
   });
 
+  // Passkey routes
+  // Registration options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/register/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationOptions(request, reply);
+  });
+
+  // Registration verify - rate limited
+  fastify.post('/idp/passkey/register/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationVerify(request, reply);
+  });
+
+  // Login options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/login/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationOptions(request, reply);
+  });
+
+  // Login verify - rate limited
+  fastify.post('/idp/passkey/login/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationVerify(request, reply);
+  });
+
+  // Passkey interaction handlers
+  fastify.get('/idp/interaction/:uid/passkey-complete', async (request, reply) => {
+    return handlePasskeyComplete(request, reply, provider);
+  });
+
+  fastify.get('/idp/interaction/:uid/passkey-skip', async (request, reply) => {
+    return handlePasskeySkip(request, reply, provider);
+  });
+
   fastify.log.info(`IdP initialized with issuer: ${issuer}`);
 }
 

package/src/idp/interactions.js

@@ -3,8 +3,8 @@
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById, createAccount } from './accounts.js';
-import { loginPage, consentPage, errorPage, registerPage } from './views.js';
+import { authenticate, findById, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
+import { loginPage, consentPage, errorPage, registerPage, passkeyPromptPage } from './views.js';
 import * as storage from '../storage/filesystem.js';
 import { createPodStructure } from '../handlers/container.js';
 import { validateInvite } from './invites.js';
@@ -122,7 +122,31 @@ export async function handleLogin(request, reply, provider) {
       return reply.redirect(`/idp/interaction/${uid}`);
     }
 
-    // Login successful - complete the interaction
+    // Login successful
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
+
+    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
+    const acceptHeader = request.headers.accept || '';
+    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
+
+    // Check if user should see passkey prompt (browser only, no passkeys, not dismissed)
+    const fullAccount = await findById(account.id);
+    const shouldPromptPasskey = wantsBrowserRedirect &&
+      !fullAccount.passkeys?.length &&
+      !fullAccount.passkeyPromptDismissed;
+
+    if (shouldPromptPasskey) {
+      // Show passkey registration prompt before completing login
+      // Store the pending login in the interaction
+      interaction.result = {
+        login: { accountId: account.id, remember: true }
+      };
+      interaction.passkeyPromptPending = true;
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.type('text/html').send(passkeyPromptPage(uid, account.id));
+    }
+
+    // Complete the interaction
     const result = {
       login: {
         accountId: account.id,
@@ -130,12 +154,6 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    request.log.info({ accountId: account.id, uid }, 'Login successful');
-
-    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
-    const acceptHeader = request.headers.accept || '';
-    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
-
     // Save the login result to the interaction
     interaction.result = result;
     await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
@@ -433,3 +451,94 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly));
   }
 }
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-complete
+ * Completes OIDC interaction after passkey login or registration
+ */
+export async function handlePasskeyComplete(request, reply, provider) {
+  const { uid } = request.params;
+  const { accountId } = request.query;
+
+  if (!accountId) {
+    return reply.code(400).type('text/html').send(errorPage('Missing account', 'Account ID is required.'));
+  }
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // If this is a post-login passkey registration flow, validate accountId matches
+    // the already-authenticated user to prevent account takeover
+    if (interaction.passkeyPromptPending && interaction.result?.login?.accountId) {
+      if (interaction.result.login.accountId !== accountId) {
+        request.log.warn({ expected: interaction.result.login.accountId, provided: accountId }, 'AccountId mismatch in passkey complete');
+        return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
+      }
+    }
+
+    const account = await findById(accountId);
+    if (!account) {
+      return reply.code(404).type('text/html').send(errorPage('Account not found', 'The account could not be found.'));
+    }
+
+    // Update last login
+    await updateLastLogin(accountId);
+
+    // Complete the OIDC interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    request.log.info({ accountId: account.id, uid }, 'Passkey login completed');
+
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey complete error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-skip
+ * User skipped passkey registration, complete login
+ */
+export async function handlePasskeySkip(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate the interaction is in the passkey prompt state
+    if (!interaction.passkeyPromptPending) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in passkey prompt flow.'));
+    }
+
+    // Get the pending login result
+    const result = interaction.result;
+    if (!result?.login?.accountId) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'No pending login found.'));
+    }
+
+    // Mark passkey prompt as dismissed so we don't nag again
+    await setPasskeyPromptDismissed(result.login.accountId, true);
+
+    request.log.info({ accountId: result.login.accountId, uid }, 'Passkey prompt skipped');
+
+    // Complete the OIDC interaction
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey skip error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/passkey.js

@@ -0,0 +1,311 @@
+/**
+ * Passkey (WebAuthn) authentication endpoints
+ * Handles registration and authentication of passkey credentials
+ */
+
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse
+} from '@simplewebauthn/server';
+import crypto from 'crypto';
+import * as accounts from './accounts.js';
+
+// Temporary challenge storage (in-memory, cleared on restart)
+// For production clusters, use Redis or session storage
+const challenges = new Map();
+const MAX_CHALLENGES = 10000; // Prevent unbounded growth
+
+// Clean up expired challenges periodically
+// Use unref() so this timer doesn't prevent process exit (important for tests)
+const cleanupInterval = setInterval(() => {
+  const now = Date.now();
+  for (const [key, value] of challenges.entries()) {
+    if (now > value.expires) {
+      challenges.delete(key);
+    }
+  }
+}, 60000);
+cleanupInterval.unref();
+
+/**
+ * Store a challenge with size limit enforcement
+ */
+function storeChallenge(key, value) {
+  // If at capacity, remove oldest expired entries first
+  if (challenges.size >= MAX_CHALLENGES) {
+    const now = Date.now();
+    for (const [k, v] of challenges.entries()) {
+      if (now > v.expires) {
+        challenges.delete(k);
+      }
+      if (challenges.size < MAX_CHALLENGES) break;
+    }
+  }
+  // If still at capacity, reject (DoS protection)
+  if (challenges.size >= MAX_CHALLENGES) {
+    return false;
+  }
+  challenges.set(key, value);
+  return true;
+}
+
+/**
+ * Get Relying Party configuration from request
+ * Handles both IPv4 (with port) and IPv6 addresses correctly
+ */
+function getRP(request) {
+  let hostname;
+  try {
+    // Use URL parsing to correctly extract hostname (handles IPv6)
+    const url = new URL(`${request.protocol}://${request.hostname}`);
+    hostname = url.hostname;
+  } catch {
+    // Fallback: strip port from hostname (IPv4 only)
+    hostname = String(request.hostname || '').split(':')[0];
+  }
+  return {
+    name: 'Solid Pod',
+    id: hostname
+  };
+}
+
+/**
+ * Get origin from request
+ */
+function getOrigin(request) {
+  return `${request.protocol}://${request.hostname}`;
+}
+
+/**
+ * POST /idp/passkey/register/options
+ * Generate registration options for a logged-in user
+ */
+export async function registrationOptions(request, reply) {
+  const { accountId } = request.body || {};
+
+  if (!accountId) {
+    return reply.code(401).send({ error: 'Must provide accountId' });
+  }
+
+  const account = await accounts.findById(accountId);
+  if (!account) {
+    return reply.code(404).send({ error: 'Account not found' });
+  }
+
+  const rp = getRP(request);
+
+  const options = await generateRegistrationOptions({
+    rpName: rp.name,
+    rpID: rp.id,
+    userID: new TextEncoder().encode(account.id),
+    userName: account.username,
+    userDisplayName: account.username,
+    attestationType: 'none', // Don't require attestation for privacy
+    excludeCredentials: (account.passkeys || []).map(pk => ({
+      id: Buffer.from(pk.credentialId, 'base64url'),
+      type: 'public-key',
+      transports: pk.transports
+    })),
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    }
+  });
+
+  // Store challenge for verification with unique key (prevents race conditions from multiple tabs)
+  const challengeKey = crypto.randomUUID();
+  const stored = storeChallenge(challengeKey, {
+    challenge: options.challenge,
+    type: 'registration',
+    accountId: account.id,
+    expires: Date.now() + 60000 // 1 minute
+  });
+
+  if (!stored) {
+    return reply.code(503).send({ error: 'Server busy, try again later' });
+  }
+
+  return reply.send({ ...options, challengeKey });
+}
+
+/**
+ * POST /idp/passkey/register/verify
+ * Verify and store the registration response
+ */
+export async function registrationVerify(request, reply) {
+  const { accountId, credential, name, challengeKey } = request.body || {};
+
+  if (!accountId || !credential || !challengeKey) {
+    return reply.code(400).send({ error: 'Missing required fields' });
+  }
+
+  const stored = challenges.get(challengeKey);
+  if (!stored || stored.type !== 'registration' || Date.now() > stored.expires) {
+    return reply.code(400).send({ error: 'Challenge expired or invalid' });
+  }
+
+  // Verify the accountId matches the challenge
+  if (stored.accountId !== accountId) {
+    return reply.code(403).send({ error: 'Account mismatch' });
+  }
+
+  const account = await accounts.findById(accountId);
+  if (!account) {
+    return reply.code(404).send({ error: 'Account not found' });
+  }
+
+  const rp = getRP(request);
+
+  try {
+    const verification = await verifyRegistrationResponse({
+      response: credential,
+      expectedChallenge: stored.challenge,
+      expectedOrigin: getOrigin(request),
+      expectedRPID: rp.id
+    });
+
+    if (!verification.verified || !verification.registrationInfo) {
+      request.log.warn({ verified: verification.verified, hasInfo: !!verification.registrationInfo }, 'Passkey registration verification failed');
+      return reply.code(400).send({ error: 'Verification failed' });
+    }
+
+    const { credential: regCredential } = verification.registrationInfo;
+
+    await accounts.addPasskey(accountId, {
+      credentialId: regCredential.id, // Already base64url string
+      publicKey: Buffer.from(regCredential.publicKey).toString('base64url'),
+      counter: regCredential.counter,
+      transports: regCredential.transports || credential.response?.transports || [],
+      name: name || 'Security Key'
+    });
+
+    challenges.delete(challengeKey);
+
+    return reply.send({ success: true });
+  } catch (err) {
+    request.log.error({ err }, 'Passkey registration error');
+    return reply.code(400).send({ error: 'Passkey registration failed' });
+  }
+}
+
+/**
+ * POST /idp/passkey/login/options
+ * Generate authentication options
+ */
+export async function authenticationOptions(request, reply) {
+  const { username } = request.body || {};
+  const rp = getRP(request);
+
+  let allowCredentials = [];
+  let accountId = null;
+
+  // If username provided, limit to that user's credentials
+  if (username) {
+    const account = await accounts.findByUsername(username);
+    if (account && account.passkeys?.length) {
+      accountId = account.id;
+      allowCredentials = account.passkeys.map(pk => ({
+        id: Buffer.from(pk.credentialId, 'base64url'),
+        type: 'public-key',
+        transports: pk.transports
+      }));
+    }
+  }
+
+  const options = await generateAuthenticationOptions({
+    rpID: rp.id,
+    allowCredentials,
+    userVerification: 'preferred'
+  });
+
+  // Store challenge - use visitorId for anonymous requests
+  const challengeKey = accountId || request.body?.visitorId || crypto.randomUUID();
+  const stored = storeChallenge(challengeKey, {
+    challenge: options.challenge,
+    type: 'authentication',
+    accountId,
+    expires: Date.now() + 60000 // 1 minute
+  });
+
+  if (!stored) {
+    return reply.code(503).send({ error: 'Server busy, try again later' });
+  }
+
+  return reply.send({ ...options, challengeKey });
+}
+
+/**
+ * POST /idp/passkey/login/verify
+ * Verify authentication and return account info
+ */
+export async function authenticationVerify(request, reply) {
+  const { challengeKey, credential } = request.body || {};
+
+  if (!challengeKey || !credential) {
+    return reply.code(400).send({ error: 'Missing challengeKey or credential' });
+  }
+
+  const stored = challenges.get(challengeKey);
+  if (!stored || stored.type !== 'authentication' || Date.now() > stored.expires) {
+    return reply.code(400).send({ error: 'Challenge expired or invalid' });
+  }
+
+  // Find account by credential ID
+  const credentialId = credential.id;
+  const account = stored.accountId
+    ? await accounts.findById(stored.accountId)
+    : await accounts.findByCredentialId(credentialId);
+
+  if (!account) {
+    return reply.code(400).send({ error: 'Unknown credential' });
+  }
+
+  const passkey = account.passkeys?.find(pk => pk.credentialId === credentialId);
+  if (!passkey) {
+    return reply.code(400).send({ error: 'Credential not found' });
+  }
+
+  const rp = getRP(request);
+
+  try {
+    const verification = await verifyAuthenticationResponse({
+      response: credential,
+      expectedChallenge: stored.challenge,
+      expectedOrigin: getOrigin(request),
+      expectedRPID: rp.id,
+      credential: {
+        id: Buffer.from(passkey.credentialId, 'base64url'),
+        publicKey: Buffer.from(passkey.publicKey, 'base64url'),
+        counter: passkey.counter
+      }
+    });
+
+    if (!verification.verified) {
+      return reply.code(400).send({ error: 'Verification failed' });
+    }
+
+    // Update counter to prevent replay attacks
+    await accounts.updatePasskeyCounter(
+      account.id,
+      credentialId,
+      verification.authenticationInfo.newCounter
+    );
+
+    // Update last login
+    await accounts.updateLastLogin(account.id);
+
+    challenges.delete(challengeKey);
+
+    // Return account info for session creation
+    return reply.send({
+      success: true,
+      accountId: account.id,
+      webId: account.webId
+    });
+  } catch (err) {
+    request.log.error({ err }, 'Passkey authentication error');
+    return reply.code(400).send({ error: 'Authentication failed' });
+  }
+}

package/src/idp/views.js

@@ -105,6 +105,38 @@ const styles = `
   .btn-secondary:hover {
     background: #e0e0e0;
   }
+  .btn-passkey {
+    background: #1a73e8;
+    color: white;
+    width: 100%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    gap: 8px;
+  }
+  .btn-passkey:hover {
+    background: #1557b0;
+  }
+  .btn-passkey svg {
+    width: 20px;
+    height: 20px;
+  }
+  .divider {
+    display: flex;
+    align-items: center;
+    margin: 20px 0;
+    color: #666;
+    font-size: 14px;
+  }
+  .divider::before,
+  .divider::after {
+    content: '';
+    flex: 1;
+    border-bottom: 1px solid #ddd;
+  }
+  .divider span {
+    padding: 0 12px;
+  }
   .scopes {
     margin: 20px 0;
   }
@@ -149,6 +181,12 @@ const solidLogo = `
 </svg>
 `;
 
+const passkeyIcon = `
+<svg viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+  <path d="M12.65 10C11.83 7.67 9.61 6 7 6c-3.31 0-6 2.69-6 6s2.69 6 6 6c2.61 0 4.83-1.67 5.65-4H17v4h4v-4h2v-4H12.65zM7 14c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2z"/>
+</svg>
+`;
+
 const scopeDescriptions = {
   openid: 'Access your identity',
   webid: 'Access your WebID',
@@ -157,11 +195,125 @@ const scopeDescriptions = {
   offline_access: 'Stay logged in',
 };
 
+/**
+ * Escape string for safe use in JavaScript
+ */
+function escapeJs(text) {
+  if (!text) return '';
+  return String(text)
+    .replace(/\\/g, '\\\\')
+    .replace(/'/g, "\\'")
+    .replace(/"/g, '\\"')
+    .replace(/</g, '\\x3c')
+    .replace(/>/g, '\\x3e')
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r');
+}
+
 /**
  * Login page HTML
  */
-export function loginPage(uid, clientId, error = null) {
+export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
   const appName = clientId || 'An application';
+  const safeUid = escapeJs(uid);
+
+  const passkeySection = passkeyEnabled ? `
+    <button type="button" class="btn btn-passkey" onclick="loginWithPasskey()">
+      ${passkeyIcon}
+      Sign in with Passkey
+    </button>
+
+    <div class="divider"><span>or</span></div>
+  ` : '';
+
+  const passkeyScript = passkeyEnabled ? `
+  <script>
+    var INTERACTION_UID = '${safeUid}';
+
+    async function loginWithPasskey() {
+      try {
+        // Get authentication options
+        const optionsRes = await fetch('/idp/passkey/login/options', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ visitorId: crypto.randomUUID() })
+        });
+        const options = await optionsRes.json();
+        if (options.error) {
+          alert('Error: ' + options.error);
+          return;
+        }
+
+        // Convert base64url to ArrayBuffer
+        options.challenge = base64urlToBuffer(options.challenge);
+        if (options.allowCredentials) {
+          options.allowCredentials = options.allowCredentials.map(c => ({
+            ...c,
+            id: base64urlToBuffer(c.id)
+          }));
+        }
+
+        // Prompt user for passkey
+        const credential = await navigator.credentials.get({ publicKey: options });
+
+        // Send response to server
+        const verifyRes = await fetch('/idp/passkey/login/verify', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            challengeKey: options.challengeKey,
+            credential: {
+              id: credential.id,
+              rawId: bufferToBase64url(credential.rawId),
+              type: credential.type,
+              response: {
+                clientDataJSON: bufferToBase64url(credential.response.clientDataJSON),
+                authenticatorData: bufferToBase64url(credential.response.authenticatorData),
+                signature: bufferToBase64url(credential.response.signature),
+                userHandle: credential.response.userHandle
+                  ? bufferToBase64url(credential.response.userHandle)
+                  : null
+              }
+            }
+          })
+        });
+
+        const result = await verifyRes.json();
+        if (result.success) {
+          // Complete the OIDC interaction - build URL safely
+          const redirectUrl = '/idp/interaction/' + encodeURIComponent(INTERACTION_UID) + '/passkey-complete?accountId=' + encodeURIComponent(result.accountId);
+          window.location.href = redirectUrl;
+        } else {
+          alert('Passkey authentication failed: ' + (result.error || 'Unknown error'));
+        }
+      } catch (err) {
+        if (err.name === 'NotAllowedError') {
+          // User cancelled - do nothing
+        } else {
+          console.error('Passkey error:', err);
+          alert('Passkey authentication failed: ' + err.message);
+        }
+      }
+    }
+
+    function base64urlToBuffer(base64url) {
+      const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+      const padLen = (4 - base64.length % 4) % 4;
+      const padded = base64 + '='.repeat(padLen);
+      const binary = atob(padded);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+      return bytes.buffer;
+    }
+
+    function bufferToBase64url(buffer) {
+      const bytes = new Uint8Array(buffer);
+      let binary = '';
+      for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+      return btoa(binary).replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/=/g, '');
+    }
+  </script>
+  ` : '';
 
   return `
 <!DOCTYPE html>
@@ -185,6 +337,8 @@ export function loginPage(uid, clientId, error = null) {
 
     ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
 
+    ${passkeySection}
+
     <form method="POST" action="/idp/interaction/${uid}/login">
       <label for="username">Username</label>
       <input type="text" id="username" name="username" required autofocus placeholder="Your username">
@@ -203,6 +357,7 @@ export function loginPage(uid, clientId, error = null) {
       Don't have an account? <a href="/idp/register?uid=${uid}" style="color: #0066cc;">Register</a>
     </p>
   </div>
+  ${passkeyScript}
 </body>
 </html>
   `;
@@ -349,6 +504,162 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
   `;
 }
 
+/**
+ * Passkey prompt page - shown after password login to encourage passkey setup
+ */
+export function passkeyPromptPage(uid, accountId) {
+  const safeUid = escapeJs(uid);
+  const safeAccountId = escapeJs(accountId);
+  // Pre-escape the SVG for innerHTML assignment (no user data, just static SVG)
+  const passkeyIconEscaped = passkeyIcon.replace(/'/g, "\\'").replace(/\n/g, '');
+
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Add a Passkey - Solid IdP</title>
+  <style>${styles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">${solidLogo}</div>
+    <h1>Add a Passkey?</h1>
+    <p class="subtitle">Sign in faster next time</p>
+
+    <div class="client-info">
+      <div class="client-name">Passkeys are more secure</div>
+      <div class="client-uri">Use Touch ID, Face ID, or a security key instead of your password</div>
+    </div>
+
+    <button type="button" class="btn btn-passkey" onclick="registerPasskey()" id="addBtn">
+      ${passkeyIcon}
+      Add Passkey
+    </button>
+
+    <form method="GET" action="/idp/interaction/${escapeHtml(uid)}/passkey-skip">
+      <button type="submit" class="btn btn-secondary">Skip for now</button>
+    </form>
+  </div>
+
+  <script>
+    var INTERACTION_UID = '${safeUid}';
+    var ACCOUNT_ID = '${safeAccountId}';
+    var PASSKEY_ICON = '${passkeyIconEscaped}';
+
+    async function registerPasskey() {
+      const btn = document.getElementById('addBtn');
+      btn.disabled = true;
+      btn.textContent = 'Setting up...';
+
+      try {
+        // Get registration options
+        const optionsRes = await fetch('/idp/passkey/register/options', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ accountId: ACCOUNT_ID })
+        });
+        const options = await optionsRes.json();
+        if (options.error) {
+          alert('Error: ' + options.error);
+          btn.disabled = false;
+          btn.innerHTML = PASSKEY_ICON + ' Add Passkey';
+          return;
+        }
+
+        // Save challengeKey for verification
+        const challengeKey = options.challengeKey;
+
+        // Convert base64url to ArrayBuffer
+        options.challenge = base64urlToBuffer(options.challenge);
+        options.user.id = base64urlToBuffer(options.user.id);
+        if (options.excludeCredentials) {
+          options.excludeCredentials = options.excludeCredentials.map(c => ({
+            ...c,
+            id: base64urlToBuffer(c.id)
+          }));
+        }
+
+        // Prompt user to create passkey
+        const credential = await navigator.credentials.create({ publicKey: options });
+
+        // Send response to server
+        const verifyRes = await fetch('/idp/passkey/register/verify', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            accountId: ACCOUNT_ID,
+            challengeKey: challengeKey,
+            credential: {
+              id: credential.id,
+              rawId: bufferToBase64url(credential.rawId),
+              type: credential.type,
+              response: {
+                clientDataJSON: bufferToBase64url(credential.response.clientDataJSON),
+                attestationObject: bufferToBase64url(credential.response.attestationObject),
+                transports: credential.response.getTransports ? credential.response.getTransports() : []
+              }
+            },
+            name: detectDeviceName()
+          })
+        });
+
+        const result = await verifyRes.json();
+        if (result.success) {
+          // Passkey added, continue to app - build URL safely
+          const redirectUrl = '/idp/interaction/' + encodeURIComponent(INTERACTION_UID) + '/passkey-complete?accountId=' + encodeURIComponent(ACCOUNT_ID);
+          window.location.href = redirectUrl;
+        } else {
+          alert('Failed to add passkey: ' + (result.error || 'Unknown error'));
+          btn.disabled = false;
+          btn.innerHTML = PASSKEY_ICON + ' Add Passkey';
+        }
+      } catch (err) {
+        if (err.name === 'NotAllowedError') {
+          // User cancelled
+        } else {
+          console.error('Passkey error:', err);
+          alert('Failed to add passkey: ' + err.message);
+        }
+        btn.disabled = false;
+        btn.innerHTML = PASSKEY_ICON + ' Add Passkey';
+      }
+    }
+
+    function detectDeviceName() {
+      const ua = navigator.userAgent;
+      if (/iPhone/.test(ua)) return 'iPhone';
+      if (/iPad/.test(ua)) return 'iPad';
+      if (/Mac/.test(ua)) return 'Mac';
+      if (/Android/.test(ua)) return 'Android';
+      if (/Windows/.test(ua)) return 'Windows';
+      if (/Linux/.test(ua)) return 'Linux';
+      return 'Security Key';
+    }
+
+    function base64urlToBuffer(base64url) {
+      const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+      const padLen = (4 - base64.length % 4) % 4;
+      const padded = base64 + '='.repeat(padLen);
+      const binary = atob(padded);
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+      return bytes.buffer;
+    }
+
+    function bufferToBase64url(buffer) {
+      const bytes = new Uint8Array(buffer);
+      let binary = '';
+      for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+      return btoa(binary).replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/=/g, '');
+    }
+  </script>
+</body>
+</html>
+  `;
+}
+
 /**
  * Escape HTML to prevent XSS
  */