Prepare for admin TFA passkey support by extracting a shared interface from Config so CeremonyStepManagerProvider can work with both storefront and admin configurations via DI virtualType. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…terface Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…pport AdminTfaConfig implements WebAuthnConfigInterface using the admin store base URL to derive RP ID and allowed origins, with 'required' user verification and policy-driven hardware key enforcement. OriginValidator guards ceremonies against admin domain changes since passkey registration. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements Magento\TwoFactorAuth\Api\EngineInterface with config validation, origin checking via OriginValidator, and delegation to Authenticate for WebAuthn assertion verification. Includes placeholder Authenticate stub (Task 5 will provide the full implementation) and full unit test coverage. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a CLI command for bulk-resetting passkey TFA credentials for all admin users, supporting a --force flag to skip the confirmation prompt. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Temporary icons copied from U2F provider. Replace with proper passkey icons before release. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Configure/ConfigurePost: fix parent::__construct() to pass ($context, $tokenVerifier) matching AbstractConfigureAction's actual signature, not ($context, $session, $tfa)
- Configure/ConfigurePost: rename isAllowed() to _isAllowed() so Magento's dispatch mechanism actually calls it
- Auth/AuthPost: extend AbstractAction (TFA's base with 403 handling) instead of Action directly
- Engine: type-hint AuthenticateInterface instead of concrete Authenticate class
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Move passkey-core.js from view/frontend/web/js/ to view/base/web/js/ so it resolves in both frontend and adminhtml areas via Magento's RequireJS module resolution. Frontend JS is NOT available in admin.
- Remove redundant adminhtml requirejs-config.js (self-mapping no-op).
- Fix configure.phtml and auth.phtml: merge layout jsLayout with controller config in a single x-magento-init block instead of double-initializing via data-mage-init + script tag.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- (`passkey` and `passkey_hardware`) to Magento's TwoFactorAuth module, built entirely within MageOS_PasskeyAuth
- `all` vs hardware-only via `authenticatorAttachment: cross-platform`)
- `SerializerFactory`, `CeremonyStepManagerProvider`, and `ChallengeManager` via DI virtualType with admin-specific origins
- `tfa_user_config` table (single credential per admin user)
- `security:tfa:passkey:reset-all` CLI for bulk recovery
- `userVerification: required` hardcoded for all admin passkey auth (biometric/PIN enforced)
Architecture
- Shared services (no modification): `SerializerFactory`, `ChallengeManager`
- Refactored: `CeremonyStepManagerProvider` now type-hints `WebAuthnConfigInterface` (extracted from `Config`) — admin virtualType injects `AdminTfaConfig` for admin-domain origins
- New: `Engine`, `Configure`, `Authenticate` services under `Model/AdminTfa/`; 4 admin controllers; KnockoutJS frontend reusing `passkey-core.js` (moved to `view/base/`)
Security properties
- `userVerification: required` in both registration and auth
- `authenticatorAttachment: cross-platform` on hardware provider
Test plan
- `passkey` provider in TFA settings, verify configure screen renders
- `passkey_hardware` provider, verify only hardware keys are offered (no platform authenticator)
- `bin/magento security:tfa:passkey:reset-all` and verify credentials are cleared
- `security:tfa:reset <user> passkey` works for single-user reset
Spec & plan
- docs/superpowers/specs/2026-04-06-passkey-tfa-provider-design.md
- docs/superpowers/plans/2026-04-06-passkey-tfa-provider.md
🤖 Generated with Claude Code
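The commit that introduces AdminTfaConfig and OriginValidator, together with the "Security properties" list, describes three defensive decisions: the RP ID and the allowed origin are derived from the admin base URL rather than configured separately, user verification is always required, and a ceremony is refused when the admin domain has changed since the passkey was registered. The following is an added illustration of those decisions, not code from MageOS_PasskeyAuth. Only the class names AdminTfaConfig, OriginValidator and WebAuthnConfigInterface are taken from the PR; every method name, the constructor taking the base URL as a plain string, and the idea of comparing the RP ID stored with the credential against the current one are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not MageOS_PasskeyAuth code. Class names come from the PR;
// method names, constructor signatures and the stored-RP-ID check are assumptions.

interface WebAuthnConfigInterface
{
    public function getRpId(): string;

    /** @return string[] Origins accepted in the clientDataJSON "origin" field. */
    public function getAllowedOrigins(): array;

    /** @return array<string, string> authenticatorSelection sent at credential creation. */
    public function getAuthenticatorSelection(): array;
}

final class AdminTfaConfig implements WebAuthnConfigInterface
{
    private string $rpId;
    /** @var string[] */
    private array $allowedOrigins;

    /**
     * @param string $adminBaseUrl  absolute admin base URL (in Magento this would be read from
     *                              configuration; passed directly to keep the example self-contained)
     * @param bool   $hardwareOnly  true for the passkey_hardware provider
     */
    public function __construct(string $adminBaseUrl, private bool $hardwareOnly = false)
    {
        $parts = parse_url($adminBaseUrl);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            throw new InvalidArgumentException("Admin base URL must be absolute: $adminBaseUrl");
        }
        $scheme = strtolower($parts['scheme']);
        $host = strtolower($parts['host']);
        if ($scheme !== 'https' && $host !== 'localhost') {
            throw new InvalidArgumentException('WebAuthn needs a secure context; admin base URL must be https');
        }
        // RP ID is the bare host: no scheme, port or path (the /admin path plays no role).
        $this->rpId = $host;
        // Origin is scheme://host[:port]; a default https port is not serialised.
        $origin = $scheme . '://' . $host;
        if (isset($parts['port']) && !($scheme === 'https' && $parts['port'] === 443)) {
            $origin .= ':' . $parts['port'];
        }
        $this->allowedOrigins = [$origin];
    }

    public function getRpId(): string
    {
        return $this->rpId;
    }

    public function getAllowedOrigins(): array
    {
        return $this->allowedOrigins;
    }

    public function getAuthenticatorSelection(): array
    {
        // Always "required" for admin: possession of the key alone must not log in.
        $selection = ['userVerification' => 'required'];
        if ($this->hardwareOnly) {
            // Rules out platform authenticators so only roaming hardware keys are offered.
            $selection['authenticatorAttachment'] = 'cross-platform';
        }
        return $selection;
    }
}

final class OriginValidator
{
    public function __construct(private WebAuthnConfigInterface $config)
    {
    }

    /**
     * Refuses a ceremony whose origin is not the configured admin origin, or whose credential
     * was registered under a different RP ID (admin domain changed since registration, so the
     * credential can no longer assert and the user needs a reset).
     *
     * @param string $clientDataOrigin  "origin" parsed from the browser's clientDataJSON
     * @param string $registeredRpId    RP ID stored alongside the credential at registration
     */
    public function validate(string $clientDataOrigin, string $registeredRpId): void
    {
        if (!in_array(strtolower($clientDataOrigin), $this->config->getAllowedOrigins(), true)) {
            throw new RuntimeException('Origin ' . $clientDataOrigin . ' is not an allowed admin origin');
        }
        if ($registeredRpId !== $this->config->getRpId()) {
            throw new RuntimeException('Admin domain changed since passkey registration; credential must be reset');
        }
    }
}

// Constructed sample values for a stand-alone run.
$config = new AdminTfaConfig('https://shop.example.test/admin', hardwareOnly: true);
$validator = new OriginValidator($config);

// Credential registered under the current admin host: accepted.
$validator->validate('https://shop.example.test', 'shop.example.test');

// Credential registered before the admin host was renamed: rejected with a reset hint.
try {
    $validator->validate('https://shop.example.test', 'old-shop.example.test');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

print_r($config->getAuthenticatorSelection());
```

Deriving both the RP ID and the single allowed origin from one configured URL is what keeps the two consistent; if they were configured separately, a typo in either would silently break every ceremony, and a mismatch between the stored RP ID and the current one is exactly the situation the bulk `security:tfa:passkey:reset-all` command in this PR exists to recover from.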