Controllers and services 

Controllers 

The extension registers backend routes for three controller groups. All controllers use the JsonBodyTrait for parsing JSON request bodies. Login routes use Routes.php (public access). Management and admin routes use AjaxRoutes.php (AJAX, with Sudo Mode on write operations). All paths below are relative to /typo3/.

LoginController (public) 

Handles the passkey login flow. Routes have access: public (via Routes.php).

  • POST /passkeys/login/options
  • POST /passkeys/login/verify

ManagementController (AJAX) 

Passkey lifecycle for the current user (via AjaxRoutes.php). Write operations require Sudo Mode re-authentication.

  • POST /ajax/passkeys/manage/registration/options *
  • POST /ajax/passkeys/manage/registration/verify *
  • GET /ajax/passkeys/manage/list
  • POST /ajax/passkeys/manage/rename *
  • POST /ajax/passkeys/manage/remove *

AdminController (AJAX, admin) 

Administrative operations for any user (via AjaxRoutes.php). Write operations require Sudo Mode re-authentication.

  • GET /ajax/passkeys/admin/list
  • POST /ajax/passkeys/admin/remove *
  • POST /ajax/passkeys/admin/revoke-all *
  • POST /ajax/passkeys/admin/unlock *
  • POST /ajax/passkeys/admin/update-enforcement *
  • POST /ajax/passkeys/admin/send-reminder *
  • POST /ajax/passkeys/admin/clear-nudge *

AdminModuleController (Backend module) 

Renders the Admin Tools > Passkey Management backend module with Dashboard and Help tabs (via Modules.php).

Enforcement status (AJAX) 

Provides enforcement status for the banner.

  • GET /ajax/passkeys/enforcement/status

Routes marked with * are protected by TYPO3's Sudo Mode. When accessed without a recent password verification, they return HTTP 422 with sudoModeInitialization data. The JavaScript handles this transparently by showing a password dialog and retrying the request.
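The 422-and-retry handling described above, written as an added example (this is not the extension's own JavaScript). The names sendWithSudo, promptPassword, fetchImpl and makeFakeBackend are hypothetical, and the content of sudoModeInitialization is treated as opaque because its shape is not documented here:

```javascript
// Added example, not the extension's PasskeyManagement.js.
// Hypothetical names: sendWithSudo, promptPassword, fetchImpl, makeFakeBackend.
async function sendWithSudo(url, body, { fetchImpl = fetch, promptPassword }) {
  const send = () => fetchImpl(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  // Returns the sudoModeInitialization data, or null if this is not a challenge.
  const challengeOf = async (response) => {
    if (response.status !== 422) return null;
    const payload = await response.clone().json().catch(() => null);
    return (payload && payload.sudoModeInitialization) || null;
  };

  let response = await send();
  const challenge = await challengeOf(response);
  // A 422 without sudoModeInitialization is an ordinary error: pass it through.
  if (!challenge) return response;

  // Assumption: promptPassword shows the dialog, performs the re-authentication
  // and resolves true only once the backend has accepted the password.
  if (!(await promptPassword(challenge))) {
    throw new Error('Sudo Mode verification cancelled');
  }

  // Retry exactly once; a second challenge is reported instead of looping.
  response = await send();
  if (await challengeOf(response)) {
    throw new Error('Sudo Mode still required after verification');
  }
  return response;
}

// Constructed stand-in for a *-marked route: challenges until `verified` is set.
function makeFakeBackend() {
  const reply = (status, data) => ({ status, clone() { return this; }, json: async () => data });
  const backend = { verified: false, calls: 0 };
  backend.fetch = async () => {
    backend.calls += 1;
    return backend.verified
      ? reply(200, { status: 'ok' })
      : reply(422, { sudoModeInitialization: { constructed: true } });
  };
  return backend;
}
```

The single retry is deliberate: a client that loops on 422 would keep re-sending a write request that the server has refused to authorize.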

Service classes 

WebAuthnService 

Orchestrates WebAuthn ceremonies using web-auth/webauthn-lib v5.x. Handles registration options, attestation verification, assertion options, and assertion verification.

ChallengeService 

Generates and verifies HMAC-signed challenge tokens with nonce replay protection.

CredentialRepository 

Database access layer for tx_nrpasskeysbe_credential. Uses ConnectionPool directly (no Extbase).

RateLimiterService 

Per-endpoint rate limiting by IP, plus account lockout after a configurable number of failed attempts. Uses the TYPO3 caching framework.

ExtensionConfigurationService 

Reads extension configuration and computes effective values for rpId and origin (auto-detection from request).

EnforcementService 

Determines the effective enforcement level for a user by resolving their group memberships (strictest level wins, shortest grace period wins).

AdoptionStatsService 

Provides adoption statistics for the admin dashboard: overall counts, per-group breakdowns, users without passkeys, and grace period status.

JavaScript modules 

  • PasskeyLogin.js -- Login form passkey button and WebAuthn flow
  • PasskeyManagement.js -- User Settings passkey management panel
  • PasskeyBanner.js -- Encourage-stage onboarding banner
  • PasskeyDashboard.js -- Admin dashboard enforcement controls
  • PasskeyAdminInfo.js -- Admin passkey info in user records