Changelog 

0.3.0 

Features 

  • Inline name input for passkey registration -- users can name their passkey before registering (defaults to "Passkey")
  • Accessible aria-label on the name input field
  • Input is disabled during registration and reset after success

Refactoring 

  • Rewrote PasskeyManagement.js from IIFE to ES module using TYPO3 native APIs: AjaxRequest, Notification, Modal, SeverityEnum, sudoModeInterceptor, DocumentService
  • Replaced PageRenderer::addJsFile() with loadJavaScriptModule()
  • Replaced inline style with CSS class

Fixes 

  • Escape label in removal confirmation modal (XSS prevention)
  • Defer DOM initialization with DocumentService.ready()
  • Resolve AjaxRequest responses and check status before showing success notifications

0.2.0 

Features 

  • Warn about short or missing TYPO3 encryption key in the passkey settings panel (minimum 32 characters required)
  • Include exception details in management API error responses for authenticated users

Documentation 

  • Added Troubleshooting section covering encryption key issues, HTTPS requirements, log location, and debug mode

0.1.0 

Initial release.

Features 

  • Passwordless backend authentication via WebAuthn/FIDO2 Passkeys
  • Passkey button injected into the standard TYPO3 login form via PSR-14 event listener (no login provider switching)
  • Support for TouchID, FaceID, YubiKey, Windows Hello, and other FIDO2-compliant authenticators
  • Authentication service at priority 80 (above standard password service)
  • Authentication data packed into userident field as JSON ($GLOBALS['TYPO3_REQUEST'] is null during auth chain)
  • Credential registration, listing, renaming, and removal for users
  • Admin API for listing and revoking credentials and for unlocking accounts
  • HMAC-SHA256 signed challenge tokens with nonce replay protection
  • Per-endpoint rate limiting by IP address
  • Account lockout after configurable failed attempt threshold
  • Discoverable login (usernameless, Conditional UI) behind feature flag
  • Option to disable password login entirely (passkey-only mode)
  • Configurable signing algorithms (ES256, ES384, ES512, RS256)
  • Configurable user verification requirement
  • User enumeration prevention with randomized timing
  • Soft delete and admin revocation with audit trails
  • Signature counter tracking for clone detection
  • Passkey-specific error message on failed login attempts via sessionStorage detection
  • Default audit log writer (WARNING+ to typo3temp/var/log/passkey_auth.log)
  • TYPO3 13.4 LTS and TYPO3 14.x compatibility
  • PHP 8.2, 8.3, 8.4, and 8.5 support
  • Comprehensive test suite (unit, fuzz, functional, JavaScript)
  • PSR-3 logging for all significant events