feat(auth): replace OAuth with WebAuthn, TOTP, and settings view #121

Merged
barrettruth merged 8 commits from feat/auth-settings-redesign into main 2026-03-27 20:31:55 +00:00
barrettruth commented 2026-03-27 17:46:45 +00:00

Problem

Delta relied on third-party OAuth providers (GitHub/Google/GitLab) for
authentication. For a self-hosted app shared with friends, this is an
unwanted dependency — users should authenticate with hardware keys and
authenticator apps instead.

Solution

Remove all OAuth infrastructure and replace with self-hosted 2FA:

  • WebAuthn/Passkeys: hardware keys (YubiKey, SoloKeys) and platform
    authenticators (Touch ID, Windows Hello, synced passkeys via 1Password
    etc.) for passwordless login or 2FA
  • TOTP: authenticator app codes (Aegis, Bitwarden, etc.) as 2FA
  • Recovery codes: 8 one-time codes shown at 2FA setup, hashed in DB
  • Mandatory 2FA: new users must configure at least one method before
    accessing the app (/setup-2fa redirect)
  • Settings view (/settings): config-file aesthetic with account,
    security (passkey/TOTP/recovery management), and preferences sections.
    Vim mnemonics (l/a/t/r/v/d) on each row. Sidebar footer
    with gear icon + username, S keyboard shortcut
  • Login redesign: password flow with inline TOTP step, "sign in with
    passkey" button for passwordless auth, auto-detect new username and
    switch to sign-up mode with invite code

Env vars for deployment: WEBAUTHN_RP_ID, WEBAUTHN_ORIGIN.
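One way to implement the hashed one-time recovery codes described above, as an added example that is not Delta's own code; the code format, the in-memory store standing in for the DB table, and the choice of SHA-256 are assumptions:

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8   # the PR shows 8 one-time codes at 2FA setup
CODE_BYTES = 5   # 40 bits of entropy per code (assumed format: xxxxx-xxxxx)


def normalize(code: str) -> str:
    """Accept what a user types back: ignore case, dashes and spaces."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str) -> str:
    # Each code carries 40 random bits, so an unsalted fast hash is
    # acceptable here; a low-entropy secret (a password) would instead
    # need a slow, salted KDF.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_recovery_codes(count: int = CODE_COUNT) -> tuple[list[str], list[str]]:
    """Return (plaintext_codes, hashes). Plaintext is shown to the user once;
    only the hashes are persisted."""
    codes, hashes = [], []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        code = f"{raw[:5]}-{raw[5:]}"
        codes.append(code)
        hashes.append(hash_code(code))
    return codes, hashes


class RecoveryCodeStore:
    """Stand-in for the DB rows: each stored hash is redeemable exactly once."""

    def __init__(self, hashes: list[str]) -> None:
        self._unused = list(hashes)

    def redeem(self, submitted: str) -> bool:
        digest = hash_code(submitted)
        for i, stored in enumerate(self._unused):
            # constant-time comparison of the equal-length hex digests
            if hmac.compare_digest(stored, digest):
                del self._unused[i]  # burn the code so it cannot be replayed
                return True
        return False

    @property
    def remaining(self) -> int:
        return len(self._unused)
```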
