From 37e4a15383d586af74e4afc3ed60ccad2c889fe7 Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Thu, 12 Jun 2025 11:54:32 -0400
Subject: [PATCH 1/6] Add webauthn-rs

---
 Cargo.lock               | 194 +++++++++++++++++++++++++++++++++++++++
 Cargo.toml               |   1 +
 apps/labrinth/Cargo.toml |   2 +
 3 files changed, 197 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index 3c29be8c68..607a0c3c5d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -514,6 +514,45 @@ dependencies = [
  "zbus",
 ]
 
+[[package]]
+name = "asn1-rs"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+]
+
 [[package]]
 name = "async-broadcast"
 version = "0.7.2"
@@ -987,6 +1026,17 @@ version = "1.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3"
 
+[[package]]
+name = "base64urlsafedata"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72f0ad38ce7fbed55985ad5b2197f05cff8324ee6eb6638304e78f0108fae56c"
+dependencies = [
+ "base64 0.21.7",
+ "paste",
+ "serde",
+]
+
 [[package]]
 name = "bit-set"
 version = "0.5.3"
@@ -1524,6 +1574,23 @@ dependencies = [
  "tokio-util",
 ]
 
+[[package]]
+name = "compact_jwt"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12bbab6445446e8d0b07468a01d0bfdae15879de5c440c5e47ae4ae0e18a1fba"
+dependencies = [
+ "base64 0.21.7",
+ "base64urlsafedata",
+ "hex",
+ "openssl",
+ "serde",
+ "serde_json",
+ "tracing",
+ "url",
+ "uuid 1.17.0",
+]
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -2020,6 +2087,20 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "der-parser"
+version = "9.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom 7.1.3",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "deranged"
 version = "0.4.0"
@@ -4395,6 +4476,7 @@ dependencies = [
  "urlencoding",
  "uuid 1.17.0",
  "validator",
+ "webauthn-rs",
  "webp",
  "woothee",
  "yaserde",
@@ -5494,6 +5576,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "oid-registry"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -7010,6 +7101,15 @@ dependencies = [
  "semver",
 ]
 
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom 7.1.3",
+]
+
 [[package]]
 name = "rustix"
 version = "0.38.44"
@@ -7508,6 +7608,16 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_cbor_2"
+version = "0.12.0-dev"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b46d75f449e01f1eddbe9b00f432d616fbbd899b809c837d0fbc380496a0dd55"
+dependencies = [
+ "half 1.8.3",
+ "serde",
+]
+
 [[package]]
 name = "serde_derive"
 version = "1.0.219"
@@ -9994,6 +10104,73 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "webauthn-attestation-ca"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29e77e8859ecb93b00e4a8e56ae45f8a8dd69b1539e3d32cf4cce1db9a3a0b99"
+dependencies = [
+ "base64urlsafedata",
+ "openssl",
+ "serde",
+ "tracing",
+ "uuid 1.17.0",
+]
+
+[[package]]
+name = "webauthn-rs"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b44347ee0d66f222043663a6aaf5ec78022b9b11c3a9ed488c21f2bd5680856"
+dependencies = [
+ "base64urlsafedata",
+ "serde",
+ "tracing",
+ "url",
+ "uuid 1.17.0",
+ "webauthn-rs-core",
+]
+
+[[package]]
+name = "webauthn-rs-core"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ef48f07ed8f3dfe304d6c48e85317feba0439675f31a13063b2936c9b4eaf0d"
+dependencies = [
+ "base64 0.21.7",
+ "base64urlsafedata",
+ "compact_jwt",
+ "der-parser",
+ "hex",
+ "nom 7.1.3",
+ "openssl",
+ "rand 0.8.5",
+ "rand_chacha 0.3.1",
+ "serde",
+ "serde_cbor_2",
+ "serde_json",
+ "thiserror 1.0.69",
+ "tracing",
+ "url",
+ "uuid 1.17.0",
+ "webauthn-attestation-ca",
+ "webauthn-rs-proto",
+ "x509-parser",
+]
+
+[[package]]
+name = "webauthn-rs-proto"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "14e1367f70e7dc7b83afc971ce8a54d578f4fdf488ea093021180e073744a69f"
+dependencies = [
+ "base64 0.21.7",
+ "base64urlsafedata",
+ "serde",
+ "serde_json",
+ "url",
+]
+
 [[package]]
 name = "webkit2gtk"
 version = "2.0.1"
@@ -10677,6 +10854,23 @@ dependencies = [
  "pkg-config",
 ]
 
+[[package]]
+name = "x509-parser"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom 7.1.3",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
 [[package]]
 name = "xattr"
 version = "1.5.0"
diff --git a/Cargo.toml b/Cargo.toml
index eabe40a958..c9c58eee8f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -155,6 +155,7 @@ url = "2.5.4"
 urlencoding = "2.1.3"
 uuid = "1.17.0"
 validator = "0.20.0"
+webauthn-rs = "0.5.1"
 webp = { version = "0.3.0", default-features = false }
 whoami = "1.6.0"
 winreg = "0.55.0"
diff --git a/apps/labrinth/Cargo.toml b/apps/labrinth/Cargo.toml
index 53f30a27c4..3423b1be24 100644
--- a/apps/labrinth/Cargo.toml
+++ b/apps/labrinth/Cargo.toml
@@ -119,6 +119,8 @@ ariadne.workspace = true
 
 clap = { workspace = true, features = ["derive"] }
 
+webauthn-rs.workspace = true
+
 [target.'cfg(target_os = "linux")'.dependencies]
 tikv-jemallocator = { workspace = true, features = ["profiling", "unprefixed_malloc_on_supported_platforms"] }
 tikv-jemalloc-ctl = { workspace = true, features = ["stats"] }

From 4cf6429a06133a065e5fb32b244354f4d73da9c0 Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Mon, 14 Jul 2025 20:32:48 -0400
Subject: [PATCH 2/6] Start work on hw security key support

---
 .gitignore                                    |  2 +
 Cargo.lock                                    | 52 +++++------
 Cargo.toml                                    |  2 +-
 apps/frontend/src/pages/settings/account.vue  | 89 +++++++++++++++++++
 apps/labrinth/Cargo.toml                      |  2 +-
 apps/labrinth/src/auth/mod.rs                 |  2 +
 apps/labrinth/src/auth/webauthn.rs            | 30 +++++++
 .../labrinth/src/database/models/flow_item.rs |  7 ++
 apps/labrinth/src/lib.rs                      |  2 +
 apps/labrinth/src/models/v3/users.rs          |  7 +-
 apps/labrinth/src/routes/internal/flows.rs    | 56 +++++++++++-
 apps/labrinth/src/routes/internal/session.rs  | 19 ++++
 apps/labrinth/src/routes/mod.rs               |  4 +
 packages/assets/icons/security-key.svg        |  1 +
 packages/assets/index.ts                      |  2 +
 packages/utils/types.ts                       |  1 +
 16 files changed, 242 insertions(+), 36 deletions(-)
 create mode 100644 apps/labrinth/src/auth/webauthn.rs
 create mode 100644 packages/assets/icons/security-key.svg

diff --git a/.gitignore b/.gitignore
index 41ffebf9a3..ac719fc2cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,3 +61,5 @@ app-playground-data/*
 apps/frontend/.env
 
 .astro
+
+container_data/
diff --git a/Cargo.lock b/Cargo.lock
index 607a0c3c5d..bbe7c1edab 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1028,12 +1028,12 @@ checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3"
 
 [[package]]
 name = "base64urlsafedata"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72f0ad38ce7fbed55985ad5b2197f05cff8324ee6eb6638304e78f0108fae56c"
+checksum = "e5913e643e4dfb43d5908e9e6f1386f8e0dfde086ecef124a6450c6195d89160"
 dependencies = [
  "base64 0.21.7",
- "paste",
+ "pastey",
  "serde",
 ]
 
@@ -1574,23 +1574,6 @@ dependencies = [
  "tokio-util",
 ]
 
-[[package]]
-name = "compact_jwt"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "12bbab6445446e8d0b07468a01d0bfdae15879de5c440c5e47ae4ae0e18a1fba"
-dependencies = [
- "base64 0.21.7",
- "base64urlsafedata",
- "hex",
- "openssl",
- "serde",
- "serde_json",
- "tracing",
- "url",
- "uuid 1.17.0",
-]
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -5641,9 +5624,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.108"
+version = "0.9.109"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847"
+checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
 dependencies = [
  "cc",
  "libc",
@@ -5797,6 +5780,12 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
+[[package]]
+name = "pastey"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b3a8cb46bdc156b1c90460339ae6bfd45ba0394e5effbaa640badb4987fdc261"
+
 [[package]]
 name = "pathdiff"
 version = "0.2.3"
@@ -10106,12 +10095,13 @@ dependencies = [
 
 [[package]]
 name = "webauthn-attestation-ca"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29e77e8859ecb93b00e4a8e56ae45f8a8dd69b1539e3d32cf4cce1db9a3a0b99"
+checksum = "384e43534efe4e8f56c4eb1615a27e24d2ff29281385c843cf9f16ac1077dbdc"
 dependencies = [
  "base64urlsafedata",
  "openssl",
+ "openssl-sys",
  "serde",
  "tracing",
  "uuid 1.17.0",
@@ -10119,9 +10109,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b44347ee0d66f222043663a6aaf5ec78022b9b11c3a9ed488c21f2bd5680856"
+checksum = "ed1f861a94557baeb0cf711e3e55d623c46b68f4aab7aa932562f785b8b5f1ab"
 dependencies = [
  "base64urlsafedata",
  "serde",
@@ -10133,17 +10123,17 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs-core"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ef48f07ed8f3dfe304d6c48e85317feba0439675f31a13063b2936c9b4eaf0d"
+checksum = "269c210cd5f183aaca860bb5733187d1dd110ebed54640f8fc1aca31a04aa4dc"
 dependencies = [
  "base64 0.21.7",
  "base64urlsafedata",
- "compact_jwt",
  "der-parser",
  "hex",
  "nom 7.1.3",
  "openssl",
+ "openssl-sys",
  "rand 0.8.5",
  "rand_chacha 0.3.1",
  "serde",
@@ -10160,9 +10150,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs-proto"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14e1367f70e7dc7b83afc971ce8a54d578f4fdf488ea093021180e073744a69f"
+checksum = "144dbee9abb4bfad78fd283a2613f0312a0ed5955051b7864cfc98679112ae60"
 dependencies = [
  "base64 0.21.7",
  "base64urlsafedata",
diff --git a/Cargo.toml b/Cargo.toml
index c9c58eee8f..579828e01b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -155,7 +155,7 @@ url = "2.5.4"
 urlencoding = "2.1.3"
 uuid = "1.17.0"
 validator = "0.20.0"
-webauthn-rs = "0.5.1"
+webauthn-rs = { version = "0.5.2", features = ["danger-allow-state-serialisation"] }
 webp = { version = "0.3.0", default-features = false }
 whoami = "1.6.0"
 winreg = "0.55.0"
diff --git a/apps/frontend/src/pages/settings/account.vue b/apps/frontend/src/pages/settings/account.vue
index 10c153f3d3..f54e8b510b 100644
--- a/apps/frontend/src/pages/settings/account.vue
+++ b/apps/frontend/src/pages/settings/account.vue
@@ -355,6 +355,20 @@
           </button>
         </div>
       </div>
+      <div class="adjacent-input">
+        <label for="theme-selector">
+          <span class="label__title">Hardware security key</span>
+          <span class="label__description">
+            Add an additional and more secure method of security to your account during login.
+          </span>
+        </label>
+        <div>
+          <button class="iconified-button" @click="showWebauthnModal">
+            <template v-if="auth.user.has_webauthn"> <TrashIcon /> Remove Hardware Security Key </template>
+            <template v-else> <SecurityKeyIcon /> Setup Hardware Security Key </template>
+          </button>
+        </div>
+      </div>
       <div class="adjacent-input">
         <label for="theme-selector">
           <span class="label__title">Manage authentication providers</span>
@@ -579,6 +593,81 @@ async function removeTwoFactor() {
   stopLoading();
 }
 
+const mangeWebauthnModal = ref();
+const webauthnSecret = ref(null);
+const webauthnFlow = ref(null);
+const webauthnStep = ref(0);
+async function showWebauthnModal() {
+  webauthnStep.value = 0;
+  // twoFactorCode.value = null;
+  // twoFactorIncorrect.value = false;
+  if (auth.value.user.has_webauthn) {
+    mangeWebauthnModal.value.show();
+    return;
+  }
+
+  webauthnSecret.value = null;
+  webauthnFlow.value = null;
+  // backupCodes.value = [];
+  mangeWebauthnModal.value.show();
+
+  startLoading();
+  try {
+    const res = await useBaseFetch(`auth/webauthn/register/${auth.value.user.username}`, {
+      method: "POST",
+      internal: true
+    });
+
+    webauthnSecret.value = res.secret;
+    webauthnFlow.value = res.flow;
+  } catch (err) {
+    data.$notify({
+      group: "main",
+      title: "An error occurred",
+      text: err.data ? err.data.description : err,
+      type: "error",
+    });
+  }
+  stopLoading();
+}
+
+// TODO - webauthn
+async function createCredential(ccr) {
+  const publicKeyOptions = convertCcrToPublicKeyOptions(ccr);
+
+  try {
+    const credential = await navigator.credentials.create({
+      publicKey: publicKeyOptions,
+    });
+
+    console.log("created cred", credential);
+    return credential;
+  } catch (err) {
+    console.error("failed to create cred", err);
+    throw err;
+  }
+}
+
+function convertCcrToPublicKeyOptions(ccr) {
+  return {
+    challenge: Uint8Array.from(atob(ccr.challenge), c => c.charCodeAt(0)),
+    rp: {
+      name: ccr.rp.name,
+      id: ccr.rp.id,
+    },
+    user: {
+      id: Uint8Array.from(atob(ccr.user.id), c => c.charCodeAt(0)),
+      name: ccr.user.name,
+      displayName: ccr.user.displayName,
+    },
+    pubKeyCredParams: ccr.pubKeyCredParams,
+    timeout: ccr.timeout,
+    attestation: ccr.attestation,
+    authenticatorSelection: ccr.authenticatorSelection,
+    extensions: ccr.extensions,
+  };
+}
+
 const authProviders = [
   {
     id: "github",
diff --git a/apps/labrinth/Cargo.toml b/apps/labrinth/Cargo.toml
index 3423b1be24..cb5a6cbfac 100644
--- a/apps/labrinth/Cargo.toml
+++ b/apps/labrinth/Cargo.toml
@@ -83,7 +83,7 @@ sqlx = { workspace = true, features = [
     "macros",
     "migrate",
     "rust_decimal",
-    "json",
+    "json"
 ] }
 rust_decimal = { workspace = true, features = [
     "serde-with-float",
diff --git a/apps/labrinth/src/auth/mod.rs b/apps/labrinth/src/auth/mod.rs
index e2dc16ff86..5516b1048c 100644
--- a/apps/labrinth/src/auth/mod.rs
+++ b/apps/labrinth/src/auth/mod.rs
@@ -3,6 +3,8 @@ pub mod email;
 pub mod oauth;
 pub mod templates;
 pub mod validate;
+pub mod webauthn;
+
 pub use crate::auth::email::send_email;
 pub use checks::{
     filter_enlisted_projects_ids, filter_enlisted_version_ids,
diff --git a/apps/labrinth/src/auth/webauthn.rs b/apps/labrinth/src/auth/webauthn.rs
new file mode 100644
index 0000000000..5a77617e6c
--- /dev/null
+++ b/apps/labrinth/src/auth/webauthn.rs
@@ -0,0 +1,30 @@
+use actix_web::web::Data;
+use regex::Regex;
+use webauthn_rs::{Webauthn, WebauthnBuilder};
+
+pub fn startup() -> Data<Webauthn> {
+    let url = url::Url::parse(&dotenvy::var("SITE_URL").unwrap_or_default())
+        .unwrap();
+    
+    let rp_id = dotenvy::var("SITE_URL")
+        .ok()
+        .and_then(|s| {
+            Regex::new(r"^(?:http|https)://([^:/]+)")
+                .ok()
+                .and_then(|re| re.captures(&s))
+                .and_then(|caps| caps.get(1))
+                .map(|m| m.as_str().to_string())
+        })
+        .unwrap_or_default();
+
+    let builder = WebauthnBuilder::new(&rp_id, &url)
+        .expect("Invalid configuration");
+    
+    let builder = builder.rp_name("Actix-web modrinth");
+
+
+    let webauthn = Data::new(builder.build()
+        .expect("Invalid configuration"));
+
+    webauthn
+}
\ No newline at end of file
diff --git a/apps/labrinth/src/database/models/flow_item.rs b/apps/labrinth/src/database/models/flow_item.rs
index 53bd379c53..8b41443394 100644
--- a/apps/labrinth/src/database/models/flow_item.rs
+++ b/apps/labrinth/src/database/models/flow_item.rs
@@ -10,6 +10,8 @@ use rand::distributions::Alphanumeric;
 use rand_chacha::ChaCha20Rng;
 use rand_chacha::rand_core::SeedableRng;
 use serde::{Deserialize, Serialize};
+use webauthn_rs::prelude::PasskeyRegistration;
+use crate::routes::internal::session::PasskeyRegistrationState;
 
 const FLOWS_NAMESPACE: &str = "flows";
 
@@ -28,6 +30,11 @@ pub enum DBFlow {
         user_id: DBUserId,
         secret: String,
     },
+    InitializeWebauthn {
+        username: String,
+        user_id: DBUserId,
+        reg_state: PasskeyRegistration,
+    },
     ForgotPassword {
         user_id: DBUserId,
     },
diff --git a/apps/labrinth/src/lib.rs b/apps/labrinth/src/lib.rs
index 66007a9a2f..dca50a41f2 100644
--- a/apps/labrinth/src/lib.rs
+++ b/apps/labrinth/src/lib.rs
@@ -19,6 +19,7 @@ use crate::queue::moderation::AutomatedModerationQueue;
 use crate::util::env::{parse_strings_from_var, parse_var};
 use crate::util::ratelimit::{AsyncRateLimiter, GCRAParameters};
 use sync::friends::handle_pubsub;
+use crate::auth::webauthn;
 
 pub mod auth;
 pub mod background_task;
@@ -313,6 +314,7 @@ pub fn app_config(
     .app_data(labrinth_config.automated_moderation_queue.clone())
     .app_data(web::Data::new(labrinth_config.stripe_client.clone()))
     .app_data(labrinth_config.rate_limiter.clone())
+    .app_data(webauthn::startup().clone())
     .configure(
         #[allow(unused_variables)]
         |cfg| {
diff --git a/apps/labrinth/src/models/v3/users.rs b/apps/labrinth/src/models/v3/users.rs
index 42d5053574..eafa5ad8f2 100644
--- a/apps/labrinth/src/models/v3/users.rs
+++ b/apps/labrinth/src/models/v3/users.rs
@@ -46,6 +46,7 @@ pub struct User {
     pub email_verified: Option<bool>,
     pub has_password: Option<bool>,
     pub has_totp: Option<bool>,
+    pub has_webauthn: Option<bool>,
     pub payout_data: Option<UserPayoutData>,
     pub stripe_customer_id: Option<String>,
     pub allow_friend_requests: Option<bool>,
@@ -80,9 +81,10 @@ impl From<DBUser> for User {
             auth_providers: None,
             has_password: None,
             has_totp: None,
+            has_webauthn: None,
             github_id: None,
             stripe_customer_id: None,
-            allow_friend_requests: None,
+            allow_friend_requests: None
         }
     }
 }
@@ -126,6 +128,7 @@ impl User {
             auth_providers: Some(auth_providers),
             has_password: Some(db_user.password.is_some()),
             has_totp: Some(db_user.totp_secret.is_some()),
+            has_webauthn: Some(false), // TODO - webauthn
             github_id: None,
             payout_data: Some(UserPayoutData {
                 paypal_address: db_user.paypal_email,
@@ -189,7 +192,7 @@ impl Role {
 pub struct UserFriend {
     // The user who accepted the friend request
     pub id: UserId,
-    /// THe user who sent the friend request
+    /// The user who sent the friend request
     pub friend_id: UserId,
     pub accepted: bool,
     pub created: DateTime<Utc>,
diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
index 1117c95160..344bcde208 100644
--- a/apps/labrinth/src/routes/internal/flows.rs
+++ b/apps/labrinth/src/routes/internal/flows.rs
@@ -1,7 +1,7 @@
 use crate::auth::email::send_email;
 use crate::auth::validate::get_user_record_from_bearer_token;
 use crate::auth::{AuthProvider, AuthenticationError, get_user_from_headers};
-use crate::database::models::DBUser;
+use crate::database::models::{DBUser, DBUserId};
 use crate::database::models::flow_item::DBFlow;
 use crate::database::redis::RedisPool;
 use crate::file_hosting::FileHost;
@@ -31,7 +31,9 @@ use sqlx::postgres::PgPool;
 use std::collections::HashMap;
 use std::str::FromStr;
 use std::sync::Arc;
+use uuid::Uuid;
 use validator::Validate;
+use webauthn_rs::Webauthn;
 use zxcvbn::Score;
 
 pub fn config(cfg: &mut ServiceConfig) {
@@ -48,6 +50,7 @@ pub fn config(cfg: &mut ServiceConfig) {
             .service(remove_2fa)
             .service(reset_password_begin)
             .service(change_password)
+            .service(webauthn_registration)
             .service(resend_verify_email)
             .service(set_email)
             .service(verify_email)
@@ -2156,6 +2159,57 @@ pub async fn change_password(
     Ok(HttpResponse::Ok().finish())
 }
 
+#[post("webauthn/register/{username}")]
+pub async fn webauthn_registration(
+    username: web::Path<String>,
+    req: HttpRequest,
+    pool: Data<PgPool>,
+    redis: Data<RedisPool>,
+    session_queue: Data<AuthQueue>,
+    webauthn: Data<Webauthn>,
+) -> Result<HttpResponse, ApiError> {
+    let user = get_user_from_headers(
+        &req,
+        &**pool,
+        &redis,
+        &session_queue,
+        Scopes::USER_AUTH_WRITE,
+    )
+    .await?
+    .1;
+
+    let db_user_id: DBUserId = user.id.into();
+
+    // Convert i64 user id to uuid
+    let user_uuid = Uuid::from_u128(db_user_id.0 as u128);
+
+    let (ccr, reg_state) = webauthn
+        .start_passkey_registration(
+            user_uuid,
+            &username,
+            &username,
+            None
+            //exclude_credentials,
+        )
+        .map_err(|_| {
+            // TODO - Error handling
+            ApiError::WebauthnRegistration
+        })?;
+
+    let flow = DBFlow::InitializeWebauthn {
+            username: username.into_inner(),
+            user_id: db_user_id.clone(),
+            reg_state,
+        }
+        .insert(Duration::minutes(30), &redis)
+        .await?;
+
+    Ok(HttpResponse::Ok().json(serde_json::json!({
+        "challenge": ccr,
+        "flow": flow,
+    })))
+}
+
 #[derive(Deserialize, Validate)]
 pub struct SetEmail {
     #[validate(email)]
diff --git a/apps/labrinth/src/routes/internal/session.rs b/apps/labrinth/src/routes/internal/session.rs
index 63ac84bd81..5e201f0763 100644
--- a/apps/labrinth/src/routes/internal/session.rs
+++ b/apps/labrinth/src/routes/internal/session.rs
@@ -16,6 +16,8 @@ use rand::distributions::Alphanumeric;
 use rand::{Rng, SeedableRng};
 use rand_chacha::ChaCha20Rng;
 use sqlx::PgPool;
+use uuid::Uuid;
+use webauthn_rs::prelude::{PasskeyAuthentication, PasskeyRegistration};
 use woothee::parser::Parser;
 
 pub fn config(cfg: &mut ServiceConfig) {
@@ -27,6 +29,17 @@ pub fn config(cfg: &mut ServiceConfig) {
     );
 }
 
+pub struct PasskeyRegistrationState {
+    pub username: String,
+    pub id: Uuid,
+    pub passkey_registration: PasskeyRegistration,
+}
+
+pub struct PasskeyAuthenticationState {
+    pub user_id: Uuid,
+    pub passkey_authentication: PasskeyAuthentication,
+}
+
 pub struct SessionMetadata {
     pub city: Option<String>,
     pub country: Option<String>,
@@ -35,6 +48,9 @@ pub struct SessionMetadata {
     pub os: Option<String>,
     pub platform: Option<String>,
     pub user_agent: String,
+
+    pub passkey_registration_state: Option<PasskeyRegistrationState>,
+    pub passkey_authentication_state: Option<PasskeyAuthenticationState>,
 }
 
 pub async fn get_session_metadata(
@@ -80,6 +96,9 @@ pub async fn get_session_metadata(
             .ok_or_else(|| AuthenticationError::InvalidCredentials)?
             .to_string(),
         user_agent: user_agent.to_string(),
+        // TODO - Webauthn
+        passkey_registration_state: None,
+        passkey_authentication_state: None,
     })
 }
 
diff --git a/apps/labrinth/src/routes/mod.rs b/apps/labrinth/src/routes/mod.rs
index caa143f259..efb46a45c9 100644
--- a/apps/labrinth/src/routes/mod.rs
+++ b/apps/labrinth/src/routes/mod.rs
@@ -143,6 +143,8 @@ pub enum ApiError {
     RateLimitError(u128, u32),
     #[error("Error while interacting with payment processor: {0}")]
     Stripe(#[from] stripe::StripeError),
+    #[error("Error during webauthn registration")]
+    WebauthnRegistration
 }
 
 impl ApiError {
@@ -176,6 +178,7 @@ impl ApiError {
                 ApiError::Io(..) => "io_error",
                 ApiError::RateLimitError(..) => "ratelimit_error",
                 ApiError::Stripe(..) => "stripe_error",
+                ApiError::WebauthnRegistration => "webauthn_registration_error",
             },
             description: self.to_string(),
         }
@@ -212,6 +215,7 @@ impl actix_web::ResponseError for ApiError {
             ApiError::Io(..) => StatusCode::BAD_REQUEST,
             ApiError::RateLimitError(..) => StatusCode::TOO_MANY_REQUESTS,
             ApiError::Stripe(..) => StatusCode::FAILED_DEPENDENCY,
+            ApiError::WebauthnRegistration => StatusCode::BAD_REQUEST,
         }
     }
 
diff --git a/packages/assets/icons/security-key.svg b/packages/assets/icons/security-key.svg
new file mode 100644
index 0000000000..716b282052
--- /dev/null
+++ b/packages/assets/icons/security-key.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 24 24" fill="none" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><path fill="currentColor" d="M10.423 22q-.69 0-1.153-.462t-.462-1.153v-2.943h-.192q-.691 0-1.153-.462T7 15.827V3.616q0-.691.463-1.153T8.616 2h6.769q.69 0 1.153.463T17 3.616v12.211q0 .69-.462 1.153t-1.153.462h-.193v2.943q0 .69-.462 1.153T13.577 22zM12 12.02q.962 0 1.635-.664t.673-1.625t-.674-1.644T12 7.404t-1.634.683t-.674 1.644t.674 1.625t1.634.663M10.27 21h3.48q.192 0 .327-.134q.135-.135.135-.327v-3.097H9.808v3.097q0 .192.134.327q.135.134.327.134M12 11.02q-.54 0-.914-.375t-.375-.914t.374-.934t.915-.393t.934.393t.393.934t-.393.914t-.934.374"/></svg>
\ No newline at end of file
diff --git a/packages/assets/index.ts b/packages/assets/index.ts
index df7df42472..9e95833915 100644
--- a/packages/assets/index.ts
+++ b/packages/assets/index.ts
@@ -161,6 +161,7 @@ import _SaveIcon from './icons/save.svg?component'
 import _ScaleIcon from './icons/scale.svg?component'
 import _ScanEyeIcon from './icons/scan-eye.svg?component'
 import _SearchIcon from './icons/search.svg?component'
+import _SecurityKeyIcon from './icons/security-key.svg?component'
 import _SendIcon from './icons/send.svg?component'
 import _ServerIcon from './icons/server.svg?component'
 import _SettingsIcon from './icons/settings.svg?component'
@@ -381,6 +382,7 @@ export const SaveIcon = _SaveIcon
 export const ScaleIcon = _ScaleIcon
 export const ScanEyeIcon = _ScanEyeIcon
 export const SearchIcon = _SearchIcon
+export const SecurityKeyIcon = _SecurityKeyIcon
 export const SendIcon = _SendIcon
 export const ServerIcon = _ServerIcon
 export const SettingsIcon = _SettingsIcon
diff --git a/packages/utils/types.ts b/packages/utils/types.ts
index b5ccbd5030..0c0b962cd1 100644
--- a/packages/utils/types.ts
+++ b/packages/utils/types.ts
@@ -255,6 +255,7 @@ export interface User {
   email_verified?: boolean
   has_password?: boolean
   has_totp?: boolean
+  has_webauthn?: boolean
 }
 
 export enum TeamMemberPermission {

From b8fabd761746f5f9ed59e9282bfcd4a260cef297 Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Mon, 14 Jul 2025 22:37:21 -0400
Subject: [PATCH 3/6] Finish registration in labrinth

---
 apps/docs/public/openapi.yaml                 |  4 +
 apps/frontend/src/pages/settings/account.vue  | 98 +++++++++----------
 apps/frontend/src/pages/user/[id].vue         |  7 ++
 .../migrations/20250715014925_webauthn.sql    |  2 +
 apps/labrinth/src/auth/webauthn.rs            | 20 ++--
 .../labrinth/src/database/models/flow_item.rs |  1 -
 .../labrinth/src/database/models/user_item.rs |  8 +-
 apps/labrinth/src/lib.rs                      |  2 +-
 apps/labrinth/src/models/v2/user.rs           |  2 +
 apps/labrinth/src/models/v3/users.rs          |  4 +-
 apps/labrinth/src/routes/internal/flows.rs    | 83 ++++++++++++----
 apps/labrinth/src/routes/mod.rs               |  2 +-
 .../tests/common/api_common/models.rs         |  1 +
 13 files changed, 150 insertions(+), 84 deletions(-)
 create mode 100644 apps/labrinth/migrations/20250715014925_webauthn.sql

diff --git a/apps/docs/public/openapi.yaml b/apps/docs/public/openapi.yaml
index 73b2b05b7b..a15cd042c0 100644
--- a/apps/docs/public/openapi.yaml
+++ b/apps/docs/public/openapi.yaml
@@ -1290,6 +1290,10 @@ components:
               type: boolean
               description: Whether you have TOTP two-factor authentication connected to your account (only displayed if requesting your own account)
               nullable: true
+            has_webauthn:
+              type: boolean
+              description: Whether you have Webauthn authentication connected to your account (only displayed if requesting your own account)
+              nullable: true
             github_id:
               deprecated: true
               type: integer
diff --git a/apps/frontend/src/pages/settings/account.vue b/apps/frontend/src/pages/settings/account.vue
index f54e8b510b..a5f68f49a3 100644
--- a/apps/frontend/src/pages/settings/account.vue
+++ b/apps/frontend/src/pages/settings/account.vue
@@ -364,7 +364,9 @@
         </label>
         <div>
           <button class="iconified-button" @click="showWebauthnModal">
-            <template v-if="auth.user.has_webauthn"> <TrashIcon /> Remove Hardware Security Key </template>
+            <template v-if="auth.user.has_webauthn">
+              <TrashIcon /> Remove Hardware Security Key
+            </template>
             <template v-else> <SecurityKeyIcon /> Setup Hardware Security Key </template>
           </button>
         </div>
@@ -428,6 +430,7 @@ import {
   PlusIcon,
   RightArrowIcon,
   SaveIcon,
+  SecurityKeyIcon,
   SettingsIcon,
   TrashIcon,
   UpdatedIcon,
@@ -594,32 +597,47 @@ async function removeTwoFactor() {
 }
 
 const mangeWebauthnModal = ref();
-const webauthnSecret = ref(null);
-const webauthnFlow = ref(null);
-const webauthnStep = ref(0);
 async function showWebauthnModal() {
-  webauthnStep.value = 0;
-  // twoFactorCode.value = null;
-  // twoFactorIncorrect.value = false;
   if (auth.value.user.has_webauthn) {
     mangeWebauthnModal.value.show();
     return;
   }
 
-  webauthnSecret.value = null;
-  webauthnFlow.value = null;
-  // backupCodes.value = [];
-  mangeWebauthnModal.value.show();
-
   startLoading();
   try {
-    const res = await useBaseFetch(`auth/webauthn/register/${auth.value.user.username}`, {
+    const res = await useBaseFetch(`auth/webauthn/register/start/${auth.value.user.username}`, {
+      method: "POST",
+      internal: true,
+    });
+
+    const publicKey = res.challenge.publicKey;
+    publicKey.challenge = b64urlToUint8Array(publicKey.challenge);
+    publicKey.user.id = b64urlToUint8Array(publicKey.user.id);
+
+    const credential = await navigator.credentials.create({ publicKey });
+
+    console.log("Created webauthn credential", credential);
+
+    const jsonCredential = {
+      id: credential.id,
+      rawId: uint8ArrayToB64url(credential.rawId),
+      type: credential.type,
+      response: {
+        clientDataJSON: uint8ArrayToB64url(credential.response.clientDataJSON),
+        attestationObject: uint8ArrayToB64url(credential.response.attestationObject),
+      },
+    };
+
+    await useBaseFetch("auth/webauthn/register/finish", {
       method: "POST",
-      internal: true
+      internal: true,
+      body: {
+        cred: jsonCredential,
+        flow: res.flow
+      },
     });
 
-    webauthnSecret.value = res.secret;
-    webauthnFlow.value = res.flow;
+    mangeWebauthnModal.value.show();
   } catch (err) {
     data.$notify({
       group: "main",
@@ -631,41 +649,23 @@ async function showWebauthnModal() {
   stopLoading();
 }
 
-// TODO - webauthn
-async function createCredential(ccr) {
-  const publicKeyOptions = convertCcrToPublicKeyOptions(ccr);
-
-  try {
-    const credential = await navigator.credentials.create({
-      publicKey: publicKeyOptions,
-    });
-
-    console.log("created cred", credential);
-    return credential;
-  } catch (err) {
-    console.error("failed to create cred", err);
-    throw err;
-  }
+function b64urlToUint8Array(b64url) {
+  const base64 = b64url
+      .replace(/-/g, '+')
+      .replace(/_/g, '/')
+      .padEnd(b64url.length + (4 - b64url.length % 4) % 4, '=');
+  const binary = atob(base64);
+  return Uint8Array.from(binary, c => c.charCodeAt(0));
 }
 
-function convertCcrToPublicKeyOptions(ccr) {
-  return {
-    challenge: Uint8Array.from(atob(ccr.challenge), c => c.charCodeAt(0)),
-    rp: {
-      name: ccr.rp.name,
-      id: ccr.rp.id,
-    },
-    user: {
-      id: Uint8Array.from(atob(ccr.user.id), c => c.charCodeAt(0)),
-      name: ccr.user.name,
-      displayName: ccr.user.displayName,
-    },
-    pubKeyCredParams: ccr.pubKeyCredParams,
-    timeout: ccr.timeout,
-    attestation: ccr.attestation,
-    authenticatorSelection: ccr.authenticatorSelection,
-    extensions: ccr.extensions,
-  };
+function uint8ArrayToB64url(buf) {
+  let binary = "";
+  const bytes = new Uint8Array(buf);
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
 }
 
 const authProviders = [
diff --git a/apps/frontend/src/pages/user/[id].vue b/apps/frontend/src/pages/user/[id].vue
index 11f5678667..98499ca2f4 100644
--- a/apps/frontend/src/pages/user/[id].vue
+++ b/apps/frontend/src/pages/user/[id].vue
@@ -51,6 +51,13 @@
             {{ user.has_totp ? "Yes" : "No" }}
           </span>
         </div>
+
+        <div class="flex flex-col gap-1">
+          <span class="text-lg font-bold text-primary"> Has Hardware Security Key </span>
+          <span>
+            {{ user.has_webauthn ? "Yes" : "No" }}
+          </span>
+        </div>
       </div>
     </NewModal>
     <div class="new-page sidebar" :class="{ 'alt-layout': cosmetics.leftContentLayout }">
diff --git a/apps/labrinth/migrations/20250715014925_webauthn.sql b/apps/labrinth/migrations/20250715014925_webauthn.sql
new file mode 100644
index 0000000000..9e25126d39
--- /dev/null
+++ b/apps/labrinth/migrations/20250715014925_webauthn.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+    ADD COLUMN webauthn_passkey jsonb default NULL
\ No newline at end of file
diff --git a/apps/labrinth/src/auth/webauthn.rs b/apps/labrinth/src/auth/webauthn.rs
index 5a77617e6c..f26fdcef25 100644
--- a/apps/labrinth/src/auth/webauthn.rs
+++ b/apps/labrinth/src/auth/webauthn.rs
@@ -3,9 +3,9 @@ use regex::Regex;
 use webauthn_rs::{Webauthn, WebauthnBuilder};
 
 pub fn startup() -> Data<Webauthn> {
-    let url = url::Url::parse(&dotenvy::var("SITE_URL").unwrap_or_default())
-        .unwrap();
-    
+    let url =
+        url::Url::parse(&dotenvy::var("SITE_URL").unwrap_or_default()).unwrap();
+
     let rp_id = dotenvy::var("SITE_URL")
         .ok()
         .and_then(|s| {
@@ -17,14 +17,10 @@ pub fn startup() -> Data<Webauthn> {
         })
         .unwrap_or_default();
 
-    let builder = WebauthnBuilder::new(&rp_id, &url)
-        .expect("Invalid configuration");
-    
-    let builder = builder.rp_name("Actix-web modrinth");
-
+    let builder =
+        WebauthnBuilder::new(&rp_id, &url).expect("Invalid configuration");
 
-    let webauthn = Data::new(builder.build()
-        .expect("Invalid configuration"));
+    let builder = builder.rp_name("Actix-web modrinth");
 
-    webauthn
-}
\ No newline at end of file
+    Data::new(builder.build().expect("Invalid configuration"))
+}
diff --git a/apps/labrinth/src/database/models/flow_item.rs b/apps/labrinth/src/database/models/flow_item.rs
index 8b41443394..35e3f7bfc7 100644
--- a/apps/labrinth/src/database/models/flow_item.rs
+++ b/apps/labrinth/src/database/models/flow_item.rs
@@ -11,7 +11,6 @@ use rand_chacha::ChaCha20Rng;
 use rand_chacha::rand_core::SeedableRng;
 use serde::{Deserialize, Serialize};
 use webauthn_rs::prelude::PasskeyRegistration;
-use crate::routes::internal::session::PasskeyRegistrationState;
 
 const FLOWS_NAMESPACE: &str = "flows";
 
diff --git a/apps/labrinth/src/database/models/user_item.rs b/apps/labrinth/src/database/models/user_item.rs
index d38ed84603..79794ef5bd 100644
--- a/apps/labrinth/src/database/models/user_item.rs
+++ b/apps/labrinth/src/database/models/user_item.rs
@@ -13,6 +13,7 @@ use dashmap::DashMap;
 use serde::{Deserialize, Serialize};
 use std::fmt::{Debug, Display};
 use std::hash::Hash;
+use webauthn_rs::prelude::Passkey;
 
 const USERS_NAMESPACE: &str = "users";
 const USER_USERNAMES_NAMESPACE: &str = "users_usernames";
@@ -37,6 +38,7 @@ pub struct DBUser {
     pub stripe_customer_id: Option<String>,
 
     pub totp_secret: Option<String>,
+    pub webauthn_passkey: Option<Passkey>,
 
     pub username: String,
     pub email: Option<String>,
@@ -177,7 +179,7 @@ impl DBUser {
                         avatar_url, raw_avatar_url, username, bio,
                         created, role, badges,
                         github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,
-                        email_verified, password, totp_secret, paypal_id, paypal_country, paypal_email,
+                        email_verified, password, totp_secret, webauthn_passkey, paypal_id, paypal_country, paypal_email,
                         venmo_handle, stripe_customer_id, allow_friend_requests
                     FROM users
                     WHERE id = ANY($1) OR LOWER(username) = ANY($2)
@@ -211,6 +213,10 @@ impl DBUser {
                             venmo_handle: u.venmo_handle,
                             stripe_customer_id: u.stripe_customer_id,
                             totp_secret: u.totp_secret,
+                            webauthn_passkey: u.webauthn_passkey
+                                .map(|v| serde_json::from_value(v))
+                                .transpose()
+                                .unwrap_or_default(),
                             allow_friend_requests: u.allow_friend_requests,
                         };
 
diff --git a/apps/labrinth/src/lib.rs b/apps/labrinth/src/lib.rs
index dca50a41f2..14a1547cea 100644
--- a/apps/labrinth/src/lib.rs
+++ b/apps/labrinth/src/lib.rs
@@ -14,12 +14,12 @@ extern crate clickhouse as clickhouse_crate;
 use clickhouse_crate::Client;
 use util::cors::default_cors;
 
+use crate::auth::webauthn;
 use crate::background_task::update_versions;
 use crate::queue::moderation::AutomatedModerationQueue;
 use crate::util::env::{parse_strings_from_var, parse_var};
 use crate::util::ratelimit::{AsyncRateLimiter, GCRAParameters};
 use sync::friends::handle_pubsub;
-use crate::auth::webauthn;
 
 pub mod auth;
 pub mod background_task;
diff --git a/apps/labrinth/src/models/v2/user.rs b/apps/labrinth/src/models/v2/user.rs
index f8e9d0d0db..5c1e75285a 100644
--- a/apps/labrinth/src/models/v2/user.rs
+++ b/apps/labrinth/src/models/v2/user.rs
@@ -22,6 +22,7 @@ pub struct LegacyUser {
     pub email_verified: Option<bool>,
     pub has_password: Option<bool>,
     pub has_totp: Option<bool>,
+    pub has_webauthn: Option<bool>,
     pub payout_data: Option<UserPayoutData>, // this was changed in v3, but not ones we want to keep out of v2
 
     // DEPRECATED. Always returns None
@@ -45,6 +46,7 @@ impl From<crate::models::v3::users::User> for LegacyUser {
             auth_providers: data.auth_providers,
             has_password: data.has_password,
             has_totp: data.has_totp,
+            has_webauthn: data.has_webauthn,
             github_id: data.github_id,
         }
     }
diff --git a/apps/labrinth/src/models/v3/users.rs b/apps/labrinth/src/models/v3/users.rs
index eafa5ad8f2..e5d4879d30 100644
--- a/apps/labrinth/src/models/v3/users.rs
+++ b/apps/labrinth/src/models/v3/users.rs
@@ -84,7 +84,7 @@ impl From<DBUser> for User {
             has_webauthn: None,
             github_id: None,
             stripe_customer_id: None,
-            allow_friend_requests: None
+            allow_friend_requests: None,
         }
     }
 }
@@ -128,7 +128,7 @@ impl User {
             auth_providers: Some(auth_providers),
             has_password: Some(db_user.password.is_some()),
             has_totp: Some(db_user.totp_secret.is_some()),
-            has_webauthn: Some(false), // TODO - webauthn
+            has_webauthn: Some(db_user.webauthn_passkey.is_some()),
             github_id: None,
             payout_data: Some(UserPayoutData {
                 paypal_address: db_user.paypal_email,
diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
index 344bcde208..1b7898d1e2 100644
--- a/apps/labrinth/src/routes/internal/flows.rs
+++ b/apps/labrinth/src/routes/internal/flows.rs
@@ -1,8 +1,8 @@
 use crate::auth::email::send_email;
 use crate::auth::validate::get_user_record_from_bearer_token;
 use crate::auth::{AuthProvider, AuthenticationError, get_user_from_headers};
-use crate::database::models::{DBUser, DBUserId};
 use crate::database::models::flow_item::DBFlow;
+use crate::database::models::{DBUser, DBUserId};
 use crate::database::redis::RedisPool;
 use crate::file_hosting::FileHost;
 use crate::models::pats::Scopes;
@@ -33,6 +33,7 @@ use std::str::FromStr;
 use std::sync::Arc;
 use uuid::Uuid;
 use validator::Validate;
+use webauthn_rs::prelude::{RegisterPublicKeyCredential};
 use webauthn_rs::Webauthn;
 use zxcvbn::Score;
 
@@ -50,7 +51,8 @@ pub fn config(cfg: &mut ServiceConfig) {
             .service(remove_2fa)
             .service(reset_password_begin)
             .service(change_password)
-            .service(webauthn_registration)
+            .service(webauthn_register_start)
+            .service(webauthn_register_finish)
             .service(resend_verify_email)
             .service(set_email)
             .service(verify_email)
@@ -223,6 +225,7 @@ impl TempUser {
                 venmo_handle: None,
                 stripe_customer_id: None,
                 totp_secret: None,
+                webauthn_passkey: None,
                 username,
                 email: self.email,
                 email_verified: true,
@@ -1416,6 +1419,7 @@ pub async fn create_account_with_password(
         venmo_handle: None,
         stripe_customer_id: None,
         totp_secret: None,
+        webauthn_passkey: None,
         username: new_account.username.clone(),
         email: Some(new_account.email.clone()),
         email_verified: false,
@@ -2159,8 +2163,14 @@ pub async fn change_password(
     Ok(HttpResponse::Ok().finish())
 }
 
-#[post("webauthn/register/{username}")]
-pub async fn webauthn_registration(
+#[derive(Deserialize, Validate)]
+pub struct SetupWebauthnFinish {
+    pub cred: RegisterPublicKeyCredential,
+    pub flow: String,
+}
+
+#[post("webauthn/register/start/{username}")]
+pub async fn webauthn_register_start(
     username: web::Path<String>,
     req: HttpRequest,
     pool: Data<PgPool>,
@@ -2185,24 +2195,20 @@ pub async fn webauthn_registration(
 
     let (ccr, reg_state) = webauthn
         .start_passkey_registration(
-            user_uuid,
-            &username,
-            &username,
-            None
-            //exclude_credentials,
+            user_uuid, &username, &username, None, //exclude_credentials, TODO
         )
-        .map_err(|_| {
-            // TODO - Error handling
+        .map_err(|e| {
+            tracing::error!("Encountered error while starting passkey reg: {e}");
             ApiError::WebauthnRegistration
         })?;
 
     let flow = DBFlow::InitializeWebauthn {
-            username: username.into_inner(),
-            user_id: db_user_id.clone(),
-            reg_state,
-        }
-        .insert(Duration::minutes(30), &redis)
-        .await?;
+        username: username.into_inner(),
+        user_id: db_user_id,
+        reg_state,
+    }
+    .insert(Duration::minutes(30), &redis)
+    .await?;
 
     Ok(HttpResponse::Ok().json(serde_json::json!({
         "challenge": ccr,
@@ -2210,6 +2216,49 @@ pub async fn webauthn_registration(
     })))
 }
 
+#[post("webauthn/register/finish")]
+pub async fn webauthn_register_finish(
+    pool: Data<PgPool>,
+    redis: Data<RedisPool>,
+    login: web::Json<SetupWebauthnFinish>,
+    webauthn: Data<Webauthn>,
+) -> Result<HttpResponse, ApiError> {
+    let flow = DBFlow::get(&login.flow, &redis)
+        .await?
+        .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
+
+    if let DBFlow::InitializeWebauthn { user_id, reg_state, .. } = flow {
+        let sk = webauthn
+            .finish_passkey_registration(&login.cred, &reg_state)
+            .map_err(|e| {
+                tracing::error!("Encountered error while finishing passkey reg: {e}");
+                ApiError::WebauthnRegistration
+            })?;
+
+        let sk_json = serde_json::to_value(&sk)
+            .map_err(|_| ApiError::WebauthnRegistration)?;
+
+        sqlx::query!(
+            "
+            UPDATE users
+            SET webauthn_passkey = $2
+            WHERE (id = $1)
+            ",
+            user_id.0,
+            sk_json
+        )
+            .execute(&**pool)
+            .await?;
+
+
+        Ok(HttpResponse::Ok().finish())
+    } else {
+        Err(ApiError::Authentication(
+            AuthenticationError::InvalidCredentials,
+        ))
+    }
+}
+
 #[derive(Deserialize, Validate)]
 pub struct SetEmail {
     #[validate(email)]
diff --git a/apps/labrinth/src/routes/mod.rs b/apps/labrinth/src/routes/mod.rs
index efb46a45c9..7f20fb07b4 100644
--- a/apps/labrinth/src/routes/mod.rs
+++ b/apps/labrinth/src/routes/mod.rs
@@ -144,7 +144,7 @@ pub enum ApiError {
     #[error("Error while interacting with payment processor: {0}")]
     Stripe(#[from] stripe::StripeError),
     #[error("Error during webauthn registration")]
-    WebauthnRegistration
+    WebauthnRegistration,
 }
 
 impl ApiError {
diff --git a/apps/labrinth/tests/common/api_common/models.rs b/apps/labrinth/tests/common/api_common/models.rs
index b33324104f..bbb9ccd14b 100644
--- a/apps/labrinth/tests/common/api_common/models.rs
+++ b/apps/labrinth/tests/common/api_common/models.rs
@@ -239,6 +239,7 @@ pub struct CommonUser {
     pub email_verified: Option<bool>,
     pub has_password: Option<bool>,
     pub has_totp: Option<bool>,
+    pub has_webauthn: Option<bool>,
     pub payout_data: Option<UserPayoutData>,
     pub github_id: Option<u64>,
 }

From 30ac90ca03ac5b015515cbfaaa6b2780831bf8d0 Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Fri, 1 Aug 2025 14:47:05 -0400
Subject: [PATCH 4/6] Update query's

---
 ...7cae270a26aa075e1e06f89528739e3f557b.json} | 20 ++++++++++++-------
 ...d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json | 15 ++++++++++++++
 2 files changed, 28 insertions(+), 7 deletions(-)
 rename apps/labrinth/.sqlx/{query-b5857aafa522ca62294bc296fb6cddd862eca2889203e43b4962df07ba1221a0.json => query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json} (87%)
 create mode 100644 apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json

diff --git a/apps/labrinth/.sqlx/query-b5857aafa522ca62294bc296fb6cddd862eca2889203e43b4962df07ba1221a0.json b/apps/labrinth/.sqlx/query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json
similarity index 87%
rename from apps/labrinth/.sqlx/query-b5857aafa522ca62294bc296fb6cddd862eca2889203e43b4962df07ba1221a0.json
rename to apps/labrinth/.sqlx/query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json
index 988ec11ad5..91382f9cf4 100644
--- a/apps/labrinth/.sqlx/query-b5857aafa522ca62294bc296fb6cddd862eca2889203e43b4962df07ba1221a0.json
+++ b/apps/labrinth/.sqlx/query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n                    SELECT id, email,\n                        avatar_url, raw_avatar_url, username, bio,\n                        created, role, badges,\n                        github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,\n                        email_verified, password, totp_secret, paypal_id, paypal_country, paypal_email,\n                        venmo_handle, stripe_customer_id, allow_friend_requests\n                    FROM users\n                    WHERE id = ANY($1) OR LOWER(username) = ANY($2)\n                    ",
+  "query": "\n                    SELECT id, email,\n                        avatar_url, raw_avatar_url, username, bio,\n                        created, role, badges,\n                        github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,\n                        email_verified, password, totp_secret, webauthn_passkey, paypal_id, paypal_country, paypal_email,\n                        venmo_handle, stripe_customer_id, allow_friend_requests\n                    FROM users\n                    WHERE id = ANY($1) OR LOWER(username) = ANY($2)\n                    ",
   "describe": {
     "columns": [
       {
@@ -95,31 +95,36 @@
       },
       {
         "ordinal": 18,
+        "name": "webauthn_passkey",
+        "type_info": "Jsonb"
+      },
+      {
+        "ordinal": 19,
         "name": "paypal_id",
         "type_info": "Text"
       },
       {
-        "ordinal": 19,
+        "ordinal": 20,
         "name": "paypal_country",
         "type_info": "Text"
       },
       {
-        "ordinal": 20,
+        "ordinal": 21,
         "name": "paypal_email",
         "type_info": "Text"
       },
       {
-        "ordinal": 21,
+        "ordinal": 22,
         "name": "venmo_handle",
         "type_info": "Text"
       },
       {
-        "ordinal": 22,
+        "ordinal": 23,
         "name": "stripe_customer_id",
         "type_info": "Text"
       },
       {
-        "ordinal": 23,
+        "ordinal": 24,
         "name": "allow_friend_requests",
         "type_info": "Bool"
       }
@@ -154,8 +159,9 @@
       true,
       true,
       true,
+      true,
       false
     ]
   },
-  "hash": "b5857aafa522ca62294bc296fb6cddd862eca2889203e43b4962df07ba1221a0"
+  "hash": "57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b"
 }
diff --git a/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json b/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json
new file mode 100644
index 0000000000..ec0a3a0aac
--- /dev/null
+++ b/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json
@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "\n            UPDATE users\n            SET webauthn_passkey = $2\n            WHERE (id = $1)\n            ",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Int8",
+        "Jsonb"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc"
+}

From 666bf493bcf311fb32fe71fa49239934e565bbac Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Wed, 15 Oct 2025 21:22:04 -0400
Subject: [PATCH 5/6] Fix icon

---
 packages/assets/generated-icons.ts | 36 ++++++++++++++++--------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/packages/assets/generated-icons.ts b/packages/assets/generated-icons.ts
index 79da983dd4..4dcc1d638d 100644
--- a/packages/assets/generated-icons.ts
+++ b/packages/assets/generated-icons.ts
@@ -8,26 +8,26 @@ import _ArrowBigUpDashIcon from './icons/arrow-big-up-dash.svg?component'
 import _AsteriskIcon from './icons/asterisk.svg?component'
 import _BadgeCheckIcon from './icons/badge-check.svg?component'
 import _BanIcon from './icons/ban.svg?component'
-import _BellIcon from './icons/bell.svg?component'
 import _BellRingIcon from './icons/bell-ring.svg?component'
+import _BellIcon from './icons/bell.svg?component'
 import _BlocksIcon from './icons/blocks.svg?component'
 import _BoldIcon from './icons/bold.svg?component'
-import _BookIcon from './icons/book.svg?component'
 import _BookOpenIcon from './icons/book-open.svg?component'
 import _BookTextIcon from './icons/book-text.svg?component'
+import _BookIcon from './icons/book.svg?component'
 import _BookmarkIcon from './icons/bookmark.svg?component'
 import _BotIcon from './icons/bot.svg?component'
-import _BoxIcon from './icons/box.svg?component'
 import _BoxImportIcon from './icons/box-import.svg?component'
+import _BoxIcon from './icons/box.svg?component'
 import _BracesIcon from './icons/braces.svg?component'
 import _BrushCleaningIcon from './icons/brush-cleaning.svg?component'
 import _CalendarIcon from './icons/calendar.svg?component'
 import _CardIcon from './icons/card.svg?component'
 import _ChangeSkinIcon from './icons/change-skin.svg?component'
 import _ChartIcon from './icons/chart.svg?component'
-import _CheckIcon from './icons/check.svg?component'
 import _CheckCheckIcon from './icons/check-check.svg?component'
 import _CheckCircleIcon from './icons/check-circle.svg?component'
+import _CheckIcon from './icons/check.svg?component'
 import _ChevronLeftIcon from './icons/chevron-left.svg?component'
 import _ChevronRightIcon from './icons/chevron-right.svg?component'
 import _ClearIcon from './icons/clear.svg?component'
@@ -57,13 +57,13 @@ import _EditIcon from './icons/edit.svg?component'
 import _EllipsisVerticalIcon from './icons/ellipsis-vertical.svg?component'
 import _ExpandIcon from './icons/expand.svg?component'
 import _ExternalIcon from './icons/external.svg?component'
-import _EyeIcon from './icons/eye.svg?component'
 import _EyeOffIcon from './icons/eye-off.svg?component'
-import _FileIcon from './icons/file.svg?component'
+import _EyeIcon from './icons/eye.svg?component'
 import _FileArchiveIcon from './icons/file-archive.svg?component'
 import _FileTextIcon from './icons/file-text.svg?component'
-import _FilterIcon from './icons/filter.svg?component'
+import _FileIcon from './icons/file.svg?component'
 import _FilterXIcon from './icons/filter-x.svg?component'
+import _FilterIcon from './icons/filter.svg?component'
 import _FolderArchiveIcon from './icons/folder-archive.svg?component'
 import _FolderOpenIcon from './icons/folder-open.svg?component'
 import _FolderSearchIcon from './icons/folder-search.svg?component'
@@ -80,8 +80,8 @@ import _HashIcon from './icons/hash.svg?component'
 import _Heading1Icon from './icons/heading-1.svg?component'
 import _Heading2Icon from './icons/heading-2.svg?component'
 import _Heading3Icon from './icons/heading-3.svg?component'
-import _HeartIcon from './icons/heart.svg?component'
 import _HeartHandshakeIcon from './icons/heart-handshake.svg?component'
+import _HeartIcon from './icons/heart.svg?component'
 import _HistoryIcon from './icons/history.svg?component'
 import _HomeIcon from './icons/home.svg?component'
 import _ImageIcon from './icons/image.svg?component'
@@ -97,13 +97,13 @@ import _LeftArrowIcon from './icons/left-arrow.svg?component'
 import _LibraryIcon from './icons/library.svg?component'
 import _LightBulbIcon from './icons/light-bulb.svg?component'
 import _LinkIcon from './icons/link.svg?component'
-import _ListIcon from './icons/list.svg?component'
 import _ListBulletedIcon from './icons/list-bulleted.svg?component'
 import _ListEndIcon from './icons/list-end.svg?component'
 import _ListOrderedIcon from './icons/list-ordered.svg?component'
+import _ListIcon from './icons/list.svg?component'
 import _LoaderIcon from './icons/loader.svg?component'
-import _LockIcon from './icons/lock.svg?component'
 import _LockOpenIcon from './icons/lock-open.svg?component'
+import _LockIcon from './icons/lock.svg?component'
 import _LogInIcon from './icons/log-in.svg?component'
 import _LogOutIcon from './icons/log-out.svg?component'
 import _MailIcon from './icons/mail.svg?component'
@@ -114,8 +114,8 @@ import _MessageIcon from './icons/message.svg?component'
 import _MicrophoneIcon from './icons/microphone.svg?component'
 import _MinimizeIcon from './icons/minimize.svg?component'
 import _MinusIcon from './icons/minus.svg?component'
-import _MonitorIcon from './icons/monitor.svg?component'
 import _MonitorSmartphoneIcon from './icons/monitor-smartphone.svg?component'
+import _MonitorIcon from './icons/monitor.svg?component'
 import _MoonIcon from './icons/moon.svg?component'
 import _MoreHorizontalIcon from './icons/more-horizontal.svg?component'
 import _MoreVerticalIcon from './icons/more-vertical.svg?component'
@@ -124,16 +124,16 @@ import _NoSignalIcon from './icons/no-signal.svg?component'
 import _NotepadTextIcon from './icons/notepad-text.svg?component'
 import _OmorphiaIcon from './icons/omorphia.svg?component'
 import _OrganizationIcon from './icons/organization.svg?component'
-import _PackageIcon from './icons/package.svg?component'
 import _PackageClosedIcon from './icons/package-closed.svg?component'
 import _PackageOpenIcon from './icons/package-open.svg?component'
+import _PackageIcon from './icons/package.svg?component'
 import _PaintbrushIcon from './icons/paintbrush.svg?component'
 import _PickaxeIcon from './icons/pickaxe.svg?component'
 import _PlayIcon from './icons/play.svg?component'
 import _PlugIcon from './icons/plug.svg?component'
 import _PlusIcon from './icons/plus.svg?component'
-import _RadioButtonIcon from './icons/radio-button.svg?component'
 import _RadioButtonCheckedIcon from './icons/radio-button-checked.svg?component'
+import _RadioButtonIcon from './icons/radio-button.svg?component'
 import _ReceiptTextIcon from './icons/receipt-text.svg?component'
 import _RedoIcon from './icons/redo.svg?component'
 import _RefreshCwIcon from './icons/refresh-cw.svg?component'
@@ -149,9 +149,10 @@ import _SaveIcon from './icons/save.svg?component'
 import _ScaleIcon from './icons/scale.svg?component'
 import _ScanEyeIcon from './icons/scan-eye.svg?component'
 import _SearchIcon from './icons/search.svg?component'
+import _SecurityKeyIcon from './icons/security-key.svg?component'
 import _SendIcon from './icons/send.svg?component'
-import _ServerIcon from './icons/server.svg?component'
 import _ServerPlusIcon from './icons/server-plus.svg?component'
+import _ServerIcon from './icons/server.svg?component'
 import _SettingsIcon from './icons/settings.svg?component'
 import _ShareIcon from './icons/share.svg?component'
 import _ShieldIcon from './icons/shield.svg?component'
@@ -181,23 +182,23 @@ import _TrashIcon from './icons/trash.svg?component'
 import _TriangleAlertIcon from './icons/triangle-alert.svg?component'
 import _UnderlineIcon from './icons/underline.svg?component'
 import _UndoIcon from './icons/undo.svg?component'
-import _UnknownIcon from './icons/unknown.svg?component'
 import _UnknownDonationIcon from './icons/unknown-donation.svg?component'
+import _UnknownIcon from './icons/unknown.svg?component'
 import _UnlinkIcon from './icons/unlink.svg?component'
 import _UnplugIcon from './icons/unplug.svg?component'
 import _UpdatedIcon from './icons/updated.svg?component'
 import _UploadIcon from './icons/upload.svg?component'
-import _UserIcon from './icons/user.svg?component'
 import _UserPlusIcon from './icons/user-plus.svg?component'
 import _UserXIcon from './icons/user-x.svg?component'
+import _UserIcon from './icons/user.svg?component'
 import _UsersIcon from './icons/users.svg?component'
 import _VersionIcon from './icons/version.svg?component'
 import _WikiIcon from './icons/wiki.svg?component'
 import _WindowIcon from './icons/window.svg?component'
 import _WorldIcon from './icons/world.svg?component'
 import _WrenchIcon from './icons/wrench.svg?component'
-import _XIcon from './icons/x.svg?component'
 import _XCircleIcon from './icons/x-circle.svg?component'
+import _XIcon from './icons/x.svg?component'
 import _ZoomInIcon from './icons/zoom-in.svg?component'
 import _ZoomOutIcon from './icons/zoom-out.svg?component'
 
@@ -349,6 +350,7 @@ export const SaveIcon = _SaveIcon
 export const ScaleIcon = _ScaleIcon
 export const ScanEyeIcon = _ScanEyeIcon
 export const SearchIcon = _SearchIcon
+export const SecurityKeyIcon = _SecurityKeyIcon
 export const SendIcon = _SendIcon
 export const ServerPlusIcon = _ServerPlusIcon
 export const ServerIcon = _ServerIcon

From 20741823120853764fd134a8470b22d40a143de4 Mon Sep 17 00:00:00 2001
From: IThundxr <me@ithundxr.dev>
Date: Wed, 15 Oct 2025 22:56:14 -0400
Subject: [PATCH 6/6] WIP multi-key support

---
 apps/frontend/src/pages/settings/account.vue  | 1388 +++++++++--------
 ...d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json |   15 -
 ...fe484d598f80d0cee5f838d10b40d7e927af.json} |   21 +-
 apps/labrinth/Cargo.toml                      |    3 +-
 .../migrations/20250715014925_webauthn.sql    |    2 +-
 apps/labrinth/src/auth/webauthn.rs            |    5 +-
 .../labrinth/src/database/models/user_item.rs |   10 +-
 apps/labrinth/src/models/v3/users.rs          |    4 +-
 apps/labrinth/src/routes/internal/flows.rs    |   45 +-
 packages/utils/types.ts                       |    2 +-
 10 files changed, 779 insertions(+), 716 deletions(-)
 delete mode 100644 apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json
 rename apps/labrinth/.sqlx/{query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json => query-b87b5ac280e3fb5fc62770033531fe484d598f80d0cee5f838d10b40d7e927af.json} (67%)

diff --git a/apps/frontend/src/pages/settings/account.vue b/apps/frontend/src/pages/settings/account.vue
index 6ff2683faa..bdca0e63ca 100644
--- a/apps/frontend/src/pages/settings/account.vue
+++ b/apps/frontend/src/pages/settings/account.vue
@@ -1,366 +1,430 @@
 <template>
-	<div>
-		<ConfirmModal
-			ref="modal_confirm"
-			title="Are you sure you want to delete your account?"
-			description="This will **immediately delete all of your user data and follows**. This will not delete your projects. Deleting your account cannot be reversed.<br><br>If you need help with your account, get support on the [Modrinth Discord](https://discord.modrinth.com)."
-			proceed-label="Delete this account"
-			:confirmation-text="auth.user.username"
-			:has-to-type="true"
-			@proceed="deleteAccount"
-		/>
-		<Modal ref="changeEmailModal" :header="`${auth.user.email ? 'Change' : 'Add'} email`">
-			<div class="universal-modal">
-				<p>Your account information is not displayed publicly.</p>
-				<label for="email-input"><span class="label__title">Email address</span> </label>
-				<input
-					id="email-input"
-					v-model="email"
-					maxlength="2048"
-					type="email"
-					:placeholder="`Enter your email address...`"
-					@keyup.enter="saveEmail()"
-				/>
-				<div class="input-group push-right">
-					<button class="iconified-button" @click="$refs.changeEmailModal.hide()">
-						<XIcon />
-						Cancel
-					</button>
-					<button
-						type="button"
-						class="iconified-button brand-button"
-						:disabled="!email"
-						@click="saveEmail()"
-					>
-						<SaveIcon />
-						Save email
-					</button>
-				</div>
-			</div>
-		</Modal>
-		<Modal
-			ref="managePasswordModal"
-			:header="`${
-				removePasswordMode ? 'Remove' : auth.user.has_password ? 'Change' : 'Add'
-			} password`"
-		>
-			<div class="universal-modal">
-				<ul
-					v-if="newPassword !== confirmNewPassword && confirmNewPassword.length > 0"
-					class="known-errors"
-				>
-					<li>Input passwords do not match!</li>
-				</ul>
-				<label v-if="removePasswordMode" for="old-password">
-					<span class="label__title">Confirm password</span>
-					<span class="label__description">Please enter your password to proceed.</span>
-				</label>
-				<label v-else-if="auth.user.has_password" for="old-password">
-					<span class="label__title">Old password</span>
-				</label>
-				<input
-					v-if="auth.user.has_password"
-					id="old-password"
-					v-model="oldPassword"
-					maxlength="2048"
-					type="password"
-					autocomplete="current-password"
-					:placeholder="`${removePasswordMode ? 'Confirm' : 'Old'} password`"
-				/>
-				<template v-if="!removePasswordMode">
-					<label for="new-password"><span class="label__title">New password</span></label>
-					<input
-						id="new-password"
-						v-model="newPassword"
-						maxlength="2048"
-						type="password"
-						autocomplete="new-password"
-						placeholder="New password"
-					/>
-					<label for="confirm-new-password"
-						><span class="label__title">Confirm new password</span></label
-					>
-					<input
-						id="confirm-new-password"
-						v-model="confirmNewPassword"
-						maxlength="2048"
-						type="password"
-						autocomplete="new-password"
-						placeholder="Confirm new password"
-					/>
-				</template>
-				<p></p>
-				<div class="input-group push-right">
-					<button class="iconified-button" @click="$refs.managePasswordModal.hide()">
-						<XIcon />
-						Cancel
-					</button>
-					<template v-if="removePasswordMode">
-						<button
-							type="button"
-							class="iconified-button danger-button"
-							:disabled="!oldPassword"
-							@click="savePassword"
-						>
-							<TrashIcon />
-							Remove password
-						</button>
-					</template>
-					<template v-else>
-						<button
-							v-if="auth.user.has_password && auth.user.auth_providers.length > 0"
-							type="button"
-							class="iconified-button danger-button"
-							@click="removePasswordMode = true"
-						>
-							<TrashIcon />
-							Remove password
-						</button>
-						<button
-							type="button"
-							class="iconified-button brand-button"
-							:disabled="
-								newPassword.length == 0 ||
-								(auth.user.has_password && oldPassword.length == 0) ||
-								newPassword !== confirmNewPassword
-							"
-							@click="savePassword"
-						>
-							<SaveIcon />
-							Save password
-						</button>
-					</template>
-				</div>
-			</div>
-		</Modal>
-		<Modal
-			ref="manageTwoFactorModal"
-			:header="`${
-				auth.user.has_totp && twoFactorStep === 0 ? 'Remove' : 'Setup'
-			} two-factor authentication`"
-		>
-			<div class="universal-modal">
-				<template v-if="auth.user.has_totp && twoFactorStep === 0">
-					<label for="two-factor-code">
-						<span class="label__title">Enter two-factor code</span>
-						<span class="label__description">Please enter a two-factor code to proceed.</span>
-					</label>
-					<input
-						id="two-factor-code"
-						v-model="twoFactorCode"
-						maxlength="11"
-						type="text"
-						placeholder="Enter code..."
-						@keyup.enter="removeTwoFactor()"
-					/>
-					<p v-if="twoFactorIncorrect" class="known-errors">The code entered is incorrect!</p>
-					<div class="input-group push-right">
-						<button class="iconified-button" @click="$refs.manageTwoFactorModal.hide()">
-							<XIcon />
-							Cancel
-						</button>
-						<button class="iconified-button danger-button" @click="removeTwoFactor">
-							<TrashIcon />
-							Remove 2FA
-						</button>
-					</div>
-				</template>
-				<template v-else>
-					<template v-if="twoFactorStep === 0">
-						<p>
-							Two-factor authentication keeps your account secure by requiring access to a second
-							device in order to sign in.
-							<br /><br />
-							Scan the QR code with <a href="https://authy.com/">Authy</a>,
-							<a href="https://www.microsoft.com/en-us/security/mobile-authenticator-app">
-								Microsoft Authenticator</a
-							>, or any other 2FA app to begin.
-						</p>
-						<qrcode-vue
-							v-if="twoFactorSecret"
-							:value="`otpauth://totp/${encodeURIComponent(
-								auth.user.email,
-							)}?secret=${twoFactorSecret}&issuer=Modrinth`"
-							:size="250"
-							:margin="2"
-							level="H"
-						/>
-						<p>
-							If the QR code does not scan, you can manually enter the secret:
-							<strong>{{ twoFactorSecret }}</strong>
-						</p>
-					</template>
-					<template v-if="twoFactorStep === 1">
-						<label for="verify-code">
-							<span class="label__title">Verify code</span>
-							<span class="label__description"
-								>Enter the one-time code from authenticator to verify access.
-							</span>
-						</label>
-						<input
-							id="verify-code"
-							v-model="twoFactorCode"
-							maxlength="6"
-							type="text"
-							autocomplete="one-time-code"
-							placeholder="Enter code..."
-							@keyup.enter="verifyTwoFactorCode()"
-						/>
-						<p v-if="twoFactorIncorrect" class="known-errors">The code entered is incorrect!</p>
-					</template>
-					<template v-if="twoFactorStep === 2">
-						<p>
-							Download and save these back-up codes in a safe place. You can use these in-place of a
-							2FA code if you ever lose access to your device! You should protect these codes like
-							your password.
-						</p>
-						<p>Backup codes can only be used once.</p>
-						<ul>
-							<li v-for="code in backupCodes" :key="code">{{ code }}</li>
-						</ul>
-					</template>
-					<div class="input-group push-right">
-						<button v-if="twoFactorStep === 1" class="iconified-button" @click="twoFactorStep = 0">
-							<LeftArrowIcon />
-							Back
-						</button>
-						<button
-							v-if="twoFactorStep !== 2"
-							class="iconified-button"
-							@click="$refs.manageTwoFactorModal.hide()"
-						>
-							<XIcon />
-							Cancel
-						</button>
-						<button
-							v-if="twoFactorStep <= 1"
-							class="iconified-button brand-button"
-							@click="twoFactorStep === 1 ? verifyTwoFactorCode() : (twoFactorStep = 1)"
-						>
-							<RightArrowIcon />
-							Continue
-						</button>
-						<button
-							v-if="twoFactorStep === 2"
-							class="iconified-button brand-button"
-							@click="$refs.manageTwoFactorModal.hide()"
-						>
-							<CheckIcon />
-							Complete setup
-						</button>
-					</div>
-				</template>
-			</div>
-		</Modal>
-		<Modal ref="manageProvidersModal" header="Authentication providers">
-			<div class="universal-modal">
-				<div class="table">
-					<div class="table-head table-row">
-						<div class="table-text table-cell">Provider</div>
-						<div class="table-text table-cell">Actions</div>
-					</div>
-					<div v-for="provider in authProviders" :key="provider.id" class="table-row">
-						<div class="table-text table-cell">
-							<span><component :is="provider.icon" /> {{ provider.display }}</span>
-						</div>
-						<div class="table-text manage table-cell">
-							<button
-								v-if="auth.user.auth_providers.includes(provider.id)"
-								class="btn"
-								@click="handleRemoveAuthProvider(provider.id)"
-							>
-								<TrashIcon /> Remove
-							</button>
-							<a
-								v-else
-								class="btn"
-								:href="`${getAuthUrl(provider.id, '/settings/account')}&token=${auth.token}`"
-							>
-								<ExternalIcon /> Add
-							</a>
-						</div>
-					</div>
-				</div>
-				<p></p>
-				<div class="input-group push-right">
-					<button class="iconified-button" @click="$refs.manageProvidersModal.hide()">
-						<XIcon />
-						Close
-					</button>
-				</div>
-			</div>
-		</Modal>
-		<section class="universal-card">
-			<h2 class="text-2xl">Account security</h2>
-
-			<div class="adjacent-input">
-				<label for="theme-selector">
-					<span class="label__title">Email</span>
-					<span class="label__description">Changes the email associated with your account.</span>
-				</label>
-				<div>
-					<button class="iconified-button" @click="$refs.changeEmailModal.show()">
-						<template v-if="auth.user.email">
-							<EditIcon />
-							Change email
-						</template>
-						<template v-else>
-							<PlusIcon />
-							Add email
-						</template>
-					</button>
-				</div>
-			</div>
-			<div class="adjacent-input">
-				<label for="theme-selector">
-					<span class="label__title">Password</span>
-					<span v-if="auth.user.has_password" class="label__description">
-						Change
-						<template v-if="auth.user.auth_providers.length > 0">or remove</template>
-						the password used to login to your account.
-					</span>
-					<span v-else class="label__description">
-						Set a permanent password to login to your account.
-					</span>
-				</label>
-				<div>
-					<button
-						class="iconified-button"
-						@click="
-							() => {
-								oldPassword = ''
-								newPassword = ''
-								confirmNewPassword = ''
-								removePasswordMode = false
-								$refs.managePasswordModal.show()
-							}
-						"
-					>
-						<KeyIcon />
-						<template v-if="auth.user.has_password"> Change password </template>
-						<template v-else> Add password </template>
-					</button>
-				</div>
-			</div>
-			<div class="adjacent-input">
-				<label for="theme-selector">
-					<span class="label__title">Two-factor authentication</span>
-					<span class="label__description">
-						Add an additional layer of security to your account during login.
-					</span>
-				</label>
-				<div>
-					<button class="iconified-button" @click="showTwoFactorModal">
-						<template v-if="auth.user.has_totp"> <TrashIcon /> Remove 2FA </template>
-						<template v-else> <PlusIcon /> Setup 2FA </template>
-					</button>
-				</div>
-			</div>
-			<div class="adjacent-input">
-				<label for="theme-selector">
-					<span class="label__title">Hardware security key</span>
+  <div>
+    <ConfirmModal
+      ref="modal_confirm"
+      title="Are you sure you want to delete your account?"
+      description="This will **immediately delete all of your user data and follows**. This will not delete your projects. Deleting your account cannot be reversed.<br><br>If you need help with your account, get support on the [Modrinth Discord](https://discord.modrinth.com)."
+      proceed-label="Delete this account"
+      :confirmation-text="auth.user.username"
+      :has-to-type="true"
+      @proceed="deleteAccount"
+    />
+    <Modal
+      ref="changeEmailModal"
+      :header="`${auth.user.email ? 'Change' : 'Add'} email`"
+    >
+      <div class="universal-modal">
+        <p>Your account information is not displayed publicly.</p>
+        <label for="email-input"
+          ><span class="label__title">Email address</span>
+        </label>
+        <input
+          id="email-input"
+          v-model="email"
+          maxlength="2048"
+          type="email"
+          :placeholder="`Enter your email address...`"
+          @keyup.enter="saveEmail()"
+        />
+        <div class="input-group push-right">
+          <button
+            class="iconified-button"
+            @click="$refs.changeEmailModal.hide()"
+          >
+            <XIcon />
+            Cancel
+          </button>
+          <button
+            type="button"
+            class="iconified-button brand-button"
+            :disabled="!email"
+            @click="saveEmail()"
+          >
+            <SaveIcon />
+            Save email
+          </button>
+        </div>
+      </div>
+    </Modal>
+    <Modal
+      ref="managePasswordModal"
+      :header="`${
+        removePasswordMode
+          ? 'Remove'
+          : auth.user.has_password
+            ? 'Change'
+            : 'Add'
+      } password`"
+    >
+      <div class="universal-modal">
+        <ul
+          v-if="
+            newPassword !== confirmNewPassword && confirmNewPassword.length > 0
+          "
+          class="known-errors"
+        >
+          <li>Input passwords do not match!</li>
+        </ul>
+        <label v-if="removePasswordMode" for="old-password">
+          <span class="label__title">Confirm password</span>
+          <span class="label__description"
+            >Please enter your password to proceed.</span
+          >
+        </label>
+        <label v-else-if="auth.user.has_password" for="old-password">
+          <span class="label__title">Old password</span>
+        </label>
+        <input
+          v-if="auth.user.has_password"
+          id="old-password"
+          v-model="oldPassword"
+          maxlength="2048"
+          type="password"
+          autocomplete="current-password"
+          :placeholder="`${removePasswordMode ? 'Confirm' : 'Old'} password`"
+        />
+        <template v-if="!removePasswordMode">
+          <label for="new-password"
+            ><span class="label__title">New password</span></label
+          >
+          <input
+            id="new-password"
+            v-model="newPassword"
+            maxlength="2048"
+            type="password"
+            autocomplete="new-password"
+            placeholder="New password"
+          />
+          <label for="confirm-new-password"
+            ><span class="label__title">Confirm new password</span></label
+          >
+          <input
+            id="confirm-new-password"
+            v-model="confirmNewPassword"
+            maxlength="2048"
+            type="password"
+            autocomplete="new-password"
+            placeholder="Confirm new password"
+          />
+        </template>
+        <p></p>
+        <div class="input-group push-right">
+          <button
+            class="iconified-button"
+            @click="$refs.managePasswordModal.hide()"
+          >
+            <XIcon />
+            Cancel
+          </button>
+          <template v-if="removePasswordMode">
+            <button
+              type="button"
+              class="iconified-button danger-button"
+              :disabled="!oldPassword"
+              @click="savePassword"
+            >
+              <TrashIcon />
+              Remove password
+            </button>
+          </template>
+          <template v-else>
+            <button
+              v-if="
+                auth.user.has_password && auth.user.auth_providers.length > 0
+              "
+              type="button"
+              class="iconified-button danger-button"
+              @click="removePasswordMode = true"
+            >
+              <TrashIcon />
+              Remove password
+            </button>
+            <button
+              type="button"
+              class="iconified-button brand-button"
+              :disabled="
+                newPassword.length == 0 ||
+                (auth.user.has_password && oldPassword.length == 0) ||
+                newPassword !== confirmNewPassword
+              "
+              @click="savePassword"
+            >
+              <SaveIcon />
+              Save password
+            </button>
+          </template>
+        </div>
+      </div>
+    </Modal>
+    <Modal
+      ref="manageTwoFactorModal"
+      :header="`${
+        auth.user.has_totp && twoFactorStep === 0 ? 'Remove' : 'Setup'
+      } two-factor authentication`"
+    >
+      <div class="universal-modal">
+        <template v-if="auth.user.has_totp && twoFactorStep === 0">
+          <label for="two-factor-code">
+            <span class="label__title">Enter two-factor code</span>
+            <span class="label__description"
+              >Please enter a two-factor code to proceed.</span
+            >
+          </label>
+          <input
+            id="two-factor-code"
+            v-model="twoFactorCode"
+            maxlength="11"
+            type="text"
+            placeholder="Enter code..."
+            @keyup.enter="removeTwoFactor()"
+          />
+          <p v-if="twoFactorIncorrect" class="known-errors">
+            The code entered is incorrect!
+          </p>
+          <div class="input-group push-right">
+            <button
+              class="iconified-button"
+              @click="$refs.manageTwoFactorModal.hide()"
+            >
+              <XIcon />
+              Cancel
+            </button>
+            <button
+              class="iconified-button danger-button"
+              @click="removeTwoFactor"
+            >
+              <TrashIcon />
+              Remove 2FA
+            </button>
+          </div>
+        </template>
+        <template v-else>
+          <template v-if="twoFactorStep === 0">
+            <p>
+              Two-factor authentication keeps your account secure by requiring
+              access to a second device in order to sign in.
+              <br /><br />
+              Scan the QR code with <a href="https://authy.com/">Authy</a>,
+              <a
+                href="https://www.microsoft.com/en-us/security/mobile-authenticator-app"
+              >
+                Microsoft Authenticator</a
+              >, or any other 2FA app to begin.
+            </p>
+            <qrcode-vue
+              v-if="twoFactorSecret"
+              :value="`otpauth://totp/${encodeURIComponent(
+                auth.user.email,
+              )}?secret=${twoFactorSecret}&issuer=Modrinth`"
+              :size="250"
+              :margin="2"
+              level="H"
+            />
+            <p>
+              If the QR code does not scan, you can manually enter the secret:
+              <strong>{{ twoFactorSecret }}</strong>
+            </p>
+          </template>
+          <template v-if="twoFactorStep === 1">
+            <label for="verify-code">
+              <span class="label__title">Verify code</span>
+              <span class="label__description"
+                >Enter the one-time code from authenticator to verify access.
+              </span>
+            </label>
+            <input
+              id="verify-code"
+              v-model="twoFactorCode"
+              maxlength="6"
+              type="text"
+              autocomplete="one-time-code"
+              placeholder="Enter code..."
+              @keyup.enter="verifyTwoFactorCode()"
+            />
+            <p v-if="twoFactorIncorrect" class="known-errors">
+              The code entered is incorrect!
+            </p>
+          </template>
+          <template v-if="twoFactorStep === 2">
+            <p>
+              Download and save these back-up codes in a safe place. You can use
+              these in-place of a 2FA code if you ever lose access to your
+              device! You should protect these codes like your password.
+            </p>
+            <p>Backup codes can only be used once.</p>
+            <ul>
+              <li v-for="code in backupCodes" :key="code">{{ code }}</li>
+            </ul>
+          </template>
+          <div class="input-group push-right">
+            <button
+              v-if="twoFactorStep === 1"
+              class="iconified-button"
+              @click="twoFactorStep = 0"
+            >
+              <LeftArrowIcon />
+              Back
+            </button>
+            <button
+              v-if="twoFactorStep !== 2"
+              class="iconified-button"
+              @click="$refs.manageTwoFactorModal.hide()"
+            >
+              <XIcon />
+              Cancel
+            </button>
+            <button
+              v-if="twoFactorStep <= 1"
+              class="iconified-button brand-button"
+              @click="
+                twoFactorStep === 1
+                  ? verifyTwoFactorCode()
+                  : (twoFactorStep = 1)
+              "
+            >
+              <RightArrowIcon />
+              Continue
+            </button>
+            <button
+              v-if="twoFactorStep === 2"
+              class="iconified-button brand-button"
+              @click="$refs.manageTwoFactorModal.hide()"
+            >
+              <CheckIcon />
+              Complete setup
+            </button>
+          </div>
+        </template>
+      </div>
+    </Modal>
+    <Modal ref="manageProvidersModal" header="Authentication providers">
+      <div class="universal-modal">
+        <div class="table">
+          <div class="table-head table-row">
+            <div class="table-text table-cell">Provider</div>
+            <div class="table-text table-cell">Actions</div>
+          </div>
+          <div
+            v-for="provider in authProviders"
+            :key="provider.id"
+            class="table-row"
+          >
+            <div class="table-text table-cell">
+              <span
+                ><component :is="provider.icon" /> {{ provider.display }}</span
+              >
+            </div>
+            <div class="table-text manage table-cell">
+              <button
+                v-if="auth.user.auth_providers.includes(provider.id)"
+                class="btn"
+                @click="handleRemoveAuthProvider(provider.id)"
+              >
+                <TrashIcon /> Remove
+              </button>
+              <a
+                v-else
+                class="btn"
+                :href="`${getAuthUrl(provider.id, '/settings/account')}&token=${auth.token}`"
+              >
+                <ExternalIcon /> Add
+              </a>
+            </div>
+          </div>
+        </div>
+        <p></p>
+        <div class="input-group push-right">
+          <button
+            class="iconified-button"
+            @click="$refs.manageProvidersModal.hide()"
+          >
+            <XIcon />
+            Close
+          </button>
+        </div>
+      </div>
+    </Modal>
+    <section class="universal-card">
+      <h2 class="text-2xl">Account security</h2>
+
+      <div class="adjacent-input">
+        <label for="theme-selector">
+          <span class="label__title">Email</span>
+          <span class="label__description"
+            >Changes the email associated with your account.</span
+          >
+        </label>
+        <div>
+          <button
+            class="iconified-button"
+            @click="$refs.changeEmailModal.show()"
+          >
+            <template v-if="auth.user.email">
+              <EditIcon />
+              Change email
+            </template>
+            <template v-else>
+              <PlusIcon />
+              Add email
+            </template>
+          </button>
+        </div>
+      </div>
+      <div class="adjacent-input">
+        <label for="theme-selector">
+          <span class="label__title">Password</span>
+          <span v-if="auth.user.has_password" class="label__description">
+            Change
+            <template v-if="auth.user.auth_providers.length > 0"
+              >or remove</template
+            >
+            the password used to login to your account.
+          </span>
+          <span v-else class="label__description">
+            Set a permanent password to login to your account.
+          </span>
+        </label>
+        <div>
+          <button
+            class="iconified-button"
+            @click="
+              () => {
+                oldPassword = ''
+                newPassword = ''
+                confirmNewPassword = ''
+                removePasswordMode = false
+                $refs.managePasswordModal.show()
+              }
+            "
+          >
+            <KeyIcon />
+            <template v-if="auth.user.has_password"> Change password </template>
+            <template v-else> Add password </template>
+          </button>
+        </div>
+      </div>
+      <div class="adjacent-input">
+        <label for="theme-selector">
+          <span class="label__title">Two-factor authentication</span>
           <span class="label__description">
-            Add an additional and more secure method of security to your account during login.
+            Add an additional layer of security to your account during login.
+          </span>
+        </label>
+        <div>
+          <button class="iconified-button" @click="showTwoFactorModal">
+            <template v-if="auth.user.has_totp">
+              <TrashIcon /> Remove 2FA
+            </template>
+            <template v-else> <PlusIcon /> Setup 2FA </template>
+          </button>
+        </div>
+      </div>
+      <div class="adjacent-input">
+        <label for="theme-selector">
+          <span class="label__title">Hardware security key</span>
+          <span class="label__description">
+            Add an additional and more secure method of security to your account
+            during login.
           </span>
         </label>
         <div>
@@ -368,76 +432,93 @@
             <template v-if="auth.user.has_webauthn">
               <TrashIcon /> Remove Hardware Security Key
             </template>
-            <template v-else> <SecurityKeyIcon /> Setup Hardware Security Key </template>
+            <template v-else>
+              <SecurityKeyIcon /> Setup Hardware Security Key
+            </template>
           </button>
         </div>
       </div>
       <div class="adjacent-input">
         <label for="theme-selector">
           <span class="label__title">Manage authentication providers</span>
-					<span class="label__description">
-						Add or remove sign-on methods from your account, including GitHub, GitLab, Microsoft,
-						Discord, Steam, and Google.
-					</span>
-				</label>
-				<div>
-					<button class="iconified-button" @click="$refs.manageProvidersModal.show()">
-						<SettingsIcon /> Manage providers
-					</button>
-				</div>
-			</div>
-		</section>
-
-		<section id="data-export" class="universal-card">
-			<h2>Data export</h2>
-			<p>
-				Request a copy of all your personal data you have uploaded to Modrinth. This may take
-				several minutes to complete.
-			</p>
-			<a v-if="generated" class="iconified-button" :href="generated" download="export.json">
-				<DownloadIcon />
-				Download export
-			</a>
-			<button v-else class="iconified-button" :disabled="generatingExport" @click="exportData">
-				<template v-if="generatingExport"> <UpdatedIcon /> Generating export... </template>
-				<template v-else> <UpdatedIcon /> Generate export </template>
-			</button>
-		</section>
-
-		<section id="delete-account" class="universal-card">
-			<h2>Delete account</h2>
-			<p>
-				Once you delete your account, there is no going back. Deleting your account will remove all
-				attached data, excluding projects, from our servers.
-			</p>
-			<button
-				type="button"
-				class="iconified-button danger-button"
-				@click="$refs.modal_confirm.show()"
-			>
-				<TrashIcon />
-				Delete account
-			</button>
-		</section>
-	</div>
+          <span class="label__description">
+            Add or remove sign-on methods from your account, including GitHub,
+            GitLab, Microsoft, Discord, Steam, and Google.
+          </span>
+        </label>
+        <div>
+          <button
+            class="iconified-button"
+            @click="$refs.manageProvidersModal.show()"
+          >
+            <SettingsIcon /> Manage providers
+          </button>
+        </div>
+      </div>
+    </section>
+
+    <section id="data-export" class="universal-card">
+      <h2>Data export</h2>
+      <p>
+        Request a copy of all your personal data you have uploaded to Modrinth.
+        This may take several minutes to complete.
+      </p>
+      <a
+        v-if="generated"
+        class="iconified-button"
+        :href="generated"
+        download="export.json"
+      >
+        <DownloadIcon />
+        Download export
+      </a>
+      <button
+        v-else
+        class="iconified-button"
+        :disabled="generatingExport"
+        @click="exportData"
+      >
+        <template v-if="generatingExport">
+          <UpdatedIcon /> Generating export...
+        </template>
+        <template v-else> <UpdatedIcon /> Generate export </template>
+      </button>
+    </section>
+
+    <section id="delete-account" class="universal-card">
+      <h2>Delete account</h2>
+      <p>
+        Once you delete your account, there is no going back. Deleting your
+        account will remove all attached data, excluding projects, from our
+        servers.
+      </p>
+      <button
+        type="button"
+        class="iconified-button danger-button"
+        @click="$refs.modal_confirm.show()"
+      >
+        <TrashIcon />
+        Delete account
+      </button>
+    </section>
+  </div>
 </template>
 
 <script setup>
 import {
-	CheckIcon,
-	DownloadIcon,
-	EditIcon,
-	ExternalIcon,
-	LeftArrowIcon,
-	PlusIcon,
-	RightArrowIcon,
-	SaveIcon,
-	SecurityKeyIcon,
+  CheckIcon,
+  DownloadIcon,
+  EditIcon,
+  ExternalIcon,
+  LeftArrowIcon,
+  PlusIcon,
+  RightArrowIcon,
+  SaveIcon,
+  SecurityKeyIcon,
   SettingsIcon,
   TrashIcon,
   UpdatedIcon,
   XIcon,
-
 } from '@modrinth/assets'
 import { ConfirmModal, injectNotificationManager } from '@modrinth/ui'
 import KeyIcon from 'assets/icons/auth/key.svg'
@@ -453,11 +534,11 @@ import Modal from '~/components/ui/Modal.vue'
 import { getAuthUrl, removeAuthProvider } from '~/composables/auth.js'
 
 useHead({
-	title: 'Account settings - Modrinth',
+  title: 'Account settings - Modrinth',
 })
 
 definePageMeta({
-	middleware: 'auth',
+  middleware: 'auth',
 })
 
 const { addNotification } = injectNotificationManager()
@@ -466,36 +547,36 @@ const auth = await useAuth()
 const changeEmailModal = ref()
 const email = ref(auth.value.user.email)
 async function saveEmail() {
-	if (!email.value) {
-		return
-	}
-
-	startLoading()
-	try {
-		await useBaseFetch(`auth/email`, {
-			method: 'PATCH',
-			body: {
-				email: email.value,
-			},
-		})
-		changeEmailModal.value.hide()
-		await useAuth(auth.value.token)
-	} catch (err) {
-		addNotification({
-			title: 'An error occurred',
-			text: err.data ? err.data.description : err,
-			type: 'error',
-		})
-	}
-	stopLoading()
+  if (!email.value) {
+    return
+  }
+
+  startLoading()
+  try {
+    await useBaseFetch(`auth/email`, {
+      method: 'PATCH',
+      body: {
+        email: email.value,
+      },
+    })
+    changeEmailModal.value.hide()
+    await useAuth(auth.value.token)
+  } catch (err) {
+    addNotification({
+      title: 'An error occurred',
+      text: err.data ? err.data.description : err,
+      type: 'error',
+    })
+  }
+  stopLoading()
 }
 
 async function handleRemoveAuthProvider(provider) {
-	try {
-		await removeAuthProvider(provider)
-	} catch (error) {
-		handleError(error)
-	}
+  try {
+    await removeAuthProvider(provider)
+  } catch (error) {
+    handleError(error)
+  }
 }
 
 const managePasswordModal = ref()
@@ -504,29 +585,29 @@ const oldPassword = ref('')
 const newPassword = ref('')
 const confirmNewPassword = ref('')
 async function savePassword() {
-	if (newPassword.value !== confirmNewPassword.value) {
-		return
-	}
-
-	startLoading()
-	try {
-		await useBaseFetch(`auth/password`, {
-			method: 'PATCH',
-			body: {
-				old_password: auth.value.user.has_password ? oldPassword.value : null,
-				new_password: removePasswordMode.value ? null : newPassword.value,
-			},
-		})
-		managePasswordModal.value.hide()
-		await useAuth(auth.value.token)
-	} catch (err) {
-		addNotification({
-			title: 'An error occurred',
-			text: err.data ? err.data.description : err,
-			type: 'error',
-		})
-	}
-	stopLoading()
+  if (newPassword.value !== confirmNewPassword.value) {
+    return
+  }
+
+  startLoading()
+  try {
+    await useBaseFetch(`auth/password`, {
+      method: 'PATCH',
+      body: {
+        old_password: auth.value.user.has_password ? oldPassword.value : null,
+        new_password: removePasswordMode.value ? null : newPassword.value,
+      },
+    })
+    managePasswordModal.value.hide()
+    await useAuth(auth.value.token)
+  } catch (err) {
+    addNotification({
+      title: 'An error occurred',
+      text: err.data ? err.data.description : err,
+      type: 'error',
+    })
+  }
+  stopLoading()
 }
 
 const manageTwoFactorModal = ref()
@@ -534,98 +615,103 @@ const twoFactorSecret = ref(null)
 const twoFactorFlow = ref(null)
 const twoFactorStep = ref(0)
 async function showTwoFactorModal() {
-	twoFactorStep.value = 0
-	twoFactorCode.value = null
-	twoFactorIncorrect.value = false
-	if (auth.value.user.has_totp) {
-		manageTwoFactorModal.value.show()
-		return
-	}
-
-	twoFactorSecret.value = null
-	twoFactorFlow.value = null
-	backupCodes.value = []
-	manageTwoFactorModal.value.show()
-
-	startLoading()
-	try {
-		const res = await useBaseFetch('auth/2fa/get_secret', {
-			method: 'POST',
-		})
-
-		twoFactorSecret.value = res.secret
-		twoFactorFlow.value = res.flow
-	} catch (err) {
-		addNotification({
-			title: 'An error occurred',
-			text: err.data ? err.data.description : err,
-			type: 'error',
-		})
-	}
-	stopLoading()
+  twoFactorStep.value = 0
+  twoFactorCode.value = null
+  twoFactorIncorrect.value = false
+  if (auth.value.user.has_totp) {
+    manageTwoFactorModal.value.show()
+    return
+  }
+
+  twoFactorSecret.value = null
+  twoFactorFlow.value = null
+  backupCodes.value = []
+  manageTwoFactorModal.value.show()
+
+  startLoading()
+  try {
+    const res = await useBaseFetch('auth/2fa/get_secret', {
+      method: 'POST',
+    })
+
+    twoFactorSecret.value = res.secret
+    twoFactorFlow.value = res.flow
+  } catch (err) {
+    addNotification({
+      title: 'An error occurred',
+      text: err.data ? err.data.description : err,
+      type: 'error',
+    })
+  }
+  stopLoading()
 }
 
 const twoFactorIncorrect = ref(false)
 const twoFactorCode = ref(null)
 const backupCodes = ref([])
 async function verifyTwoFactorCode() {
-	startLoading()
-	try {
-		const res = await useBaseFetch('auth/2fa', {
-			method: 'POST',
-			body: {
-				code: twoFactorCode.value ? twoFactorCode.value : '',
-				flow: twoFactorFlow.value,
-			},
-		})
-
-		backupCodes.value = res.backup_codes
-		twoFactorStep.value = 2
-		await useAuth(auth.value.token)
-	} catch {
-		twoFactorIncorrect.value = true
-	}
-	stopLoading()
+  startLoading()
+  try {
+    const res = await useBaseFetch('auth/2fa', {
+      method: 'POST',
+      body: {
+        code: twoFactorCode.value ? twoFactorCode.value : '',
+        flow: twoFactorFlow.value,
+      },
+    })
+
+    backupCodes.value = res.backup_codes
+    twoFactorStep.value = 2
+    await useAuth(auth.value.token)
+  } catch {
+    twoFactorIncorrect.value = true
+  }
+  stopLoading()
 }
 
 async function removeTwoFactor() {
-	startLoading()
-	try {
-		await useBaseFetch('auth/2fa', {
-			method: 'DELETE',
-			body: {
-				code: twoFactorCode.value ? twoFactorCode.value.toString() : '',
-			},
-		})
-		manageTwoFactorModal.value.hide()
-		await useAuth(auth.value.token)
-	} catch {
-		twoFactorIncorrect.value = true
-	}
-	stopLoading()
+  startLoading()
+  try {
+    await useBaseFetch('auth/2fa', {
+      method: 'DELETE',
+      body: {
+        code: twoFactorCode.value ? twoFactorCode.value.toString() : '',
+      },
+    })
+    manageTwoFactorModal.value.hide()
+    await useAuth(auth.value.token)
+  } catch {
+    twoFactorIncorrect.value = true
+  }
+  stopLoading()
 }
 
-const mangeWebauthnModal = ref();
+const mangeWebauthnModal = ref()
 async function showWebauthnModal() {
-  if (auth.value.user.has_webauthn) {
-    mangeWebauthnModal.value.show();
-    return;
+  console.log(auth.value.user) // TODO
+
+  if (auth.value.user.has_webauthn) { // TODO - This is never true for some reason
+    mangeWebauthnModal.value.show()
+    return
   }
 
-  startLoading();
+  startLoading()
   try {
-    const res = await useBaseFetch(`auth/webauthn/register/start/${auth.value.user.username}`, {
-      method: "POST",
-      internal: true,
-    });
+    const res = await useBaseFetch(
+      `auth/webauthn/register/start/${auth.value.user.username}`,
+      {
+        method: 'POST',
+        internal: true,
+      },
+    )
 
-    const publicKey = res.challenge.publicKey;
-    publicKey.challenge = b64urlToUint8Array(publicKey.challenge);
-    publicKey.user.id = b64urlToUint8Array(publicKey.user.id);
+    const publicKey = res.challenge.publicKey
+    publicKey.challenge = b64urlToUint8Array(publicKey.challenge)
+    publicKey.user.id = b64urlToUint8Array(publicKey.user.id)
 
-    const credential = await navigator.credentials.create({ publicKey });
+    const credential = await navigator.credentials.create({ publicKey })
 
-    console.log("Created webauthn credential", credential);
+    console.log('Created webauthn credential', credential) // TODO
 
     const jsonCredential = {
       id: credential.id,
@@ -633,149 +719,151 @@ async function showWebauthnModal() {
       type: credential.type,
       response: {
         clientDataJSON: uint8ArrayToB64url(credential.response.clientDataJSON),
-        attestationObject: uint8ArrayToB64url(credential.response.attestationObject),
+        attestationObject: uint8ArrayToB64url(
+          credential.response.attestationObject,
+        ),
       },
-    };
+    }
 
-    await useBaseFetch("auth/webauthn/register/finish", {
-      method: "POST",
+    let res2 = await useBaseFetch('auth/webauthn/register/finish', {
+      method: 'POST',
       internal: true,
       body: {
+        name: 'My Key', // TODO
         cred: jsonCredential,
-        flow: res.flow
+        flow: res.flow,
       },
-    });
+    })
 
-    mangeWebauthnModal.value.show();
+    mangeWebauthnModal.value.show()
   } catch (err) {
-    data.$notify({
-      group: "main",
-      title: "An error occurred",
+    addNotification({
+      title: 'An error occurred',
       text: err.data ? err.data.description : err,
-      type: "error",
-    });
+      type: 'error',
+    })
   }
-  stopLoading();
+  stopLoading()
 }
 
 function b64urlToUint8Array(b64url) {
   const base64 = b64url
-      .replace(/-/g, '+')
-      .replace(/_/g, '/')
-      .padEnd(b64url.length + (4 - b64url.length % 4) % 4, '=');
-  const binary = atob(base64);
-  return Uint8Array.from(binary, c => c.charCodeAt(0));
+    .replace(/-/g, '+')
+    .replace(/_/g, '/')
+    .padEnd(b64url.length + ((4 - (b64url.length % 4)) % 4), '=')
+  const binary = atob(base64)
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0))
 }
 
 function uint8ArrayToB64url(buf) {
-  let binary = "";
-  const bytes = new Uint8Array(buf);
+  let binary = ''
+  const bytes = new Uint8Array(buf)
   for (let i = 0; i < bytes.byteLength; i++) {
-    binary += String.fromCharCode(bytes[i]);
+    binary += String.fromCharCode(bytes[i])
   }
-  const base64 = btoa(binary);
-  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+  const base64 = btoa(binary)
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
 }
 
 const authProviders = [
-	{
-		id: 'github',
-		display: 'GitHub',
-		icon: GithubIcon,
-	},
-	{
-		id: 'gitlab',
-		display: 'GitLab',
-		icon: GitLabIcon,
-	},
-	{
-		id: 'steam',
-		display: 'Steam',
-		icon: SteamIcon,
-	},
-	{
-		id: 'discord',
-		display: 'Discord',
-		icon: DiscordIcon,
-	},
-	{
-		id: 'microsoft',
-		display: 'Microsoft',
-		icon: MicrosoftIcon,
-	},
-	{
-		id: 'google',
-		display: 'Google',
-		icon: GoogleIcon,
-	},
+  {
+    id: 'github',
+    display: 'GitHub',
+    icon: GithubIcon,
+  },
+  {
+    id: 'gitlab',
+    display: 'GitLab',
+    icon: GitLabIcon,
+  },
+  {
+    id: 'steam',
+    display: 'Steam',
+    icon: SteamIcon,
+  },
+  {
+    id: 'discord',
+    display: 'Discord',
+    icon: DiscordIcon,
+  },
+  {
+    id: 'microsoft',
+    display: 'Microsoft',
+    icon: MicrosoftIcon,
+  },
+  {
+    id: 'google',
+    display: 'Google',
+    icon: GoogleIcon,
+  },
 ]
 
 async function deleteAccount() {
-	startLoading()
-	try {
-		await useBaseFetch(`user/${auth.value.user.id}`, {
-			method: 'DELETE',
-		})
-	} catch (err) {
-		addNotification({
-			title: 'An error occurred',
-			text: err.data ? err.data.description : err,
-			type: 'error',
-		})
-	}
-
-	useCookie('auth-token').value = null
-	window.location.href = '/'
-
-	stopLoading()
+  startLoading()
+  try {
+    await useBaseFetch(`user/${auth.value.user.id}`, {
+      method: 'DELETE',
+    })
+  } catch (err) {
+    addNotification({
+      title: 'An error occurred',
+      text: err.data ? err.data.description : err,
+      type: 'error',
+    })
+  }
+
+  useCookie('auth-token').value = null
+  window.location.href = '/'
+
+  stopLoading()
 }
 
 const generatingExport = ref(false)
 const generated = ref()
 async function exportData() {
-	startLoading()
-	generatingExport.value = true
-	try {
-		const res = await useBaseFetch('gdpr/export', {
-			method: 'POST',
-			internal: true,
-		})
-
-		const jsonString = JSON.stringify(res, null, 2)
-
-		const blob = new Blob([jsonString], { type: 'application/json' })
-		generated.value = URL.createObjectURL(blob)
-	} catch (err) {
-		addNotification({
-			title: 'An error occurred',
-			text: err.data ? err.data.description : err,
-			type: 'error',
-		})
-	}
-
-	generatingExport.value = false
-	stopLoading()
+  startLoading()
+  generatingExport.value = true
+  try {
+    const res = await useBaseFetch('gdpr/export', {
+      method: 'POST',
+      internal: true,
+    })
+
+    const jsonString = JSON.stringify(res, null, 2)
+
+    const blob = new Blob([jsonString], { type: 'application/json' })
+    generated.value = URL.createObjectURL(blob)
+  } catch (err) {
+    addNotification({
+      title: 'An error occurred',
+      text: err.data ? err.data.description : err,
+      type: 'error',
+    })
+  }
+
+  generatingExport.value = false
+  stopLoading()
 }
 </script>
 <style lang="scss" scoped>
 canvas {
-	margin: 0 auto;
-	border-radius: var(--size-rounded-card);
+  margin: 0 auto;
+  border-radius: var(--size-rounded-card);
 }
 
 .table-row {
-	grid-template-columns: 1fr 10rem;
-
-	span {
-		display: flex;
-		align-items: center;
-		margin: auto 0;
-
-		svg {
-			width: 1.25rem;
-			height: 1.25rem;
-			margin-right: 0.35rem;
-		}
-	}
+  grid-template-columns: 1fr 10rem;
+
+  span {
+    display: flex;
+    align-items: center;
+    margin: auto 0;
+
+    svg {
+      width: 1.25rem;
+      height: 1.25rem;
+      margin-right: 0.35rem;
+    }
+  }
 }
 </style>
diff --git a/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json b/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json
deleted file mode 100644
index ec0a3a0aac..0000000000
--- a/apps/labrinth/.sqlx/query-80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "\n            UPDATE users\n            SET webauthn_passkey = $2\n            WHERE (id = $1)\n            ",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Int8",
-        "Jsonb"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "80b130ef14b58c5e55ef063e9c3d0d4b9050fea8a6ac9db80f77ed850a3e8efc"
-}
diff --git a/apps/labrinth/.sqlx/query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json b/apps/labrinth/.sqlx/query-b87b5ac280e3fb5fc62770033531fe484d598f80d0cee5f838d10b40d7e927af.json
similarity index 67%
rename from apps/labrinth/.sqlx/query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json
rename to apps/labrinth/.sqlx/query-b87b5ac280e3fb5fc62770033531fe484d598f80d0cee5f838d10b40d7e927af.json
index e669d6cc47..24aedbfa22 100644
--- a/apps/labrinth/.sqlx/query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json
+++ b/apps/labrinth/.sqlx/query-b87b5ac280e3fb5fc62770033531fe484d598f80d0cee5f838d10b40d7e927af.json
@@ -1,10 +1,6 @@
 {
   "db_name": "PostgreSQL",
-<<<<<<<< HEAD:apps/labrinth/.sqlx/query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json
-  "query": "\n                    SELECT id, email,\n                        avatar_url, raw_avatar_url, username, bio,\n                        created, role, badges,\n                        github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,\n                        email_verified, password, totp_secret, webauthn_passkey, paypal_id, paypal_country, paypal_email,\n                        venmo_handle, stripe_customer_id, allow_friend_requests\n                    FROM users\n                    WHERE id = ANY($1) OR LOWER(username) = ANY($2)\n                    ",
-========
-  "query": "\n                    SELECT id, email,\n                        avatar_url, raw_avatar_url, username, bio,\n                        created, role, badges,\n                        github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,\n                        email_verified, password, totp_secret, paypal_id, paypal_country, paypal_email,\n                        venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter\n                    FROM users\n                    WHERE id = ANY($1) OR LOWER(username) = ANY($2)\n                    ",
->>>>>>>> upstream/main:apps/labrinth/.sqlx/query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json
+  "query": "\n                    SELECT id, email,\n                        avatar_url, raw_avatar_url, username, bio,\n                        created, role, badges,\n                        github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,\n                        email_verified, password, totp_secret, webauthn_passkeys, paypal_id, paypal_country, paypal_email,\n                        venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter\n                    FROM users\n                    WHERE id = ANY($1) OR LOWER(username) = ANY($2)\n                    ",
   "describe": {
     "columns": [
       {
@@ -99,7 +95,7 @@
       },
       {
         "ordinal": 18,
-        "name": "webauthn_passkey",
+        "name": "webauthn_passkeys",
         "type_info": "Jsonb"
       },
       {
@@ -133,7 +129,7 @@
         "type_info": "Bool"
       },
       {
-        "ordinal": 24,
+        "ordinal": 25,
         "name": "is_subscribed_to_newsletter",
         "type_info": "Bool"
       }
@@ -163,22 +159,15 @@
       false,
       true,
       true,
+      false,
       true,
       true,
       true,
       true,
       true,
-<<<<<<<< HEAD:apps/labrinth/.sqlx/query-57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b.json
-      true,
-      false
-    ]
-  },
-  "hash": "57d72c122f1fea3ea9ebefbcfd5f7cae270a26aa075e1e06f89528739e3f557b"
-========
       false,
       false
     ]
   },
-  "hash": "5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4"
->>>>>>>> upstream/main:apps/labrinth/.sqlx/query-5fcdeeeb820ada62e10feb0beefa29b0535241bbb6d74143925e16cf8cd720c4.json
+  "hash": "b87b5ac280e3fb5fc62770033531fe484d598f80d0cee5f838d10b40d7e927af"
 }
diff --git a/apps/labrinth/Cargo.toml b/apps/labrinth/Cargo.toml
index 686adc7529..d6571b8635 100644
--- a/apps/labrinth/Cargo.toml
+++ b/apps/labrinth/Cargo.toml
@@ -124,6 +124,7 @@ url = { workspace = true }
 urlencoding = { workspace = true }
 uuid = { workspace = true, features = ["fast-rng", "serde", "v4"] }
 validator = { workspace = true, features = ["derive"] }
+webauthn-rs = { workspace = true }
 webp = { workspace = true }
 woothee = { workspace = true }
 yaserde = { workspace = true, features = ["derive"] }
@@ -138,8 +139,6 @@ chrono = { workspace = true }
 dotenv-build = { workspace = true }
 iana-time-zone = { workspace = true }
 
-webauthn-rs.workspace = true
-
 [target.'cfg(target_os = "linux")'.dependencies]
 jemalloc_pprof = { workspace = true, features = ["flamegraph"] }
 tikv-jemalloc-ctl = { workspace = true, features = ["stats"] }
diff --git a/apps/labrinth/migrations/20250715014925_webauthn.sql b/apps/labrinth/migrations/20250715014925_webauthn.sql
index 9e25126d39..64c4b09314 100644
--- a/apps/labrinth/migrations/20250715014925_webauthn.sql
+++ b/apps/labrinth/migrations/20250715014925_webauthn.sql
@@ -1,2 +1,2 @@
 ALTER TABLE users
-    ADD COLUMN webauthn_passkey jsonb default NULL
\ No newline at end of file
+    ADD COLUMN webauthn_passkeys jsonb not null default '{}' -- Empty map
\ No newline at end of file
diff --git a/apps/labrinth/src/auth/webauthn.rs b/apps/labrinth/src/auth/webauthn.rs
index f26fdcef25..c12d699257 100644
--- a/apps/labrinth/src/auth/webauthn.rs
+++ b/apps/labrinth/src/auth/webauthn.rs
@@ -3,8 +3,7 @@ use regex::Regex;
 use webauthn_rs::{Webauthn, WebauthnBuilder};
 
 pub fn startup() -> Data<Webauthn> {
-    let url =
-        url::Url::parse(&dotenvy::var("SITE_URL").unwrap_or_default()).unwrap();
+    let url = url::Url::parse(&dotenvy::var("SITE_URL").unwrap()).unwrap();
 
     let rp_id = dotenvy::var("SITE_URL")
         .ok()
@@ -15,7 +14,7 @@ pub fn startup() -> Data<Webauthn> {
                 .and_then(|caps| caps.get(1))
                 .map(|m| m.as_str().to_string())
         })
-        .unwrap_or_default();
+        .unwrap();
 
     let builder =
         WebauthnBuilder::new(&rp_id, &url).expect("Invalid configuration");
diff --git a/apps/labrinth/src/database/models/user_item.rs b/apps/labrinth/src/database/models/user_item.rs
index 2bd3c764c4..62a69871f0 100644
--- a/apps/labrinth/src/database/models/user_item.rs
+++ b/apps/labrinth/src/database/models/user_item.rs
@@ -1,3 +1,4 @@
+use std::collections::HashMap;
 use super::ids::{DBProjectId, DBUserId};
 use super::{DBCollectionId, DBReportId, DBThreadId};
 use crate::database::models;
@@ -38,7 +39,7 @@ pub struct DBUser {
     pub stripe_customer_id: Option<String>,
 
     pub totp_secret: Option<String>,
-    pub webauthn_passkey: Option<Passkey>,
+    pub webauthn_passkeys: HashMap<String, Passkey>,
 
     pub username: String,
     pub email: Option<String>,
@@ -182,7 +183,7 @@ impl DBUser {
                         avatar_url, raw_avatar_url, username, bio,
                         created, role, badges,
                         github_id, discord_id, gitlab_id, google_id, steam_id, microsoft_id,
-                        email_verified, password, totp_secret, webauthn_passkey, paypal_id, paypal_country, paypal_email,
+                        email_verified, password, totp_secret, webauthn_passkeys, paypal_id, paypal_country, paypal_email,
                         venmo_handle, stripe_customer_id, allow_friend_requests, is_subscribed_to_newsletter
                     FROM users
                     WHERE id = ANY($1) OR LOWER(username) = ANY($2)
@@ -216,10 +217,7 @@ impl DBUser {
                             venmo_handle: u.venmo_handle,
                             stripe_customer_id: u.stripe_customer_id,
                             totp_secret: u.totp_secret,
-                            webauthn_passkey: u.webauthn_passkey
-                                .map(|v| serde_json::from_value(v))
-                                .transpose()
-                                .unwrap_or_default(),
+                            webauthn_passkeys: serde_json::from_value(u.webauthn_passkeys).unwrap_or_default(),
                             allow_friend_requests: u.allow_friend_requests,
                             is_subscribed_to_newsletter: u.is_subscribed_to_newsletter,
                         };
diff --git a/apps/labrinth/src/models/v3/users.rs b/apps/labrinth/src/models/v3/users.rs
index 05505f3991..a2d97e5aa0 100644
--- a/apps/labrinth/src/models/v3/users.rs
+++ b/apps/labrinth/src/models/v3/users.rs
@@ -79,7 +79,7 @@ impl From<DBUser> for User {
             auth_providers: None,
             has_password: None,
             has_totp: None,
-            has_webauthn: None,
+            has_webauthn: Some(!data.webauthn_passkeys.is_empty()),
             github_id: None,
             stripe_customer_id: None,
             allow_friend_requests: None,
@@ -126,7 +126,7 @@ impl User {
             auth_providers: Some(auth_providers),
             has_password: Some(db_user.password.is_some()),
             has_totp: Some(db_user.totp_secret.is_some()),
-            has_webauthn: Some(db_user.webauthn_passkey.is_some()),
+            has_webauthn: Some(!db_user.webauthn_passkeys.is_empty()),
             github_id: None,
             payout_data: Some(UserPayoutData {
                 paypal_address: db_user.paypal_email,
diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
index 4078def632..17e869e6f1 100644
--- a/apps/labrinth/src/routes/internal/flows.rs
+++ b/apps/labrinth/src/routes/internal/flows.rs
@@ -3,8 +3,8 @@ use crate::auth::validate::{
 };
 use crate::auth::{AuthProvider, AuthenticationError, get_user_from_headers};
 use crate::database::models::flow_item::DBFlow;
-use crate::database::models::{DBUser, DBUserId};
 use crate::database::models::notification_item::NotificationBuilder;
+use crate::database::models::{DBUser, DBUserId};
 use crate::database::redis::RedisPool;
 use crate::file_hosting::{FileHost, FileHostPublicity};
 use crate::models::notifications::NotificationBody;
@@ -38,8 +38,8 @@ use std::str::FromStr;
 use std::sync::Arc;
 use uuid::Uuid;
 use validator::Validate;
-use webauthn_rs::prelude::{RegisterPublicKeyCredential};
 use webauthn_rs::Webauthn;
+use webauthn_rs::prelude::RegisterPublicKeyCredential;
 use zxcvbn::Score;
 
 pub fn config(cfg: &mut ServiceConfig) {
@@ -231,7 +231,7 @@ impl TempUser {
                 venmo_handle: None,
                 stripe_customer_id: None,
                 totp_secret: None,
-                webauthn_passkey: None,
+                webauthn_passkeys: HashMap::new(),
                 username,
                 email: self.email.clone(),
                 email_verified: self.email.is_some(),
@@ -1418,7 +1418,7 @@ pub async fn create_account_with_password(
         venmo_handle: None,
         stripe_customer_id: None,
         totp_secret: None,
-        webauthn_passkey: None,
+        webauthn_passkeys: HashMap::new(),
         username: new_account.username.clone(),
         email: Some(new_account.email.clone()),
         email_verified: false,
@@ -2156,7 +2156,7 @@ pub async fn change_password(
     }
 
     transaction.commit().await?;
-    crate::database::models::DBUser::clear_caches(&[(user.id, None)], &redis)
+    DBUser::clear_caches(&[(user.id, None)], &redis)
         .await?;
 
     Ok(HttpResponse::Ok().finish())
@@ -2164,6 +2164,7 @@ pub async fn change_password(
 
 #[derive(Deserialize, Validate)]
 pub struct SetupWebauthnFinish {
+    pub name: String,
     pub cred: RegisterPublicKeyCredential,
     pub flow: String,
 }
@@ -2194,10 +2195,13 @@ pub async fn webauthn_register_start(
 
     let (ccr, reg_state) = webauthn
         .start_passkey_registration(
-            user_uuid, &username, &username, None, //exclude_credentials, TODO
+            user_uuid, &username, &username,
+            None, //exclude_credentials, TODO
         )
         .map_err(|e| {
-            tracing::error!("Encountered error while starting passkey reg: {e}");
+            tracing::error!(
+                "Encountered error while starting passkey reg: {e}"
+            );
             ApiError::WebauthnRegistration
         })?;
 
@@ -2226,29 +2230,30 @@ pub async fn webauthn_register_finish(
         .await?
         .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
-    if let DBFlow::InitializeWebauthn { user_id, reg_state, .. } = flow {
+    if let DBFlow::InitializeWebauthn {
+        user_id, reg_state, ..
+    } = flow
+    {
         let sk = webauthn
             .finish_passkey_registration(&login.cred, &reg_state)
             .map_err(|e| {
-                tracing::error!("Encountered error while finishing passkey reg: {e}");
+                tracing::error!(
+                    "Encountered error while finishing passkey reg: {e}"
+                );
                 ApiError::WebauthnRegistration
             })?;
 
-        let sk_json = serde_json::to_value(&sk)
+        let sk_json = serde_json::to_value(HashMap::from([(login.name.clone(), sk)]))
             .map_err(|_| ApiError::WebauthnRegistration)?;
 
-        sqlx::query!(
-            "
+        sqlx::query("
             UPDATE users
-            SET webauthn_passkey = $2
-            WHERE (id = $1)
-            ",
-            user_id.0,
-            sk_json
+            SET webauthn_passkeys = COALESCE(webauthn_passkeys, '{}'::jsonb) || $1::jsonb
+            WHERE id = $2",
         )
-            .execute(&**pool)
-            .await?;
-
+            .bind(sk_json)
+            .bind(user_id.0)
+            .execute(&**pool).await?;
 
         Ok(HttpResponse::Ok().finish())
     } else {
diff --git a/packages/utils/types.ts b/packages/utils/types.ts
index e433e9505d..ab1d036086 100644
--- a/packages/utils/types.ts
+++ b/packages/utils/types.ts
@@ -352,7 +352,7 @@ export interface User {
 	email_verified?: boolean
 	has_password?: boolean
 	has_totp?: boolean
-  has_webauthn?: boolean
+    has_webauthn?: boolean
 }
 
 export enum TeamMemberPermission {