Add WebAuthn/Passkey authentication support

[florida117]

Summary

Implements passwordless passkey (WebAuthn) authentication for the admin interface, as requested in #3363.

• Passwordless login: "Sign in with Passkey" button on the login page — the browser presents registered passkeys directly, no email or password needed
• Passkey management: Users can register, rename, and delete passkeys from the user dropdown menu
• Bypasses 2FA: Passkeys are inherently multi-factor (device possession + biometric/PIN), so TOTP is skipped when authenticating with a passkey
• Auto-detected RP settings: WebAuthn relying party ID and origin are automatically derived from the incoming request headers, so passkeys work behind reverse proxies without configuration

Configuration

WebAuthn relying party settings are auto-detected from the request. When behind a reverse proxy, the standard X-Forwarded-Host and X-Forwarded-Proto headers are used (Express trust proxy is already enabled).

Environment variables are available as optional overrides if needed:

Variable	Default	Description
WEBAUTHN_RP_ID	req.hostname (auto-detected)	Relying party domain
WEBAUTHN_RP_NAME	Nginx Proxy Manager	Display name shown during registration
WEBAUTHN_ORIGIN	req.protocol + req.get("host") (auto-detected)	Full origin URL

Passkeys registered under one origin will not work from a different origin — this is by design in the WebAuthn spec.

Backend changes

• New webauthn_credential database table via Knex migration
• New Objection.js model (backend/models/webauthn_credential.js)
• Business logic module (backend/internal/webauthn.js) handling registration, authentication, listing, renaming, and deletion
• getTokenFromPasskey() added to backend/internal/token.js
• New unauthenticated routes: POST /tokens/passkey/options, POST /tokens/passkey/verify
• New authenticated routes: GET/POST/PUT/DELETE /users/:id/passkeys/...
• OpenAPI schema definitions for all new endpoints

Frontend changes

• @simplewebauthn/browser integration in AuthContext (loginWithPasskey)
• "Sign in with Passkey" button on login page (conditionally hidden if browser lacks WebAuthn support)
• PasskeyModal for managing passkeys (register, list, rename, delete)
• Passkeys menu item added to user dropdown in SiteHeader
• Full i18n support via react-intl locale strings

Dependencies added

• Backend: @simplewebauthn/server@^11.0.0
• Frontend: @simplewebauthn/browser@^11.0.0

Test plan

• Run npx knex migrate:latest — verify webauthn_credential table is created
• Verify existing email/password login still works
• Verify existing TOTP 2FA flow still works
• Register a passkey via Settings > Passkeys
• Log out and sign in using the "Sign in with Passkey" button (passwordless)
• Rename a registered passkey
• Delete a registered passkey
• Verify passkey button is hidden in browsers without WebAuthn support
• Test with different databases (SQLite, MySQL, PostgreSQL)
• Test access via reverse proxy — RP settings should auto-detect from forwarded headers

Closes #3363

🤖 Generated with Claude Code

[nginxproxymanagerci]

Docker Image for build 11 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5267

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!