Implement passkey login functionality and enhance passkey support checks

server/api/auth/passkeys/authentication-options.post.js

@@ -1,4 +1,5 @@
 import { generateAuthenticationOptions } from '@simplewebauthn/server'
+import { readUsers } from '../../../utils/auth.js'
 import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
 import { setAuthChallenge } from '../../../utils/webauthn-challenges.js'
 
@@ -16,11 +17,31 @@ export default defineEventHandler(async (event) => {
     return { success: true }
   }
 
+  const body = await readBody(event)
+  const email = String(body?.email || '').trim().toLowerCase()
+
   const { rpId } = getWebAuthnConfig()
 
-  // Username-less / discoverable credentials: allowCredentials absichtlich leer
+  let allowCredentials
+  if (email) {
+    const users = await readUsers()
+    const user = users.find(u => String(u.email || '').toLowerCase() === email)
+    const passkeys = Array.isArray(user?.passkeys) ? user.passkeys : []
+
+    allowCredentials = passkeys
+      .filter(pk => pk?.credentialId)
+      .map(pk => ({
+        id: pk.credentialId,
+        type: 'public-key',
+        transports: pk.transports || undefined
+      }))
+  }
+
+  // Ohne E-Mail: discoverable Credentials (username-less).
+  // Mit E-Mail: allowCredentials nutzen, damit auch nicht-discoverable Credentials funktionieren.
   const options = await generateAuthenticationOptions({
     rpID: rpId,
+    allowCredentials,
     userVerification: 'preferred',
     // Timeout erhöhen für Cross-Device (Standard: 60s, hier: 5 Minuten)
     timeout: 300000