=== Authentry - Face ID, Fingerprint & Passkey Login ===
Contributors:      hosseinalehabib
Tags:              passkey, webauthn, passwordless-login, fingerprint, login
Requires at least: 6.0
Tested up to:      7.0
Requires PHP:      7.4
Stable tag:        1.0.0
License:           GPL-2.0+
License URI:       https://www.gnu.org/licenses/gpl-2.0.html

Passwordless passkey login for WordPress using Face ID, fingerprint, Touch ID, and Windows Hello.


== Description ==

## 🔐 Passwordless Login Is Here, and It's Simpler Than You Think

**Authentry** brings passkey authentication to WordPress. One tap. One glance. Instantly signed in.

No passwords to type. No usernames to remember. No resets, no friction, no phishing.

Passkeys are built on the **WebAuthn / FIDO2 standard**, the same technology trusted by Google, Apple, and Microsoft. Authentry brings that same enterprise-grade security to any WordPress site, for free.

---

### 👆 Your Users Already Know How to Use It

They unlock their phone with a fingerprint or Face ID dozens of times a day. Authentry makes signing into your site feel exactly the same.

Here's the flow: user taps the Authentry button → confirms with Touch ID, Face ID, Android fingerprint, or Windows Hello → they're in. That's it.

Enable **usernameless login** in settings and they don't even need to type their email. The site finds their passkey automatically, as effortless as unlocking their phone.

💡 **Perfect for:** membership sites, WooCommerce stores, subscription platforms, and any audience that expects a fast, modern, mobile-first experience.

---

## ✨ Key Features

* 🚫 **Zero-password login**: tap a fingerprint or glance at the camera to sign in instantly
* 👆 **Full biometric support**: Face ID, Touch ID, Android fingerprint, and Windows Hello
* 👤 **Usernameless sign-in**: passkey account discovery lets users skip typing their email entirely, with a smart fallback for unsupported devices
* 🛡️ **FIDO2 / WebAuthn compliant**: follows the W3C WebAuthn Level 2 specification
* 🔑 **ES256 and RS256 support**: works with all major authenticator types
* 🛒 **Full WooCommerce integration**: passkey buttons on login and registration forms, plus a Security Keys tab in My Account
* ⚙️ **User profile management**: view, rename, and delete passkeys from WP Admin, WooCommerce My Account, or any page via the `[authentry_manage]` shortcode
* 📌 **Three ready-to-use shortcodes**: `[authentry_button]` to sign in, `[authentry_register]` to add a passkey, `[authentry_manage]` for the full management UI
* 🧰 **Developer-friendly hooks**: filters and actions for complete customization
* 🎨 **Tabbed settings page**: General, Appearance, Security, Advanced, and Integration
* ⏱️ **Rate limiting**: transient-based, 10 requests per IP per minute
* 🔄 **Replay attack protection**: sign count strictly enforced per credential
* 🌙 **Dark mode support**: full CSS dark mode included out of the box

---

## 🌐 Supported Browsers

* Chrome 67+ (desktop and Android)
* Safari 16+ (macOS and iOS)
* Firefox 60+
* Microsoft Edge 18+
* Samsung Internet 9.0+

---

## 📋 Shortcode Reference

### Sign-In Button (guests)

`[authentry_button label="Sign in with Passkey" style="default" redirect="" class=""]`

### Add a Passkey (logged-in users only)

`[authentry_register label="Add a passkey" style="default" class="" reload="1"]`

Omit `label` to use the value set in Appearance settings. Set `reload="0"` to stay on the page after a successful registration.

### Full Passkey Management UI (logged-in users only)

`[authentry_manage class="" title=""]`

Lists all passkeys with rename, delete, and add controls, the same UI shown in WooCommerce My Account and the WP Admin profile page. Scripts load automatically.

---

### Shortcode Attributes - `[authentry_button]`

* `label`: button text (default: from Appearance settings)
* `style`: `default`, `outline`, or `ghost`
* `redirect`: URL to send the user after a successful login
* `class`: additional CSS class names

### Shortcode Attributes - `[authentry_register]`

* `label`: button text (default: from Appearance settings)
* `style`: `default`, `outline`, or `ghost`
* `class`: extra CSS class on the wrapper
* `reload`: `1` (default) reloads the page after registration; `0`, `false`, or `no` stays on the current page

### Shortcode Attributes - `[authentry_manage]`

* `class`: extra CSS class on the wrapper
* `title`: optional section heading (default: "Security Keys"; also filterable via `authentry_manage_heading`)

---

## 🔧 Custom Login Pages

Already have a custom login page? No problem. Just drop the Authentry button in and keep your existing form. No need to rebuild anything.

**✅ Recommended: Shortcode**

1. Edit your custom login page
2. Add a Shortcode block:

`[authentry_button]`

3. Optionally, pass attributes:

`[authentry_button label="Sign in with Passkey" redirect="https://yoursite.com/my-account/" style="outline"]`

Authentry automatically enqueues its CSS and JavaScript on standard front-end pages. No extra setup needed.

---

**Alternative: PHP Template**

In your login template file:

`do_action( 'authentry_render_button', [ 'redirect' => home_url( '/my-account/' ) ] );`

Any missing keys fall back to your **Authentry > Appearance** and **General** settings.

---

### Username / Email Field (non-usernameless flow)

When usernameless login is off, or when a browser falls back from discovery mode, Authentry looks for a username or email field using these selectors:

* `#user_login` (WordPress default)
* `input[name="username"]`
* `input[name="email"]`

If the field is already filled when the user clicks the button, that value is sent automatically. If it's empty, the user is prompted. With usernameless login on, users can often sign in without typing anything at all.

---

### Let Users Manage Their Passkeys

On any member dashboard or account page (logged-in users), add the full management UI:

`[authentry_manage]`

Or just the "Add a passkey" button with no list:

`[authentry_register]`

In a theme template:

`do_action( 'authentry_render_manage', [ 'title' => 'Security Keys' ] );`

---

### Page Builders & Late-Rendered Output

If the button is printed after `wp_enqueue_scripts`, for example in some page builders or AJAX-loaded forms, fire this hook once before output:

`do_action( 'authentry_enqueue_public_assets' );`

The `[authentry_register]` and `[authentry_manage]` shortcodes handle this automatically. Use the same hook in custom templates if styles or scripts appear to be missing.

---

### Redirects & Customization

* **Per-button redirect:** `redirect` attribute on `[authentry_button]`, or the `redirect` key in `authentry_render_button`
* **Global redirect:** **Authentry > General > Redirect URL after login**, or the `authentry_redirect_url` filter
* **Button HTML:** `authentry_button_html` filter

---

### For Developers

See **Authentry > Integration** in the admin for the full reference of shortcodes, actions, filters, and REST API endpoints (`/wp-json/authentry/v1/...`). The global `window.Authentry` object is also available for advanced JavaScript integrations.

**Hook-Only Example (theme login template)**

Step 1 - In your login markup:

`do_action( 'authentry_render_button', [ 'context' => 'my-theme-login' ] );`

Step 2 - In `functions.php` or your login class:

`add_filter( 'authentry_login_username_selectors', function( $selectors ) {
    $selectors[] = '#my-login-email';
    return $selectors;
} );`

`add_filter( 'authentry_redirect_url', function( $url, $user ) {
    return home_url( '/account/' );
}, 10, 2 );`

---

## 🧑‍💻 Developer Hooks

### Actions - Render UI in Theme Templates

`do_action( 'authentry_render_button', $args );`
`do_action( 'authentry_render_manage', [ 'class' => '', 'title' => '' ] );`

### Filters

* `authentry_creation_options`: modify WebAuthn credential creation options
* `authentry_request_options`: modify WebAuthn authentication request options
* `authentry_redirect_url`: modify the post-login redirect URL
* `authentry_button_html`: modify the rendered login button HTML
* `authentry_register_shortcode_html`: modify the rendered `[authentry_register]` HTML
* `authentry_manage_shortcode_html`: modify the rendered `[authentry_manage]` HTML
* `authentry_manage_heading`: modify the section heading on the management UI
* `authentry_render_manage_args`: adjust args before `authentry_render_manage` output
* `authentry_render_button_args`: adjust args before `authentry_render_button` output
* `authentry_login_username_selectors`: CSS selectors for username/email fields on custom login forms

### Actions

* `authentry_enqueue_public_assets`: enqueue public CSS/JS (useful when output is built late)
* `authentry_before_manage_passkeys` / `authentry_after_manage_passkeys`: fires before/after the management UI block
* `authentry_before_render_login_button`: fires before sign-in button HTML is echoed in custom templates
* `authentry_after_render_login_button`: fires after sign-in button HTML is echoed in custom templates

== Installation ==

1. Upload the `authentry` folder to `/wp-content/plugins/`.
2. Activate the plugin via the **Plugins** menu in WordPress.
3. Go to **Authentry** in the WordPress admin sidebar and configure your settings.
4. Your site **must be served over HTTPS**. WebAuthn requires a secure context. This is a strict browser-level requirement and cannot be overridden.

== Frequently Asked Questions ==

= 🔒 Does Authentry require HTTPS? =

Yes. The WebAuthn standard requires a secure context (HTTPS). Authentry will not work on HTTP sites. This is a browser-level security requirement and cannot be overridden.

= 🔑 Will this remove the password login form? =

No. By default, the passkey button is added alongside the existing login form. Users can still log in with their username and password. You can optionally configure Authentry to replace the password field entirely.

= 👤 Can users log in without entering a username? =

Yes Enable **"Enable usernameless passkey login"** in settings to allow discoverable-credential login where the authenticator and browser support it. If account discovery isn't available on a device, Authentry automatically falls back to the standard username/email + passkey flow.

= 📱 Which authenticators are supported? =

Any FIDO2-compatible authenticator works, including:

* **Platform authenticators:** Touch ID, Face ID, Windows Hello, Android fingerprint
* **Roaming authenticators:** YubiKey, Google Titan Key, and similar hardware security keys

= 👆 Does this support Face ID and fingerprint login? =

Yes On compatible devices and browsers, users can authenticate using Face ID, Touch ID, Android fingerprint, or Windows Hello, all through the standard WebAuthn passkey flow.

= 💡 Why offer passkey login to subscribers and customers? =

Most people already trust biometrics to unlock their phone. Passkeys use the same built-in device security, so signing into your site feels as natural as unlocking a screen: one touch or one glance instead of typing a password. Less friction at checkout, in member areas, and on return visits, all while staying fully phishing-resistant.

= 🔢 How many passkeys can a user register? =

The default limit is **5 passkeys per user**. You can adjust this (from 1 to 20) under **Authentry > Security**.

= 🛒 Is Authentry compatible with WooCommerce? =

Yes Authentry adds passkey buttons to WooCommerce login and registration forms, and can display passkey management in My Account (toggle **Show passkeys in WooCommerce My Account** under **Authentry > General**).

You can choose between:

* **Separate menu item (endpoint):** a dedicated Security Keys tab
* **Inside Account details (edit profile):** passkeys embedded on the account settings screen

WooCommerce-specific options only appear when WooCommerce is active.

= 🛡️ Is it safe? How is replay attack protection handled? =

Each authentication uses a cryptographically random 32-byte challenge stored as a single-use transient. The challenge is deleted immediately after verification.

Sign counts are tracked per credential. If the received count is not strictly greater than the stored count, authentication is rejected, indicating a possible cloned authenticator. All signatures are cryptographically verified using OpenSSL.

= 💾 Where are passkeys stored? =

Passkey public keys are stored in a custom database table (`{prefix}authentry_credentials`). The **private key never leaves the user's device**. Only the public key is ever sent to your server.

= 🌐 Can I use Authentry on a WordPress Multisite network? =

Authentry is compatible with WordPress Multisite but operates on a **per-site basis**. Each site in the network maintains its own credential table and settings.

= ⚡ Does it work with caching plugins? =

Yes. The REST API endpoints used by Authentry bypass full-page caching automatically (they return JSON, not HTML). No special configuration is required for most caching plugins.

= 📵 What happens if a user loses their device? =

The user can still log in with their password (if they remember it), then remove the lost device's passkey from their profile. Administrators can also delete credentials directly from the user's profile in WP Admin.

= 🎨 I use a custom login page. How do I add passkey login? =

Place `[authentry_button]` on your custom login page, or call `do_action( 'authentry_render_button' );` in your login template.

Disable **Enable on WordPress login form** under **Authentry > General** if you don't use `wp-login.php`. See the **Custom Login Pages** section above for full details on username fields, redirects, and enrollment using `[authentry_register]`.

== Screenshots ==

1. WooCommerce login and register form with the Authentry passkey button.
2. WordPress login form with the Authentry passkey button.
3. WordPress register form with the Authentry add passkey button.
4. Login with Face ID in Windows
5. WooCommerce My account page in a Separate menu "Security key" to manage passkeys
6. WooCommerce My account page in edit profile tab to manage passkeys
7. Wordpress edit profile to see and manage user passkeys
8. Authentry General settings 
9. Authentry Appearance settings 
10. Authentry Security settings 
11. Authentry Advanced settings 
12. Authentry Integration for adding to any form and panel


== Changelog ==

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.0 =
Welcome to Authentry Please ensure your site is served over HTTPS before activating the plugin.