Add WebAuthn / Passkey integration

This is a rebase of #1618 in which @dave-atx added WebAuthn support. Closes #1618
author: Florian Rüchel <florian.ruechel.github@inexplicity.de> 2023-11-06 04:27:35 +1030
committer: GitHub <noreply@github.com> 2023-11-05 18:57:35 +0100
commit: 62ef8ed57aab9f2b05a64b153d231ae4f42769f4 (patch)
tree: acc33ab1fd02113f8fc93751e593dc67ff504a84 /internal/ui/webauthn.go
parent: 62188b49f072ea3c2bf30a8ed42f8b9303840191 (diff)
download: v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.tar.gz
v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.tar.zst
v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.zip
1 files changed, 395 insertions, 0 deletions
diff --git a/internal/ui/webauthn.go b/internal/ui/webauthn.go
new file mode 100644
index 00000000..0071c74c
--- /dev/null
+++ b/internal/ui/webauthn.go
@@ -0,0 +1,395 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package ui // import "miniflux.app/v2/internal/ui"
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"net/url"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"miniflux.app/v2/internal/config"
+	"miniflux.app/v2/internal/crypto"
+	"miniflux.app/v2/internal/http/cookie"
+	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response/html"
+	"miniflux.app/v2/internal/http/response/json"
+	"miniflux.app/v2/internal/http/route"
+	"miniflux.app/v2/internal/model"
+	"miniflux.app/v2/internal/ui/form"
+	"miniflux.app/v2/internal/ui/session"
+	"miniflux.app/v2/internal/ui/view"
+)
+
+type WebAuthnUser struct {
+	User        *model.User
+	AuthnID     []byte
+	Credentials []model.WebAuthnCredential
+}
+
+func (u WebAuthnUser) WebAuthnID() []byte {
+	return u.AuthnID
+}
+
+func (u WebAuthnUser) WebAuthnName() string {
+	return u.User.Username
+}
+
+func (u WebAuthnUser) WebAuthnDisplayName() string {
+	return u.User.Username
+}
+
+func (u WebAuthnUser) WebAuthnIcon() string {
+	return ""
+}
+
+func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential {
+	creds := make([]webauthn.Credential, len(u.Credentials))
+	for i, cred := range u.Credentials {
+		creds[i] = cred.Credential
+	}
+	return creds
+}
+
+func newWebAuthn(h *handler) (*webauthn.WebAuthn, error) {
+	url, err := url.Parse(config.Opts.BaseURL())
+	if err != nil {
+		return nil, err
+	}
+	return webauthn.New(&webauthn.Config{
+		RPDisplayName: "Miniflux",
+		RPID:          url.Hostname(),
+		RPOrigin:      config.Opts.RootURL(),
+	})
+}
+
+func (h *handler) beginRegistration(w http.ResponseWriter, r *http.Request) {
+	web, err := newWebAuthn(h)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	uid := request.UserID(r)
+	if uid == 0 {
+		json.Unauthorized(w, r)
+		return
+	}
+	user, err := h.store.UserByID(uid)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	var creds []model.WebAuthnCredential
+
+	creds, err = h.store.WebAuthnCredentialsByUserID(user.ID)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	credsDescriptors := make([]protocol.CredentialDescriptor, len(creds))
+	for i, cred := range creds {
+		credsDescriptors[i] = cred.Credential.Descriptor()
+	}
+
+	options, sessionData, err := web.BeginRegistration(
+		WebAuthnUser{
+			user,
+			crypto.GenerateRandomBytes(32),
+			nil,
+		},
+		webauthn.WithExclusions(credsDescriptors),
+	)
+
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	s := session.New(h.store, request.SessionID(r))
+	s.SetWebAuthnSessionData(&model.WebAuthnSession{SessionData: sessionData})
+	json.OK(w, r, options)
+}
+
+func (h *handler) finishRegistration(w http.ResponseWriter, r *http.Request) {
+	web, err := newWebAuthn(h)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	uid := request.UserID(r)
+	if uid == 0 {
+		json.Unauthorized(w, r)
+		return
+	}
+	user, err := h.store.UserByID(uid)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	sessionData := request.WebAuthnSessionData(r)
+	webAuthnUser := WebAuthnUser{user, sessionData.UserID, nil}
+	cred, err := web.FinishRegistration(webAuthnUser, *sessionData.SessionData, r)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	err = h.store.AddWebAuthnCredential(uid, sessionData.UserID, cred)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	handleEncoded := model.WebAuthnCredential{Handle: sessionData.UserID}.HandleEncoded()
+	redirect := route.Path(h.router, "webauthnRename", "credentialHandle", handleEncoded)
+	json.OK(w, r, map[string]string{"redirect": redirect})
+}
+
+func (h *handler) beginLogin(w http.ResponseWriter, r *http.Request) {
+	web, err := newWebAuthn(h)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	var user *model.User
+	username := request.QueryStringParam(r, "username", "")
+	if username != "" {
+		user, err = h.store.UserByUsername(username)
+		if err != nil {
+			json.Unauthorized(w, r)
+			return
+		}
+	}
+
+	var assertion *protocol.CredentialAssertion
+	var sessionData *webauthn.SessionData
+	if user != nil {
+		creds, err := h.store.WebAuthnCredentialsByUserID(user.ID)
+		if err != nil {
+			json.ServerError(w, r, err)
+			return
+		}
+		assertion, sessionData, err = web.BeginLogin(WebAuthnUser{user, nil, creds})
+		if err != nil {
+			json.ServerError(w, r, err)
+			return
+		}
+	} else {
+		assertion, sessionData, err = web.BeginDiscoverableLogin()
+		if err != nil {
+			json.ServerError(w, r, err)
+			return
+		}
+	}
+
+	s := session.New(h.store, request.SessionID(r))
+	s.SetWebAuthnSessionData(&model.WebAuthnSession{SessionData: sessionData})
+	json.OK(w, r, assertion)
+}
+
+func (h *handler) finishLogin(w http.ResponseWriter, r *http.Request) {
+	web, err := newWebAuthn(h)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	parsedResponse, err := protocol.ParseCredentialRequestResponseBody(r.Body)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	sessionData := request.WebAuthnSessionData(r)
+
+	var user *model.User
+	username := request.QueryStringParam(r, "username", "")
+	if username != "" {
+		user, err = h.store.UserByUsername(username)
+		if err != nil {
+			json.Unauthorized(w, r)
+			return
+		}
+	}
+
+	var cred *model.WebAuthnCredential
+	if user != nil {
+		creds, err := h.store.WebAuthnCredentialsByUserID(user.ID)
+		if err != nil {
+			json.ServerError(w, r, err)
+			return
+		}
+		sessionData.SessionData.UserID = parsedResponse.Response.UserHandle
+		credCredential, err := web.ValidateLogin(WebAuthnUser{user, parsedResponse.Response.UserHandle, creds}, *sessionData.SessionData, parsedResponse)
+		if err != nil {
+			json.Unauthorized(w, r)
+			return
+		}
+
+		for _, credTest := range creds {
+			if bytes.Equal(credCredential.ID, credTest.Credential.ID) {
+				cred = &credTest
+			}
+		}
+
+		if cred == nil {
+			json.ServerError(w, r, fmt.Errorf("no matching credential for %v", credCredential))
+			return
+		}
+	} else {
+		userByHandle := func(rawID, userHandle []byte) (webauthn.User, error) {
+			var uid int64
+			uid, cred, err = h.store.WebAuthnCredentialByHandle(userHandle)
+			if err != nil {
+				return nil, err
+			}
+			if uid == 0 {
+				return nil, fmt.Errorf("no user found for handle %x", userHandle)
+			}
+			user, err = h.store.UserByID(uid)
+			if err != nil {
+				return nil, err
+			}
+			if user == nil {
+				return nil, fmt.Errorf("no user found for handle %x", userHandle)
+			}
+			return WebAuthnUser{user, userHandle, []model.WebAuthnCredential{*cred}}, nil
+		}
+
+		_, err = web.ValidateDiscoverableLogin(userByHandle, *sessionData.SessionData, parsedResponse)
+		if err != nil {
+			json.Unauthorized(w, r)
+			return
+		}
+	}
+
+	sessionToken, _, err := h.store.CreateUserSessionFromUsername(user.Username, r.UserAgent(), request.ClientIP(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	h.store.WebAuthnSaveLogin(cred.Handle)
+
+	slog.Info("User authenticated successfully with webauthn",
+		slog.Bool("authentication_successful", true),
+		slog.String("client_ip", request.ClientIP(r)),
+		slog.String("user_agent", r.UserAgent()),
+		slog.Int64("user_id", user.ID),
+		slog.String("username", user.Username),
+	)
+	h.store.SetLastLogin(user.ID)
+
+	sess := session.New(h.store, request.SessionID(r))
+	sess.SetLanguage(user.Language)
+	sess.SetTheme(user.Theme)
+
+	http.SetCookie(w, cookie.New(
+		cookie.CookieUserSessionID,
+		sessionToken,
+		config.Opts.HTTPS,
+		config.Opts.BasePath(),
+	))
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) renameCredential(w http.ResponseWriter, r *http.Request) {
+	sess := session.New(h.store, request.SessionID(r))
+	view := view.New(h.tpl, r, sess)
+
+	user, err := h.store.UserByID(request.UserID(r))
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+
+	credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle")
+	credentialHandle, err := hex.DecodeString(credentialHandleEncoded)
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+	cred_uid, cred, err := h.store.WebAuthnCredentialByHandle(credentialHandle)
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+
+	if cred_uid != user.ID {
+		html.Forbidden(w, r)
+		return
+	}
+
+	webauthnForm := form.WebauthnForm{Name: cred.Name}
+
+	view.Set("form", webauthnForm)
+	view.Set("cred", cred)
+	view.Set("menu", "settings")
+	view.Set("user", user)
+	view.Set("countUnread", h.store.CountUnreadEntries(user.ID))
+	view.Set("countErrorFeeds", h.store.CountUserFeedsWithErrors(user.ID))
+
+	html.OK(w, r, view.Render("webauthn_rename"))
+}
+
+func (h *handler) saveCredential(w http.ResponseWriter, r *http.Request) {
+	_, err := h.store.UserByID(request.UserID(r))
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+
+	credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle")
+	credentialHandle, err := hex.DecodeString(credentialHandleEncoded)
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+
+	newName := r.FormValue("name")
+	err = h.store.WebAuthnUpdateName(credentialHandle, newName)
+	if err != nil {
+		html.ServerError(w, r, err)
+		return
+	}
+
+	html.Redirect(w, r, route.Path(h.router, "settings"))
+}
+
+func (h *handler) deleteCredential(w http.ResponseWriter, r *http.Request) {
+	uid := request.UserID(r)
+	if uid == 0 {
+		json.Unauthorized(w, r)
+		return
+	}
+
+	credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle")
+	credentialHandle, err := hex.DecodeString(credentialHandleEncoded)
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	err = h.store.DeleteCredentialByHandle(uid, []byte(credentialHandle))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+
+	json.NoContent(w, r)
+}
+
+func (h *handler) deleteAllCredentials(w http.ResponseWriter, r *http.Request) {
+	err := h.store.DeleteAllWebAuthnCredentialsByUserID(request.UserID(r))
+	if err != nil {
+		json.ServerError(w, r, err)
+		return
+	}
+	json.NoContent(w, r)
+}
author	Florian Rüchel <florian.ruechel.github@inexplicity.de>	2023-11-06 04:27:35 +1030
committer	GitHub <noreply@github.com>	2023-11-05 18:57:35 +0100
commit	62ef8ed57aab9f2b05a64b153d231ae4f42769f4 (patch)
tree	acc33ab1fd02113f8fc93751e593dc67ff504a84 /internal/ui/webauthn.go
parent	62188b49f072ea3c2bf30a8ed42f8b9303840191 (diff)
download	v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.tar.gz v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.tar.zst v2-62ef8ed57aab9f2b05a64b153d231ae4f42769f4.zip