From 62ef8ed57aab9f2b05a64b153d231ae4f42769f4 Mon Sep 17 00:00:00 2001 From: Florian RĂ¼chel Date: Mon, 6 Nov 2023 04:27:35 +1030 Subject: Add WebAuthn / Passkey integration This is a rebase of #1618 in which @dave-atx added WebAuthn support. Closes #1618 --- internal/ui/webauthn.go | 395 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 395 insertions(+) create mode 100644 internal/ui/webauthn.go (limited to 'internal/ui/webauthn.go') diff --git a/internal/ui/webauthn.go b/internal/ui/webauthn.go new file mode 100644 index 00000000..0071c74c --- /dev/null +++ b/internal/ui/webauthn.go @@ -0,0 +1,395 @@ +// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 + +package ui // import "miniflux.app/v2/internal/ui" + +import ( + "bytes" + "encoding/hex" + "fmt" + "log/slog" + "net/http" + "net/url" + + "github.com/go-webauthn/webauthn/protocol" + "github.com/go-webauthn/webauthn/webauthn" + "miniflux.app/v2/internal/config" + "miniflux.app/v2/internal/crypto" + "miniflux.app/v2/internal/http/cookie" + "miniflux.app/v2/internal/http/request" + "miniflux.app/v2/internal/http/response/html" + "miniflux.app/v2/internal/http/response/json" + "miniflux.app/v2/internal/http/route" + "miniflux.app/v2/internal/model" + "miniflux.app/v2/internal/ui/form" + "miniflux.app/v2/internal/ui/session" + "miniflux.app/v2/internal/ui/view" +) + +type WebAuthnUser struct { + User *model.User + AuthnID []byte + Credentials []model.WebAuthnCredential +} + +func (u WebAuthnUser) WebAuthnID() []byte { + return u.AuthnID +} + +func (u WebAuthnUser) WebAuthnName() string { + return u.User.Username +} + +func (u WebAuthnUser) WebAuthnDisplayName() string { + return u.User.Username +} + +func (u WebAuthnUser) WebAuthnIcon() string { + return "" +} + +func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential { + creds := make([]webauthn.Credential, len(u.Credentials)) + for i, cred := range u.Credentials { + creds[i] = cred.Credential + } + return creds +} + +func newWebAuthn(h *handler) (*webauthn.WebAuthn, error) { + url, err := url.Parse(config.Opts.BaseURL()) + if err != nil { + return nil, err + } + return webauthn.New(&webauthn.Config{ + RPDisplayName: "Miniflux", + RPID: url.Hostname(), + RPOrigin: config.Opts.RootURL(), + }) +} + +func (h *handler) beginRegistration(w http.ResponseWriter, r *http.Request) { + web, err := newWebAuthn(h) + if err != nil { + json.ServerError(w, r, err) + return + } + uid := request.UserID(r) + if uid == 0 { + json.Unauthorized(w, r) + return + } + user, err := h.store.UserByID(uid) + if err != nil { + json.ServerError(w, r, err) + return + } + var creds []model.WebAuthnCredential + + creds, err = h.store.WebAuthnCredentialsByUserID(user.ID) + if err != nil { + json.ServerError(w, r, err) + return + } + + credsDescriptors := make([]protocol.CredentialDescriptor, len(creds)) + for i, cred := range creds { + credsDescriptors[i] = cred.Credential.Descriptor() + } + + options, sessionData, err := web.BeginRegistration( + WebAuthnUser{ + user, + crypto.GenerateRandomBytes(32), + nil, + }, + webauthn.WithExclusions(credsDescriptors), + ) + + if err != nil { + json.ServerError(w, r, err) + return + } + s := session.New(h.store, request.SessionID(r)) + s.SetWebAuthnSessionData(&model.WebAuthnSession{SessionData: sessionData}) + json.OK(w, r, options) +} + +func (h *handler) finishRegistration(w http.ResponseWriter, r *http.Request) { + web, err := newWebAuthn(h) + if err != nil { + json.ServerError(w, r, err) + return + } + uid := request.UserID(r) + if uid == 0 { + json.Unauthorized(w, r) + return + } + user, err := h.store.UserByID(uid) + if err != nil { + json.ServerError(w, r, err) + return + } + sessionData := request.WebAuthnSessionData(r) + webAuthnUser := WebAuthnUser{user, sessionData.UserID, nil} + cred, err := web.FinishRegistration(webAuthnUser, *sessionData.SessionData, r) + if err != nil { + json.ServerError(w, r, err) + return + } + + err = h.store.AddWebAuthnCredential(uid, sessionData.UserID, cred) + if err != nil { + json.ServerError(w, r, err) + return + } + + handleEncoded := model.WebAuthnCredential{Handle: sessionData.UserID}.HandleEncoded() + redirect := route.Path(h.router, "webauthnRename", "credentialHandle", handleEncoded) + json.OK(w, r, map[string]string{"redirect": redirect}) +} + +func (h *handler) beginLogin(w http.ResponseWriter, r *http.Request) { + web, err := newWebAuthn(h) + if err != nil { + json.ServerError(w, r, err) + return + } + + var user *model.User + username := request.QueryStringParam(r, "username", "") + if username != "" { + user, err = h.store.UserByUsername(username) + if err != nil { + json.Unauthorized(w, r) + return + } + } + + var assertion *protocol.CredentialAssertion + var sessionData *webauthn.SessionData + if user != nil { + creds, err := h.store.WebAuthnCredentialsByUserID(user.ID) + if err != nil { + json.ServerError(w, r, err) + return + } + assertion, sessionData, err = web.BeginLogin(WebAuthnUser{user, nil, creds}) + if err != nil { + json.ServerError(w, r, err) + return + } + } else { + assertion, sessionData, err = web.BeginDiscoverableLogin() + if err != nil { + json.ServerError(w, r, err) + return + } + } + + s := session.New(h.store, request.SessionID(r)) + s.SetWebAuthnSessionData(&model.WebAuthnSession{SessionData: sessionData}) + json.OK(w, r, assertion) +} + +func (h *handler) finishLogin(w http.ResponseWriter, r *http.Request) { + web, err := newWebAuthn(h) + if err != nil { + json.ServerError(w, r, err) + return + } + + parsedResponse, err := protocol.ParseCredentialRequestResponseBody(r.Body) + if err != nil { + json.ServerError(w, r, err) + return + } + sessionData := request.WebAuthnSessionData(r) + + var user *model.User + username := request.QueryStringParam(r, "username", "") + if username != "" { + user, err = h.store.UserByUsername(username) + if err != nil { + json.Unauthorized(w, r) + return + } + } + + var cred *model.WebAuthnCredential + if user != nil { + creds, err := h.store.WebAuthnCredentialsByUserID(user.ID) + if err != nil { + json.ServerError(w, r, err) + return + } + sessionData.SessionData.UserID = parsedResponse.Response.UserHandle + credCredential, err := web.ValidateLogin(WebAuthnUser{user, parsedResponse.Response.UserHandle, creds}, *sessionData.SessionData, parsedResponse) + if err != nil { + json.Unauthorized(w, r) + return + } + + for _, credTest := range creds { + if bytes.Equal(credCredential.ID, credTest.Credential.ID) { + cred = &credTest + } + } + + if cred == nil { + json.ServerError(w, r, fmt.Errorf("no matching credential for %v", credCredential)) + return + } + } else { + userByHandle := func(rawID, userHandle []byte) (webauthn.User, error) { + var uid int64 + uid, cred, err = h.store.WebAuthnCredentialByHandle(userHandle) + if err != nil { + return nil, err + } + if uid == 0 { + return nil, fmt.Errorf("no user found for handle %x", userHandle) + } + user, err = h.store.UserByID(uid) + if err != nil { + return nil, err + } + if user == nil { + return nil, fmt.Errorf("no user found for handle %x", userHandle) + } + return WebAuthnUser{user, userHandle, []model.WebAuthnCredential{*cred}}, nil + } + + _, err = web.ValidateDiscoverableLogin(userByHandle, *sessionData.SessionData, parsedResponse) + if err != nil { + json.Unauthorized(w, r) + return + } + } + + sessionToken, _, err := h.store.CreateUserSessionFromUsername(user.Username, r.UserAgent(), request.ClientIP(r)) + if err != nil { + json.ServerError(w, r, err) + return + } + + h.store.WebAuthnSaveLogin(cred.Handle) + + slog.Info("User authenticated successfully with webauthn", + slog.Bool("authentication_successful", true), + slog.String("client_ip", request.ClientIP(r)), + slog.String("user_agent", r.UserAgent()), + slog.Int64("user_id", user.ID), + slog.String("username", user.Username), + ) + h.store.SetLastLogin(user.ID) + + sess := session.New(h.store, request.SessionID(r)) + sess.SetLanguage(user.Language) + sess.SetTheme(user.Theme) + + http.SetCookie(w, cookie.New( + cookie.CookieUserSessionID, + sessionToken, + config.Opts.HTTPS, + config.Opts.BasePath(), + )) + + json.NoContent(w, r) +} + +func (h *handler) renameCredential(w http.ResponseWriter, r *http.Request) { + sess := session.New(h.store, request.SessionID(r)) + view := view.New(h.tpl, r, sess) + + user, err := h.store.UserByID(request.UserID(r)) + if err != nil { + html.ServerError(w, r, err) + return + } + + credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle") + credentialHandle, err := hex.DecodeString(credentialHandleEncoded) + if err != nil { + html.ServerError(w, r, err) + return + } + cred_uid, cred, err := h.store.WebAuthnCredentialByHandle(credentialHandle) + if err != nil { + html.ServerError(w, r, err) + return + } + + if cred_uid != user.ID { + html.Forbidden(w, r) + return + } + + webauthnForm := form.WebauthnForm{Name: cred.Name} + + view.Set("form", webauthnForm) + view.Set("cred", cred) + view.Set("menu", "settings") + view.Set("user", user) + view.Set("countUnread", h.store.CountUnreadEntries(user.ID)) + view.Set("countErrorFeeds", h.store.CountUserFeedsWithErrors(user.ID)) + + html.OK(w, r, view.Render("webauthn_rename")) +} + +func (h *handler) saveCredential(w http.ResponseWriter, r *http.Request) { + _, err := h.store.UserByID(request.UserID(r)) + if err != nil { + html.ServerError(w, r, err) + return + } + + credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle") + credentialHandle, err := hex.DecodeString(credentialHandleEncoded) + if err != nil { + html.ServerError(w, r, err) + return + } + + newName := r.FormValue("name") + err = h.store.WebAuthnUpdateName(credentialHandle, newName) + if err != nil { + html.ServerError(w, r, err) + return + } + + html.Redirect(w, r, route.Path(h.router, "settings")) +} + +func (h *handler) deleteCredential(w http.ResponseWriter, r *http.Request) { + uid := request.UserID(r) + if uid == 0 { + json.Unauthorized(w, r) + return + } + + credentialHandleEncoded := request.RouteStringParam(r, "credentialHandle") + credentialHandle, err := hex.DecodeString(credentialHandleEncoded) + if err != nil { + json.ServerError(w, r, err) + return + } + + err = h.store.DeleteCredentialByHandle(uid, []byte(credentialHandle)) + if err != nil { + json.ServerError(w, r, err) + return + } + + json.NoContent(w, r) +} + +func (h *handler) deleteAllCredentials(w http.ResponseWriter, r *http.Request) { + err := h.store.DeleteAllWebAuthnCredentialsByUserID(request.UserID(r)) + if err != nil { + json.ServerError(w, r, err) + return + } + json.NoContent(w, r) +} -- cgit v1.2.3