afan
/
gitea
보기 1
좋아요 0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 Activity
gitea源码
3 커밋
2 브랜치
트리: 6d2efddf43
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from '6d2efddf43'
${ noResults }
gitea/routers/web/auth/webauthn.go

webauthn.go 8.3KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package auth

  5. 

  6. import (

  7. 	"encoding/binary"

  8. 	"errors"

  9. 	"net/http"

  10. 

  11. 	"code.gitea.io/gitea/models/auth"

  12. 	user_model "code.gitea.io/gitea/models/user"

  13. 	wa "code.gitea.io/gitea/modules/auth/webauthn"

  14. 	"code.gitea.io/gitea/modules/log"

  15. 	"code.gitea.io/gitea/modules/setting"

  16. 	"code.gitea.io/gitea/modules/templates"

  17. 	"code.gitea.io/gitea/services/context"

  18. 

  19. 	"github.com/go-webauthn/webauthn/protocol"

  20. 	"github.com/go-webauthn/webauthn/webauthn"

  21. )

  22. 

  23. var tplWebAuthn templates.TplName = "user/auth/webauthn"

  24. 

  25. // WebAuthn shows the WebAuthn login page

  26. func WebAuthn(ctx *context.Context) {

  27. 	ctx.Data["Title"] = ctx.Tr("twofa")

  28. 

  29. 	if CheckAutoLogin(ctx) {

  30. 		return

  31. 	}

  32. 

  33. 	// Ensure user is in a 2FA session.

  34. 	if ctx.Session.Get("twofaUid") == nil {

  35. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  36. 		return

  37. 	}

  38. 

  39. 	hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, ctx.Session.Get("twofaUid").(int64))

  40. 	if err != nil {

  41. 		ctx.ServerError("HasTwoFactorByUID", err)

  42. 		return

  43. 	}

  44. 

  45. 	ctx.Data["HasTwoFactor"] = hasTwoFactor

  46. 

  47. 	ctx.HTML(http.StatusOK, tplWebAuthn)

  48. }

  49. 

  50. // WebAuthnPasskeyAssertion submits a WebAuthn challenge for the passkey login to the browser

  51. func WebAuthnPasskeyAssertion(ctx *context.Context) {

  52. 	if !setting.Service.EnablePasskeyAuth {

  53. 		ctx.HTTPError(http.StatusForbidden)

  54. 		return

  55. 	}

  56. 

  57. 	assertion, sessionData, err := wa.WebAuthn.BeginDiscoverableLogin()

  58. 	if err != nil {

  59. 		ctx.ServerError("webauthn.BeginDiscoverableLogin", err)

  60. 		return

  61. 	}

  62. 

  63. 	if err := ctx.Session.Set("webauthnPasskeyAssertion", sessionData); err != nil {

  64. 		ctx.ServerError("Session.Set", err)

  65. 		return

  66. 	}

  67. 

  68. 	ctx.JSON(http.StatusOK, assertion)

  69. }

  70. 

  71. // WebAuthnPasskeyLogin handles the WebAuthn login process using a Passkey

  72. func WebAuthnPasskeyLogin(ctx *context.Context) {

  73. 	if !setting.Service.EnablePasskeyAuth {

  74. 		ctx.HTTPError(http.StatusForbidden)

  75. 		return

  76. 	}

  77. 

  78. 	sessionData, okData := ctx.Session.Get("webauthnPasskeyAssertion").(*webauthn.SessionData)

  79. 	if !okData || sessionData == nil {

  80. 		ctx.ServerError("ctx.Session.Get", errors.New("not in WebAuthn session"))

  81. 		return

  82. 	}

  83. 	defer func() {

  84. 		_ = ctx.Session.Delete("webauthnPasskeyAssertion")

  85. 	}()

  86. 

  87. 	// Validate the parsed response.

  88. 

  89. 	// ParseCredentialRequestResponse+ValidateDiscoverableLogin equals to FinishDiscoverableLogin, but we need to ParseCredentialRequestResponse first to get flags

  90. 	var user *user_model.User

  91. 	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)

  92. 	if err != nil {

  93. 		// Failed authentication attempt.

  94. 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)

  95. 		ctx.Status(http.StatusForbidden)

  96. 		return

  97. 	}

  98. 	cred, err := wa.WebAuthn.ValidateDiscoverableLogin(func(rawID, userHandle []byte) (webauthn.User, error) {

  99. 		userID, n := binary.Varint(userHandle)

  100. 		if n <= 0 {

  101. 			return nil, errors.New("invalid rawID")

  102. 		}

  103. 

  104. 		var err error

  105. 		user, err = user_model.GetUserByID(ctx, userID)

  106. 		if err != nil {

  107. 			return nil, err

  108. 		}

  109. 

  110. 		return wa.NewWebAuthnUser(ctx, user, parsedResponse.Response.AuthenticatorData.Flags), nil

  111. 	}, *sessionData, parsedResponse)

  112. 	if err != nil {

  113. 		// Failed authentication attempt.

  114. 		log.Info("Failed authentication attempt for passkey from %s: %v", ctx.RemoteAddr(), err)

  115. 		ctx.Status(http.StatusForbidden)

  116. 		return

  117. 	}

  118. 

  119. 	if !cred.Flags.UserPresent {

  120. 		ctx.Status(http.StatusBadRequest)

  121. 		return

  122. 	}

  123. 

  124. 	if user == nil {

  125. 		ctx.Status(http.StatusBadRequest)

  126. 		return

  127. 	}

  128. 

  129. 	// Ensure that the credential wasn't cloned by checking if CloneWarning is set.

  130. 	// (This is set if the sign counter is less than the one we have stored.)

  131. 	if cred.Authenticator.CloneWarning {

  132. 		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr())

  133. 		ctx.Status(http.StatusForbidden)

  134. 		return

  135. 	}

  136. 

  137. 	// Success! Get the credential and update the sign count with the new value we received.

  138. 	dbCred, err := auth.GetWebAuthnCredentialByCredID(ctx, user.ID, cred.ID)

  139. 	if err != nil {

  140. 		ctx.ServerError("GetWebAuthnCredentialByCredID", err)

  141. 		return

  142. 	}

  143. 

  144. 	dbCred.SignCount = cred.Authenticator.SignCount

  145. 	if err := dbCred.UpdateSignCount(ctx); err != nil {

  146. 		ctx.ServerError("UpdateSignCount", err)

  147. 		return

  148. 	}

  149. 

  150. 	// Now handle account linking if that's requested

  151. 	if ctx.Session.Get("linkAccount") != nil {

  152. 		if err := linkAccountFromContext(ctx, user); err != nil {

  153. 			ctx.ServerError("LinkAccountFromStore", err)

  154. 			return

  155. 		}

  156. 	}

  157. 

  158. 	remember := false // TODO: implement remember me

  159. 	redirect := handleSignInFull(ctx, user, remember, false)

  160. 	if redirect == "" {

  161. 		redirect = setting.AppSubURL + "/"

  162. 	}

  163. 

  164. 	ctx.JSONRedirect(redirect)

  165. }

  166. 

  167. // WebAuthnLoginAssertion submits a WebAuthn challenge to the browser

  168. func WebAuthnLoginAssertion(ctx *context.Context) {

  169. 	// Ensure user is in a WebAuthn session.

  170. 	idSess, ok := ctx.Session.Get("twofaUid").(int64)

  171. 	if !ok || idSess == 0 {

  172. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  173. 		return

  174. 	}

  175. 

  176. 	user, err := user_model.GetUserByID(ctx, idSess)

  177. 	if err != nil {

  178. 		ctx.ServerError("UserSignIn", err)

  179. 		return

  180. 	}

  181. 

  182. 	exists, err := auth.ExistsWebAuthnCredentialsForUID(ctx, user.ID)

  183. 	if err != nil {

  184. 		ctx.ServerError("UserSignIn", err)

  185. 		return

  186. 	}

  187. 	if !exists {

  188. 		ctx.ServerError("UserSignIn", errors.New("no device registered"))

  189. 		return

  190. 	}

  191. 

  192. 	webAuthnUser := wa.NewWebAuthnUser(ctx, user)

  193. 	assertion, sessionData, err := wa.WebAuthn.BeginLogin(webAuthnUser)

  194. 	if err != nil {

  195. 		ctx.ServerError("webauthn.BeginLogin", err)

  196. 		return

  197. 	}

  198. 

  199. 	if err := ctx.Session.Set("webauthnAssertion", sessionData); err != nil {

  200. 		ctx.ServerError("Session.Set", err)

  201. 		return

  202. 	}

  203. 	ctx.JSON(http.StatusOK, assertion)

  204. }

  205. 

  206. // WebAuthnLoginAssertionPost validates the signature and logs the user in

  207. func WebAuthnLoginAssertionPost(ctx *context.Context) {

  208. 	idSess, ok := ctx.Session.Get("twofaUid").(int64)

  209. 	sessionData, okData := ctx.Session.Get("webauthnAssertion").(*webauthn.SessionData)

  210. 	if !ok || !okData || sessionData == nil || idSess == 0 {

  211. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  212. 		return

  213. 	}

  214. 	defer func() {

  215. 		_ = ctx.Session.Delete("webauthnAssertion")

  216. 	}()

  217. 

  218. 	// Load the user from the db

  219. 	user, err := user_model.GetUserByID(ctx, idSess)

  220. 	if err != nil {

  221. 		ctx.ServerError("UserSignIn", err)

  222. 		return

  223. 	}

  224. 

  225. 	log.Trace("Finishing webauthn authentication with user: %s", user.Name)

  226. 

  227. 	// Now we do the equivalent of webauthn.FinishLogin using a combination of our session data

  228. 	// (from webauthnAssertion) and verify the provided request.0

  229. 	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)

  230. 	if err != nil {

  231. 		// Failed authentication attempt.

  232. 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)

  233. 		ctx.Status(http.StatusForbidden)

  234. 		return

  235. 	}

  236. 

  237. 	// Validate the parsed response.

  238. 	webAuthnUser := wa.NewWebAuthnUser(ctx, user, parsedResponse.Response.AuthenticatorData.Flags)

  239. 	cred, err := wa.WebAuthn.ValidateLogin(webAuthnUser, *sessionData, parsedResponse)

  240. 	if err != nil {

  241. 		// Failed authentication attempt.

  242. 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)

  243. 		ctx.Status(http.StatusForbidden)

  244. 		return

  245. 	}

  246. 

  247. 	// Ensure that the credential wasn't cloned by checking if CloneWarning is set.

  248. 	// (This is set if the sign counter is less than the one we have stored.)

  249. 	if cred.Authenticator.CloneWarning {

  250. 		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr())

  251. 		ctx.Status(http.StatusForbidden)

  252. 		return

  253. 	}

  254. 

  255. 	// Success! Get the credential and update the sign count with the new value we received.

  256. 	dbCred, err := auth.GetWebAuthnCredentialByCredID(ctx, user.ID, cred.ID)

  257. 	if err != nil {

  258. 		ctx.ServerError("GetWebAuthnCredentialByCredID", err)

  259. 		return

  260. 	}

  261. 

  262. 	dbCred.SignCount = cred.Authenticator.SignCount

  263. 	if err := dbCred.UpdateSignCount(ctx); err != nil {

  264. 		ctx.ServerError("UpdateSignCount", err)

  265. 		return

  266. 	}

  267. 

  268. 	// Now handle account linking if that's requested

  269. 	if ctx.Session.Get("linkAccount") != nil {

  270. 		if err := linkAccountFromContext(ctx, user); err != nil {

  271. 			ctx.ServerError("LinkAccountFromStore", err)

  272. 			return

  273. 		}

  274. 	}

  275. 

  276. 	remember := ctx.Session.Get("twofaRemember").(bool)

  277. 	redirect := handleSignInFull(ctx, user, remember, false)

  278. 	if redirect == "" {

  279. 		redirect = setting.AppSubURL + "/"

  280. 	}

  281. 	_ = ctx.Session.Delete("twofaUid")

  282. 

  283. 	ctx.JSONRedirect(redirect)

  284. }