authelia/internal/handlers/webauthn.go

package handlers

import (
	"net/url"
	"strings"

	"github.com/go-webauthn/webauthn/protocol"
	"github.com/go-webauthn/webauthn/webauthn"

	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/session"
)

func getWebauthnUser(ctx *middlewares.AutheliaCtx, userSession session.UserSession) (user *model.WebauthnUser, err error) {
	return getWebauthnUserByRPID(ctx, userSession, "")
}

func getWebauthnUserByRPID(ctx *middlewares.AutheliaCtx, userSession session.UserSession, rpid string) (user *model.WebauthnUser, err error) {
	user = &model.WebauthnUser{
		Username:    userSession.Username,
		DisplayName: userSession.DisplayName,
	}

	if user.DisplayName == "" {
		user.DisplayName = user.Username
	}

	if user.Devices, err = ctx.Providers.StorageProvider.LoadWebauthnDevicesByUsername(ctx, rpid, userSession.Username); err != nil {
		return nil, err
	}

	return user, nil
}

func newWebauthn(ctx *middlewares.AutheliaCtx) (w *webauthn.WebAuthn, err error) {
	var (
		origin *url.URL
	)

	if origin, err = ctx.GetOrigin(); err != nil {
		return nil, err
	}

	config := &webauthn.Config{
		RPDisplayName: ctx.Configuration.Webauthn.DisplayName,
		RPID:          origin.Hostname(),
		RPOrigins:     []string{origin.String()},
		RPIcon:        "",

		AttestationPreference: ctx.Configuration.Webauthn.ConveyancePreference,
		AuthenticatorSelection: protocol.AuthenticatorSelection{
			AuthenticatorAttachment: protocol.CrossPlatform,
			UserVerification:        ctx.Configuration.Webauthn.UserVerification,
			RequireResidentKey:      protocol.ResidentKeyNotRequired(),
		},

		Timeout: int(ctx.Configuration.Webauthn.Timeout.Milliseconds()),
	}

	ctx.Logger.Tracef("Creating new Webauthn RP instance with ID %s and Origins %s", config.RPID, strings.Join(config.RPOrigins, ", "))

	return webauthn.New(config)
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`package handlers`

			`import (`
			`"net/url"`
build(deps): update module github.com/go-webauthn/webauthn to v0.6.0 (#4646) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-01-07 03:21:27 +00:00			`"strings"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
build(deps): utilize github.com/go-webauthn/webauthn (#2947) 2022-03-03 23:46:38 +00:00			`"github.com/go-webauthn/webauthn/protocol"`
			`"github.com/go-webauthn/webauthn/webauthn"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
			`"github.com/authelia/authelia/v4/internal/middlewares"`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`"github.com/authelia/authelia/v4/internal/session"`
			`)`

fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`func getWebauthnUser(ctx middlewares.AutheliaCtx, userSession session.UserSession) (user model.WebauthnUser, err error) {`
			`return getWebauthnUserByRPID(ctx, userSession, "")`
			`}`

			`func getWebauthnUserByRPID(ctx middlewares.AutheliaCtx, userSession session.UserSession, rpid string) (user model.WebauthnUser, err error) {`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`user = &model.WebauthnUser{`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`Username: userSession.Username,`
			`DisplayName: userSession.DisplayName,`
			`}`

			`if user.DisplayName == "" {`
			`user.DisplayName = user.Username`
			`}`

fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`if user.Devices, err = ctx.Providers.StorageProvider.LoadWebauthnDevicesByUsername(ctx, rpid, userSession.Username); err != nil {`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`return nil, err`
			`}`

			`return user, nil`
			`}`

			`func newWebauthn(ctx middlewares.AutheliaCtx) (w webauthn.WebAuthn, err error) {`
			`var (`
fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`origin *url.URL`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`)`

fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`if origin, err = ctx.GetOrigin(); err != nil {`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`return nil, err`
			`}`

			`config := &webauthn.Config{`
			`RPDisplayName: ctx.Configuration.Webauthn.DisplayName,`
fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`RPID: origin.Hostname(),`
			`RPOrigins: []string{origin.String()},`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`RPIcon: "",`

			`AttestationPreference: ctx.Configuration.Webauthn.ConveyancePreference,`
			`AuthenticatorSelection: protocol.AuthenticatorSelection{`
			`AuthenticatorAttachment: protocol.CrossPlatform,`
			`UserVerification: ctx.Configuration.Webauthn.UserVerification,`
build(deps): utilize github.com/go-webauthn/webauthn (#2947) 2022-03-03 23:46:38 +00:00			`RequireResidentKey: protocol.ResidentKeyNotRequired(),`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`},`

			`Timeout: int(ctx.Configuration.Webauthn.Timeout.Milliseconds()),`
			`}`

build(deps): update module github.com/go-webauthn/webauthn to v0.6.0 (#4646) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-01-07 03:21:27 +00:00			`ctx.Logger.Tracef("Creating new Webauthn RP instance with ID %s and Origins %s", config.RPID, strings.Join(config.RPOrigins, ", "))`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
			`return webauthn.New(config)`
			`}`