authelia/internal/handlers/webauthn.go

package handlers

import (
	"net/url"
	"strings"

	"github.com/go-webauthn/webauthn/protocol"
	"github.com/go-webauthn/webauthn/webauthn"

	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/random"
)

func getWebauthnUserByRPID(ctx *middlewares.AutheliaCtx, username, displayname string, rpid string) (user *model.WebauthnUser, err error) {
	if user, err = ctx.Providers.StorageProvider.LoadWebauthnUser(ctx, rpid, username); err != nil {
		return nil, err
	}

	if user == nil {
		user = &model.WebauthnUser{
			RPID:        rpid,
			Username:    username,
			UserID:      ctx.Providers.Random.StringCustom(64, random.CharSetASCII),
			DisplayName: displayname,
		}

		if err = ctx.Providers.StorageProvider.SaveWebauthnUser(ctx, *user); err != nil {
			return nil, err
		}
	} else {
		user.DisplayName = displayname
	}

	if user.DisplayName == "" {
		user.DisplayName = user.Username
	}

	if user.Devices, err = ctx.Providers.StorageProvider.LoadWebauthnDevicesByUsername(ctx, rpid, user.Username); err != nil {
		return nil, err
	}

	return user, nil
}

func newWebauthn(ctx *middlewares.AutheliaCtx) (w *webauthn.WebAuthn, err error) {
	var (
		origin *url.URL
	)

	if origin, err = ctx.GetOrigin(); err != nil {
		return nil, err
	}

	config := &webauthn.Config{
		RPID:                  origin.Hostname(),
		RPDisplayName:         ctx.Configuration.Webauthn.DisplayName,
		RPOrigins:             []string{origin.String()},
		AttestationPreference: ctx.Configuration.Webauthn.ConveyancePreference,
		AuthenticatorSelection: protocol.AuthenticatorSelection{
			AuthenticatorAttachment: protocol.CrossPlatform,
			RequireResidentKey:      protocol.ResidentKeyNotRequired(),
			ResidentKey:             protocol.ResidentKeyRequirementDiscouraged,
			UserVerification:        ctx.Configuration.Webauthn.UserVerification,
		},
		Debug:                false,
		EncodeUserIDAsString: true,
		Timeouts: webauthn.TimeoutsConfig{
			Login: webauthn.TimeoutConfig{
				Enforce:    true,
				Timeout:    ctx.Configuration.Webauthn.Timeout,
				TimeoutUVD: ctx.Configuration.Webauthn.Timeout,
			},
			Registration: webauthn.TimeoutConfig{
				Enforce:    true,
				Timeout:    ctx.Configuration.Webauthn.Timeout,
				TimeoutUVD: ctx.Configuration.Webauthn.Timeout,
			},
		},
	}

	ctx.Logger.Tracef("Creating new Webauthn RP instance with ID %s and Origins %s", config.RPID, strings.Join(config.RPOrigins, ", "))

	return webauthn.New(config)
}

func webauthnCredentialCreationIsDiscoverable(ctx *middlewares.AutheliaCtx, response *protocol.ParsedCredentialCreationData) (discoverable bool) {
	if value, ok := response.ClientExtensionResults["credProps"]; ok {
		switch credentialProperties := value.(type) {
		case map[string]any:
			var v any

			if v, ok = credentialProperties["rk"]; ok {
				if discoverable, ok = v.(bool); ok {
					ctx.Logger.WithFields(map[string]any{"discoverable": discoverable}).Trace("Determined Credential Discoverability via Client Extension Results")

					return discoverable
				} else {
					ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'rk' field for the 'credProps' extension in the Client Extension Results was not a boolean")
				}
			} else {
				ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'rk' field for the 'credProps' extension was missing from the Client Extension Results")
			}

			return false
		default:
			ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'credProps' extension in the Client Extension Results does not appear to be a dictionary")

			return false
		}
	}

	ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'credProps' extension is missing from the Client Extension Results")

	return false
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`package handlers`

			`import (`
			`"net/url"`
build(deps): update module github.com/go-webauthn/webauthn to v0.6.0 (#4646) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-01-07 03:21:27 +00:00			`"strings"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
build(deps): utilize github.com/go-webauthn/webauthn (#2947) 2022-03-03 23:46:38 +00:00			`"github.com/go-webauthn/webauthn/protocol"`
			`"github.com/go-webauthn/webauthn/webauthn"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
			`"github.com/authelia/authelia/v4/internal/middlewares"`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
feat: webauthn users 2023-02-16 19:40:40 +00:00			`"github.com/authelia/authelia/v4/internal/random"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`)`

test: fix test 2023-02-19 01:40:57 +00:00			`func getWebauthnUserByRPID(ctx middlewares.AutheliaCtx, username, displayname string, rpid string) (user model.WebauthnUser, err error) {`
feat: webauthn users 2023-02-16 19:40:40 +00:00			`if user, err = ctx.Providers.StorageProvider.LoadWebauthnUser(ctx, rpid, username); err != nil {`
			`return nil, err`
			`}`

			`if user == nil {`
			`user = &model.WebauthnUser{`
			`RPID: rpid,`
			`Username: username,`
			`UserID: ctx.Providers.Random.StringCustom(64, random.CharSetASCII),`
test: fix test 2023-02-19 01:40:57 +00:00			`DisplayName: displayname,`
feat: webauthn users 2023-02-16 19:40:40 +00:00			`}`
fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00
feat: webauthn users 2023-02-16 19:40:40 +00:00			`if err = ctx.Providers.StorageProvider.SaveWebauthnUser(ctx, *user); err != nil {`
			`return nil, err`
			`}`
test: fix test 2023-02-19 01:40:57 +00:00			`} else {`
			`user.DisplayName = displayname`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`}`

			`if user.DisplayName == "" {`
			`user.DisplayName = user.Username`
			`}`

refactor: sql updates 2023-02-14 02:53:57 +00:00			`if user.Devices, err = ctx.Providers.StorageProvider.LoadWebauthnDevicesByUsername(ctx, rpid, user.Username); err != nil {`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`return nil, err`
			`}`

			`return user, nil`
			`}`

			`func newWebauthn(ctx middlewares.AutheliaCtx) (w webauthn.WebAuthn, err error) {`
			`var (`
fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`origin *url.URL`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`)`

fix: multi-cookie domain webauthn 2023-02-11 15:47:03 +00:00			`if origin, err = ctx.GetOrigin(); err != nil {`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`return nil, err`
			`}`

			`config := &webauthn.Config{`
fix: encoding 2023-02-19 00:48:35 +00:00			`RPID: origin.Hostname(),`
			`RPDisplayName: ctx.Configuration.Webauthn.DisplayName,`
			`RPOrigins: []string{origin.String()},`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`AttestationPreference: ctx.Configuration.Webauthn.ConveyancePreference,`
			`AuthenticatorSelection: protocol.AuthenticatorSelection{`
			`AuthenticatorAttachment: protocol.CrossPlatform,`
build(deps): utilize github.com/go-webauthn/webauthn (#2947) 2022-03-03 23:46:38 +00:00			`RequireResidentKey: protocol.ResidentKeyNotRequired(),`
fix: encoding 2023-02-19 00:48:35 +00:00			`ResidentKey: protocol.ResidentKeyRequirementDiscouraged,`
			`UserVerification: ctx.Configuration.Webauthn.UserVerification,`
			`},`
			`Debug: false,`
			`EncodeUserIDAsString: true,`
			`Timeouts: webauthn.TimeoutsConfig{`
			`Login: webauthn.TimeoutConfig{`
			`Enforce: true,`
			`Timeout: ctx.Configuration.Webauthn.Timeout,`
			`TimeoutUVD: ctx.Configuration.Webauthn.Timeout,`
			`},`
			`Registration: webauthn.TimeoutConfig{`
			`Enforce: true,`
			`Timeout: ctx.Configuration.Webauthn.Timeout,`
			`TimeoutUVD: ctx.Configuration.Webauthn.Timeout,`
			`},`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`},`
			`}`

build(deps): update module github.com/go-webauthn/webauthn to v0.6.0 (#4646) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-01-07 03:21:27 +00:00			`ctx.Logger.Tracef("Creating new Webauthn RP instance with ID %s and Origins %s", config.RPID, strings.Join(config.RPOrigins, ", "))`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00
			`return webauthn.New(config)`
			`}`
feat: cred props 2023-02-18 04:36:58 +00:00
			`func webauthnCredentialCreationIsDiscoverable(ctx middlewares.AutheliaCtx, response protocol.ParsedCredentialCreationData) (discoverable bool) {`
			`if value, ok := response.ClientExtensionResults["credProps"]; ok {`
			`switch credentialProperties := value.(type) {`
			`case map[string]any:`
			`var v any`

			`if v, ok = credentialProperties["rk"]; ok {`
			`if discoverable, ok = v.(bool); ok {`
			`ctx.Logger.WithFields(map[string]any{"discoverable": discoverable}).Trace("Determined Credential Discoverability via Client Extension Results")`

			`return discoverable`
			`} else {`
			`ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'rk' field for the 'credProps' extension in the Client Extension Results was not a boolean")`
			`}`
			`} else {`
			`ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'rk' field for the 'credProps' extension was missing from the Client Extension Results")`
			`}`

			`return false`
			`default:`
			`ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'credProps' extension in the Client Extension Results does not appear to be a dictionary")`

			`return false`
			`}`
			`}`

			`ctx.Logger.WithFields(map[string]any{"discoverable": false}).Trace("Assuming Credential Discoverability is false as the 'credProps' extension is missing from the Client Extension Results")`

			`return false`
			`}`