diff options
author | Puyodead1 <puyodead@proton.me> | 2023-01-29 21:30:42 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-30 13:30:42 +1100 |
commit | 709dc7280e8b4aab2b173c3897b418f6e1759ae7 (patch) | |
tree | 5a8ed3e144a8032649d1c2f7c72f9c0c01e7742c /src/util | |
parent | Merge branch 'master' of github.com:fosscord/fosscord-server (diff) | |
download | server-709dc7280e8b4aab2b173c3897b418f6e1759ae7.tar.xz |
Implement WebAuthn (#967)
* implement webauthn * code review --------- Co-authored-by: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/entities/SecurityKey.ts | 46 | ||||
-rw-r--r-- | src/util/entities/User.ts | 7 | ||||
-rw-r--r-- | src/util/entities/index.ts | 3 | ||||
-rw-r--r-- | src/util/migration/mariadb/1675045120206-webauthn.ts | 27 | ||||
-rw-r--r-- | src/util/migration/mysql/1675045120206-webauthn.ts | 27 | ||||
-rw-r--r-- | src/util/migration/postgresql/1675044825710-webauthn.ts | 27 | ||||
-rw-r--r-- | src/util/schemas/WebAuthnSchema.ts | 38 | ||||
-rw-r--r-- | src/util/schemas/index.ts | 69 | ||||
-rw-r--r-- | src/util/util/WebAuthn.ts | 68 | ||||
-rw-r--r-- | src/util/util/index.ts | 1 |
10 files changed, 274 insertions, 39 deletions
diff --git a/src/util/entities/SecurityKey.ts b/src/util/entities/SecurityKey.ts new file mode 100644 index 00000000..8f377d9d --- /dev/null +++ b/src/util/entities/SecurityKey.ts @@ -0,0 +1,46 @@ +/* + Fosscord: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Fosscord and Fosscord Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. +*/ + +import { Column, Entity, JoinColumn, ManyToOne, RelationId } from "typeorm"; +import { BaseClass } from "./BaseClass"; +import { User } from "./User"; + +@Entity("security_keys") +export class SecurityKey extends BaseClass { + @Column({ nullable: true }) + @RelationId((key: SecurityKey) => key.user) + user_id: string; + + @JoinColumn({ name: "user_id" }) + @ManyToOne(() => User, { + onDelete: "CASCADE", + }) + user: User; + + @Column() + key_id: string; + + @Column() + public_key: string; + + @Column() + counter: number; + + @Column() + name: string; +} diff --git a/src/util/entities/User.ts b/src/util/entities/User.ts index 658584c3..fa8c7aa7 100644 --- a/src/util/entities/User.ts +++ b/src/util/entities/User.ts @@ -33,6 +33,7 @@ import { UserSettings } from "./UserSettings"; import { Session } from "./Session"; import { Config, FieldErrors, Snowflake, trimSpecial, adjustEmail } from ".."; import { Request } from "express"; +import { SecurityKey } from "./SecurityKey"; export enum PublicUserEnum { username, @@ -138,6 +139,9 @@ export class User extends BaseClass { @Column({ select: false }) mfa_enabled: boolean = false; // if multi factor authentication is enabled + @Column({ select: false, default: false }) + webauthn_enabled: boolean = false; // if webauthn multi factor authentication is enabled + @Column({ select: false, nullable: true }) totp_secret?: string = ""; @@ -223,6 +227,9 @@ export class User extends BaseClass { @Column({ type: "simple-json", select: false }) extended_settings: string = "{}"; + @OneToMany(() => SecurityKey, (key: SecurityKey) => key.user) + security_keys: SecurityKey[]; + // TODO: I don't like this method? validate() { if (this.email) { diff --git a/src/util/entities/index.ts b/src/util/entities/index.ts index d856c41b..6dfbd822 100644 --- a/src/util/entities/index.ts +++ b/src/util/entities/index.ts @@ -23,8 +23,8 @@ export * from "./BackupCodes"; export * from "./Ban"; export * from "./BaseClass"; export * from "./Categories"; -export * from "./ClientRelease"; export * from "./Channel"; +export * from "./ClientRelease"; export * from "./Config"; export * from "./ConnectedAccount"; export * from "./EmbedCache"; @@ -41,6 +41,7 @@ export * from "./ReadState"; export * from "./Recipient"; export * from "./Relationship"; export * from "./Role"; +export * from "./SecurityKey"; export * from "./Session"; export * from "./Sticker"; export * from "./StickerPack"; diff --git a/src/util/migration/mariadb/1675045120206-webauthn.ts b/src/util/migration/mariadb/1675045120206-webauthn.ts new file mode 100644 index 00000000..e009fa0c --- /dev/null +++ b/src/util/migration/mariadb/1675045120206-webauthn.ts @@ -0,0 +1,27 @@ +import { MigrationInterface, QueryRunner } from "typeorm"; + +export class webauthn1675045120206 implements MigrationInterface { + name = "webauthn1675045120206"; + + public async up(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `CREATE TABLE \`security_keys\` (\`id\` varchar(255) NOT NULL, \`user_id\` varchar(255) NULL, \`key_id\` varchar(255) NOT NULL, \`public_key\` varchar(255) NOT NULL, \`counter\` int NOT NULL, \`name\` varchar(255) NOT NULL, PRIMARY KEY (\`id\`)) ENGINE=InnoDB`, + ); + await queryRunner.query( + `ALTER TABLE \`users\` ADD \`webauthn_enabled\` tinyint NOT NULL DEFAULT 0`, + ); + await queryRunner.query( + `ALTER TABLE \`security_keys\` ADD CONSTRAINT \`FK_24c97d0771cafedce6d7163eaad\` FOREIGN KEY (\`user_id\`) REFERENCES \`users\`(\`id\`) ON DELETE CASCADE ON UPDATE NO ACTION`, + ); + } + + public async down(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `ALTER TABLE \`security_keys\` DROP FOREIGN KEY \`FK_24c97d0771cafedce6d7163eaad\``, + ); + await queryRunner.query( + `ALTER TABLE \`users\` DROP COLUMN \`webauthn_enabled\``, + ); + await queryRunner.query(`DROP TABLE \`security_keys\``); + } +} diff --git a/src/util/migration/mysql/1675045120206-webauthn.ts b/src/util/migration/mysql/1675045120206-webauthn.ts new file mode 100644 index 00000000..e009fa0c --- /dev/null +++ b/src/util/migration/mysql/1675045120206-webauthn.ts @@ -0,0 +1,27 @@ +import { MigrationInterface, QueryRunner } from "typeorm"; + +export class webauthn1675045120206 implements MigrationInterface { + name = "webauthn1675045120206"; + + public async up(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `CREATE TABLE \`security_keys\` (\`id\` varchar(255) NOT NULL, \`user_id\` varchar(255) NULL, \`key_id\` varchar(255) NOT NULL, \`public_key\` varchar(255) NOT NULL, \`counter\` int NOT NULL, \`name\` varchar(255) NOT NULL, PRIMARY KEY (\`id\`)) ENGINE=InnoDB`, + ); + await queryRunner.query( + `ALTER TABLE \`users\` ADD \`webauthn_enabled\` tinyint NOT NULL DEFAULT 0`, + ); + await queryRunner.query( + `ALTER TABLE \`security_keys\` ADD CONSTRAINT \`FK_24c97d0771cafedce6d7163eaad\` FOREIGN KEY (\`user_id\`) REFERENCES \`users\`(\`id\`) ON DELETE CASCADE ON UPDATE NO ACTION`, + ); + } + + public async down(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `ALTER TABLE \`security_keys\` DROP FOREIGN KEY \`FK_24c97d0771cafedce6d7163eaad\``, + ); + await queryRunner.query( + `ALTER TABLE \`users\` DROP COLUMN \`webauthn_enabled\``, + ); + await queryRunner.query(`DROP TABLE \`security_keys\``); + } +} diff --git a/src/util/migration/postgresql/1675044825710-webauthn.ts b/src/util/migration/postgresql/1675044825710-webauthn.ts new file mode 100644 index 00000000..ac43c928 --- /dev/null +++ b/src/util/migration/postgresql/1675044825710-webauthn.ts @@ -0,0 +1,27 @@ +import { MigrationInterface, QueryRunner } from "typeorm"; + +export class webauthn1675044825710 implements MigrationInterface { + name = "webauthn1675044825710"; + + public async up(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `CREATE TABLE "security_keys" ("id" character varying NOT NULL, "user_id" character varying, "key_id" character varying NOT NULL, "public_key" character varying NOT NULL, "counter" integer NOT NULL, "name" character varying NOT NULL, CONSTRAINT "PK_6e95cdd91779e7cca06d1fff89c" PRIMARY KEY ("id"))`, + ); + await queryRunner.query( + `ALTER TABLE "users" ADD "webauthn_enabled" boolean NOT NULL DEFAULT false`, + ); + await queryRunner.query( + `ALTER TABLE "security_keys" ADD CONSTRAINT "FK_24c97d0771cafedce6d7163eaad" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE CASCADE ON UPDATE NO ACTION`, + ); + } + + public async down(queryRunner: QueryRunner): Promise<void> { + await queryRunner.query( + `ALTER TABLE "security_keys" DROP CONSTRAINT "FK_24c97d0771cafedce6d7163eaad"`, + ); + await queryRunner.query( + `ALTER TABLE "users" DROP COLUMN "webauthn_enabled"`, + ); + await queryRunner.query(`DROP TABLE "security_keys"`); + } +} diff --git a/src/util/schemas/WebAuthnSchema.ts b/src/util/schemas/WebAuthnSchema.ts new file mode 100644 index 00000000..03e173a7 --- /dev/null +++ b/src/util/schemas/WebAuthnSchema.ts @@ -0,0 +1,38 @@ +/* + Fosscord: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Fosscord and Fosscord Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. +*/ + +// FIXME: better naming +export interface GenerateWebAuthnCredentialsSchema { + password: string; +} + +// FIXME: better naming +export interface CreateWebAuthnCredentialSchema { + credential: string; + name: string; + ticket: string; +} + +export type WebAuthnPostSchema = Partial< + GenerateWebAuthnCredentialsSchema | CreateWebAuthnCredentialSchema +>; + +export interface WebAuthnTotpSchema { + code: string; + ticket: string; +} diff --git a/src/util/schemas/index.ts b/src/util/schemas/index.ts index f49d2294..65e8b3cd 100644 --- a/src/util/schemas/index.ts +++ b/src/util/schemas/index.ts @@ -16,66 +16,59 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */ -export * from "./Validator"; -export * from "./SelectProtocolSchema"; -export * from "./LoginSchema"; -export * from "./RegisterSchema"; -export * from "./TotpSchema"; +export * from "./ActivitySchema"; +export * from "./ApplicationAuthorizeSchema"; +export * from "./ApplicationCreateSchema"; +export * from "./ApplicationModifySchema"; export * from "./BackupCodesChallengeSchema"; -export * from "./ChannelModifySchema"; -export * from "./InviteCreateSchema"; -export * from "./PurgeSchema"; -export * from "./WebhookCreateSchema"; -export * from "./MessageCreateSchema"; -export * from "./MessageAcknowledgeSchema"; -export * from "./GuildCreateSchema"; export * from "./BanCreateSchema"; export * from "./BanModeratorSchema"; export * from "./BanRegistrySchema"; +export * from "./BotModifySchema"; +export * from "./ChannelModifySchema"; +export * from "./ChannelPermissionOverwriteSchema"; +export * from "./ChannelReorderSchema"; +export * from "./CodesVerificationSchema"; +export * from "./DmChannelCreateSchema"; export * from "./EmojiCreateSchema"; export * from "./EmojiModifySchema"; -export * from "./ModifyGuildStickerSchema"; -export * from "./TemplateCreateSchema"; -export * from "./TemplateModifySchema"; -export * from "./VanityUrlSchema"; +export * from "./GatewayPayloadSchema"; +export * from "./GuildCreateSchema"; +export * from "./GuildTemplateCreateSchema"; +export * from "./GuildUpdateSchema"; export * from "./GuildUpdateWelcomeScreenSchema"; -export * from "./WidgetModifySchema"; export * from "./IdentifySchema"; export * from "./InviteCreateSchema"; export * from "./LazyRequestSchema"; export * from "./LoginSchema"; export * from "./MemberChangeProfileSchema"; export * from "./MemberChangeSchema"; -export * from "./RoleModifySchema"; -export * from "./GuildTemplateCreateSchema"; -export * from "./DmChannelCreateSchema"; -export * from "./UserModifySchema"; +export * from "./MessageAcknowledgeSchema"; +export * from "./MessageCreateSchema"; +export * from "./MfaCodesSchema"; +export * from "./ModifyGuildStickerSchema"; +export * from "./PurgeSchema"; +export * from "./RegisterSchema"; export * from "./RelationshipPostSchema"; export * from "./RelationshipPutSchema"; -export * from "./CodesVerificationSchema"; -export * from "./MfaCodesSchema"; +export * from "./RoleModifySchema"; +export * from "./RolePositionUpdateSchema"; +export * from "./SelectProtocolSchema"; +export * from "./TemplateCreateSchema"; +export * from "./TemplateModifySchema"; export * from "./TotpDisableSchema"; export * from "./TotpEnableSchema"; -export * from "./VoiceIdentifySchema"; export * from "./TotpSchema"; export * from "./UserDeleteSchema"; +export * from "./UserGuildSettingsSchema"; export * from "./UserModifySchema"; export * from "./UserProfileModifySchema"; export * from "./UserSettingsSchema"; +export * from "./Validator"; export * from "./VanityUrlSchema"; +export * from "./VoiceIdentifySchema"; export * from "./VoiceStateUpdateSchema"; export * from "./VoiceVideoSchema"; -export * from "./IdentifySchema"; -export * from "./ActivitySchema"; -export * from "./LazyRequestSchema"; -export * from "./GuildUpdateSchema"; -export * from "./ChannelPermissionOverwriteSchema"; -export * from "./UserGuildSettingsSchema"; -export * from "./GatewayPayloadSchema"; -export * from "./RolePositionUpdateSchema"; -export * from "./ChannelReorderSchema"; -export * from "./UserSettingsSchema"; -export * from "./BotModifySchema"; -export * from "./ApplicationModifySchema"; -export * from "./ApplicationCreateSchema"; -export * from "./ApplicationAuthorizeSchema"; +export * from "./WebAuthnSchema"; +export * from "./WebhookCreateSchema"; +export * from "./WidgetModifySchema"; diff --git a/src/util/util/WebAuthn.ts b/src/util/util/WebAuthn.ts new file mode 100644 index 00000000..1bac5b98 --- /dev/null +++ b/src/util/util/WebAuthn.ts @@ -0,0 +1,68 @@ +/* + Fosscord: A FOSS re-implementation and extension of the Discord.com backend. + Copyright (C) 2023 Fosscord and Fosscord Contributors + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. +*/ + +import { Fido2Lib } from "fido2-lib"; +import jwt from "jsonwebtoken"; +import { Config } from "./Config"; + +const JWTOptions: jwt.SignOptions = { + algorithm: "HS256", + expiresIn: "5m", +}; + +export const WebAuthn: { + fido2: Fido2Lib | null; + init: () => void; +} = { + fido2: null, + init: function () { + this.fido2 = new Fido2Lib({ + challengeSize: 128, + }); + }, +}; + +export async function generateWebAuthnTicket( + challenge: string, +): Promise<string> { + return new Promise((res, rej) => { + jwt.sign( + { challenge }, + Config.get().security.jwtSecret, + JWTOptions, + (err, token) => { + if (err || !token) return rej(err || "no token"); + return res(token); + }, + ); + }); +} + +export async function verifyWebAuthnToken(token: string) { + return new Promise((res, rej) => { + jwt.verify( + token, + Config.get().security.jwtSecret, + JWTOptions, + async (err, decoded) => { + if (err) return rej(err); + return res(decoded); + }, + ); + }); +} diff --git a/src/util/util/index.ts b/src/util/util/index.ts index a195b99a..543a49a9 100644 --- a/src/util/util/index.ts +++ b/src/util/util/index.ts @@ -39,3 +39,4 @@ export * from "./Array"; export * from "./TraverseDirectory"; export * from "./InvisibleCharacters"; export * from "./Sentry"; +export * from "./WebAuthn"; |