Add passkeys support + MFA (#341)

2024-10-07 23:56:32 +02:00
parent 41dc2e451b
commit 6959929094
20 changed files with 1073 additions and 105 deletions
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -137,7 +137,7 @@ func Setup(dbUri string, sharedCache bool) error {
 		return err
 	}

-	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}); err != nil {
+	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}); err != nil {
 		return err
 	}

@@ -241,5 +241,5 @@ func DeprecationDBFilename() {
 }

 func TruncateDatabase() error {
-	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{})
+	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{})
 }
--- a/internal/db/types.go
+++ b/internal/db/types.go
@@ -0,0 +1,40 @@
+package db
+
+import (
+	"database/sql/driver"
+	"fmt"
+	"gorm.io/gorm"
+	"gorm.io/gorm/schema"
+)
+
+type binaryData []byte
+
+func (b *binaryData) Value() (driver.Value, error) {
+	return []byte(*b), nil
+}
+
+func (b *binaryData) Scan(value interface{}) error {
+	valBytes, ok := value.([]byte)
+	if !ok {
+		return fmt.Errorf("failed to unmarshal BinaryData: %v", value)
+	}
+	*b = valBytes
+	return nil
+}
+
+func (*binaryData) GormDataType() string {
+	return "binary_data"
+}
+
+func (*binaryData) GormDBDataType(db *gorm.DB, _ *schema.Field) string {
+	switch db.Dialector.Name() {
+	case "sqlite":
+		return "BLOB"
+	case "mysql":
+		return "VARBINARY(1024)"
+	case "postgres":
+		return "BYTEA"
+	default:
+		return "BLOB"
+	}
+}
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -18,9 +18,10 @@ type User struct {
 	GiteaID   string
 	OIDCID    string `gorm:"column:oidc_id"`

-	Gists   []Gist   `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
-	SSHKeys []SSHKey `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
-	Liked   []Gist   `gorm:"many2many:likes;constraint:OnUpdate:CASCADE,OnDelete:CASCADE"`
+	Gists               []Gist               `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
+	SSHKeys             []SSHKey             `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
+	Liked               []Gist               `gorm:"many2many:likes;constraint:OnUpdate:CASCADE,OnDelete:CASCADE"`
+	WebAuthnCredentials []WebAuthnCredential `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
 }

 func (user *User) BeforeDelete(tx *gorm.DB) error {
@@ -58,6 +59,11 @@ func (user *User) BeforeDelete(tx *gorm.DB) error {
 		return err
 	}

+	err = tx.Where("user_id = ?", user.ID).Delete(&WebAuthnCredential{}).Error
+	if err != nil {
+		return err
+	}
+
 	// Delete all gists created by this user
 	return tx.Where("user_id = ?", user.ID).Delete(&Gist{}).Error
 }
@@ -200,6 +206,13 @@ func (user *User) DeleteProviderID(provider string) error {
 	return nil
 }

+func (user *User) HasMFA() (bool, error) {
+	var exists bool
+	err := db.Model(&WebAuthnCredential{}).Select("count(*) > 0").Where("user_id = ?", user.ID).Find(&exists).Error
+
+	return exists, err
+}
+
 // -- DTO -- //

 type UserDTO struct {
--- a/internal/db/webauth_credential.go
+++ b/internal/db/webauth_credential.go
@@ -0,0 +1,149 @@
+package db
+
+import (
+	"encoding/hex"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"time"
+)
+
+type WebAuthnCredential struct {
+	ID                 uint `gorm:"primaryKey"`
+	Name               string
+	UserID             uint
+	User               User
+	CredentialID       binaryData `gorm:"type:binary_data"`
+	PublicKey          binaryData `gorm:"type:binary_data"`
+	AttestationType    string
+	AAGUID             binaryData `gorm:"type:binary_data"`
+	SignCount          uint32
+	CloneWarning       bool
+	FlagUserPresent    bool
+	FlagUserVerified   bool
+	FlagBackupEligible bool
+	FlagBackupState    bool
+	CreatedAt          int64
+	LastUsedAt         int64
+}
+
+func (*WebAuthnCredential) TableName() string {
+	return "webauthn"
+}
+
+func GetAllWACredentialsForUser(userID uint) ([]webauthn.Credential, error) {
+	var creds []WebAuthnCredential
+	err := db.Where("user_id = ?", userID).Find(&creds).Error
+	if err != nil {
+		return nil, err
+	}
+	webCreds := make([]webauthn.Credential, len(creds))
+	for i, cred := range creds {
+		webCreds[i] = webauthn.Credential{
+			ID:              cred.CredentialID,
+			PublicKey:       cred.PublicKey,
+			AttestationType: cred.AttestationType,
+			Authenticator: webauthn.Authenticator{
+				AAGUID:       cred.AAGUID,
+				SignCount:    cred.SignCount,
+				CloneWarning: cred.CloneWarning,
+			},
+			Flags: webauthn.CredentialFlags{
+				UserPresent:    cred.FlagUserPresent,
+				UserVerified:   cred.FlagUserVerified,
+				BackupEligible: cred.FlagBackupEligible,
+				BackupState:    cred.FlagBackupState,
+			},
+		}
+	}
+	return webCreds, nil
+}
+
+func GetAllCredentialsForUser(userID uint) ([]WebAuthnCredential, error) {
+	var creds []WebAuthnCredential
+	err := db.Where("user_id = ?", userID).Find(&creds).Error
+	return creds, err
+}
+
+func GetUserByCredentialID(credID binaryData) (*User, error) {
+	var credential WebAuthnCredential
+	var err error
+
+	switch db.Dialector.Name() {
+	case "postgres":
+		hexCredID := hex.EncodeToString(credID)
+		if err = db.Preload("User").Where("credential_id = decode(?, 'hex')", hexCredID).First(&credential).Error; err != nil {
+			return nil, err
+		}
+	case "mysql":
+	case "sqlite":
+		hexCredID := hex.EncodeToString(credID)
+		if err = db.Preload("User").Where("credential_id = unhex(?)", hexCredID).First(&credential).Error; err != nil {
+			return nil, err
+		}
+	}
+
+	return &credential.User, err
+}
+
+func GetCredentialByIDDB(id uint) (*WebAuthnCredential, error) {
+	var cred WebAuthnCredential
+	err := db.Where("id = ?", id).First(&cred).Error
+	return &cred, err
+}
+
+func GetCredentialByID(id binaryData) (*WebAuthnCredential, error) {
+	var cred WebAuthnCredential
+	var err error
+
+	switch db.Dialector.Name() {
+	case "postgres":
+		hexCredID := hex.EncodeToString(id)
+		if err = db.Where("credential_id = decode(?, 'hex')", hexCredID).First(&cred).Error; err != nil {
+			return nil, err
+		}
+	case "mysql":
+	case "sqlite":
+		hexCredID := hex.EncodeToString(id)
+		if err = db.Where("credential_id = unhex(?)", hexCredID).First(&cred).Error; err != nil {
+			return nil, err
+		}
+	}
+
+	return &cred, err
+}
+
+func CreateFromCrendential(userID uint, name string, cred *webauthn.Credential) (*WebAuthnCredential, error) {
+	credDb := &WebAuthnCredential{
+		UserID:             userID,
+		Name:               name,
+		CredentialID:       cred.ID,
+		PublicKey:          cred.PublicKey,
+		AttestationType:    cred.AttestationType,
+		AAGUID:             cred.Authenticator.AAGUID,
+		SignCount:          cred.Authenticator.SignCount,
+		CloneWarning:       cred.Authenticator.CloneWarning,
+		FlagUserPresent:    cred.Flags.UserPresent,
+		FlagUserVerified:   cred.Flags.UserVerified,
+		FlagBackupEligible: cred.Flags.BackupEligible,
+		FlagBackupState:    cred.Flags.BackupState,
+	}
+	err := db.Create(credDb).Error
+	return credDb, err
+}
+
+func (w *WebAuthnCredential) UpdateSignCount() error {
+	return db.Model(w).Update("sign_count", w.SignCount).Error
+}
+
+func (w *WebAuthnCredential) UpdateLastUsedAt() error {
+	return db.Model(w).Update("last_used_at", time.Now().Unix()).Error
+}
+
+func (w *WebAuthnCredential) Delete() error {
+	return db.Delete(w).Error
+}
+
+// -- DTO -- //
+
+type CrendentialDTO struct {
+	PasskeyName string `json:"passkeyname" validate:"max=50"`
+}