lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: sql uppercasing

Browse source 
fix: structural changes to remove async/await flows
fix: invert boolean flow
fix: minor fixes
This commit is contained in:
Sérgio Salgado 2021-06-15 19:45:57 +01:00
parent f987a07e0b
commit 1563aa307b
9 changed files with 172 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/hardware-credentials.js
View file

@ -8,12 +8,12 @@ function createHardwareCredential (userID, credentialData) {
} }
function getHardwareCredentials () { function getHardwareCredentials () {
const sql = `SELECT * from hardware_credentials` const sql = `SELECT * FROM hardware_credentials`
return db.any(sql) return db.any(sql)
} }
function getHardwareCredentialsOfUser (userID) { function getHardwareCredentialsOfUser (userID) {
const sql = `SELECT * from hardware_credentials where user_id=$1` const sql = `SELECT * FROM hardware_credentials WHERE user_id=$1`
return db.any(sql, [userID]) return db.any(sql, [userID])
} }

40
lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -4,12 +4,17 @@ const _ = require('lodash/fp')
const userManagement = require('../userManagement') const userManagement = require('../userManagement')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const db = require('../../../../db')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -73,23 +78,31 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
return false
}
const { const {
counter, counter,
credentialPublicKey, credentialPublicKey,
credentialID credentialID
} = attestationInfo } = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) { if (!existingDevice) {
@ -100,7 +113,6 @@ const validateAttestation = (userID, attestationResponse, context) => {
} }
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
@ -112,7 +124,7 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
return userManagement.authenticateUser(username, password).then(user => { return userManagement.authenticateUser(username, password).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => { return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -142,19 +154,23 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
}
dbAuthenticator.data.counter = assertionInfo.newCounter
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
}) })
}) })
})
} }
module.exports = { module.exports = {

39
lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -3,12 +3,16 @@ const base64url = require('base64url')
const _ = require('lodash/fp') const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -72,23 +76,31 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
return false
}
const { const {
counter, counter,
credentialPublicKey, credentialPublicKey,
credentialID credentialID
} = attestationInfo } = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) { if (!existingDevice) {
@ -99,7 +111,6 @@ const validateAttestation = (userID, attestationResponse, context) => {
} }
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
@ -111,7 +122,7 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
return users.getUserByUsername(username).then(user => { return users.getUserByUsername(username).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => { return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -141,19 +152,23 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
}
dbAuthenticator.data.counter = assertionInfo.newCounter
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
}) })
}) })
})
} }
module.exports = { module.exports = {

43
lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -3,12 +3,16 @@ const base64url = require('base64url')
const _ = require('lodash/fp') const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -68,16 +72,23 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
return verified
}
const { const {
fmt, fmt,
counter, counter,
@ -89,7 +100,8 @@ const validateAttestation = (userID, attestationResponse, context) => {
attestationObject attestationObject
} = attestationInfo } = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) { if (!existingDevice) {
@ -105,7 +117,6 @@ const validateAttestation = (userID, attestationResponse, context) => {
} }
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
@ -116,7 +127,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const validateAssertion = (assertionResponse, context) => { const validateAssertion = (assertionResponse, context) => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentials().then(async devices => { return credentials.getHardwareCredentials().then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -146,19 +157,25 @@ const validateAssertion = (assertionResponse, context) => {
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
}
const user = await users.getUserById(dbAuthenticator.user_id) dbAuthenticator.data.counter = assertionInfo.newCounter
return Promise.all([
credentials.updateHardwareCredential(dbAuthenticator),
users.getUserById(dbAuthenticator.user_id)
])
.then(([_, user]) => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser context.req.session.user = finalUser
context.req.session.cookie.maxAge = REMEMBER_ME_AGE context.req.session.cookie.maxAge = REMEMBER_ME_AGE
}
context.req.session.webauthn = null context.req.session.webauthn = null
return verified return verified
}) })
})
} }
module.exports = { module.exports = {

2
lib/new-admin/graphql/modules/authentication/index.js
View file

@ -9,7 +9,7 @@ const STRATEGIES = {
} }
// FIDO2FA, FIDOPasswordless or FIDOUsernameless // FIDO2FA, FIDOPasswordless or FIDOUsernameless
const CHOSEN_STRATEGY = 'FIDOPasswordless' const CHOSEN_STRATEGY = 'FIDO2FA'
module.exports = { module.exports = {
CHOSEN_STRATEGY, CHOSEN_STRATEGY,

6
migrations/1620335170327-hardware-credentials.js
View file

@ -4,11 +4,11 @@ exports.up = function (next) {
var sql = [ var sql = [
`ALTER TABLE user_register_tokens ADD COLUMN use_fido BOOLEAN DEFAULT false`, `ALTER TABLE user_register_tokens ADD COLUMN use_fido BOOLEAN DEFAULT false`,
`CREATE TABLE hardware_credentials ( `CREATE TABLE hardware_credentials (
id UUID PRIMARY KEY, id UUID PRIMARY KEY NOT NULL,
user_id UUID REFERENCES users(id), user_id UUID REFERENCES users(id) NOT NULL,
created TIMESTAMPTZ DEFAULT now(), created TIMESTAMPTZ DEFAULT now(),
last_used TIMESTAMPTZ DEFAULT now(), last_used TIMESTAMPTZ DEFAULT now(),
data JSONB data JSONB NOT NULL
)` )`
] ]

2
new-lamassu-admin/src/pages/Authentication/LoginCard.js
View file

@ -13,7 +13,7 @@ import styles from './shared.styles'
import { STATES } from './states' import { STATES } from './states'
// FIDO2FA, FIDOPasswordless or FIDOUsernameless // FIDO2FA, FIDOPasswordless or FIDOUsernameless
const AUTHENTICATION_STRATEGY = 'FIDOPasswordless' const AUTHENTICATION_STRATEGY = 'FIDO2FA'
const useStyles = makeStyles(styles) const useStyles = makeStyles(styles)

1
new-lamassu-admin/src/pages/Authentication/LoginState.js
View file

@ -115,7 +115,6 @@ const LoginState = ({ state, dispatch, strategy }) => {
GENERATE_ASSERTION, GENERATE_ASSERTION,
{ {
onCompleted: ({ generateAssertionOptions: options }) => { onCompleted: ({ generateAssertionOptions: options }) => {
console.log(options)
startAssertion(options) startAssertion(options)
.then(res => { .then(res => {
validateAssertion({ validateAssertion({

3
new-lamassu-admin/src/pages/UserManagement/UserManagement.js
View file

@ -83,8 +83,7 @@ const Users = () => {
const [validateAttestation] = useMutation(VALIDATE_ATTESTATION, { const [validateAttestation] = useMutation(VALIDATE_ATTESTATION, {
onCompleted: res => { onCompleted: res => {
console.log(res) // TODO: show a brief popup to have UX feedback?
// success ? console.log('success') : console.log('failure')
} }
}) })