lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: sql uppercasing

Browse source 
fix: structural changes to remove async/await flows
fix: invert boolean flow
fix: minor fixes
This commit is contained in:
Sérgio Salgado 2021-06-15 19:45:57 +01:00
parent f987a07e0b
commit 1563aa307b
9 changed files with 172 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/hardware-credentials.js
View file

@ -8,12 +8,12 @@ function createHardwareCredential (userID, credentialData) {
} }
function getHardwareCredentials () { function getHardwareCredentials () {
const sql = `SELECT * from hardware_credentials` const sql = `SELECT * FROM hardware_credentials`
return db.any(sql) return db.any(sql)
} }
function getHardwareCredentialsOfUser (userID) { function getHardwareCredentialsOfUser (userID) {
const sql = `SELECT * from hardware_credentials where user_id=$1` const sql = `SELECT * FROM hardware_credentials WHERE user_id=$1`
return db.any(sql, [userID]) return db.any(sql, [userID])
} }

86
lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -4,12 +4,17 @@ const _ = require('lodash/fp')
const userManagement = require('../userManagement') const userManagement = require('../userManagement')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const db = require('../../../../db')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -73,46 +78,53 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
const { context.req.session.webauthn = null
counter, return false
credentialPublicKey,
credentialID
} = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
}
} }
context.req.session.webauthn = null const {
return verified counter,
credentialPublicKey,
credentialID
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
return verified
})
}) })
})
} }
const validateAssertion = (username, password, rememberMe, assertionResponse, context) => { const validateAssertion = (username, password, rememberMe, assertionResponse, context) => {
return userManagement.authenticateUser(username, password).then(user => { return userManagement.authenticateUser(username, password).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => { return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -142,17 +154,21 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
} }
context.req.session.webauthn = null dbAuthenticator.data.counter = assertionInfo.newCounter
return verified return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
return verified
})
}) })
}) })
} }

85
lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -3,12 +3,16 @@ const base64url = require('base64url')
const _ = require('lodash/fp') const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -72,46 +76,53 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
const { context.req.session.webauthn = null
counter, return false
credentialPublicKey,
credentialID
} = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
}
} }
context.req.session.webauthn = null const {
return verified counter,
credentialPublicKey,
credentialID
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
counter,
credentialPublicKey,
credentialID
}
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
return verified
})
}) })
})
} }
const validateAssertion = (username, rememberMe, assertionResponse, context) => { const validateAssertion = (username, rememberMe, assertionResponse, context) => {
return users.getUserByUsername(username).then(user => { return users.getUserByUsername(username).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => { return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -141,17 +152,21 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
} }
context.req.session.webauthn = null dbAuthenticator.data.counter = assertionInfo.newCounter
return verified return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
return verified
})
}) })
}) })
} }

109
lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -3,12 +3,16 @@ const base64url = require('base64url')
const _ = require('lodash/fp') const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day const REMEMBER_ME_AGE = 90 * T.day
const rpID = `localhost` const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (userID, session) => {
@ -68,55 +72,62 @@ const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = context.req.session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return users.getUserById(userID).then(user => { return Promise.all([
return simpleWebauthn.verifyAttestationResponse({ users.getUserById(userID),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
}).then(async verification => { })
])
.then(([user, verification]) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (verified && attestationInfo) { if (!(verified || attestationInfo)) {
const { context.req.session.webauthn = null
fmt, return verified
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
} = attestationInfo
const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
}
credentials.createHardwareCredential(user.id, newDevice)
}
} }
context.req.session.webauthn = null const {
return verified fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
if (!existingDevice) {
const newDevice = {
fmt,
counter,
aaguid,
credentialPublicKey,
credentialID,
credentialType,
userVerified,
attestationObject
}
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
return verified
})
}) })
})
} }
const validateAssertion = (assertionResponse, context) => { const validateAssertion = (assertionResponse, context) => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = context.req.session.webauthn.assertion.challenge
return credentials.getHardwareCredentials().then(async devices => { return credentials.getHardwareCredentials().then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
}, devices) }, devices)
@ -146,18 +157,24 @@ const validateAssertion = (assertionResponse, context) => {
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (verified) { if (!verified) {
dbAuthenticator.data.counter = assertionInfo.newCounter context.req.session.webauthn = null
await credentials.updateHardwareCredential(dbAuthenticator) return false
const user = await users.getUserById(dbAuthenticator.user_id)
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
context.req.session.cookie.maxAge = REMEMBER_ME_AGE
} }
context.req.session.webauthn = null dbAuthenticator.data.counter = assertionInfo.newCounter
return verified return Promise.all([
credentials.updateHardwareCredential(dbAuthenticator),
users.getUserById(dbAuthenticator.user_id)
])
.then(([_, user]) => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
context.req.session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
return verified
})
}) })
} }

2
lib/new-admin/graphql/modules/authentication/index.js
View file

@ -9,7 +9,7 @@ const STRATEGIES = {
} }
// FIDO2FA, FIDOPasswordless or FIDOUsernameless // FIDO2FA, FIDOPasswordless or FIDOUsernameless
const CHOSEN_STRATEGY = 'FIDOPasswordless' const CHOSEN_STRATEGY = 'FIDO2FA'
module.exports = { module.exports = {
CHOSEN_STRATEGY, CHOSEN_STRATEGY,

6
migrations/1620335170327-hardware-credentials.js
View file

@ -4,11 +4,11 @@ exports.up = function (next) {
var sql = [ var sql = [
`ALTER TABLE user_register_tokens ADD COLUMN use_fido BOOLEAN DEFAULT false`, `ALTER TABLE user_register_tokens ADD COLUMN use_fido BOOLEAN DEFAULT false`,
`CREATE TABLE hardware_credentials ( `CREATE TABLE hardware_credentials (
id UUID PRIMARY KEY, id UUID PRIMARY KEY NOT NULL,
user_id UUID REFERENCES users(id), user_id UUID REFERENCES users(id) NOT NULL,
created TIMESTAMPTZ DEFAULT now(), created TIMESTAMPTZ DEFAULT now(),
last_used TIMESTAMPTZ DEFAULT now(), last_used TIMESTAMPTZ DEFAULT now(),
data JSONB data JSONB NOT NULL
)` )`
] ]

2
new-lamassu-admin/src/pages/Authentication/LoginCard.js
View file

@ -13,7 +13,7 @@ import styles from './shared.styles'
import { STATES } from './states' import { STATES } from './states'
// FIDO2FA, FIDOPasswordless or FIDOUsernameless // FIDO2FA, FIDOPasswordless or FIDOUsernameless
const AUTHENTICATION_STRATEGY = 'FIDOPasswordless' const AUTHENTICATION_STRATEGY = 'FIDO2FA'
const useStyles = makeStyles(styles) const useStyles = makeStyles(styles)

1
new-lamassu-admin/src/pages/Authentication/LoginState.js
View file

@ -115,7 +115,6 @@ const LoginState = ({ state, dispatch, strategy }) => {
GENERATE_ASSERTION, GENERATE_ASSERTION,
{ {
onCompleted: ({ generateAssertionOptions: options }) => { onCompleted: ({ generateAssertionOptions: options }) => {
console.log(options)
startAssertion(options) startAssertion(options)
.then(res => { .then(res => {
validateAssertion({ validateAssertion({

3
new-lamassu-admin/src/pages/UserManagement/UserManagement.js
View file

@ -83,8 +83,7 @@ const Users = () => {
const [validateAttestation] = useMutation(VALIDATE_ATTESTATION, { const [validateAttestation] = useMutation(VALIDATE_ATTESTATION, {
onCompleted: res => { onCompleted: res => {
console.log(res) // TODO: show a brief popup to have UX feedback?
// success ? console.log('success') : console.log('failure')
} }
}) })