lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1036 from chaotixkilla/fix-fido-credential-creation

Browse source 
Fix FIDO registration on localhost environments
This commit is contained in:
Rafael Taranto 2022-01-26 16:16:45 +00:00 committed by GitHub
commit 7cd6604a5f
11 changed files with 148 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

23
lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -4,25 +4,20 @@ const _ = require('lodash/fp')
const userManagement = require('../userManagement')
const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time')
const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost:3001` : domain
const expectedOrigin = `https://${rpID}`
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const options = simpleWebauthn.generateAttestationOptions({
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID,
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
@ -40,11 +35,11 @@ const generateAttestationOptions = (session, options) => {
session.webauthn = {
attestation: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
}
@ -59,7 +54,7 @@ const generateAssertionOptions = (session, options) => {
transports: ['usb', 'ble', 'nfc', 'internal']
})),
userVerification: 'discouraged',
rpID
rpID: options.domain
})
session.webauthn = {
@ -82,8 +77,8 @@ const validateAttestation = (session, options) => {
simpleWebauthn.verifyAttestationResponse({
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
@ -142,8 +137,8 @@ const validateAssertion = (session, options) => {
verification = simpleWebauthn.verifyAssertionResponse({
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
})
} catch (err) {

17
lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -3,25 +3,20 @@ const base64url = require('base64url')
const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time')
const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost:3001` : domain
const expectedOrigin = `https://${rpID}`
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID,
rpID: options.domain,
userName: user.username,
userID: user.id,
timeout: 60000,
@ -58,7 +53,7 @@ const generateAssertionOptions = (session, options) => {
transports: ['usb', 'ble', 'nfc', 'internal']
})),
userVerification: 'discouraged',
rpID
rpID: options.domain
})
session.webauthn = {
@ -81,8 +76,8 @@ const validateAttestation = (session, options) => {
simpleWebauthn.verifyAttestationResponse({
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
@ -141,8 +136,8 @@ const validateAssertion = (session, options) => {
verification = simpleWebauthn.verifyAssertionResponse({
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
})
} catch (err) {

25
lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -3,23 +3,18 @@ const base64url = require('base64url')
const _ = require('lodash/fp')
const credentials = require('../../../../hardware-credentials')
const options = require('../../../../options')
const T = require('../../../../time')
const users = require('../../../../users')
const domain = options.hostname
const devMode = require('minimist')(process.argv.slice(2)).dev
const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost:3001` : domain
const expectedOrigin = `https://${rpID}`
const generateAttestationOptions = (session, options) => {
return credentials.getHardwareCredentials().then(devices => {
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID,
rpID: options.domain,
userName: `Usernameless user created at ${new Date().toISOString()}`,
userID: options.userId,
timeout: 60000,
@ -46,9 +41,9 @@ const generateAttestationOptions = (session, options) => {
})
}
const generateAssertionOptions = session => {
const generateAssertionOptions = (session, options) => {
return credentials.getHardwareCredentials().then(devices => {
const options = simpleWebauthn.generateAssertionOptions({
const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000,
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
@ -56,15 +51,15 @@ const generateAssertionOptions = session => {
transports: ['usb', 'ble', 'nfc', 'internal']
})),
userVerification: 'discouraged',
rpID
rpID: options.domain
})
session.webauthn = {
assertion: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
}
@ -77,8 +72,8 @@ const validateAttestation = (session, options) => {
simpleWebauthn.verifyAttestationResponse({
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain
})
])
.then(([user, verification]) => {
@ -146,8 +141,8 @@ const validateAssertion = (session, options) => {
verification = simpleWebauthn.verifyAssertionResponse({
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
expectedOrigin: `https://${options.domain}${devMode ? `:3001` : ``}`,
expectedRPID: options.domain,
authenticator: convertedAuthenticator
})
} catch (err) {

24
lib/new-admin/graphql/resolvers/users.resolver.js
View file

@ -6,11 +6,11 @@ const sessionManager = require('../../../session-manager')
const getAttestationQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { userId: variables.userID }
return { userId: variables.userID, domain: variables.domain }
case 'FIDOPasswordless':
return { userId: variables.userID }
return { userId: variables.userID, domain: variables.domain }
case 'FIDOUsernameless':
return { userId: variables.userID }
return { userId: variables.userID, domain: variables.domain }
default:
return {}
}
@ -19,11 +19,11 @@ const getAttestationQueryOptions = variables => {
const getAssertionQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { username: variables.username, password: variables.password }
return { username: variables.username, password: variables.password, domain: variables.domain }
case 'FIDOPasswordless':
return { username: variables.username }
return { username: variables.username, domain: variables.domain }
case 'FIDOUsernameless':
return {}
return { domain: variables.domain }
default:
return {}
}
@ -32,11 +32,11 @@ const getAssertionQueryOptions = variables => {
const getAttestationMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
return { userId: variables.userID, attestationResponse: variables.attestationResponse, domain: variables.domain }
case 'FIDOPasswordless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
return { userId: variables.userID, attestationResponse: variables.attestationResponse, domain: variables.domain }
case 'FIDOUsernameless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
return { userId: variables.userID, attestationResponse: variables.attestationResponse, domain: variables.domain }
default:
return {}
}
@ -45,11 +45,11 @@ const getAttestationMutationOptions = variables => {
const getAssertionMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { username: variables.username, password: variables.password, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
return { username: variables.username, password: variables.password, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse, domain: variables.domain }
case 'FIDOPasswordless':
return { username: variables.username, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
return { username: variables.username, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse, domain: variables.domain }
case 'FIDOUsernameless':
return { assertionResponse: variables.assertionResponse }
return { assertionResponse: variables.assertionResponse, domain: variables.domain }
default:
return {}
}

24
lib/new-admin/graphql/types/users.type.js
View file

@ -3,14 +3,14 @@ const authentication = require('../modules/authentication')
const getFIDOStrategyQueryTypes = () => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return `generateAttestationOptions(userID: ID!): JSONObject
generateAssertionOptions(username: String!, password: String!): JSONObject`
return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
generateAssertionOptions(username: String!, password: String!, domain: String!): JSONObject`
case 'FIDOPasswordless':
return `generateAttestationOptions(userID: ID!): JSONObject
generateAssertionOptions(username: String!): JSONObject`
return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
generateAssertionOptions(username: String!, domain: String!): JSONObject`
case 'FIDOUsernameless':
return `generateAttestationOptions(userID: ID!): JSONObject
generateAssertionOptions: JSONObject`
return `generateAttestationOptions(userID: ID!, domain: String!): JSONObject
generateAssertionOptions(domain: String!): JSONObject`
default:
return ``
}
@ -19,14 +19,14 @@ const getFIDOStrategyQueryTypes = () => {
const getFIDOStrategyMutationsTypes = () => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!): Boolean
validateAssertion(username: String!, password: String!, rememberMe: Boolean!, assertionResponse: JSONObject!): Boolean`
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
validateAssertion(username: String!, password: String!, rememberMe: Boolean!, assertionResponse: JSONObject!, domain: String!): Boolean`
case 'FIDOPasswordless':
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!): Boolean
validateAssertion(username: String!, rememberMe: Boolean!, assertionResponse: JSONObject!): Boolean`
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
validateAssertion(username: String!, rememberMe: Boolean!, assertionResponse: JSONObject!, domain: String!): Boolean`
case 'FIDOUsernameless':
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!): Boolean
validateAssertion(assertionResponse: JSONObject!): Boolean`
return `validateAttestation(userID: ID!, attestationResponse: JSONObject!, domain: String!): Boolean
validateAssertion(assertionResponse: JSONObject!, domain: String!): Boolean`
default:
return ``
}

1
lib/new-admin/middlewares/session.js
View file

@ -21,7 +21,6 @@ router.use('*', async (req, res, next) => getOperatorId('authentication').then((
cookie: {
httpOnly: true,
secure: true,
domain: hostname,
sameSite: true,
maxAge: 60 * 10 * 1000 // 10 minutes
}

18
new-lamassu-admin/src/pages/Authentication/InputFIDOState.js
View file

@ -42,10 +42,10 @@ const InputFIDOState = ({ state, strategy }) => {
const GENERATE_ASSERTION = gql`
query generateAssertionOptions($username: String!${
strategy === 'FIDO2FA' ? `, $password: String!` : ``
}) {
}, $domain: String!) {
generateAssertionOptions(username: $username${
strategy === 'FIDO2FA' ? `, password: $password` : ``
})
}, domain: $domain)
}
`
@ -55,12 +55,14 @@ const InputFIDOState = ({ state, strategy }) => {
${strategy === 'FIDO2FA' ? `, $password: String!` : ``}
$rememberMe: Boolean!
$assertionResponse: JSONObject!
$domain: String!
) {
validateAssertion(
username: $username
${strategy === 'FIDO2FA' ? `password: $password` : ``}
rememberMe: $rememberMe
assertionResponse: $assertionResponse
domain: $domain
)
}
`
@ -90,10 +92,12 @@ const InputFIDOState = ({ state, strategy }) => {
strategy === 'FIDO2FA'
? {
username: state.clientField,
password: state.passwordField
password: state.passwordField,
domain: window.location.hostname
}
: {
username: localClientField
username: localClientField,
domain: window.location.hostname
},
onCompleted: ({ generateAssertionOptions: options }) => {
startAssertion(options)
@ -104,12 +108,14 @@ const InputFIDOState = ({ state, strategy }) => {
username: state.clientField,
password: state.passwordField,
rememberMe: state.rememberMeField,
assertionResponse: res
assertionResponse: res,
domain: window.location.hostname
}
: {
username: localClientField,
rememberMe: localRememberMeField,
assertionResponse: res
assertionResponse: res,
domain: window.location.hostname
}
validateAssertion({
variables

18
new-lamassu-admin/src/pages/Authentication/LoginState.js
View file

@ -24,14 +24,17 @@ const LOGIN = gql`
`
const GENERATE_ASSERTION = gql`
query generateAssertionOptions {
generateAssertionOptions
query generateAssertionOptions($domain: String!) {
generateAssertionOptions(domain: $domain)
}
`
const VALIDATE_ASSERTION = gql`
mutation validateAssertion($assertionResponse: JSONObject!) {
validateAssertion(assertionResponse: $assertionResponse)
mutation validateAssertion(
$assertionResponse: JSONObject!
$domain: String!
) {
validateAssertion(assertionResponse: $assertionResponse, domain: $domain)
}
`
@ -117,7 +120,8 @@ const LoginState = ({ state, dispatch, strategy }) => {
.then(res => {
validateAssertion({
variables: {
assertionResponse: res
assertionResponse: res,
domain: window.location.hostname
}
})
})
@ -212,7 +216,9 @@ const LoginState = ({ state, dispatch, strategy }) => {
type="button"
onClick={() => {
return strategy === 'FIDOUsernameless'
? assertionOptions()
? assertionOptions({
variables: { domain: window.location.hostname }
})
: dispatch({
type: 'FIDO',
payload: {}

34
new-lamassu-admin/src/pages/UserManagement/UserManagement.js
View file

@ -16,11 +16,13 @@ import { ReactComponent as WhiteLockIcon } from 'src/styling/icons/button/lock/w
import { ReactComponent as LockIcon } from 'src/styling/icons/button/lock/zodiac.svg'
import { ReactComponent as WhiteUserRoleIcon } from 'src/styling/icons/button/user-role/white.svg'
import { ReactComponent as UserRoleIcon } from 'src/styling/icons/button/user-role/zodiac.svg'
import { IP_CHECK_REGEX } from 'src/utils/constants'
import styles from './UserManagement.styles'
import ChangeRoleModal from './modals/ChangeRoleModal'
import CreateUserModal from './modals/CreateUserModal'
import EnableUserModal from './modals/EnableUserModal'
import FIDOModal from './modals/FIDOModal'
import Reset2FAModal from './modals/Reset2FAModal'
import ResetPasswordModal from './modals/ResetPasswordModal'
@ -41,8 +43,8 @@ const GET_USERS = gql`
`
const GENERATE_ATTESTATION = gql`
query generateAttestationOptions($userID: ID!) {
generateAttestationOptions(userID: $userID)
query generateAttestationOptions($userID: ID!, $domain: String!) {
generateAttestationOptions(userID: $userID, domain: $domain)
}
`
@ -50,10 +52,12 @@ const VALIDATE_ATTESTATION = gql`
mutation validateAttestation(
$userID: ID!
$attestationResponse: JSONObject!
$domain: String!
) {
validateAttestation(
userID: $userID
attestationResponse: $attestationResponse
domain: $domain
)
}
`
@ -100,11 +104,12 @@ const Users = () => {
const [generateAttestationOptions] = useLazyQuery(GENERATE_ATTESTATION, {
onCompleted: ({ generateAttestationOptions: options }) => {
startAttestation(options).then(res => {
return startAttestation(options).then(res => {
validateAttestation({
variables: {
userID: userInfo.id,
attestationResponse: res
attestationResponse: res,
domain: window.location.hostname
}
})
})
@ -191,12 +196,20 @@ const Users = () => {
InverseIcon={WhiteUserRoleIcon}
color="primary"
onClick={() => {
setUserInfo(u)
generateAttestationOptions({
variables: {
userID: u.id
}
})
if (IP_CHECK_REGEX.test(window.location.hostname)) {
dispatch({
type: 'open',
payload: 'showFIDOModal'
})
} else {
setUserInfo(u)
generateAttestationOptions({
variables: {
userID: u.id,
domain: window.location.hostname
}
})
}
}}>
Add FIDO
</ActionButton>
@ -272,6 +285,7 @@ const Users = () => {
user={userInfo}
requiresConfirmation={userInfo?.role === 'superuser'}
/>
<FIDOModal state={state} dispatch={dispatch} />
</>
)
}

47
new-lamassu-admin/src/pages/UserManagement/modals/FIDOModal.js Normal file
View file

@ -0,0 +1,47 @@
import { makeStyles } from '@material-ui/core/styles'
import React from 'react'
import Modal from 'src/components/Modal'
import { Button } from 'src/components/buttons'
import { Info2, P } from 'src/components/typography'
import styles from '../UserManagement.styles'
const useStyles = makeStyles(styles)
const ChangeRoleModal = ({ state, dispatch }) => {
const classes = useStyles()
const handleClose = () => {
dispatch({
type: 'close',
payload: 'showFIDOModal'
})
}
return (
<Modal
closeOnBackdropClick={true}
width={450}
height={275}
handleClose={handleClose}
open={state.showFIDOModal}>
<Info2 className={classes.modalTitle}>About FIDO authentication</Info2>
<P className={classes.info}>
This feature is only available for websites with configured domains, and
we detected that a domain is not configured at the moment.
</P>
<P>
Make sure that a domain is configured for this website and try again
later.
</P>
<div className={classes.footer}>
<Button className={classes.submit} onClick={() => handleClose()}>
Confirm
</Button>
</div>
</Modal>
)
}
export default ChangeRoleModal

5
new-lamassu-admin/src/utils/constants.js
View file

@ -6,11 +6,14 @@ const WALLET_SCORING_DEFAULT_THRESHOLD = 9
const AUTOMATIC = 'automatic'
const MANUAL = 'manual'
const IP_CHECK_REGEX = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/
export {
CURRENCY_MAX,
MIN_NUMBER_OF_CASSETTES,
MAX_NUMBER_OF_CASSETTES,
AUTOMATIC,
MANUAL,
WALLET_SCORING_DEFAULT_THRESHOLD
WALLET_SCORING_DEFAULT_THRESHOLD,
IP_CHECK_REGEX
}