lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: multiple small fixes

Browse source
This commit is contained in:
Sérgio Salgado 2021-11-24 22:11:25 +00:00
parent 6b44c6aa37
commit d8f163af74
11 changed files with 135 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

57
lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -4,7 +4,6 @@ const _ = require('lodash/fp')
const userManagement = require('../userManagement')
const credentials = require('../../../../hardware-credentials')
const db = require('../../../../db')
const options = require('../../../../options')
const T = require('../../../../time')
const users = require('../../../../users')
@ -17,9 +16,9 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => {
return users.getUserById(userID).then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user])
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const options = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
@ -49,10 +48,10 @@ const generateAttestationOptions = (userID, session) => {
})
}
const generateAssertionOptions = (username, password, context) => {
return userManagement.authenticateUser(username, password).then(user => {
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const options = simpleWebauthn.generateAssertionOptions({
const generateAssertionOptions = (session, options) => {
return userManagement.authenticateUser(options.username, options.password).then(user => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000,
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
@ -63,25 +62,25 @@ const generateAssertionOptions = (username, password, context) => {
rpID
})
context.req.session.webauthn = {
session.webauthn = {
assertion: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
})
}
const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation
const validateAttestation = (session, options) => {
const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge
return Promise.all([
users.getUserById(userID),
users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse,
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
@ -91,7 +90,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
session.webauthn = null
return false
}
@ -101,7 +100,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentialID
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -114,23 +113,23 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})
}
const validateAssertion = (username, password, rememberMe, assertionResponse, context) => {
return userManagement.authenticateUser(username, password).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge
const validateAssertion = (session, options) => {
return userManagement.authenticateUser(options.username, options.password).then(user => {
const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
}
const convertedAuthenticator = _.merge(
@ -141,7 +140,7 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
let verification
try {
verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse,
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
@ -155,7 +154,7 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
const { verified, assertionInfo } = verification
if (!verified) {
context.req.session.webauthn = null
session.webauthn = null
return false
}
@ -163,10 +162,10 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})

60
lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -15,11 +15,11 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => {
return users.getUserById(userID).then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user])
const generateAttestationOptions = (session, options) => {
return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => {
const options = simpleWebauthn.generateAttestationOptions({
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID,
userName: user.username,
@ -39,18 +39,18 @@ const generateAttestationOptions = (userID, session) => {
session.webauthn = {
attestation: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
}
const generateAssertionOptions = (username, context) => {
return users.getUserByUsername(username).then(user => {
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
const options = simpleWebauthn.generateAssertionOptions({
const generateAssertionOptions = (session, options) => {
return users.getUserByUsername(options.username).then(user => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000,
allowCredentials: devices.map(dev => ({
id: dev.data.credentialID,
@ -61,25 +61,25 @@ const generateAssertionOptions = (username, context) => {
rpID
})
context.req.session.webauthn = {
session.webauthn = {
assertion: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
})
}
const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation
const validateAttestation = (session, options) => {
const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge
return Promise.all([
users.getUserById(userID),
users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse,
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
@ -89,7 +89,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
session.webauthn = null
return false
}
@ -99,7 +99,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentialID
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -112,23 +112,23 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})
}
const validateAssertion = (username, rememberMe, assertionResponse, context) => {
return users.getUserByUsername(username).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge
const validateAssertion = (session, options) => {
return users.getUserByUsername(options.username).then(user => {
const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
}
const convertedAuthenticator = _.merge(
@ -139,7 +139,7 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
let verification
try {
verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse,
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
@ -161,10 +161,10 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
session.user = finalUser
if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})

46
lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -15,13 +15,13 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => {
const generateAttestationOptions = (session, options) => {
return credentials.getHardwareCredentials().then(devices => {
const options = simpleWebauthn.generateAttestationOptions({
const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu',
rpID,
userName: `Usernameless user created at ${new Date().toISOString()}`,
userID: userID,
userID: options.userId,
timeout: 60000,
attestationType: 'direct',
excludeCredentials: devices.map(dev => ({
@ -38,15 +38,15 @@ const generateAttestationOptions = (userID, session) => {
session.webauthn = {
attestation: {
challenge: options.challenge
challenge: opts.challenge
}
}
return options
return opts
})
}
const generateAssertionOptions = context => {
const generateAssertionOptions = session => {
return credentials.getHardwareCredentials().then(devices => {
const options = simpleWebauthn.generateAssertionOptions({
timeout: 60000,
@ -59,7 +59,7 @@ const generateAssertionOptions = context => {
rpID
})
context.req.session.webauthn = {
session.webauthn = {
assertion: {
challenge: options.challenge
}
@ -68,14 +68,14 @@ const generateAssertionOptions = context => {
})
}
const validateAttestation = (userID, attestationResponse, context) => {
const webauthnData = context.req.session.webauthn.attestation
const validateAttestation = (session, options) => {
const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge
return Promise.all([
users.getUserById(userID),
users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse,
credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID
@ -85,7 +85,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) {
context.req.session.webauthn = null
session.webauthn = null
return verified
}
@ -100,7 +100,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
attestationObject
} = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id)
return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -118,22 +118,22 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice)
}
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})
}
const validateAssertion = (assertionResponse, context) => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge
const validateAssertion = (session, options) => {
const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentials().then(devices => {
const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices)
if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
}
const convertedAuthenticator = _.merge(
@ -144,7 +144,7 @@ const validateAssertion = (assertionResponse, context) => {
let verification
try {
verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse,
credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin,
expectedRPID: rpID,
@ -158,7 +158,7 @@ const validateAssertion = (assertionResponse, context) => {
const { verified, assertionInfo } = verification
if (!verified) {
context.req.session.webauthn = null
session.webauthn = null
return false
}
@ -169,10 +169,10 @@ const validateAssertion = (assertionResponse, context) => {
])
.then(([_, user]) => {
const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser
context.req.session.cookie.maxAge = REMEMBER_ME_AGE
session.user = finalUser
session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null
session.webauthn = null
return verified
})
})

2
lib/new-admin/graphql/modules/userManagement.js
View file

@ -144,7 +144,7 @@ const deleteSession = (sessionID, context) => {
const login = (username, password) => {
return authenticateUser(username, password)
.then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user.twofa_code])
return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user.twofa_code])
})
.then(([devices, twoFASecret]) => {
if (!_.isEmpty(devices)) return 'FIDO'

66
lib/new-admin/graphql/resolvers/users.resolver.js
View file

@ -3,45 +3,53 @@ const userManagement = require('../modules/userManagement')
const users = require('../../../users')
const sessionManager = require('../../../session-manager')
const getFIDOStrategyQueries = () => {
const getAttestationQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return {
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { username, password }, context]) => authentication.strategy.generateAssertionOptions(username, password, context)
}
return { userId: variables.userID }
case 'FIDOPasswordless':
return {
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { username }, context]) => authentication.strategy.generateAssertionOptions(username, context)
}
return { userId: variables.userID }
case 'FIDOUsernameless':
return {
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { }, context]) => authentication.strategy.generateAssertionOptions(context)
}
return { userId: variables.userID }
default:
return {}
}
}
const getFIDOStrategyMutations = () => {
const getAssertionQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return {
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context),
validateAssertion: (...[, { username, password, rememberMe, assertionResponse }, context]) => authentication.strategy.validateAssertion(username, password, rememberMe, assertionResponse, context)
}
return { username: variables.username, password: variables.password }
case 'FIDOPasswordless':
return {
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context),
validateAssertion: (...[, { username, rememberMe, assertionResponse }, context]) => authentication.strategy.validateAssertion(username, rememberMe, assertionResponse, context)
}
return { username: variables.username }
case 'FIDOUsernameless':
return {
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context),
validateAssertion: (...[, { assertionResponse }, context]) => authentication.strategy.validateAssertion(assertionResponse, context)
}
return {}
default:
return {}
}
}
const getAttestationMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
case 'FIDOPasswordless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
case 'FIDOUsernameless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
default:
return {}
}
}
const getAssertionMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { username: variables.username, password: variables.password, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
case 'FIDOPasswordless':
return { username: variables.username, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
case 'FIDOUsernameless':
return { assertionResponse: variables.assertionResponse }
default:
return {}
}
@ -58,7 +66,8 @@ const resolver = {
validateRegisterLink: (...[, { token }]) => userManagement.validateRegisterLink(token),
validateResetPasswordLink: (...[, { token }]) => userManagement.validateResetPasswordLink(token),
validateReset2FALink: (...[, { token }]) => userManagement.validateReset2FALink(token),
...getFIDOStrategyQueries()
generateAttestationOptions: (...[, variables, context]) => authentication.strategy.generateAttestationOptions(context.req.session, getAttestationQueryOptions(variables)),
generateAssertionOptions: (...[, variables, context]) => authentication.strategy.generateAssertionOptions(context.req.session, getAssertionQueryOptions(variables))
},
Mutation: {
enableUser: (...[, { confirmationCode, id }, context]) => userManagement.enableUser(confirmationCode, id, context),
@ -75,7 +84,8 @@ const resolver = {
register: (...[, { token, username, password, role }]) => userManagement.register(token, username, password, role),
resetPassword: (...[, { token, userID, newPassword }, context]) => userManagement.resetPassword(token, userID, newPassword, context),
reset2FA: (...[, { token, userID, code }, context]) => userManagement.reset2FA(token, userID, code, context),
...getFIDOStrategyMutations()
validateAttestation: (...[, variables, context]) => authentication.strategy.validateAttestation(context.req.session, getAttestationMutationOptions(variables)),
validateAssertion: (...[, variables, context]) => authentication.strategy.validateAssertion(context.req.session, getAssertionMutationOptions(variables))
}
}