lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: multiple small fixes

Browse source
This commit is contained in:
Sérgio Salgado 2021-11-24 22:11:25 +00:00
parent 6b44c6aa37
commit d8f163af74
11 changed files with 135 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

4
bin/lamassu-register
View file

@ -1,7 +1,7 @@
#!/usr/bin/env node #!/usr/bin/env node
const { asyncLocalStorage, defaultStore } = require('../lib/async-storage') const { asyncLocalStorage, defaultStore } = require('../lib/async-storage')
const authentication = require('../lib/new-admin/graphql/modules/authentication') const userManagement = require('../lib/new-admin/graphql/modules/userManagement')
const options = require('../lib/options') const options = require('../lib/options')
const name = process.argv[2] const name = process.argv[2]
@ -31,7 +31,7 @@ if (role !== 'user' && role !== 'superuser') {
} }
asyncLocalStorage.run(defaultStore(), () => { asyncLocalStorage.run(defaultStore(), () => {
authentication.createRegisterToken(name, role).then(token => { userManagement.createRegisterToken(name, role).then(token => {
if (!token) { if (!token) {
console.log(`A user named ${name} already exists!`) console.log(`A user named ${name} already exists!`)
process.exit(2) process.exit(2)

4
lib/hardware-credentials.js
View file

@ -12,7 +12,7 @@ function getHardwareCredentials () {
return db.any(sql) return db.any(sql)
} }
function getHardwareCredentialsOfUser (userID) { function getHardwareCredentialsByUserId (userID) {
const sql = `SELECT * FROM hardware_credentials WHERE user_id=$1` const sql = `SELECT * FROM hardware_credentials WHERE user_id=$1`
return db.any(sql, [userID]) return db.any(sql, [userID])
} }
@ -30,7 +30,7 @@ function updateHardwareCredential (credential) {
module.exports = { module.exports = {
createHardwareCredential, createHardwareCredential,
getHardwareCredentials, getHardwareCredentials,
getHardwareCredentialsOfUser, getHardwareCredentialsByUserId,
getUserByUserHandle, getUserByUserHandle,
updateHardwareCredential updateHardwareCredential
} }

57
lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js
View file

@ -4,7 +4,6 @@ const _ = require('lodash/fp')
const userManagement = require('../userManagement') const userManagement = require('../userManagement')
const credentials = require('../../../../hardware-credentials') const credentials = require('../../../../hardware-credentials')
const db = require('../../../../db')
const options = require('../../../../options') const options = require('../../../../options')
const T = require('../../../../time') const T = require('../../../../time')
const users = require('../../../../users') const users = require('../../../../users')
@ -17,9 +16,9 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (session, options) => {
return users.getUserById(userID).then(user => { return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user]) return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => { }).then(([userDevices, user]) => {
const options = simpleWebauthn.generateAttestationOptions({ const options = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu', rpName: 'Lamassu',
@ -49,10 +48,10 @@ const generateAttestationOptions = (userID, session) => {
}) })
} }
const generateAssertionOptions = (username, password, context) => { const generateAssertionOptions = (session, options) => {
return userManagement.authenticateUser(username, password).then(user => { return userManagement.authenticateUser(options.username, options.password).then(user => {
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => { return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const options = simpleWebauthn.generateAssertionOptions({ const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000, timeout: 60000,
allowCredentials: devices.map(dev => ({ allowCredentials: devices.map(dev => ({
id: dev.data.credentialID, id: dev.data.credentialID,
@ -63,25 +62,25 @@ const generateAssertionOptions = (username, password, context) => {
rpID rpID
}) })
context.req.session.webauthn = { session.webauthn = {
assertion: { assertion: {
challenge: options.challenge challenge: opts.challenge
} }
} }
return options return opts
}) })
}) })
} }
const validateAttestation = (userID, attestationResponse, context) => { const validateAttestation = (session, options) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return Promise.all([ return Promise.all([
users.getUserById(userID), users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({ simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
@ -91,7 +90,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null session.webauthn = null
return false return false
} }
@ -101,7 +100,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentialID credentialID
} = attestationInfo } = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => { .then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -114,23 +113,23 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })
} }
const validateAssertion = (username, password, rememberMe, assertionResponse, context) => { const validateAssertion = (session, options) => {
return userManagement.authenticateUser(username, password).then(user => { return userManagement.authenticateUser(options.username, options.password).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => { return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices) }, devices)
if (!dbAuthenticator.data) { if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`) throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
} }
const convertedAuthenticator = _.merge( const convertedAuthenticator = _.merge(
@ -141,7 +140,7 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
let verification let verification
try { try {
verification = simpleWebauthn.verifyAssertionResponse({ verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse, credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID, expectedRPID: rpID,
@ -155,7 +154,7 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (!verified) { if (!verified) {
context.req.session.webauthn = null session.webauthn = null
return false return false
} }
@ -163,10 +162,10 @@ const validateAssertion = (username, password, rememberMe, assertionResponse, co
return credentials.updateHardwareCredential(dbAuthenticator) return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => { .then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })

60
lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js
View file

@ -15,11 +15,11 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (session, options) => {
return users.getUserById(userID).then(user => { return users.getUserById(options.userId).then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user]) return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user])
}).then(([userDevices, user]) => { }).then(([userDevices, user]) => {
const options = simpleWebauthn.generateAttestationOptions({ const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu', rpName: 'Lamassu',
rpID, rpID,
userName: user.username, userName: user.username,
@ -39,18 +39,18 @@ const generateAttestationOptions = (userID, session) => {
session.webauthn = { session.webauthn = {
attestation: { attestation: {
challenge: options.challenge challenge: opts.challenge
} }
} }
return options return opts
}) })
} }
const generateAssertionOptions = (username, context) => { const generateAssertionOptions = (session, options) => {
return users.getUserByUsername(username).then(user => { return users.getUserByUsername(options.username).then(user => {
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => { return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const options = simpleWebauthn.generateAssertionOptions({ const opts = simpleWebauthn.generateAssertionOptions({
timeout: 60000, timeout: 60000,
allowCredentials: devices.map(dev => ({ allowCredentials: devices.map(dev => ({
id: dev.data.credentialID, id: dev.data.credentialID,
@ -61,25 +61,25 @@ const generateAssertionOptions = (username, context) => {
rpID rpID
}) })
context.req.session.webauthn = { session.webauthn = {
assertion: { assertion: {
challenge: options.challenge challenge: opts.challenge
} }
} }
return options return opts
}) })
}) })
} }
const validateAttestation = (userID, attestationResponse, context) => { const validateAttestation = (session, options) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return Promise.all([ return Promise.all([
users.getUserById(userID), users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({ simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
@ -89,7 +89,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null session.webauthn = null
return false return false
} }
@ -99,7 +99,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentialID credentialID
} = attestationInfo } = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => { .then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -112,23 +112,23 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })
} }
const validateAssertion = (username, rememberMe, assertionResponse, context) => { const validateAssertion = (session, options) => {
return users.getUserByUsername(username).then(user => { return users.getUserByUsername(options.username).then(user => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentialsOfUser(user.id).then(devices => { return credentials.getHardwareCredentialsByUserId(user.id).then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices) }, devices)
if (!dbAuthenticator.data) { if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`) throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
} }
const convertedAuthenticator = _.merge( const convertedAuthenticator = _.merge(
@ -139,7 +139,7 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
let verification let verification
try { try {
verification = simpleWebauthn.verifyAssertionResponse({ verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse, credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID, expectedRPID: rpID,
@ -161,10 +161,10 @@ const validateAssertion = (username, rememberMe, assertionResponse, context) =>
return credentials.updateHardwareCredential(dbAuthenticator) return credentials.updateHardwareCredential(dbAuthenticator)
.then(() => { .then(() => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser session.user = finalUser
if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE if (options.rememberMe) session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })

46
lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js
View file

@ -15,13 +15,13 @@ const REMEMBER_ME_AGE = 90 * T.day
const rpID = devMode ? `localhost` : domain const rpID = devMode ? `localhost` : domain
const expectedOrigin = `https://${rpID}:3001` const expectedOrigin = `https://${rpID}:3001`
const generateAttestationOptions = (userID, session) => { const generateAttestationOptions = (session, options) => {
return credentials.getHardwareCredentials().then(devices => { return credentials.getHardwareCredentials().then(devices => {
const options = simpleWebauthn.generateAttestationOptions({ const opts = simpleWebauthn.generateAttestationOptions({
rpName: 'Lamassu', rpName: 'Lamassu',
rpID, rpID,
userName: `Usernameless user created at ${new Date().toISOString()}`, userName: `Usernameless user created at ${new Date().toISOString()}`,
userID: userID, userID: options.userId,
timeout: 60000, timeout: 60000,
attestationType: 'direct', attestationType: 'direct',
excludeCredentials: devices.map(dev => ({ excludeCredentials: devices.map(dev => ({
@ -38,15 +38,15 @@ const generateAttestationOptions = (userID, session) => {
session.webauthn = { session.webauthn = {
attestation: { attestation: {
challenge: options.challenge challenge: opts.challenge
} }
} }
return options return opts
}) })
} }
const generateAssertionOptions = context => { const generateAssertionOptions = session => {
return credentials.getHardwareCredentials().then(devices => { return credentials.getHardwareCredentials().then(devices => {
const options = simpleWebauthn.generateAssertionOptions({ const options = simpleWebauthn.generateAssertionOptions({
timeout: 60000, timeout: 60000,
@ -59,7 +59,7 @@ const generateAssertionOptions = context => {
rpID rpID
}) })
context.req.session.webauthn = { session.webauthn = {
assertion: { assertion: {
challenge: options.challenge challenge: options.challenge
} }
@ -68,14 +68,14 @@ const generateAssertionOptions = context => {
}) })
} }
const validateAttestation = (userID, attestationResponse, context) => { const validateAttestation = (session, options) => {
const webauthnData = context.req.session.webauthn.attestation const webauthnData = session.webauthn.attestation
const expectedChallenge = webauthnData.challenge const expectedChallenge = webauthnData.challenge
return Promise.all([ return Promise.all([
users.getUserById(userID), users.getUserById(options.userId),
simpleWebauthn.verifyAttestationResponse({ simpleWebauthn.verifyAttestationResponse({
credential: attestationResponse, credential: options.attestationResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID expectedRPID: rpID
@ -85,7 +85,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
const { verified, attestationInfo } = verification const { verified, attestationInfo } = verification
if (!(verified || attestationInfo)) { if (!(verified || attestationInfo)) {
context.req.session.webauthn = null session.webauthn = null
return verified return verified
} }
@ -100,7 +100,7 @@ const validateAttestation = (userID, attestationResponse, context) => {
attestationObject attestationObject
} = attestationInfo } = attestationInfo
return credentials.getHardwareCredentialsOfUser(user.id) return credentials.getHardwareCredentialsByUserId(user.id)
.then(userDevices => { .then(userDevices => {
const existingDevice = userDevices.find(device => device.data.credentialID === credentialID) const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
@ -118,22 +118,22 @@ const validateAttestation = (userID, attestationResponse, context) => {
credentials.createHardwareCredential(user.id, newDevice) credentials.createHardwareCredential(user.id, newDevice)
} }
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })
} }
const validateAssertion = (assertionResponse, context) => { const validateAssertion = (session, options) => {
const expectedChallenge = context.req.session.webauthn.assertion.challenge const expectedChallenge = session.webauthn.assertion.challenge
return credentials.getHardwareCredentials().then(devices => { return credentials.getHardwareCredentials().then(devices => {
const dbAuthenticator = _.find(dev => { const dbAuthenticator = _.find(dev => {
return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0 return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(options.assertionResponse.rawId)) === 0
}, devices) }, devices)
if (!dbAuthenticator.data) { if (!dbAuthenticator.data) {
throw new Error(`Could not find authenticator matching ${assertionResponse.id}`) throw new Error(`Could not find authenticator matching ${options.assertionResponse.id}`)
} }
const convertedAuthenticator = _.merge( const convertedAuthenticator = _.merge(
@ -144,7 +144,7 @@ const validateAssertion = (assertionResponse, context) => {
let verification let verification
try { try {
verification = simpleWebauthn.verifyAssertionResponse({ verification = simpleWebauthn.verifyAssertionResponse({
credential: assertionResponse, credential: options.assertionResponse,
expectedChallenge: `${expectedChallenge}`, expectedChallenge: `${expectedChallenge}`,
expectedOrigin, expectedOrigin,
expectedRPID: rpID, expectedRPID: rpID,
@ -158,7 +158,7 @@ const validateAssertion = (assertionResponse, context) => {
const { verified, assertionInfo } = verification const { verified, assertionInfo } = verification
if (!verified) { if (!verified) {
context.req.session.webauthn = null session.webauthn = null
return false return false
} }
@ -169,10 +169,10 @@ const validateAssertion = (assertionResponse, context) => {
]) ])
.then(([_, user]) => { .then(([_, user]) => {
const finalUser = { id: user.id, username: user.username, role: user.role } const finalUser = { id: user.id, username: user.username, role: user.role }
context.req.session.user = finalUser session.user = finalUser
context.req.session.cookie.maxAge = REMEMBER_ME_AGE session.cookie.maxAge = REMEMBER_ME_AGE
context.req.session.webauthn = null session.webauthn = null
return verified return verified
}) })
}) })

2
lib/new-admin/graphql/modules/userManagement.js
View file

@ -144,7 +144,7 @@ const deleteSession = (sessionID, context) => {
const login = (username, password) => { const login = (username, password) => {
return authenticateUser(username, password) return authenticateUser(username, password)
.then(user => { .then(user => {
return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user.twofa_code]) return Promise.all([credentials.getHardwareCredentialsByUserId(user.id), user.twofa_code])
}) })
.then(([devices, twoFASecret]) => { .then(([devices, twoFASecret]) => {
if (!_.isEmpty(devices)) return 'FIDO' if (!_.isEmpty(devices)) return 'FIDO'

66
lib/new-admin/graphql/resolvers/users.resolver.js
View file

@ -3,45 +3,53 @@ const userManagement = require('../modules/userManagement')
const users = require('../../../users') const users = require('../../../users')
const sessionManager = require('../../../session-manager') const sessionManager = require('../../../session-manager')
const getFIDOStrategyQueries = () => { const getAttestationQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) { switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA': case 'FIDO2FA':
return { return { userId: variables.userID }
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { username, password }, context]) => authentication.strategy.generateAssertionOptions(username, password, context)
}
case 'FIDOPasswordless': case 'FIDOPasswordless':
return { return { userId: variables.userID }
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { username }, context]) => authentication.strategy.generateAssertionOptions(username, context)
}
case 'FIDOUsernameless': case 'FIDOUsernameless':
return { return { userId: variables.userID }
generateAttestationOptions: (...[, { userID }, context]) => authentication.strategy.generateAttestationOptions(userID, context.req.session),
generateAssertionOptions: (...[, { }, context]) => authentication.strategy.generateAssertionOptions(context)
}
default: default:
return {} return {}
} }
} }
const getFIDOStrategyMutations = () => { const getAssertionQueryOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) { switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA': case 'FIDO2FA':
return { return { username: variables.username, password: variables.password }
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context),
validateAssertion: (...[, { username, password, rememberMe, assertionResponse }, context]) => authentication.strategy.validateAssertion(username, password, rememberMe, assertionResponse, context)
}
case 'FIDOPasswordless': case 'FIDOPasswordless':
return { return { username: variables.username }
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context),
validateAssertion: (...[, { username, rememberMe, assertionResponse }, context]) => authentication.strategy.validateAssertion(username, rememberMe, assertionResponse, context)
}
case 'FIDOUsernameless': case 'FIDOUsernameless':
return { return {}
validateAttestation: (...[, { userID, attestationResponse }, context]) => authentication.strategy.validateAttestation(userID, attestationResponse, context), default:
validateAssertion: (...[, { assertionResponse }, context]) => authentication.strategy.validateAssertion(assertionResponse, context) return {}
} }
}
const getAttestationMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
case 'FIDOPasswordless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
case 'FIDOUsernameless':
return { userId: variables.userID, attestationResponse: variables.attestationResponse }
default:
return {}
}
}
const getAssertionMutationOptions = variables => {
switch (authentication.CHOSEN_STRATEGY) {
case 'FIDO2FA':
return { username: variables.username, password: variables.password, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
case 'FIDOPasswordless':
return { username: variables.username, rememberMe: variables.rememberMe, assertionResponse: variables.assertionResponse }
case 'FIDOUsernameless':
return { assertionResponse: variables.assertionResponse }
default: default:
return {} return {}
} }
@ -58,7 +66,8 @@ const resolver = {
validateRegisterLink: (...[, { token }]) => userManagement.validateRegisterLink(token), validateRegisterLink: (...[, { token }]) => userManagement.validateRegisterLink(token),
validateResetPasswordLink: (...[, { token }]) => userManagement.validateResetPasswordLink(token), validateResetPasswordLink: (...[, { token }]) => userManagement.validateResetPasswordLink(token),
validateReset2FALink: (...[, { token }]) => userManagement.validateReset2FALink(token), validateReset2FALink: (...[, { token }]) => userManagement.validateReset2FALink(token),
...getFIDOStrategyQueries() generateAttestationOptions: (...[, variables, context]) => authentication.strategy.generateAttestationOptions(context.req.session, getAttestationQueryOptions(variables)),
generateAssertionOptions: (...[, variables, context]) => authentication.strategy.generateAssertionOptions(context.req.session, getAssertionQueryOptions(variables))
}, },
Mutation: { Mutation: {
enableUser: (...[, { confirmationCode, id }, context]) => userManagement.enableUser(confirmationCode, id, context), enableUser: (...[, { confirmationCode, id }, context]) => userManagement.enableUser(confirmationCode, id, context),
@ -75,7 +84,8 @@ const resolver = {
register: (...[, { token, username, password, role }]) => userManagement.register(token, username, password, role), register: (...[, { token, username, password, role }]) => userManagement.register(token, username, password, role),
resetPassword: (...[, { token, userID, newPassword }, context]) => userManagement.resetPassword(token, userID, newPassword, context), resetPassword: (...[, { token, userID, newPassword }, context]) => userManagement.resetPassword(token, userID, newPassword, context),
reset2FA: (...[, { token, userID, code }, context]) => userManagement.reset2FA(token, userID, code, context), reset2FA: (...[, { token, userID, code }, context]) => userManagement.reset2FA(token, userID, code, context),
...getFIDOStrategyMutations() validateAttestation: (...[, variables, context]) => authentication.strategy.validateAttestation(context.req.session, getAttestationMutationOptions(variables)),
validateAssertion: (...[, variables, context]) => authentication.strategy.validateAssertion(context.req.session, getAssertionMutationOptions(variables))
} }
} }

31
new-lamassu-admin/package-lock.json generated
View file

@ -17172,25 +17172,6 @@
} }
} }
}, },
"keccak": {
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/keccak/-/keccak-3.0.2.tgz",
"integrity": "sha512-PyKKjkH53wDMLGrvmRGSNWgmSxZOUqbnXwKL9tmgbFYA1iAYqW21kfR7mZXV0MlESiefxQQE9X9fTa3X+2MPDQ==",
"requires": {
"node-addon-api": "^2.0.0",
"node-gyp-build": "^4.2.0",
"readable-stream": "^3.6.0"
}
},
"keccak256": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/keccak256/-/keccak256-1.0.3.tgz",
"integrity": "sha512-EkF/4twuPm1V/gn75nejOUrKfDUJn87RMLzDWosXF3pXuOvesiSgX35GcmbqzdImCASEkE/WaklWGWSa+Ha5bQ==",
"requires": {
"bn.js": "^4.11.8",
"keccak": "^3.0.1"
}
},
"killable": { "killable": {
"version": "1.0.1", "version": "1.0.1",
"resolved": "https://registry.npmjs.org/killable/-/killable-1.0.1.tgz", "resolved": "https://registry.npmjs.org/killable/-/killable-1.0.1.tgz",
@ -17232,14 +17213,12 @@
"from": "git+https://github.com/lamassu/lamassu-coins.git", "from": "git+https://github.com/lamassu/lamassu-coins.git",
"requires": { "requires": {
"bech32": "2.0.0", "bech32": "2.0.0",
"big-integer": "^1.6.48",
"bignumber.js": "^9.0.0", "bignumber.js": "^9.0.0",
"bitcoinjs-lib": "4.0.3", "bitcoinjs-lib": "4.0.3",
"bs58check": "^2.0.2", "bs58check": "^2.0.2",
"cashaddrjs": "~0.2.8", "cashaddrjs": "~0.2.8",
"crypto-js": "^3.1.9-1", "crypto-js": "^3.1.9-1",
"ethereumjs-icap": "^0.3.1", "ethereumjs-icap": "^0.3.1",
"keccak256": "^1.0.2",
"lodash": "^4.17.10" "lodash": "^4.17.10"
}, },
"dependencies": { "dependencies": {
@ -18486,11 +18465,6 @@
} }
} }
}, },
"node-addon-api": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-2.0.2.tgz",
"integrity": "sha512-Ntyt4AIXyaLIuMHF6IOoTakB3K+RWxwtsHNRxllEoA6vPwP9o4866g6YWDLUdnucilZhmkxiHwHr11gAENw+QA=="
},
"node-dir": { "node-dir": {
"version": "0.1.17", "version": "0.1.17",
"resolved": "https://registry.npmjs.org/node-dir/-/node-dir-0.1.17.tgz", "resolved": "https://registry.npmjs.org/node-dir/-/node-dir-0.1.17.tgz",
@ -18512,11 +18486,6 @@
"integrity": "sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==", "integrity": "sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==",
"dev": true "dev": true
}, },
"node-gyp-build": {
"version": "4.3.0",
"resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.3.0.tgz",
"integrity": "sha512-iWjXZvmboq0ja1pUGULQBexmxq8CV4xBhX7VDOTbL7ZR4FOowwY/VOtRxBN/yKxmdGoIp4j5ysNT4u3S2pDQ3Q=="
},
"node-int64": { "node-int64": {
"version": "0.4.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz", "resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz",

4
new-lamassu-admin/src/pages/Authentication/InputFIDOState.js
View file

@ -196,7 +196,9 @@ const InputFIDOState = ({ state, strategy }) => {
)} )}
{strategy === 'FIDO2FA' && ( {strategy === 'FIDO2FA' && (
<> <>
<H2 className={classes.info}>Insert your Yubikey and touch it</H2> <H2 className={classes.info}>
Insert your hardware key and follow the instructions
</H2>
<Button <Button
type="button" type="button"
form="fido-form" form="fido-form"

7
new-lamassu-admin/src/pages/Authentication/LoginState.js
View file

@ -14,7 +14,6 @@ import { Checkbox, SecretInput, TextInput } from 'src/components/inputs/formik'
import { Label3, P } from 'src/components/typography' import { Label3, P } from 'src/components/typography'
import styles from './shared.styles' import styles from './shared.styles'
import { STATES } from './states'
const useStyles = makeStyles(styles) const useStyles = makeStyles(styles)
@ -92,10 +91,8 @@ const LoginState = ({ state, dispatch, strategy }) => {
if (!loginResponse.login) return if (!loginResponse.login) return
const stateVar = STATES[loginResponse.login]
return dispatch({ return dispatch({
type: stateVar, type: loginResponse.login,
payload: { payload: {
clientField: username, clientField: username,
passwordField: password, passwordField: password,
@ -222,7 +219,7 @@ const LoginState = ({ state, dispatch, strategy }) => {
}} }}
buttonClassName={classes.loginButton} buttonClassName={classes.loginButton}
className={classes.fidoLoginButtonWrapper}> className={classes.fidoLoginButtonWrapper}>
I have a YubiKey I have a hardware key
</Button> </Button>
)} )}
<Button <Button

6
package-lock.json generated
View file

@ -14637,6 +14637,7 @@
"from": "git+https://github.com/lamassu/lamassu-coins.git", "from": "git+https://github.com/lamassu/lamassu-coins.git",
"requires": { "requires": {
"bech32": "2.0.0", "bech32": "2.0.0",
"big-integer": "^1.6.48",
"bignumber.js": "^9.0.0", "bignumber.js": "^9.0.0",
"bitcoinjs-lib": "4.0.3", "bitcoinjs-lib": "4.0.3",
"bs58check": "^2.0.2", "bs58check": "^2.0.2",
@ -14652,6 +14653,11 @@
"resolved": "https://registry.npmjs.org/bech32/-/bech32-2.0.0.tgz", "resolved": "https://registry.npmjs.org/bech32/-/bech32-2.0.0.tgz",
"integrity": "sha512-LcknSilhIGatDAsY1ak2I8VtGaHNhgMSYVxFrGLXv+xLHytaKZKcaUJJUE7qmBr7h33o5YQwP55pMI0xmkpJwg==" "integrity": "sha512-LcknSilhIGatDAsY1ak2I8VtGaHNhgMSYVxFrGLXv+xLHytaKZKcaUJJUE7qmBr7h33o5YQwP55pMI0xmkpJwg=="
}, },
"big-integer": {
"version": "1.6.51",
"resolved": "https://registry.npmjs.org/big-integer/-/big-integer-1.6.51.tgz",
"integrity": "sha512-GPEid2Y9QU1Exl1rpO9B2IPJGHPSupF5GnVIP0blYvNOMer2bTvSWs1jGOUg04hTmu67nmLsQ9TBo1puaotBHg=="
},
"bip32": { "bip32": {
"version": "1.0.4", "version": "1.0.4",
"resolved": "https://registry.npmjs.org/bip32/-/bip32-1.0.4.tgz", "resolved": "https://registry.npmjs.org/bip32/-/bip32-1.0.4.tgz",