feat: implement hardware key auth

lib/new-admin/graphql/modules/authentication/FIDO2FAStrategy.js

@@ -0,0 +1,165 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const userManagement = require('../userManagement')
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const rpID = `localhost`
+const expectedOrigin = `https://${rpID}:3001`
+
+const generateAttestationOptions = (userID, session) => {
+  return users.getUserById(userID).then(user => {
+    return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user])
+  }).then(([userDevices, user]) => {
+    const options = simpleWebauthn.generateAttestationOptions({
+      rpName: 'Lamassu',
+      rpID,
+      userName: user.username,
+      userID: user.id,
+      timeout: 60000,
+      attestationType: 'indirect',
+      excludeCredentials: userDevices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal']
+      })),
+      authenticatorSelection: {
+        userVerification: 'discouraged',
+        requireResidentKey: false
+      }
+    })
+
+    session.webauthn = {
+      attestation: {
+        challenge: options.challenge
+      }
+    }
+
+    return options
+  })
+}
+
+const generateAssertionOptions = (username, password, context) => {
+  return userManagement.authenticateUser(username, password).then(user => {
+    return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
+      const options = simpleWebauthn.generateAssertionOptions({
+        timeout: 60000,
+        allowCredentials: devices.map(dev => ({
+          id: dev.data.credentialID,
+          type: 'public-key',
+          transports: ['usb', 'ble', 'nfc', 'internal']
+        })),
+        userVerification: 'discouraged',
+        rpID
+      })
+
+      context.req.session.webauthn = {
+        assertion: {
+          challenge: options.challenge
+        }
+      }
+
+      return options
+    })
+  })
+}
+
+const validateAttestation = (userID, attestationResponse, context) => {
+  const webauthnData = context.req.session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return users.getUserById(userID).then(user => {
+    return simpleWebauthn.verifyAttestationResponse({
+      credential: attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin,
+      expectedRPID: rpID
+    }).then(async verification => {
+      const { verified, attestationInfo } = verification
+
+      if (verified && attestationInfo) {
+        const {
+          counter,
+          credentialPublicKey,
+          credentialID
+        } = attestationInfo
+
+        const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
+        const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
+
+        if (!existingDevice) {
+          const newDevice = {
+            counter,
+            credentialPublicKey,
+            credentialID
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+      }
+
+      context.req.session.webauthn = null
+      return verified
+    })
+  })
+}
+
+const validateAssertion = (username, password, rememberMe, assertionResponse, context) => {
+  return userManagement.authenticateUser(username, password).then(user => {
+    const expectedChallenge = context.req.session.webauthn.assertion.challenge
+
+    return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => {
+      const dbAuthenticator = _.find(dev => {
+        return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
+      }, devices)
+
+      if (!dbAuthenticator.data) {
+        throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
+      }
+
+      const convertedAuthenticator = _.merge(
+        dbAuthenticator.data,
+        { credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
+      )
+
+      let verification
+      try {
+        verification = simpleWebauthn.verifyAssertionResponse({
+          credential: assertionResponse,
+          expectedChallenge: `${expectedChallenge}`,
+          expectedOrigin,
+          expectedRPID: rpID,
+          authenticator: convertedAuthenticator
+        })
+      } catch (err) {
+        console.error(err)
+        return false
+      }
+
+      const { verified, assertionInfo } = verification
+
+      if (verified) {
+        dbAuthenticator.data.counter = assertionInfo.newCounter
+        await credentials.updateHardwareCredential(dbAuthenticator)
+
+        const finalUser = { id: user.id, username: user.username, role: user.role }
+        context.req.session.user = finalUser
+        if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
+      }
+
+      context.req.session.webauthn = null
+      return verified
+    })
+  })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion
+}

lib/new-admin/graphql/modules/authentication/FIDOPasswordlessStrategy.js

@@ -0,0 +1,164 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const rpID = `localhost`
+const expectedOrigin = `https://${rpID}:3001`
+
+const generateAttestationOptions = (userID, session) => {
+  return users.getUserById(userID).then(user => {
+    return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user])
+  }).then(([userDevices, user]) => {
+    const options = simpleWebauthn.generateAttestationOptions({
+      rpName: 'Lamassu',
+      rpID,
+      userName: user.username,
+      userID: user.id,
+      timeout: 60000,
+      attestationType: 'indirect',
+      excludeCredentials: userDevices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal']
+      })),
+      authenticatorSelection: {
+        userVerification: 'discouraged',
+        requireResidentKey: false
+      }
+    })
+
+    session.webauthn = {
+      attestation: {
+        challenge: options.challenge
+      }
+    }
+
+    return options
+  })
+}
+
+const generateAssertionOptions = (username, context) => {
+  return users.getUserByUsername(username).then(user => {
+    return credentials.getHardwareCredentialsOfUser(user.id).then(devices => {
+      const options = simpleWebauthn.generateAssertionOptions({
+        timeout: 60000,
+        allowCredentials: devices.map(dev => ({
+          id: dev.data.credentialID,
+          type: 'public-key',
+          transports: ['usb', 'ble', 'nfc', 'internal']
+        })),
+        userVerification: 'discouraged',
+        rpID
+      })
+
+      context.req.session.webauthn = {
+        assertion: {
+          challenge: options.challenge
+        }
+      }
+
+      return options
+    })
+  })
+}
+
+const validateAttestation = (userID, attestationResponse, context) => {
+  const webauthnData = context.req.session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return users.getUserById(userID).then(user => {
+    return simpleWebauthn.verifyAttestationResponse({
+      credential: attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin,
+      expectedRPID: rpID
+    }).then(async verification => {
+      const { verified, attestationInfo } = verification
+
+      if (verified && attestationInfo) {
+        const {
+          counter,
+          credentialPublicKey,
+          credentialID
+        } = attestationInfo
+
+        const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
+        const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
+
+        if (!existingDevice) {
+          const newDevice = {
+            counter,
+            credentialPublicKey,
+            credentialID
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+      }
+
+      context.req.session.webauthn = null
+      return verified
+    })
+  })
+}
+
+const validateAssertion = (username, rememberMe, assertionResponse, context) => {
+  return users.getUserByUsername(username).then(user => {
+    const expectedChallenge = context.req.session.webauthn.assertion.challenge
+
+    return credentials.getHardwareCredentialsOfUser(user.id).then(async devices => {
+      const dbAuthenticator = _.find(dev => {
+        return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
+      }, devices)
+
+      if (!dbAuthenticator.data) {
+        throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
+      }
+
+      const convertedAuthenticator = _.merge(
+        dbAuthenticator.data,
+        { credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
+      )
+
+      let verification
+      try {
+        verification = simpleWebauthn.verifyAssertionResponse({
+          credential: assertionResponse,
+          expectedChallenge: `${expectedChallenge}`,
+          expectedOrigin,
+          expectedRPID: rpID,
+          authenticator: convertedAuthenticator
+        })
+      } catch (err) {
+        console.error(err)
+        return false
+      }
+
+      const { verified, assertionInfo } = verification
+
+      if (verified) {
+        dbAuthenticator.data.counter = assertionInfo.newCounter
+        await credentials.updateHardwareCredential(dbAuthenticator)
+
+        const finalUser = { id: user.id, username: user.username, role: user.role }
+        context.req.session.user = finalUser
+        if (rememberMe) context.req.session.cookie.maxAge = REMEMBER_ME_AGE
+      }
+
+      context.req.session.webauthn = null
+      return verified
+    })
+  })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion
+}

lib/new-admin/graphql/modules/authentication/FIDOUsernamelessStrategy.js

@@ -0,0 +1,169 @@
+const simpleWebauthn = require('@simplewebauthn/server')
+const base64url = require('base64url')
+const _ = require('lodash/fp')
+
+const credentials = require('../../../../hardware-credentials')
+const T = require('../../../../time')
+const users = require('../../../../users')
+
+const REMEMBER_ME_AGE = 90 * T.day
+
+const rpID = `localhost`
+const expectedOrigin = `https://${rpID}:3001`
+
+const generateAttestationOptions = (userID, session) => {
+  return credentials.getHardwareCredentials().then(devices => {
+    const options = simpleWebauthn.generateAttestationOptions({
+      rpName: 'Lamassu',
+      rpID,
+      userName: `Usernameless user created at ${new Date().toISOString()}`,
+      userID: userID,
+      timeout: 60000,
+      attestationType: 'direct',
+      excludeCredentials: devices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal']
+      })),
+      authenticatorSelection: {
+        authenticatorAttachment: 'cross-platform',
+        userVerification: 'discouraged',
+        requireResidentKey: false
+      }
+    })
+
+    session.webauthn = {
+      attestation: {
+        challenge: options.challenge
+      }
+    }
+
+    return options
+  })
+}
+
+const generateAssertionOptions = context => {
+  return credentials.getHardwareCredentials().then(devices => {
+    const options = simpleWebauthn.generateAssertionOptions({
+      timeout: 60000,
+      allowCredentials: devices.map(dev => ({
+        id: dev.data.credentialID,
+        type: 'public-key',
+        transports: ['usb', 'ble', 'nfc', 'internal']
+      })),
+      userVerification: 'discouraged',
+      rpID
+    })
+
+    context.req.session.webauthn = {
+      assertion: {
+        challenge: options.challenge
+      }
+    }
+    return options
+  })
+}
+
+const validateAttestation = (userID, attestationResponse, context) => {
+  const webauthnData = context.req.session.webauthn.attestation
+  const expectedChallenge = webauthnData.challenge
+
+  return users.getUserById(userID).then(user => {
+    return simpleWebauthn.verifyAttestationResponse({
+      credential: attestationResponse,
+      expectedChallenge: `${expectedChallenge}`,
+      expectedOrigin,
+      expectedRPID: rpID
+    }).then(async verification => {
+      const { verified, attestationInfo } = verification
+
+      if (verified && attestationInfo) {
+        const {
+          fmt,
+          counter,
+          aaguid,
+          credentialPublicKey,
+          credentialID,
+          credentialType,
+          userVerified,
+          attestationObject
+        } = attestationInfo
+
+        const userDevices = await credentials.getHardwareCredentialsOfUser(user.id)
+        const existingDevice = userDevices.find(device => device.data.credentialID === credentialID)
+
+        if (!existingDevice) {
+          const newDevice = {
+            fmt,
+            counter,
+            aaguid,
+            credentialPublicKey,
+            credentialID,
+            credentialType,
+            userVerified,
+            attestationObject
+          }
+          credentials.createHardwareCredential(user.id, newDevice)
+        }
+      }
+
+      context.req.session.webauthn = null
+      return verified
+    })
+  })
+}
+
+const validateAssertion = (assertionResponse, context) => {
+  const expectedChallenge = context.req.session.webauthn.assertion.challenge
+
+  return credentials.getHardwareCredentials().then(async devices => {
+    const dbAuthenticator = _.find(dev => {
+      return Buffer.from(dev.data.credentialID).compare(base64url.toBuffer(assertionResponse.rawId)) === 0
+    }, devices)
+
+    if (!dbAuthenticator.data) {
+      throw new Error(`Could not find authenticator matching ${assertionResponse.id}`)
+    }
+
+    const convertedAuthenticator = _.merge(
+      dbAuthenticator.data,
+      { credentialPublicKey: Buffer.from(dbAuthenticator.data.credentialPublicKey) }
+    )
+
+    let verification
+    try {
+      verification = simpleWebauthn.verifyAssertionResponse({
+        credential: assertionResponse,
+        expectedChallenge: `${expectedChallenge}`,
+        expectedOrigin,
+        expectedRPID: rpID,
+        authenticator: convertedAuthenticator
+      })
+    } catch (err) {
+      console.error(err)
+      return false
+    }
+
+    const { verified, assertionInfo } = verification
+
+    if (verified) {
+      dbAuthenticator.data.counter = assertionInfo.newCounter
+      await credentials.updateHardwareCredential(dbAuthenticator)
+
+      const user = await users.getUserById(dbAuthenticator.user_id)
+      const finalUser = { id: user.id, username: user.username, role: user.role }
+      context.req.session.user = finalUser
+      context.req.session.cookie.maxAge = REMEMBER_ME_AGE
+    }
+
+    context.req.session.webauthn = null
+    return verified
+  })
+}
+
+module.exports = {
+  generateAttestationOptions,
+  generateAssertionOptions,
+  validateAttestation,
+  validateAssertion
+}

lib/new-admin/graphql/modules/authentication/index.js

@@ -0,0 +1,17 @@
+const FIDO2FA = require('./FIDO2FAStrategy')
+const FIDOPasswordless = require('./FIDOPasswordlessStrategy')
+const FIDOUsernameless = require('./FIDOUsernamelessStrategy')
+
+const STRATEGIES = {
+  FIDO2FA,
+  FIDOPasswordless,
+  FIDOUsernameless
+}
+
+// FIDO2FA, FIDOPasswordless or FIDOUsernameless
+const CHOSEN_STRATEGY = 'FIDOPasswordless'
+
+module.exports = {
+  CHOSEN_STRATEGY,
+  strategy: STRATEGIES[CHOSEN_STRATEGY]
+}

lib/new-admin/graphql/modules/userManagement.js

@@ -1,5 +1,6 @@
 const otplib = require('otplib')
 const argon2 = require('argon2')
+const _ = require('lodash/fp')
 
 const constants = require('../../../constants')
 const authTokens = require('../../../auth-tokens')
@@ -8,6 +9,7 @@ const T = require('../../../time')
 const users = require('../../../users')
 const sessionManager = require('../../../session-manager')
 const authErrors = require('../errors/authentication')
+const credentials = require('../../../hardware-credentials')
 
 const REMEMBER_ME_AGE = 90 * T.day
 
@@ -140,10 +142,14 @@ const deleteSession = (sessionID, context) => {
 }
 
 const login = (username, password) => {
-  return authenticateUser(username, password).then(user => {
-    const twoFASecret = user.twofa_code
-    return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
-  })
+  return authenticateUser(username, password)
+    .then(user => {
+      return Promise.all([credentials.getHardwareCredentialsOfUser(user.id), user.twofa_code])
+    })
+    .then(([devices, twoFASecret]) => {
+      if (!_.isEmpty(devices)) return 'FIDO'
+      return twoFASecret ? 'INPUT2FA' : 'SETUP2FA'
+    })
 }
 
 const input2FA = (username, password, rememberMe, code, context) => {
@@ -234,6 +240,7 @@ const reset2FA = (token, userID, code, context) => {
 }
 
 module.exports = {
+  authenticateUser,
   getUserData,
   get2FASecret,
   confirm2FA,