Support webauthn (#17957)

Migrate from U2F to Webauthn

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

6 files changed, 192 insertions, 155 deletions

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index b9765abfb5..d6b3635584 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -236,14 +236,14 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// Check if the user has u2f registration
-	hasU2Ftwofa, err := auth.HasU2FRegistrationsByUID(u.ID)
+	// Check if the user has webauthn registration
+	hasWebAuthnTwofa, err := auth.HasWebAuthnRegistrationsByUID(u.ID)
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return
 	}
 
-	if !hasTOTPtwofa && !hasU2Ftwofa {
+	if !hasTOTPtwofa && !hasWebAuthnTwofa {
 		// No two factor auth configured we can sign in the user
 		handleSignIn(ctx, u, form.Remember)
 		return
@@ -254,7 +254,7 @@ func SignInPost(ctx *context.Context) {
 		return
 	}
 
-	// User will need to use 2FA TOTP or U2F, save data
+	// User will need to use 2FA TOTP or WebAuthn, save data
 	if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
 		ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
 		return
@@ -268,7 +268,7 @@ func SignInPost(ctx *context.Context) {
 	if hasTOTPtwofa {
 		// User will need to use U2F, save data
 		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
-			ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
+			ctx.ServerError("UserSignIn: Unable to set WebAuthn Enrolled in session", err)
 			return
 		}
 	}
@@ -279,8 +279,8 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	// If we have U2F redirect there first
-	if hasU2Ftwofa {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+	if hasWebAuthnTwofa {
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 9d5a6eb3f8..27eb954a58 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -172,10 +172,10 @@ func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, r
 		log.Error("Error storing session: %v", err)
 	}
 
-	// If U2F is enrolled -> Redirect to U2F instead
-	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	// If WebAuthn is enrolled -> Redirect to WebAuthn instead
+	regs, err := auth.GetWebAuthnCredentialsByUID(u.ID)
 	if err == nil && len(regs) > 0 {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index d20bf97f3c..65ab9f358e 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -34,7 +34,7 @@ import (
 	user_service "code.gitea.io/gitea/services/user"
 
 	"gitea.com/go-chi/binding"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/markbates/goth"
 )
 
@@ -149,7 +149,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 	accessToken := &oauth2.Token{
 		GrantID: grant.ID,
 		Type:    oauth2.TypeAccessToken,
-		StandardClaims: jwt.StandardClaims{
+		// FIXME: Migrate to RegisteredClaims
+		StandardClaims: jwt.StandardClaims{ //nolint
 			ExpiresAt: expirationDate.AsTime().Unix(),
 		},
 	}
@@ -167,7 +168,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 		GrantID: grant.ID,
 		Counter: grant.Counter,
 		Type:    oauth2.TypeRefreshToken,
-		StandardClaims: jwt.StandardClaims{
+		// FIXME: Migrate to RegisteredClaims
+		StandardClaims: jwt.StandardClaims{ // nolint
 			ExpiresAt: refreshExpirationDate,
 		},
 	}
@@ -205,7 +207,8 @@ func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2
 		}
 
 		idToken := &oauth2.OIDCToken{
-			StandardClaims: jwt.StandardClaims{
+			// FIXME: migrate to RegisteredClaims
+			StandardClaims: jwt.StandardClaims{ //nolint
 				ExpiresAt: expirationDate.AsTime().Unix(),
 				Issuer:    setting.AppURL,
 				Audience:  app.ClientID,
@@ -326,7 +329,8 @@ func IntrospectOAuth(ctx *context.Context) {
 	var response struct {
 		Active bool   `json:"active"`
 		Scope  string `json:"scope,omitempty"`
-		jwt.StandardClaims
+		// FIXME: Migrate to RegisteredClaims
+		jwt.StandardClaims //nolint
 	}
 
 	form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
@@ -1066,10 +1070,10 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
 		log.Error("Error storing session: %v", err)
 	}
 
-	// If U2F is enrolled -> Redirect to U2F instead
-	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	// If WebAuthn is enrolled -> Redirect to WebAuthn instead
+	regs, err := auth.GetWebAuthnCredentialsByUID(u.ID)
 	if err == nil && len(regs) > 0 {
-		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		ctx.Redirect(setting.AppSubURL + "/user/webauthn")
 		return
 	}
 
diff --git a/routers/web/auth/oauth_test.go b/routers/web/auth/oauth_test.go
index c652d901f3..669d7431fc 100644
--- a/routers/web/auth/oauth_test.go
+++ b/routers/web/auth/oauth_test.go
@@ -12,7 +12,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
 )
 
diff --git a/routers/web/auth/u2f.go b/routers/web/auth/u2f.go
deleted file mode 100644
index 915671cd1e..0000000000
--- a/routers/web/auth/u2f.go
+++ /dev/null
@@ -1,136 +0,0 @@
-// Copyright 2017 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package auth
-
-import (
-	"errors"
-	"net/http"
-
-	"code.gitea.io/gitea/models/auth"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/base"
-	"code.gitea.io/gitea/modules/context"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/web"
-	"code.gitea.io/gitea/services/externalaccount"
-
-	"github.com/tstranex/u2f"
-)
-
-var tplU2F base.TplName = "user/auth/u2f"
-
-// U2F shows the U2F login page
-func U2F(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("twofa")
-	ctx.Data["RequireU2F"] = true
-	// Check auto-login.
-	if checkAutoLogin(ctx) {
-		return
-	}
-
-	// Ensure user is in a 2FA session.
-	if ctx.Session.Get("twofaUid") == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-
-	// See whether TOTP is also available.
-	if ctx.Session.Get("totpEnrolled") != nil {
-		ctx.Data["TOTPEnrolled"] = true
-	}
-
-	ctx.HTML(http.StatusOK, tplU2F)
-}
-
-// U2FChallenge submits a sign challenge to the browser
-func U2FChallenge(ctx *context.Context) {
-	// Ensure user is in a U2F session.
-	idSess := ctx.Session.Get("twofaUid")
-	if idSess == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-	id := idSess.(int64)
-	regs, err := auth.GetU2FRegistrationsByUID(id)
-	if err != nil {
-		ctx.ServerError("UserSignIn", err)
-		return
-	}
-	if len(regs) == 0 {
-		ctx.ServerError("UserSignIn", errors.New("no device registered"))
-		return
-	}
-	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
-	if err != nil {
-		ctx.ServerError("u2f.NewChallenge", err)
-		return
-	}
-	if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
-		ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
-		return
-	}
-	if err := ctx.Session.Release(); err != nil {
-		ctx.ServerError("UserSignIn: unable to store session", err)
-	}
-
-	ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
-}
-
-// U2FSign authenticates the user by signResp
-func U2FSign(ctx *context.Context) {
-	signResp := web.GetForm(ctx).(*u2f.SignResponse)
-	challSess := ctx.Session.Get("u2fChallenge")
-	idSess := ctx.Session.Get("twofaUid")
-	if challSess == nil || idSess == nil {
-		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
-		return
-	}
-	challenge := challSess.(*u2f.Challenge)
-	id := idSess.(int64)
-	regs, err := auth.GetU2FRegistrationsByUID(id)
-	if err != nil {
-		ctx.ServerError("UserSignIn", err)
-		return
-	}
-	for _, reg := range regs {
-		r, err := reg.Parse()
-		if err != nil {
-			log.Error("parsing u2f registration: %v", err)
-			continue
-		}
-		newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
-		if authErr == nil {
-			reg.Counter = newCounter
-			user, err := user_model.GetUserByID(id)
-			if err != nil {
-				ctx.ServerError("UserSignIn", err)
-				return
-			}
-			remember := ctx.Session.Get("twofaRemember").(bool)
-			if err := reg.UpdateCounter(); err != nil {
-				ctx.ServerError("UserSignIn", err)
-				return
-			}
-
-			if ctx.Session.Get("linkAccount") != nil {
-				if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
-					ctx.ServerError("UserSignIn", err)
-					return
-				}
-			}
-			redirect := handleSignInFull(ctx, user, remember, false)
-			if ctx.Written() {
-				return
-			}
-			if redirect == "" {
-				redirect = setting.AppSubURL + "/"
-			}
-			ctx.PlainText(http.StatusOK, redirect)
-			return
-		}
-	}
-	ctx.Error(http.StatusUnauthorized)
-}
diff --git a/routers/web/auth/webauthn.go b/routers/web/auth/webauthn.go
new file mode 100644
index 0000000000..50dcb919e5
--- /dev/null
+++ b/routers/web/auth/webauthn.go
@@ -0,0 +1,169 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	wa "code.gitea.io/gitea/modules/auth/webauthn"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/externalaccount"
+
+	"github.com/duo-labs/webauthn/protocol"
+	"github.com/duo-labs/webauthn/webauthn"
+)
+
+var tplWebAuthn base.TplName = "user/auth/webauthn"
+
+// WebAuthn shows the WebAuthn login page
+func WebAuthn(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	//Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+
+	ctx.HTML(200, tplWebAuthn)
+}
+
+// WebAuthnLoginAssertion submits a WebAuthn challenge to the browser
+func WebAuthnLoginAssertion(ctx *context.Context) {
+	// Ensure user is in a WebAuthn session.
+	idSess, ok := ctx.Session.Get("twofaUid").(int64)
+	if !ok || idSess == 0 {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+
+	user, err := user_model.GetUserByID(idSess)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	exists, err := auth.ExistsWebAuthnCredentialsForUID(user.ID)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	if !exists {
+		ctx.ServerError("UserSignIn", errors.New("no device registered"))
+		return
+	}
+
+	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user), webauthn.WithAssertionExtensions(protocol.AuthenticationExtensions{
+		"appid": setting.U2F.AppID,
+	}))
+	if err != nil {
+		ctx.ServerError("webauthn.BeginLogin", err)
+		return
+	}
+
+	if err := ctx.Session.Set("webauthnAssertion", sessionData); err != nil {
+		ctx.ServerError("Session.Set", err)
+		return
+	}
+	ctx.JSON(http.StatusOK, assertion)
+}
+
+// WebAuthnLoginAssertionPost validates the signature and logs the user in
+func WebAuthnLoginAssertionPost(ctx *context.Context) {
+	idSess, ok := ctx.Session.Get("twofaUid").(int64)
+	sessionData, okData := ctx.Session.Get("webauthnAssertion").(*webauthn.SessionData)
+	if !ok || !okData || sessionData == nil || idSess == 0 {
+		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))
+		return
+	}
+	defer func() {
+		_ = ctx.Session.Delete("webauthnAssertion")
+	}()
+
+	// Load the user from the db
+	user, err := user_model.GetUserByID(idSess)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	log.Trace("Finishing webauthn authentication with user: %s", user.Name)
+
+	// Now we do the equivalent of webauthn.FinishLogin using a combination of our session data
+	// (from webauthnAssertion) and verify the provided request.0
+	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)
+	if err != nil {
+		// Failed authentication attempt.
+		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Validate the parsed response.
+	cred, err := wa.WebAuthn.ValidateLogin((*wa.User)(user), *sessionData, parsedResponse)
+	if err != nil {
+		// Failed authentication attempt.
+		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Ensure that the credential wasn't cloned by checking if CloneWarning is set.
+	// (This is set if the sign counter is less than the one we have stored.)
+	if cred.Authenticator.CloneWarning {
+		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr())
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	// Success! Get the credential and update the sign count with the new value we received.
+	dbCred, err := auth.GetWebAuthnCredentialByCredID(base64.RawStdEncoding.EncodeToString(cred.ID))
+	if err != nil {
+		ctx.ServerError("GetWebAuthnCredentialByCredID", err)
+		return
+	}
+
+	dbCred.SignCount = cred.Authenticator.SignCount
+	if err := dbCred.UpdateSignCount(); err != nil {
+		ctx.ServerError("UpdateSignCount", err)
+		return
+	}
+
+	// Now handle account linking if that's requested
+	if ctx.Session.Get("linkAccount") != nil {
+		if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
+			ctx.ServerError("LinkAccountFromStore", err)
+			return
+		}
+	}
+
+	remember := ctx.Session.Get("twofaRemember").(bool)
+	redirect := handleSignInFull(ctx, user, remember, false)
+	if redirect == "" {
+		redirect = setting.AppSubURL + "/"
+	}
+	_ = ctx.Session.Delete("twofaUid")
+
+	// Finally check if the appid extension was used:
+	if value, ok := parsedResponse.ClientExtensionResults["appid"]; ok {
+		if appid, ok := value.(bool); ok && appid {
+			ctx.Flash.Error(ctx.Tr("webauthn_u2f_deprecated", dbCred.Name))
+		}
+	}
+
+	ctx.JSON(200, map[string]string{"redirect": redirect})
+}