summaryrefslogtreecommitdiffstats
path: root/routers/user
diff options
context:
space:
mode:
Diffstat (limited to 'routers/user')
-rw-r--r--routers/user/auth.go139
-rw-r--r--routers/user/setting/security.go8
-rw-r--r--routers/user/setting/security_u2f.go99
3 files changed, 241 insertions, 5 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index c8e1ada0db..9a59f52db2 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -21,6 +21,7 @@ import (
"github.com/go-macaron/captcha"
"github.com/markbates/goth"
+ "github.com/tstranex/u2f"
)
const (
@@ -35,6 +36,7 @@ const (
tplTwofa base.TplName = "user/auth/twofa"
tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
tplLinkAccount base.TplName = "user/auth/link_account"
+ tplU2F base.TplName = "user/auth/u2f"
)
// AutoSignIn reads cookie and try to auto-login.
@@ -159,7 +161,6 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
}
return
}
-
// If this user is enrolled in 2FA, we can't sign the user in just yet.
// Instead, redirect them to the 2FA authentication page.
_, err = models.GetTwoFactorByUID(u.ID)
@@ -175,6 +176,13 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
// User needs to use 2FA, save data and redirect to 2FA page.
ctx.Session.Set("twofaUid", u.ID)
ctx.Session.Set("twofaRemember", form.Remember)
+
+ regs, err := models.GetU2FRegistrationsByUID(u.ID)
+ if err == nil && len(regs) > 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
}
@@ -317,12 +325,115 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo
ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, auth.TwoFactorScratchAuthForm{})
}
+// U2F shows the U2F login page
+func U2F(ctx *context.Context) {
+ ctx.Data["Title"] = ctx.Tr("twofa")
+ ctx.Data["RequireU2F"] = true
+ // Check auto-login.
+ if checkAutoLogin(ctx) {
+ return
+ }
+
+ // Ensure user is in a 2FA session.
+ if ctx.Session.Get("twofaUid") == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+
+ ctx.HTML(200, tplU2F)
+}
+
+// U2FChallenge submits a sign challenge to the browser
+func U2FChallenge(ctx *context.Context) {
+ // Ensure user is in a U2F session.
+ idSess := ctx.Session.Get("twofaUid")
+ if idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+ id := idSess.(int64)
+ regs, err := models.GetU2FRegistrationsByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ if len(regs) == 0 {
+ ctx.ServerError("UserSignIn", errors.New("no device registered"))
+ return
+ }
+ challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+ if err = ctx.Session.Set("u2fChallenge", challenge); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ ctx.JSON(200, challenge.SignRequest(regs.ToRegistrations()))
+}
+
+// U2FSign authenticates the user by signResp
+func U2FSign(ctx *context.Context, signResp u2f.SignResponse) {
+ challSess := ctx.Session.Get("u2fChallenge")
+ idSess := ctx.Session.Get("twofaUid")
+ if challSess == nil || idSess == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+ return
+ }
+ challenge := challSess.(*u2f.Challenge)
+ id := idSess.(int64)
+ regs, err := models.GetU2FRegistrationsByUID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ for _, reg := range regs {
+ r, err := reg.Parse()
+ if err != nil {
+ log.Fatal(4, "parsing u2f registration: %v", err)
+ continue
+ }
+ newCounter, authErr := r.Authenticate(signResp, *challenge, reg.Counter)
+ if authErr == nil {
+ reg.Counter = newCounter
+ user, err := models.GetUserByID(id)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ remember := ctx.Session.Get("twofaRemember").(bool)
+ if err := reg.UpdateCounter(); err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if ctx.Session.Get("linkAccount") != nil {
+ gothUser := ctx.Session.Get("linkAccountGothUser")
+ if gothUser == nil {
+ ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+ return
+ }
+
+ err = models.LinkAccountToUser(user, gothUser.(goth.User))
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+ }
+ redirect := handleSignInFull(ctx, user, remember, false)
+ if redirect == "" {
+ redirect = setting.AppSubURL + "/"
+ }
+ ctx.PlainText(200, []byte(redirect))
+ return
+ }
+ }
+ ctx.Error(401)
+}
+
// This handles the final part of the sign-in process of the user.
func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
handleSignInFull(ctx, u, remember, true)
}
-func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) {
+func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
if remember {
days := 86400 * setting.LogInRememberDays
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
@@ -336,6 +447,8 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
ctx.Session.Delete("openid_determined_username")
ctx.Session.Delete("twofaUid")
ctx.Session.Delete("twofaRemember")
+ ctx.Session.Delete("u2fChallenge")
+ ctx.Session.Delete("linkAccount")
ctx.Session.Set("uid", u.ID)
ctx.Session.Set("uname", u.Name)
@@ -345,7 +458,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
u.Language = ctx.Locale.Language()
if err := models.UpdateUserCols(u, "language"); err != nil {
log.Error(4, fmt.Sprintf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
- return
+ return setting.AppSubURL + "/"
}
}
@@ -358,7 +471,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
u.SetLastLogin()
if err := models.UpdateUserCols(u, "last_login_unix"); err != nil {
ctx.ServerError("UpdateUserCols", err)
- return
+ return setting.AppSubURL + "/"
}
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
@@ -366,12 +479,13 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
if obeyRedirect {
ctx.RedirectToFirst(redirectTo)
}
- return
+ return redirectTo
}
if obeyRedirect {
ctx.Redirect(setting.AppSubURL + "/")
}
+ return setting.AppSubURL + "/"
}
// SignInOAuth handles the OAuth2 login buttons
@@ -467,6 +581,14 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
// User needs to use 2FA, save data and redirect to 2FA page.
ctx.Session.Set("twofaUid", u.ID)
ctx.Session.Set("twofaRemember", false)
+
+ // If U2F is enrolled -> Redirect to U2F instead
+ regs, err := models.GetU2FRegistrationsByUID(u.ID)
+ if err == nil && len(regs) > 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
}
@@ -593,6 +715,13 @@ func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
ctx.Session.Set("twofaRemember", signInForm.Remember)
ctx.Session.Set("linkAccount", true)
+ // If U2F is enrolled -> Redirect to U2F instead
+ regs, err := models.GetU2FRegistrationsByUID(u.ID)
+ if err == nil && len(regs) > 0 {
+ ctx.Redirect(setting.AppSubURL + "/user/u2f")
+ return
+ }
+
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
}
diff --git a/routers/user/setting/security.go b/routers/user/setting/security.go
index 5346f349ff..860730303f 100644
--- a/routers/user/setting/security.go
+++ b/routers/user/setting/security.go
@@ -33,6 +33,14 @@ func Security(ctx *context.Context) {
}
}
ctx.Data["TwofaEnrolled"] = enrolled
+ if enrolled {
+ ctx.Data["U2FRegistrations"], err = models.GetU2FRegistrationsByUID(ctx.User.ID)
+ if err != nil {
+ ctx.ServerError("GetU2FRegistrationsByUID", err)
+ return
+ }
+ ctx.Data["RequireU2F"] = true
+ }
tokens, err := models.ListAccessTokens(ctx.User.ID)
if err != nil {
diff --git a/routers/user/setting/security_u2f.go b/routers/user/setting/security_u2f.go
new file mode 100644
index 0000000000..c1d6eab967
--- /dev/null
+++ b/routers/user/setting/security_u2f.go
@@ -0,0 +1,99 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package setting
+
+import (
+ "errors"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/auth"
+ "code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/setting"
+
+ "github.com/tstranex/u2f"
+)
+
+// U2FRegister initializes the u2f registration procedure
+func U2FRegister(ctx *context.Context, form auth.U2FRegistrationForm) {
+ if form.Name == "" {
+ ctx.Error(409)
+ return
+ }
+ challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+ if err != nil {
+ ctx.ServerError("NewChallenge", err)
+ return
+ }
+ err = ctx.Session.Set("u2fChallenge", challenge)
+ if err != nil {
+ ctx.ServerError("Session.Set", err)
+ return
+ }
+ regs, err := models.GetU2FRegistrationsByUID(ctx.User.ID)
+ if err != nil {
+ ctx.ServerError("GetU2FRegistrationsByUID", err)
+ return
+ }
+ for _, reg := range regs {
+ if reg.Name == form.Name {
+ ctx.Error(409, "Name already taken")
+ return
+ }
+ }
+ ctx.Session.Set("u2fName", form.Name)
+ ctx.JSON(200, u2f.NewWebRegisterRequest(challenge, regs.ToRegistrations()))
+}
+
+// U2FRegisterPost receives the response of the security key
+func U2FRegisterPost(ctx *context.Context, response u2f.RegisterResponse) {
+ challSess := ctx.Session.Get("u2fChallenge")
+ u2fName := ctx.Session.Get("u2fName")
+ if challSess == nil || u2fName == nil {
+ ctx.ServerError("U2FRegisterPost", errors.New("not in U2F session"))
+ return
+ }
+ challenge := challSess.(*u2f.Challenge)
+ name := u2fName.(string)
+ config := &u2f.Config{
+ // Chrome 66+ doesn't return the device's attestation
+ // certificate by default.
+ SkipAttestationVerify: true,
+ }
+ reg, err := u2f.Register(response, *challenge, config)
+ if err != nil {
+ ctx.ServerError("u2f.Register", err)
+ return
+ }
+ if _, err = models.CreateRegistration(ctx.User, name, reg); err != nil {
+ ctx.ServerError("u2f.Register", err)
+ return
+ }
+ ctx.Status(200)
+}
+
+// U2FDelete deletes an security key by id
+func U2FDelete(ctx *context.Context, form auth.U2FDeleteForm) {
+ reg, err := models.GetU2FRegistrationByID(form.ID)
+ if err != nil {
+ if models.IsErrU2FRegistrationNotExist(err) {
+ ctx.Status(200)
+ return
+ }
+ ctx.ServerError("GetU2FRegistrationByID", err)
+ return
+ }
+ if reg.UserID != ctx.User.ID {
+ ctx.Status(401)
+ return
+ }
+ if err := models.DeleteRegistration(reg); err != nil {
+ ctx.ServerError("DeleteRegistration", err)
+ return
+ }
+ ctx.JSON(200, map[string]interface{}{
+ "redirect": setting.AppSubURL + "/user/settings/security",
+ })
+ return
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-08 02:59:58 +0000