mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12628 Commits
17 Branches
Tree: 35c3553870
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35c3553870'
${ noResults }
gitea/routers/web/auth/webauthn.go

webauthn.go 5.0KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package auth

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"errors"

  10. 	"net/http"

  11. 

  12. 	"code.gitea.io/gitea/models/auth"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	wa "code.gitea.io/gitea/modules/auth/webauthn"

  15. 	"code.gitea.io/gitea/modules/base"

  16. 	"code.gitea.io/gitea/modules/context"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	"code.gitea.io/gitea/services/externalaccount"

  20. 

  21. 	"github.com/duo-labs/webauthn/protocol"

  22. 	"github.com/duo-labs/webauthn/webauthn"

  23. )

  24. 

  25. var tplWebAuthn base.TplName = "user/auth/webauthn"

  26. 

  27. // WebAuthn shows the WebAuthn login page

  28. func WebAuthn(ctx *context.Context) {

  29. 	ctx.Data["Title"] = ctx.Tr("twofa")

  30. 

  31. 	// Check auto-login.

  32. 	if checkAutoLogin(ctx) {

  33. 		return

  34. 	}

  35. 

  36. 	//Ensure user is in a 2FA session.

  37. 	if ctx.Session.Get("twofaUid") == nil {

  38. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  39. 		return

  40. 	}

  41. 

  42. 	ctx.HTML(200, tplWebAuthn)

  43. }

  44. 

  45. // WebAuthnLoginAssertion submits a WebAuthn challenge to the browser

  46. func WebAuthnLoginAssertion(ctx *context.Context) {

  47. 	// Ensure user is in a WebAuthn session.

  48. 	idSess, ok := ctx.Session.Get("twofaUid").(int64)

  49. 	if !ok || idSess == 0 {

  50. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  51. 		return

  52. 	}

  53. 

  54. 	user, err := user_model.GetUserByID(idSess)

  55. 	if err != nil {

  56. 		ctx.ServerError("UserSignIn", err)

  57. 		return

  58. 	}

  59. 

  60. 	exists, err := auth.ExistsWebAuthnCredentialsForUID(user.ID)

  61. 	if err != nil {

  62. 		ctx.ServerError("UserSignIn", err)

  63. 		return

  64. 	}

  65. 	if !exists {

  66. 		ctx.ServerError("UserSignIn", errors.New("no device registered"))

  67. 		return

  68. 	}

  69. 

  70. 	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user), webauthn.WithAssertionExtensions(protocol.AuthenticationExtensions{

  71. 		"appid": setting.U2F.AppID,

  72. 	}))

  73. 	if err != nil {

  74. 		ctx.ServerError("webauthn.BeginLogin", err)

  75. 		return

  76. 	}

  77. 

  78. 	if err := ctx.Session.Set("webauthnAssertion", sessionData); err != nil {

  79. 		ctx.ServerError("Session.Set", err)

  80. 		return

  81. 	}

  82. 	ctx.JSON(http.StatusOK, assertion)

  83. }

  84. 

  85. // WebAuthnLoginAssertionPost validates the signature and logs the user in

  86. func WebAuthnLoginAssertionPost(ctx *context.Context) {

  87. 	idSess, ok := ctx.Session.Get("twofaUid").(int64)

  88. 	sessionData, okData := ctx.Session.Get("webauthnAssertion").(*webauthn.SessionData)

  89. 	if !ok || !okData || sessionData == nil || idSess == 0 {

  90. 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session"))

  91. 		return

  92. 	}

  93. 	defer func() {

  94. 		_ = ctx.Session.Delete("webauthnAssertion")

  95. 	}()

  96. 

  97. 	// Load the user from the db

  98. 	user, err := user_model.GetUserByID(idSess)

  99. 	if err != nil {

  100. 		ctx.ServerError("UserSignIn", err)

  101. 		return

  102. 	}

  103. 

  104. 	log.Trace("Finishing webauthn authentication with user: %s", user.Name)

  105. 

  106. 	// Now we do the equivalent of webauthn.FinishLogin using a combination of our session data

  107. 	// (from webauthnAssertion) and verify the provided request.0

  108. 	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req)

  109. 	if err != nil {

  110. 		// Failed authentication attempt.

  111. 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)

  112. 		ctx.Status(http.StatusForbidden)

  113. 		return

  114. 	}

  115. 

  116. 	// Validate the parsed response.

  117. 	cred, err := wa.WebAuthn.ValidateLogin((*wa.User)(user), *sessionData, parsedResponse)

  118. 	if err != nil {

  119. 		// Failed authentication attempt.

  120. 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err)

  121. 		ctx.Status(http.StatusForbidden)

  122. 		return

  123. 	}

  124. 

  125. 	// Ensure that the credential wasn't cloned by checking if CloneWarning is set.

  126. 	// (This is set if the sign counter is less than the one we have stored.)

  127. 	if cred.Authenticator.CloneWarning {

  128. 		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr())

  129. 		ctx.Status(http.StatusForbidden)

  130. 		return

  131. 	}

  132. 

  133. 	// Success! Get the credential and update the sign count with the new value we received.

  134. 	dbCred, err := auth.GetWebAuthnCredentialByCredID(base64.RawStdEncoding.EncodeToString(cred.ID))

  135. 	if err != nil {

  136. 		ctx.ServerError("GetWebAuthnCredentialByCredID", err)

  137. 		return

  138. 	}

  139. 

  140. 	dbCred.SignCount = cred.Authenticator.SignCount

  141. 	if err := dbCred.UpdateSignCount(); err != nil {

  142. 		ctx.ServerError("UpdateSignCount", err)

  143. 		return

  144. 	}

  145. 

  146. 	// Now handle account linking if that's requested

  147. 	if ctx.Session.Get("linkAccount") != nil {

  148. 		if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {

  149. 			ctx.ServerError("LinkAccountFromStore", err)

  150. 			return

  151. 		}

  152. 	}

  153. 

  154. 	remember := ctx.Session.Get("twofaRemember").(bool)

  155. 	redirect := handleSignInFull(ctx, user, remember, false)

  156. 	if redirect == "" {

  157. 		redirect = setting.AppSubURL + "/"

  158. 	}

  159. 	_ = ctx.Session.Delete("twofaUid")

  160. 

  161. 	// Finally check if the appid extension was used:

  162. 	if value, ok := parsedResponse.ClientExtensionResults["appid"]; ok {

  163. 		if appid, ok := value.(bool); ok && appid {

  164. 			ctx.Flash.Error(ctx.Tr("webauthn_u2f_deprecated", dbCred.Name))

  165. 		}

  166. 	}

  167. 

  168. 	ctx.JSON(200, map[string]string{"redirect": redirect})

  169. }