mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14568 Commits
17 Branches
Tree: d32af84a10
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd32af84a10'
${ noResults }
gitea/web_src/js/features/user-auth-webauthn.js

user-auth-webauthn.js 7.0KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222 
  1. import $ from 'jquery';

  2. import {encode, decode} from 'uint8-to-base64';

  3. import {hideElem, showElem} from '../utils/dom.js';

  4. 

  5. const {appSubUrl, csrfToken} = window.config;

  6. 

  7. export function initUserAuthWebAuthn() {

  8.   if ($('.user.signin.webauthn-prompt').length === 0) {

  9.     return;

  10.   }

  11. 

  12.   if (!detectWebAuthnSupport()) {

  13.     return;

  14.   }

  15. 

  16.   $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})

  17.     .done((makeAssertionOptions) => {

  18.       makeAssertionOptions.publicKey.challenge = decodeURLEncodedBase64(makeAssertionOptions.publicKey.challenge);

  19.       for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {

  20.         makeAssertionOptions.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);

  21.       }

  22.       navigator.credentials.get({

  23.         publicKey: makeAssertionOptions.publicKey

  24.       })

  25.         .then((credential) => {

  26.           verifyAssertion(credential);

  27.         }).catch((err) => {

  28.           // Try again... without the appid

  29.           if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {

  30.             delete makeAssertionOptions.publicKey.extensions['appid'];

  31.             navigator.credentials.get({

  32.               publicKey: makeAssertionOptions.publicKey

  33.             })

  34.               .then((credential) => {

  35.                 verifyAssertion(credential);

  36.               }).catch((err) => {

  37.                 webAuthnError('general', err.message);

  38.               });

  39.             return;

  40.           }

  41.           webAuthnError('general', err.message);

  42.         });

  43.     }).fail(() => {

  44.       webAuthnError('unknown');

  45.     });

  46. }

  47. 

  48. function verifyAssertion(assertedCredential) {

  49.   // Move data into Arrays incase it is super long

  50.   const authData = new Uint8Array(assertedCredential.response.authenticatorData);

  51.   const clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON);

  52.   const rawId = new Uint8Array(assertedCredential.rawId);

  53.   const sig = new Uint8Array(assertedCredential.response.signature);

  54.   const userHandle = new Uint8Array(assertedCredential.response.userHandle);

  55.   $.ajax({

  56.     url: `${appSubUrl}/user/webauthn/assertion`,

  57.     type: 'POST',

  58.     data: JSON.stringify({

  59.       id: assertedCredential.id,

  60.       rawId: encodeURLEncodedBase64(rawId),

  61.       type: assertedCredential.type,

  62.       clientExtensionResults: assertedCredential.getClientExtensionResults(),

  63.       response: {

  64.         authenticatorData: encodeURLEncodedBase64(authData),

  65.         clientDataJSON: encodeURLEncodedBase64(clientDataJSON),

  66.         signature: encodeURLEncodedBase64(sig),

  67.         userHandle: encodeURLEncodedBase64(userHandle),

  68.       },

  69.     }),

  70.     contentType: 'application/json; charset=utf-8',

  71.     dataType: 'json',

  72.     success: (resp) => {

  73.       if (resp && resp['redirect']) {

  74.         window.location.href = resp['redirect'];

  75.       } else {

  76.         window.location.href = '/';

  77.       }

  78.     },

  79.     error: (xhr) => {

  80.       if (xhr.status === 500) {

  81.         webAuthnError('unknown');

  82.         return;

  83.       }

  84.       webAuthnError('unable-to-process');

  85.     }

  86.   });

  87. }

  88. 

  89. // Encode an ArrayBuffer into a URLEncoded base64 string.

  90. function encodeURLEncodedBase64(value) {

  91.   return encode(value)

  92.     .replace(/\+/g, '-')

  93.     .replace(/\//g, '_')

  94.     .replace(/=/g, '');

  95. }

  96. 

  97. // Dccode a URLEncoded base64 to an ArrayBuffer string.

  98. function decodeURLEncodedBase64(value) {

  99.   return decode(value

  100.     .replace(/_/g, '/')

  101.     .replace(/-/g, '+'));

  102. }

  103. 

  104. function webauthnRegistered(newCredential) {

  105.   const attestationObject = new Uint8Array(newCredential.response.attestationObject);

  106.   const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);

  107.   const rawId = new Uint8Array(newCredential.rawId);

  108. 

  109.   return $.ajax({

  110.     url: `${appSubUrl}/user/settings/security/webauthn/register`,

  111.     type: 'POST',

  112.     headers: {'X-Csrf-Token': csrfToken},

  113.     data: JSON.stringify({

  114.       id: newCredential.id,

  115.       rawId: encodeURLEncodedBase64(rawId),

  116.       type: newCredential.type,

  117.       response: {

  118.         attestationObject: encodeURLEncodedBase64(attestationObject),

  119.         clientDataJSON: encodeURLEncodedBase64(clientDataJSON),

  120.       },

  121.     }),

  122.     dataType: 'json',

  123.     contentType: 'application/json; charset=utf-8',

  124.   }).then(() => {

  125.     window.location.reload();

  126.   }).fail((xhr) => {

  127.     if (xhr.status === 409) {

  128.       webAuthnError('duplicated');

  129.       return;

  130.     }

  131.     webAuthnError('unknown');

  132.   });

  133. }

  134. 

  135. function webAuthnError(errorType, message) {

  136.   hideElem($('#webauthn-error [data-webauthn-error-msg]'));

  137.   const $errorGeneral = $(`#webauthn-error [data-webauthn-error-msg=general]`);

  138.   if (errorType === 'general') {

  139.     showElem($errorGeneral);

  140.     $errorGeneral.text(message || 'unknown error');

  141.   } else {

  142.     const $errorTyped = $(`#webauthn-error [data-webauthn-error-msg=${errorType}]`);

  143.     if ($errorTyped.length) {

  144.       showElem($errorTyped);

  145.     } else {

  146.       showElem($errorGeneral);

  147.       $errorGeneral.text(`unknown error type: ${errorType}`);

  148.     }

  149.   }

  150.   $('#webauthn-error').modal('show');

  151. }

  152. 

  153. function detectWebAuthnSupport() {

  154.   if (!window.isSecureContext) {

  155.     $('#register-button').prop('disabled', true);

  156.     $('#login-button').prop('disabled', true);

  157.     webAuthnError('insecure');

  158.     return false;

  159.   }

  160. 

  161.   if (typeof window.PublicKeyCredential !== 'function') {

  162.     $('#register-button').prop('disabled', true);

  163.     $('#login-button').prop('disabled', true);

  164.     webAuthnError('browser');

  165.     return false;

  166.   }

  167. 

  168.   return true;

  169. }

  170. 

  171. export function initUserAuthWebAuthnRegister() {

  172.   if ($('#register-webauthn').length === 0) {

  173.     return;

  174.   }

  175. 

  176.   $('#webauthn-error').modal({allowMultiple: false});

  177.   $('#register-webauthn').on('click', (e) => {

  178.     e.preventDefault();

  179.     if (!detectWebAuthnSupport()) {

  180.       return;

  181.     }

  182.     webAuthnRegisterRequest();

  183.   });

  184. }

  185. 

  186. function webAuthnRegisterRequest() {

  187.   if ($('#nickname').val() === '') {

  188.     webAuthnError('empty');

  189.     return;

  190.   }

  191.   $.post(`${appSubUrl}/user/settings/security/webauthn/request_register`, {

  192.     _csrf: csrfToken,

  193.     name: $('#nickname').val(),

  194.   }).done((makeCredentialOptions) => {

  195.     $('#nickname').closest('div.field').removeClass('error');

  196. 

  197.     makeCredentialOptions.publicKey.challenge = decodeURLEncodedBase64(makeCredentialOptions.publicKey.challenge);

  198.     makeCredentialOptions.publicKey.user.id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.user.id);

  199.     if (makeCredentialOptions.publicKey.excludeCredentials) {

  200.       for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {

  201.         makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);

  202.       }

  203.     }

  204. 

  205.     navigator.credentials.create({

  206.       publicKey: makeCredentialOptions.publicKey

  207.     }).then(webauthnRegistered)

  208.       .catch((err) => {

  209.         if (!err) {

  210.           webAuthnError('unknown');

  211.           return;

  212.         }

  213.         webAuthnError('general', err.message);

  214.       });

  215.   }).fail((xhr) => {

  216.     if (xhr.status === 409) {

  217.       webAuthnError('duplicated');

  218.       return;

  219.     }

  220.     webAuthnError('unknown');

  221.   });

  222. }