Allow non password protected keys for 2FA only

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2024-11-25 08:36:22 -06:00 · 2024-11-25 08:36:22 -06:00 · 96ca0f1d9e
commit 96ca0f1d9e
parent f3eeb711a0
4 changed files with 17 additions and 8 deletions
--- a/packages/backend/src/core/WebAuthnService.ts
+++ b/packages/backend/src/core/WebAuthnService.ts
@ -83,7 +83,11 @@ export class WebAuthnService {
 	}

 	@bindThis
-	public async verifyRegistration(userId: MiUser['id'], response: RegistrationResponseJSON): Promise<{
+	public async verifyRegistration(
+		userId: MiUser['id'], 
+		response: RegistrationResponseJSON,
+		twoFactorOnly: boolean = false,
+	): Promise<{
 		credentialID: string;
 		credentialPublicKey: Uint8Array;
 		attestationObject: Uint8Array;
@ -111,7 +115,7 @@ export class WebAuthnService {
 				expectedChallenge: challenge,
 				expectedOrigin: relyingParty.origin,
 				expectedRPID: relyingParty.rpId,
-				requireUserVerification: true,
+				requireUserVerification: !twoFactorOnly,
 			});
 		} catch (error) {
 			console.error(error);
@ -245,7 +249,11 @@ export class WebAuthnService {
 	}

 	@bindThis
-	public async verifyAuthentication(userId: MiUser['id'], response: AuthenticationResponseJSON): Promise<boolean> {
+	public async verifyAuthentication(
+		userId: MiUser['id'], 
+		response: AuthenticationResponseJSON,
+		twoFactorOnly: boolean = false,
+	): Promise<boolean> {
 		const challenge = await this.redisClient.get(`webauthn:challenge:${userId}`);

 		if (!challenge) {
@ -302,7 +310,7 @@ export class WebAuthnService {
 					counter: key.counter,
 					transports: key.transports ? key.transports as AuthenticatorTransportFuture[] : undefined,
 				},
-				requireUserVerification: true,
+				requireUserVerification: !twoFactorOnly,
 			});
 		} catch (error) {
 			console.error(error);
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@ -255,7 +255,7 @@ export class SigninApiService {
 				});
 			}

-			const authorized = await this.webAuthnService.verifyAuthentication(user.id, body.credential);
+			const authorized = await this.webAuthnService.verifyAuthentication(user.id, body.credential, !profile.usePasswordLessLogin);

 			if (authorized) {
 				return this.signinService.signin(request, reply, user);
--- a/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
+++ b/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
@ -95,7 +95,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				throw new ApiError(meta.errors.twoFactorNotEnabled);
 			}

-			const keyInfo = await this.webAuthnService.verifyRegistration(me.id, ps.credential);
+			const keyInfo = await this.webAuthnService.verifyRegistration(me.id, ps.credential, true);
 			const keyId = keyInfo.credentialID;

 			await this.userSecurityKeysRepository.insert({
--- a/packages/frontend/src/components/MkSignin.passkey.vue
+++ b/packages/frontend/src/components/MkSignin.passkey.vue
@ -45,7 +45,8 @@ const queryingKey = ref(true);
 async function queryKey() {
 	queryingKey.value = true;
 	await webAuthnRequest(props.credentialRequest)
-		.catch(() => {
+		.catch((e) => {
+			console.error(e);
 			return Promise.reject(null);
 		})
 		.then((credential) => {
@ -53,7 +54,7 @@ async function queryKey() {
 		})
 		.finally(() => {
 			queryingKey.value = false;
-		});
+	});
 }

 onMounted(() => {