efb0ffc4ec
* Fix API Schema Error * Delete SimpleSchema/SimpleObj and Move schemas to dedicated files * Userのスキーマを分割してみる * define packMany type * add , * Ensure enum schema and Make "as const" put once * test? * Revert "test?" This reverts commit 97dc9bfa70851bfb7d1cf38e883f8df20fb78b79. * Revert "Fix API Schema Error" This reverts commit 21b6176d974ed8e3eb73723ad21a105c5d297323. * ✌️ * clean up * test? * wip * wip * better schema def * ✌️ * fix * add minLength property * wip * wip * wip * anyOf/oneOf/allOfに対応? ~ relation.ts * refactor! * Define MinimumSchema * wip * wip * anyOf/oneOf/allOfが動作するようにUnionSchemaTypeを修正 * anyOf/oneOf/allOfが動作するようにUnionSchemaTypeを修正 * Update packages/backend/src/misc/schema.ts Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com> * fix * array oneOfをより正確な型に * array oneOfをより正確な型に * wip * ✌️ * なんかもういろいろ * remove * very good schema * api schema * wip * refactor: awaitAllの型定義を変えてみる * fix * specify types in awaitAll * specify types in awaitAll * ✌️ * wip * ... * ✌️ * AllowDateはやめておく * 不必要なoptional: false, nullable: falseを廃止 * Packedが展開されないように * 続packed * wip * define note type * wip * UserDetailedをMeDetailedかUserDetailedNotMeかを区別できるように * wip * wip * wip specify user type of other schemas * ok * convertSchemaToOpenApiSchemaを改修 * convertSchemaToOpenApiSchemaを改修 * Fix * fix * ✌️ * wip * 分割代入ではなくallOfで定義するように Co-authored-by: Acid Chicken (硫酸鶏) <root@acid-chicken.com>
151 lines
3.6 KiB
TypeScript
151 lines
3.6 KiB
TypeScript
import $ from 'cafy';
|
|
import * as bcrypt from 'bcryptjs';
|
|
import { promisify } from 'util';
|
|
import * as cbor from 'cbor';
|
|
import define from '../../../define';
|
|
import {
|
|
UserProfiles,
|
|
UserSecurityKeys,
|
|
AttestationChallenges,
|
|
Users,
|
|
} from '@/models/index';
|
|
import config from '@/config/index';
|
|
import { procedures, hash } from '../../../2fa';
|
|
import { publishMainStream } from '@/services/stream';
|
|
|
|
const cborDecodeFirst = promisify(cbor.decodeFirst) as any;
|
|
|
|
export const meta = {
|
|
requireCredential: true,
|
|
|
|
secure: true,
|
|
|
|
params: {
|
|
clientDataJSON: {
|
|
validator: $.str,
|
|
},
|
|
attestationObject: {
|
|
validator: $.str,
|
|
},
|
|
password: {
|
|
validator: $.str,
|
|
},
|
|
challengeId: {
|
|
validator: $.str,
|
|
},
|
|
name: {
|
|
validator: $.str,
|
|
},
|
|
},
|
|
} as const;
|
|
|
|
const rpIdHashReal = hash(Buffer.from(config.hostname, 'utf-8'));
|
|
|
|
// eslint-disable-next-line import/no-default-export
|
|
export default define(meta, async (ps, user) => {
|
|
const profile = await UserProfiles.findOneOrFail(user.id);
|
|
|
|
// Compare password
|
|
const same = await bcrypt.compare(ps.password, profile.password!);
|
|
|
|
if (!same) {
|
|
throw new Error('incorrect password');
|
|
}
|
|
|
|
if (!profile.twoFactorEnabled) {
|
|
throw new Error('2fa not enabled');
|
|
}
|
|
|
|
const clientData = JSON.parse(ps.clientDataJSON);
|
|
|
|
if (clientData.type != 'webauthn.create') {
|
|
throw new Error('not a creation attestation');
|
|
}
|
|
if (clientData.origin != config.scheme + '://' + config.host) {
|
|
throw new Error('origin mismatch');
|
|
}
|
|
|
|
const clientDataJSONHash = hash(Buffer.from(ps.clientDataJSON, 'utf-8'));
|
|
|
|
const attestation = await cborDecodeFirst(ps.attestationObject);
|
|
|
|
const rpIdHash = attestation.authData.slice(0, 32);
|
|
if (!rpIdHashReal.equals(rpIdHash)) {
|
|
throw new Error('rpIdHash mismatch');
|
|
}
|
|
|
|
const flags = attestation.authData[32];
|
|
|
|
// eslint:disable-next-line:no-bitwise
|
|
if (!(flags & 1)) {
|
|
throw new Error('user not present');
|
|
}
|
|
|
|
const authData = Buffer.from(attestation.authData);
|
|
const credentialIdLength = authData.readUInt16BE(53);
|
|
const credentialId = authData.slice(55, 55 + credentialIdLength);
|
|
const publicKeyData = authData.slice(55 + credentialIdLength);
|
|
const publicKey: Map<number, any> = await cborDecodeFirst(publicKeyData);
|
|
if (publicKey.get(3) != -7) {
|
|
throw new Error('alg mismatch');
|
|
}
|
|
|
|
if (!(procedures as any)[attestation.fmt]) {
|
|
throw new Error('unsupported fmt');
|
|
}
|
|
|
|
const verificationData = (procedures as any)[attestation.fmt].verify({
|
|
attStmt: attestation.attStmt,
|
|
authenticatorData: authData,
|
|
clientDataHash: clientDataJSONHash,
|
|
credentialId,
|
|
publicKey,
|
|
rpIdHash,
|
|
});
|
|
if (!verificationData.valid) throw new Error('signature invalid');
|
|
|
|
const attestationChallenge = await AttestationChallenges.findOne({
|
|
userId: user.id,
|
|
id: ps.challengeId,
|
|
registrationChallenge: true,
|
|
challenge: hash(clientData.challenge).toString('hex'),
|
|
});
|
|
|
|
if (!attestationChallenge) {
|
|
throw new Error('non-existent challenge');
|
|
}
|
|
|
|
await AttestationChallenges.delete({
|
|
userId: user.id,
|
|
id: ps.challengeId,
|
|
});
|
|
|
|
// Expired challenge (> 5min old)
|
|
if (
|
|
new Date().getTime() - attestationChallenge.createdAt.getTime() >=
|
|
5 * 60 * 1000
|
|
) {
|
|
throw new Error('expired challenge');
|
|
}
|
|
|
|
const credentialIdString = credentialId.toString('hex');
|
|
|
|
await UserSecurityKeys.save({
|
|
userId: user.id,
|
|
id: credentialIdString,
|
|
lastUsed: new Date(),
|
|
name: ps.name,
|
|
publicKey: verificationData.publicKey.toString('hex'),
|
|
});
|
|
|
|
// Publish meUpdated event
|
|
publishMainStream(user.id, 'meUpdated', await Users.pack(user.id, user, {
|
|
detail: true,
|
|
includeSecrets: true,
|
|
}));
|
|
|
|
return {
|
|
id: credentialIdString,
|
|
name: ps.name,
|
|
};
|
|
});
|