luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-05-25 11:22:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

[FEAT] Add support for webauthn credential level 3

Browse source 
- For WebAuthn Credential level 3, the `backup_eligible` and
`backup_state` flags are checked if they are consistent with the values
given on login. Forgejo never stored this data, so add a database
migration that makes all webauthn credentials 'legacy' and on the next
first use capture the values of `backup_eligible` and `backup_state`.
As suggested in https://github.com/go-webauthn/webauthn/discussions/219#discussioncomment-10429662
- Adds unit tests.
- Add E2E test.
This commit is contained in:
Gusted 2024-08-28 07:40:40 +02:00
parent 28c3f1e254
commit 63736e8301
No known key found for this signature in database
GPG key ID: FD821B732837125F
7 changed files with 131 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

23
models/auth/webauthn.go
View file

@ -40,7 +40,7 @@ func IsErrWebAuthnCredentialNotExist(err error) bool {
}
// WebAuthnCredential represents the WebAuthn credential data for a public-key
// credential conformant to WebAuthn Level 1
// credential conformant to WebAuthn Level 3
type WebAuthnCredential struct {
ID int64 `xorm:"pk autoincr"`
Name string
@ -52,8 +52,12 @@ type WebAuthnCredential struct {
AAGUID []byte
SignCount uint32 `xorm:"BIGINT"`
CloneWarning bool
CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
BackupEligible bool `XORM:"NOT NULL DEFAULT false"`
BackupState bool `XORM:"NOT NULL DEFAULT false"`
// If legacy is set to true, backup_eligible and backup_state isn't set.
Legacy bool `XORM:"NOT NULL DEFAULT true"`
CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
}
func init() {
@ -71,6 +75,12 @@ func (cred *WebAuthnCredential) UpdateSignCount(ctx context.Context) error {
return err
}
// UpdateFromLegacy update the values that aren't present on legacy credentials.
func (cred *WebAuthnCredential) UpdateFromLegacy(ctx context.Context) error {
_, err := db.GetEngine(ctx).ID(cred.ID).Cols("legacy", "backup_eligible", "backup_state").Update(cred)
return err
}
// BeforeInsert will be invoked by XORM before updating a record
func (cred *WebAuthnCredential) BeforeInsert() {
cred.LowerName = strings.ToLower(cred.Name)
@ -97,6 +107,10 @@ func (list WebAuthnCredentialList) ToCredentials() []webauthn.Credential {
ID: cred.CredentialID,
PublicKey: cred.PublicKey,
AttestationType: cred.AttestationType,
Flags: webauthn.CredentialFlags{
BackupEligible: cred.BackupEligible,
BackupState: cred.BackupState,
},
Authenticator: webauthn.Authenticator{
AAGUID: cred.AAGUID,
SignCount: cred.SignCount,
@ -167,6 +181,9 @@ func CreateCredential(ctx context.Context, userID int64, name string, cred *weba
AAGUID: cred.Authenticator.AAGUID,
SignCount: cred.Authenticator.SignCount,
CloneWarning: false,
BackupEligible: cred.Flags.BackupEligible,
BackupState: cred.Flags.BackupState,
Legacy: false,
}
if err := db.Insert(ctx, c); err != nil {