| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | // Copyright 2018 The Gitea Authors. All rights reserved. | 
					
						
							| 
									
										
										
										
											2022-11-27 13:20:29 -05:00
										 |  |  | // SPDX-License-Identifier: MIT | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 
 | 
					
						
							|  |  |  | package auth | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							|  |  |  | 	"errors" | 
					
						
							|  |  |  | 	"net/http" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-27 20:13:05 +00:00
										 |  |  | 	"forgejo.org/models/auth" | 
					
						
							|  |  |  | 	user_model "forgejo.org/models/user" | 
					
						
							|  |  |  | 	wa "forgejo.org/modules/auth/webauthn" | 
					
						
							|  |  |  | 	"forgejo.org/modules/base" | 
					
						
							|  |  |  | 	"forgejo.org/modules/log" | 
					
						
							|  |  |  | 	"forgejo.org/modules/setting" | 
					
						
							|  |  |  | 	"forgejo.org/services/context" | 
					
						
							|  |  |  | 	"forgejo.org/services/externalaccount" | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-01-11 21:51:00 -05:00
										 |  |  | 	"github.com/go-webauthn/webauthn/protocol" | 
					
						
							|  |  |  | 	"github.com/go-webauthn/webauthn/webauthn" | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | var tplWebAuthn base.TplName = "user/auth/webauthn" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // WebAuthn shows the WebAuthn login page | 
					
						
							|  |  |  | func WebAuthn(ctx *context.Context) { | 
					
						
							|  |  |  | 	ctx.Data["Title"] = ctx.Tr("twofa") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-10-14 02:56:41 +02:00
										 |  |  | 	if CheckAutoLogin(ctx) { | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-20 18:46:10 +01:00
										 |  |  | 	// Ensure user is in a 2FA session. | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	if ctx.Session.Get("twofaUid") == nil { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session")) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-10-11 22:12:54 +02:00
										 |  |  | 	hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, ctx.Session.Get("twofaUid").(int64)) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("HasTwoFactorByUID", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	ctx.Data["HasTwoFactor"] = hasTwoFactor | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-03-23 05:54:07 +01:00
										 |  |  | 	ctx.HTML(http.StatusOK, tplWebAuthn) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // WebAuthnLoginAssertion submits a WebAuthn challenge to the browser | 
					
						
							|  |  |  | func WebAuthnLoginAssertion(ctx *context.Context) { | 
					
						
							|  |  |  | 	// Ensure user is in a WebAuthn session. | 
					
						
							|  |  |  | 	idSess, ok := ctx.Session.Get("twofaUid").(int64) | 
					
						
							|  |  |  | 	if !ok || idSess == 0 { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session")) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-12-03 10:48:26 +08:00
										 |  |  | 	user, err := user_model.GetUserByID(ctx, idSess) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-09-16 16:39:12 +02:00
										 |  |  | 	exists, err := auth.ExistsWebAuthnCredentialsForUID(ctx, user.ID) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if !exists { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", errors.New("no device registered")) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-06-27 04:20:58 +02:00
										 |  |  | 	assertion, sessionData, err := wa.WebAuthn.BeginLogin((*wa.User)(user)) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("webauthn.BeginLogin", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if err := ctx.Session.Set("webauthnAssertion", sessionData); err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("Session.Set", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	ctx.JSON(http.StatusOK, assertion) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // WebAuthnLoginAssertionPost validates the signature and logs the user in | 
					
						
							|  |  |  | func WebAuthnLoginAssertionPost(ctx *context.Context) { | 
					
						
							|  |  |  | 	idSess, ok := ctx.Session.Get("twofaUid").(int64) | 
					
						
							|  |  |  | 	sessionData, okData := ctx.Session.Get("webauthnAssertion").(*webauthn.SessionData) | 
					
						
							|  |  |  | 	if !ok || !okData || sessionData == nil || idSess == 0 { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", errors.New("not in WebAuthn session")) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	defer func() { | 
					
						
							|  |  |  | 		_ = ctx.Session.Delete("webauthnAssertion") | 
					
						
							|  |  |  | 	}() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// Load the user from the db | 
					
						
							| 
									
										
										
										
											2022-12-03 10:48:26 +08:00
										 |  |  | 	user, err := user_model.GetUserByID(ctx, idSess) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("UserSignIn", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	log.Trace("Finishing webauthn authentication with user: %s", user.Name) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// Now we do the equivalent of webauthn.FinishLogin using a combination of our session data | 
					
						
							|  |  |  | 	// (from webauthnAssertion) and verify the provided request.0 | 
					
						
							|  |  |  | 	parsedResponse, err := protocol.ParseCredentialRequestResponse(ctx.Req) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		// Failed authentication attempt. | 
					
						
							|  |  |  | 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err) | 
					
						
							|  |  |  | 		ctx.Status(http.StatusForbidden) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2024-08-28 07:40:40 +02:00
										 |  |  | 	dbCred, err := auth.GetWebAuthnCredentialByCredID(ctx, user.ID, parsedResponse.RawID) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		ctx.ServerError("GetWebAuthnCredentialByCredID", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// If the credential is legacy, assume the values are correct. The | 
					
						
							|  |  |  | 	// specification mandates these flags don't change. | 
					
						
							|  |  |  | 	if dbCred.Legacy { | 
					
						
							|  |  |  | 		dbCred.BackupEligible = parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() | 
					
						
							|  |  |  | 		dbCred.BackupState = parsedResponse.Response.AuthenticatorData.Flags.HasBackupState() | 
					
						
							|  |  |  | 		dbCred.Legacy = false | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		if err := dbCred.UpdateFromLegacy(ctx); err != nil { | 
					
						
							|  |  |  | 			ctx.ServerError("UpdateFromLegacy", err) | 
					
						
							|  |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 	// Validate the parsed response. | 
					
						
							|  |  |  | 	cred, err := wa.WebAuthn.ValidateLogin((*wa.User)(user), *sessionData, parsedResponse) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		// Failed authentication attempt. | 
					
						
							|  |  |  | 		log.Info("Failed authentication attempt for %s from %s: %v", user.Name, ctx.RemoteAddr(), err) | 
					
						
							|  |  |  | 		ctx.Status(http.StatusForbidden) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// Ensure that the credential wasn't cloned by checking if CloneWarning is set. | 
					
						
							|  |  |  | 	// (This is set if the sign counter is less than the one we have stored.) | 
					
						
							|  |  |  | 	if cred.Authenticator.CloneWarning { | 
					
						
							|  |  |  | 		log.Info("Failed authentication attempt for %s from %s: cloned credential", user.Name, ctx.RemoteAddr()) | 
					
						
							|  |  |  | 		ctx.Status(http.StatusForbidden) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	dbCred.SignCount = cred.Authenticator.SignCount | 
					
						
							| 
									
										
										
										
											2023-09-16 16:39:12 +02:00
										 |  |  | 	if err := dbCred.UpdateSignCount(ctx); err != nil { | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 		ctx.ServerError("UpdateSignCount", err) | 
					
						
							|  |  |  | 		return | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// Now handle account linking if that's requested | 
					
						
							|  |  |  | 	if ctx.Session.Get("linkAccount") != nil { | 
					
						
							| 
									
										
										
										
											2023-09-25 15:17:37 +02:00
										 |  |  | 		if err := externalaccount.LinkAccountFromStore(ctx, ctx.Session, user); err != nil { | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | 			ctx.ServerError("LinkAccountFromStore", err) | 
					
						
							|  |  |  | 			return | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	remember := ctx.Session.Get("twofaRemember").(bool) | 
					
						
							|  |  |  | 	redirect := handleSignInFull(ctx, user, remember, false) | 
					
						
							|  |  |  | 	if redirect == "" { | 
					
						
							|  |  |  | 		redirect = setting.AppSubURL + "/" | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	_ = ctx.Session.Delete("twofaUid") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-07-26 14:04:01 +08:00
										 |  |  | 	ctx.JSONRedirect(redirect) | 
					
						
							| 
									
										
										
										
											2022-01-14 23:03:31 +08:00
										 |  |  | } |