feat: consider WebAuthn & SSH for instance signing (#7693)

- Currently the options `pubkey` and `twofa` only consider TOTP and GPG keys respectively. Adjust the code to also consider WebAuthn credentials and SSH keys. - While adding the new unified functions I noticed that certain places also benefited from using these unified functions and took the liberty (where it was either a trivial translation or it was covered under testing) to use the new unified functions. - Resolves forgejo/forgejo#7658 - Adds unit and integration tests. Documentation PR: https://codeberg.org/forgejo/docs/pulls/1166 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7693 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-08-01 17:38:33 +00:00 · 2025-04-29 10:34:07 +00:00 · 2025-04-29 10:34:07 +00:00 · df5d656827
commit df5d656827
parent 386e7f8208
15 changed files with 222 additions and 65 deletions
--- a/models/auth/two_factor.go
+++ b/models/auth/two_factor.go
@ -0,0 +1,21 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+package auth
+
+import (
+	"context"
+)
+
+// HasTwoFactorByUID returns true if the user has TOTP or WebAuthn enabled for
+// their account.
+func HasTwoFactorByUID(ctx context.Context, userID int64) (bool, error) {
+	hasTOTP, err := HasTOTPByUID(ctx, userID)
+	if err != nil {
+		return false, err
+	}
+	if hasTOTP {
+		return true, nil
+	}
+
+	return HasWebAuthnRegistrationsByUID(ctx, userID)
+}
--- a/models/auth/two_factor_test.go
+++ b/models/auth/two_factor_test.go
@ -0,0 +1,34 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+package auth
+
+import (
+	"testing"
+
+	"forgejo.org/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHasTwoFactorByUID(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("No twofactor", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(t.Context(), 2)
+		require.NoError(t, err)
+		assert.False(t, ok)
+	})
+
+	t.Run("WebAuthn credential", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(t.Context(), 32)
+		require.NoError(t, err)
+		assert.True(t, ok)
+	})
+
+	t.Run("TOTP", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(t.Context(), 24)
+		require.NoError(t, err)
+		assert.True(t, ok)
+	})
+}
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@ -135,9 +135,9 @@ func GetTwoFactorByUID(ctx context.Context, uid int64) (*TwoFactor, error) {
 	return twofa, nil
 }

-// HasTwoFactorByUID returns the two-factor authentication token associated with
-// the user, if any.
-func HasTwoFactorByUID(ctx context.Context, uid int64) (bool, error) {
+// HasTOTPByUID returns the TOTP authentication token associated with
+// the user, if the user has TOTP enabled for their account.
+func HasTOTPByUID(ctx context.Context, uid int64) (bool, error) {
 	return db.GetEngine(ctx).Where("uid=?", uid).Exist(&TwoFactor{})
 }