[rokwire#659] webauthn authentication (#8)

* initial webauthn implementation (in progress)

* refactor webauthn to handle credentials, update docs

* avoid creating inaccessible accounts

* fix webauthn registration issues, add webauthn test page

* fix webauthn login flow

* update changelog

* fix error handling

* fix login issues for mobile

* upgrade dependencies

core/auth/auth.go

@@ -1019,7 +1019,7 @@ func (a *Auth) findAccountAuthType(account *model.Account, supportedAuthType mod
 	if accountAuthType.Credential != nil {
 		//populate credentials in accountAuthType
 		credential, err := a.storage.FindCredential(nil, accountAuthType.Credential.ID)
-		if err != nil {
+		if err != nil || credential == nil {
 			return nil, errors.WrapErrorAction(logutils.ActionFind, model.TypeCredential, nil, err)
 		}
 		credential.AuthType = supportedAuthType.AuthType

core/auth/auth_type_webauthn.go

@@ -90,11 +90,18 @@ func buildWebAuthn(supportedAuthType model.SupportedAuthType, appOrg model.Appli
 		return nil, errors.ErrorData(logutils.StatusInvalid, "supported auth type param", &logutils.FieldArgs{"param": "rp_origins", "app_org_id": appOrg.ID})
 	}
 
-	//TODO: Figure out how to dynamically populate params
+	requiredResidentKey := true
 	wconfig := &webauthn.Config{
-		RPDisplayName: appOrg.Application.Name,       // Display Name for your site
-		RPID:          rpID,                          // Generally the FQDN for your site
-		RPOrigins:     strings.Split(rpOrigins, ","), // The origin URLs allowed for WebAuthn requests
+		RPDisplayName:         appOrg.Application.Name,       // Display Name for your site
+		RPID:                  rpID,                          // Generally the FQDN for your site
+		RPOrigins:             strings.Split(rpOrigins, ","), // The origin URLs allowed for WebAuthn requests
+		AttestationPreference: protocol.PreferNoAttestation,
+		AuthenticatorSelection: protocol.AuthenticatorSelection{
+			// AuthenticatorAttachment: protocol.Platform,
+			RequireResidentKey: &requiredResidentKey,
+			ResidentKey:        protocol.ResidentKeyRequirementRequired,
+			UserVerification:   protocol.VerificationRequired,
+		},
 	}
 
 	auth, err := webauthn.New(wconfig)
@@ -114,7 +121,7 @@ func (a *webAuthnAuthImpl) getUserIdentifier(creds string) (string, error) {
 	if parsedCreds.Username == "" {
 		return "", errors.ErrorData(logutils.StatusMissing, "username", nil)
 	}
-	return parsedCreds.Username, nil
+	return strings.TrimSpace(strings.ToLower(parsedCreds.Username)), nil
 }
 
 func (a *webAuthnAuthImpl) signUp(supportedAuthType model.SupportedAuthType, appOrg model.ApplicationOrganization,
@@ -132,6 +139,7 @@ func (a *webAuthnAuthImpl) signUp(supportedAuthType model.SupportedAuthType, app
 	if parsedCreds.Username == "" {
 		return "", nil, errors.ErrorData(logutils.StatusMissing, "username", nil)
 	}
+	parsedCreds.Username = strings.TrimSpace(strings.ToLower(parsedCreds.Username))
 
 	var parsedParams webAuthnParams
 	err = json.Unmarshal([]byte(params), &parsedParams)
@@ -186,10 +194,14 @@ func (a *webAuthnAuthImpl) checkCredentials(accountAuthType model.AccountAuthTyp
 				}
 
 				accountAuthType.Credential.Value = credData
-				a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+				err = a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+				if err != nil {
+					return "", errors.WrapErrorAction(logutils.ActionUpdate, model.TypeCredential, nil, err)
+				}
+
 				return message, nil
 			}
-			return "", errors.ErrorData("unverified", model.TypeCredential, nil)
+			return "", errors.ErrorData(logutils.StatusMissing, model.TypeCredential, nil)
 		}
 		return a.beginLogin(auth, accountAuthType, user, l)
 	}
@@ -206,7 +218,11 @@ func (a *webAuthnAuthImpl) checkCredentials(accountAuthType model.AccountAuthTyp
 	}
 
 	if credential == nil {
-		return "", a.completeRegistration(auth, session, accountAuthType, parsedCreds.Response, user, l)
+		err = a.completeRegistration(auth, session, accountAuthType, parsedCreds.Response, user, l)
+		if err != nil {
+			return "", err
+		}
+		return "registration complete", nil
 	}
 
 	return "", a.completeLogin(auth, session, accountAuthType, parsedCreds.Response, user, l)
@@ -253,14 +269,17 @@ func (a *webAuthnAuthImpl) completeRegistration(auth *webauthn.WebAuthn, session
 
 	credentialData, err := json.Marshal(credential)
 	if err != nil {
-		return errors.WrapErrorAction(logutils.ActionMarshal, "session", nil, err)
+		return errors.WrapErrorAction(logutils.ActionMarshal, "credential", nil, err)
 	}
 
 	accountAuthType.Credential.Value = map[string]interface{}{
 		"credential": string(credentialData),
 	}
 	accountAuthType.Credential.Verified = true
-	a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+	err = a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionUpdate, model.TypeCredential, nil, err)
+	}
 
 	return nil
 }
@@ -277,7 +296,10 @@ func (a *webAuthnAuthImpl) beginLogin(auth *webauthn.WebAuthn, accountAuthType m
 	}
 
 	accountAuthType.Credential.Value["session"] = string(sessionData)
-	a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+	err = a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+	if err != nil {
+		return "", errors.WrapErrorAction(logutils.ActionUpdate, model.TypeCredential, nil, err)
+	}
 
 	optionData, err := json.Marshal(options)
 	if err != nil {
@@ -294,11 +316,24 @@ func (a *webAuthnAuthImpl) completeLogin(auth *webauthn.WebAuthn, session webaut
 		return errors.WrapErrorAction(logutils.ActionParse, "cred request response", nil, err)
 	}
 
-	_, err = auth.ValidateLogin(user, session, response)
+	newCred, err := auth.ValidateLogin(user, session, response)
 	if err != nil {
 		return errors.WrapErrorAction(logutils.ActionValidate, "login", nil, err)
 	}
 
+	credentialData, err := json.Marshal(newCred)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionMarshal, "credential", nil, err)
+	}
+
+	accountAuthType.Credential.Value = map[string]interface{}{
+		"credential": string(credentialData),
+	}
+	accountAuthType.Credential.Verified = true
+	err = a.auth.storage.UpdateCredential(nil, accountAuthType.Credential)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionUpdate, model.TypeCredential, nil, err)
+	}
 	return nil
 }
 

driver/web/adapter.go

@@ -91,6 +91,7 @@ func (we Adapter) Start() {
 	subRouter.HandleFunc("/ui/credential/reset", we.serveResetCredential)                                                     //Public
 	subRouter.HandleFunc("/ui/webauthn-test", we.serveWebAuthnTest)                                                           //Public
 	subRouter.HandleFunc("/ui/credential/verify", we.uiWrapFunc(we.servicesApisHandler.verifyCredential, nil)).Methods("GET") //Public (validates code)
+	// subRouter.HandleFunc("/ui/webauthn-test", we.serveWebAuthnTest)                                                           //Public
 
 	///default ///
 	subRouter.HandleFunc("/version", we.wrapFunc(we.defaultApisHandler.getVersion, nil)).Methods("GET")                                      //Public

go.mod

@@ -4,8 +4,8 @@ go 1.20
 
 require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
-	github.com/deepmap/oapi-codegen v1.12.4
-	github.com/getkin/kin-openapi v0.116.0
+	github.com/deepmap/oapi-codegen v1.13.0
+	github.com/getkin/kin-openapi v0.118.0
 	github.com/go-webauthn/webauthn v0.8.2
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.3.0
@@ -14,43 +14,63 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/rokwire/core-auth-library-go/v3 v3.0.1
 	github.com/rokwire/logging-library-go/v2 v2.2.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	github.com/swaggo/http-swagger v1.3.4
-	go.mongodb.org/mongo-driver v1.11.6
-	golang.org/x/crypto v0.8.0
-	golang.org/x/sync v0.1.0
+	go.mongodb.org/mongo-driver v1.11.7
+	golang.org/x/crypto v0.9.0
+	golang.org/x/sync v0.2.0
 	gopkg.in/go-playground/validator.v9 v9.31.0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gotest.tools v2.2.0+incompatible
 )
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/gin-gonic/gin v1.9.1 // indirect
+	github.com/go-playground/validator/v10 v10.14.1 // indirect
 	github.com/go-webauthn/revoke v0.1.9 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/labstack/echo/v4 v4.10.2 // indirect
+	github.com/labstack/gommon v0.4.0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/perimeterx/marshmallow v1.1.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.11 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasttemplate v1.2.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/arch v0.3.0 // indirect
 )
 
 require (
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/aws/aws-sdk-go v1.44.256 // indirect
+	github.com/aws/aws-sdk-go v1.44.279 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
-	github.com/casbin/casbin/v2 v2.68.0 // indirect
+	github.com/casbin/casbin/v2 v2.70.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -67,22 +87,22 @@ require (
 	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/montanaflynn/stats v0.7.0 // indirect
+	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/pquerna/cachecontrol v0.2.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/swaggo/files v1.0.1 // indirect
 	github.com/swaggo/swag v1.16.1 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.2 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/tools v0.8.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect