[#659] WebAuthn authentication

.secrets.baseline

@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -161,7 +165,7 @@
         "filename": "core/auth/auth.go",
         "hashed_secret": "58f3388441fbce0e48aef2bf74413a6f43f6dc70",
         "is_verified": false,
-        "line_number": 936
+        "line_number": 937
       },
       {
         "type": "Secret Keyword",
@@ -335,7 +339,7 @@
         "filename": "driver/web/docs/gen/gen_types.go",
         "hashed_secret": "c9739eab2dfa093cc0e450bf0ea81a43ae67b581",
         "is_verified": false,
-        "line_number": 1797
+        "line_number": 1812
       }
     ],
     "driver/web/docs/resources/admin/auth/login.yaml": [
@@ -366,5 +370,5 @@
       }
     ]
   },
-  "generated_at": "2023-07-11T15:43:42Z"
+  "generated_at": "2023-09-11T20:21:53Z"
 }

CHANGELOG.md

@@ -6,11 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
-
 ### Added
+- WebAuthn authentication [#659](https://github.com/rokwire/core-building-block/issues/659)
 - Searching follows looks for substring matches [#670](https://github.com/rokwire/core-building-block/issues/670)
-
-### Added
 - Support following accounts [#667](https://github.com/rokwire/core-building-block/issues/667)
 - Device ID not nullable [#672](https://github.com/rokwire/core-building-block/issues/672)
 

core/auth/apis.go

@@ -81,7 +81,7 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 
 	//validate if the provided auth type is supported by the provided application and organization
 	authType, appType, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, orgID)
-	if err != nil {
+	if err != nil || authType == nil {
 		return nil, nil, nil, errors.WrapErrorAction(logutils.ActionValidate, model.TypeAuthType, nil, err)
 	}
 
@@ -109,12 +109,12 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 	var state string
 
 	//get the auth type implementation for the auth type
-	if authType.IsAnonymous && !admin {
+	if authType.AuthType.IsAnonymous && !admin {
 		anonymous = true
 
 		anonymousID := ""
 		var account *model.Account
-		anonymousID, account, responseParams, err = a.applyAnonymousAuthType(*authType, creds)
+		anonymousID, account, responseParams, err = a.applyAnonymousAuthType(authType.AuthType, creds)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction(logutils.ActionApply, typeAnonymousAuthType, logutils.StringArgs("user"), err)
 		}
@@ -123,7 +123,7 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 		if account != nil {
 			accountAuthType = &model.AccountAuthType{Account: *account}
 		}
-	} else if authType.IsExternal {
+	} else if authType.AuthType.IsExternal {
 		accountAuthType, responseParams, mfaTypes, externalIDs, err = a.applyExternalAuthType(*authType, *appType, *appOrg, creds, params, clientVersion, profile, privacy, preferences, username, admin, l)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction(logutils.ActionApply, typeExternalAuthType, logutils.StringArgs("user"), err)
@@ -147,7 +147,7 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 	}
 
 	//check if account is enrolled in MFA
-	if !authType.IgnoreMFA && len(mfaTypes) > 0 {
+	if !authType.AuthType.IgnoreMFA && len(mfaTypes) > 0 {
 		state, err = utils.GenerateRandomString(loginStateLength)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction(logutils.ActionGenerate, "login state", nil, err)
@@ -161,7 +161,7 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 	}
 
 	//now we are ready to apply login for the user or anonymous
-	loginSession, err := a.applyLogin(anonymous, sub, *authType, *appOrg, accountAuthType, *appType, externalIDs, ipAddress, deviceType, deviceOS, deviceID, clientVersion, responseParams, state, l)
+	loginSession, err := a.applyLogin(anonymous, sub, authType.AuthType, *appOrg, accountAuthType, *appType, externalIDs, ipAddress, deviceType, deviceOS, deviceID, clientVersion, responseParams, state, l)
 	if err != nil {
 		return nil, nil, nil, errors.WrapErrorAction(logutils.ActionApply, "login", logutils.StringArgs("user"), err)
 	}
@@ -443,13 +443,13 @@ func (a *Auth) GetLoginURL(authenticationType string, appTypeIdentifier string,
 	}
 
 	//get the auth type implementation for the auth type
-	authImpl, err := a.getExternalAuthTypeImpl(*authType)
+	authImpl, err := a.getExternalAuthTypeImpl(authType.AuthType)
 	if err != nil {
 		return "", nil, errors.WrapErrorAction(logutils.ActionLoadCache, model.TypeAuthType, nil, err)
 	}
 
 	//get login URL
-	loginURL, params, err := authImpl.getLoginURL(*authType, *appType, redirectURI, l)
+	loginURL, params, err := authImpl.getLoginURL(authType.AuthType, *appType, redirectURI, l)
 	if err != nil {
 		return "", nil, errors.WrapErrorAction(logutils.ActionGet, "login url", nil, err)
 	}
@@ -928,7 +928,7 @@ func (a *Auth) UpdateCredential(accountID string, accountAuthTypeID string, para
 
 	credential := accountAuthType.Credential
 	//Determine the auth type for resetPassword
-	authType := accountAuthType.AuthType
+	authType := accountAuthType.SupportedAuthType.AuthType
 	if !authType.UseCredentials {
 		return errors.ErrorData(logutils.StatusInvalid, model.TypeAuthType, logutils.StringArgs("reset password"))
 	}
@@ -1008,7 +1008,7 @@ func (a *Auth) ResetForgotCredential(credsID string, resetCode string, params st
 func (a *Auth) ForgotCredential(authenticationType string, appTypeIdentifier string, orgID string, apiKey string, identifier string, l *logs.Log) error {
 	//validate if the provided auth type is supported by the provided application and organization
 	authType, _, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, orgID)
-	if err != nil {
+	if err != nil || authType == nil || appOrg == nil {
 		return errors.WrapErrorAction(logutils.ActionValidate, model.TypeAuthType, nil, err)
 	}
 
@@ -1025,23 +1025,23 @@ func (a *Auth) ForgotCredential(authenticationType string, appTypeIdentifier str
 	}
 
 	//check if the auth types uses credentials
-	if !authType.UseCredentials {
+	if !authType.AuthType.UseCredentials {
 		return errors.ErrorData(logutils.StatusInvalid, model.TypeAuthType, logutils.StringArgs("credential reset"))
 	}
 
-	authImpl, err := a.getAuthTypeImpl(*authType)
+	authImpl, err := a.getAuthTypeImpl(authType.AuthType)
 	if err != nil {
 		return errors.WrapErrorAction(logutils.ActionLoadCache, model.TypeAuthType, nil, err)
 	}
-	authTypeID := authType.ID
+	authTypeID := authType.AuthType.ID
 
 	//Find the credential for setting reset code and expiry and sending credID in reset link
 	account, err := a.storage.FindAccount(nil, appOrg.ID, authTypeID, identifier)
 	if err != nil {
 		return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccount, nil, err)
 	}
 
-	accountAuthType, err := a.findAccountAuthType(account, authType, identifier)
+	accountAuthType, err := a.findAccountAuthType(account, *authType, identifier)
 	if accountAuthType == nil {
 		return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccountAuthType, nil, err)
 	}
@@ -1052,7 +1052,7 @@ func (a *Auth) ForgotCredential(authenticationType string, appTypeIdentifier str
 	a.setLogContext(account, l)
 
 	//do not allow to reset credential for unverified credentials
-	err = a.checkCredentialVerified(authImpl, accountAuthType, l)
+	err = a.checkCredentialVerified(authImpl, *accountAuthType, l)
 	if err != nil {
 		return err
 	}
@@ -1073,7 +1073,7 @@ func (a *Auth) ForgotCredential(authenticationType string, appTypeIdentifier str
 func (a *Auth) SendVerifyCredential(authenticationType string, appTypeIdentifier string, orgID string, apiKey string, identifier string, l *logs.Log) error {
 	//validate if the provided auth type is supported by the provided application and organization
 	authType, _, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, orgID)
-	if err != nil {
+	if err != nil || authType == nil || appOrg == nil {
 		return errors.WrapErrorAction(logutils.ActionValidate, model.TypeAuthType, nil, err)
 	}
 	//validate api key before making db calls
@@ -1082,18 +1082,18 @@ func (a *Auth) SendVerifyCredential(authenticationType string, appTypeIdentifier
 		return errors.WrapErrorData(logutils.StatusInvalid, model.TypeAPIKey, nil, err)
 	}
 
-	if !authType.UseCredentials {
+	if !authType.AuthType.UseCredentials {
 		return errors.ErrorData(logutils.StatusInvalid, model.TypeAuthType, logutils.StringArgs("credential verification code"))
 	}
-	authImpl, err := a.getAuthTypeImpl(*authType)
+	authImpl, err := a.getAuthTypeImpl(authType.AuthType)
 	if err != nil {
 		return errors.WrapErrorAction(logutils.ActionLoadCache, model.TypeAuthType, nil, err)
 	}
-	account, err := a.storage.FindAccount(nil, appOrg.ID, authType.ID, identifier)
+	account, err := a.storage.FindAccount(nil, appOrg.ID, authType.AuthType.ID, identifier)
 	if err != nil {
 		return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccount, nil, err)
 	}
-	accountAuthType, err := a.findAccountAuthType(account, authType, identifier)
+	accountAuthType, err := a.findAccountAuthType(account, *authType, identifier)
 	if accountAuthType == nil {
 		return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccountAuthType, nil, err)
 	}
@@ -1696,13 +1696,13 @@ func (a *Auth) LinkAccountAuthType(accountID string, authenticationType string,
 
 	//validate if the provided auth type is supported by the provided application and organization
 	authType, appType, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, account.AppOrg.Organization.ID)
-	if err != nil {
+	if err != nil || authType == nil || appType == nil || appOrg == nil {
 		return nil, nil, errors.WrapErrorAction(logutils.ActionValidate, model.TypeAuthType, nil, err)
 	}
 
-	if authType.IsAnonymous {
+	if authType.AuthType.IsAnonymous {
 		return nil, nil, errors.ErrorData(logutils.StatusInvalid, model.TypeAuthType, &logutils.FieldArgs{"anonymous": true})
-	} else if authType.IsExternal {
+	} else if authType.AuthType.IsExternal {
 		newAccountAuthType, err = a.linkAccountAuthTypeExternal(*account, *authType, *appType, *appOrg, creds, params, l)
 		if err != nil {
 			return nil, nil, errors.WrapErrorAction("linking", model.TypeCredential, nil, err)