summaryrefslogtreecommitdiff
path: root/packages/backend/src/server/api/SigninApiService.ts
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/server/api/SigninApiService.ts')
-rw-r--r--packages/backend/src/server/api/SigninApiService.ts145
1 files changed, 31 insertions, 114 deletions
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index bd3d8a28da..150f3f24d4 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -1,19 +1,29 @@
-import { randomBytes } from 'node:crypto';
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
import * as OTPAuth from 'otpauth';
import { IsNull } from 'typeorm';
import { DI } from '@/di-symbols.js';
-import type { UserSecurityKeysRepository, SigninsRepository, UserProfilesRepository, AttestationChallengesRepository, UsersRepository } from '@/models/index.js';
+import type {
+ SigninsRepository,
+ UserProfilesRepository,
+ UsersRepository,
+} from '@/models/_.js';
import type { Config } from '@/config.js';
import { getIpHash } from '@/misc/get-ip-hash.js';
-import type { LocalUser } from '@/models/entities/User.js';
+import type { MiLocalUser } from '@/models/User.js';
import { IdService } from '@/core/IdService.js';
-import { TwoFactorAuthenticationService } from '@/core/TwoFactorAuthenticationService.js';
import { bindThis } from '@/decorators.js';
+import { WebAuthnService } from '@/core/WebAuthnService.js';
+import { UserAuthService } from '@/core/UserAuthService.js';
import { RateLimiterService } from './RateLimiterService.js';
import { SigninService } from './SigninService.js';
-import type { FastifyRequest, FastifyReply } from 'fastify';
+import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types';
+import type { FastifyReply, FastifyRequest } from 'fastify';
@Injectable()
export class SigninApiService {
@@ -24,22 +34,17 @@ export class SigninApiService {
@Inject(DI.usersRepository)
private usersRepository: UsersRepository,
- @Inject(DI.userSecurityKeysRepository)
- private userSecurityKeysRepository: UserSecurityKeysRepository,
-
@Inject(DI.userProfilesRepository)
private userProfilesRepository: UserProfilesRepository,
- @Inject(DI.attestationChallengesRepository)
- private attestationChallengesRepository: AttestationChallengesRepository,
-
@Inject(DI.signinsRepository)
private signinsRepository: SigninsRepository,
private idService: IdService,
private rateLimiterService: RateLimiterService,
private signinService: SigninService,
- private twoFactorAuthenticationService: TwoFactorAuthenticationService,
+ private userAuthService: UserAuthService,
+ private webAuthnService: WebAuthnService,
) {
}
@@ -50,11 +55,7 @@ export class SigninApiService {
username: string;
password: string;
token?: string;
- signature?: string;
- authenticatorData?: string;
- clientDataJSON?: string;
- credentialId?: string;
- challengeId?: string;
+ credential?: AuthenticationResponseJSON;
};
}>,
reply: FastifyReply,
@@ -105,7 +106,7 @@ export class SigninApiService {
const user = await this.usersRepository.findOneBy({
usernameLower: username.toLowerCase(),
host: IsNull(),
- }) as LocalUser;
+ }) as MiLocalUser;
if (user == null) {
return error(404, {
@@ -125,7 +126,7 @@ export class SigninApiService {
const same = await bcrypt.compare(password, profile.password!);
const fail = async (status?: number, failure?: { id: string }) => {
- // Append signin history
+ // Append signin history
await this.signinsRepository.insert({
id: this.idService.genId(),
createdAt: new Date(),
@@ -155,78 +156,25 @@ export class SigninApiService {
});
}
- const delta = OTPAuth.TOTP.validate({
- secret: OTPAuth.Secret.fromBase32(profile.twoFactorSecret!),
- digits: 6,
- token,
- window: 1,
- });
-
- if (delta === null) {
+ try {
+ await this.userAuthService.twoFactorAuthenticate(profile, token);
+ } catch (e) {
return await fail(403, {
id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f',
});
- } else {
- return this.signinService.signin(request, reply, user);
}
- } else if (body.credentialId && body.clientDataJSON && body.authenticatorData && body.signature) {
+
+ return this.signinService.signin(request, reply, user);
+ } else if (body.credential) {
if (!same && !profile.usePasswordLessLogin) {
return await fail(403, {
id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
});
}
- const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
- const clientData = JSON.parse(clientDataJSON.toString('utf-8'));
- const challenge = await this.attestationChallengesRepository.findOneBy({
- userId: user.id,
- id: body.challengeId,
- registrationChallenge: false,
- challenge: this.twoFactorAuthenticationService.hash(clientData.challenge).toString('hex'),
- });
-
- if (!challenge) {
- return await fail(403, {
- id: '2715a88a-2125-4013-932f-aa6fe72792da',
- });
- }
-
- await this.attestationChallengesRepository.delete({
- userId: user.id,
- id: body.challengeId,
- });
-
- if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
- return await fail(403, {
- id: '2715a88a-2125-4013-932f-aa6fe72792da',
- });
- }
-
- const securityKey = await this.userSecurityKeysRepository.findOneBy({
- id: Buffer.from(
- body.credentialId
- .replace(/-/g, '+')
- .replace(/_/g, '/'),
- 'base64',
- ).toString('hex'),
- });
-
- if (!securityKey) {
- return await fail(403, {
- id: '66269679-aeaf-4474-862b-eb761197e046',
- });
- }
+ const authorized = await this.webAuthnService.verifyAuthentication(user.id, body.credential);
- const isValid = this.twoFactorAuthenticationService.verifySignin({
- publicKey: Buffer.from(securityKey.publicKey, 'hex'),
- authenticatorData: Buffer.from(body.authenticatorData, 'hex'),
- clientDataJSON,
- clientData,
- signature: Buffer.from(body.signature, 'hex'),
- challenge: challenge.challenge,
- });
-
- if (isValid) {
+ if (authorized) {
return this.signinService.signin(request, reply, user);
} else {
return await fail(403, {
@@ -240,42 +188,11 @@ export class SigninApiService {
});
}
- const keys = await this.userSecurityKeysRepository.findBy({
- userId: user.id,
- });
-
- if (keys.length === 0) {
- return await fail(403, {
- id: 'f27fd449-9af4-4841-9249-1f989b9fa4a4',
- });
- }
-
- // 32 byte challenge
- const challenge = randomBytes(32).toString('base64')
- .replace(/=/g, '')
- .replace(/\+/g, '-')
- .replace(/\//g, '_');
-
- const challengeId = this.idService.genId();
-
- await this.attestationChallengesRepository.insert({
- userId: user.id,
- id: challengeId,
- challenge: this.twoFactorAuthenticationService.hash(Buffer.from(challenge, 'utf-8')).toString('hex'),
- createdAt: new Date(),
- registrationChallenge: false,
- });
+ const authRequest = await this.webAuthnService.initiateAuthentication(user.id);
reply.code(200);
- return {
- challenge,
- challengeId,
- securityKeys: keys.map(key => ({
- id: key.id,
- })),
- };
+ return authRequest;
}
- // never get here
+ // never get here
}
}
-
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-12 16:04:01 +0000