diff options
| author | Mary <Ipadlover8322@gmail.com> | 2019-07-03 07:18:07 -0400 |
|---|---|---|
| committer | syuilo <Syuilotan@yahoo.co.jp> | 2019-07-03 20:18:07 +0900 |
| commit | fd94b817abd8fa628586746eed3a1f61b4a2b3d8 (patch) | |
| tree | 53eccf1b923f9b29f73ec6651b361b1682af3247 /src/client/app/common | |
| parent | Resolve #5072 (diff) | |
| download | sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.gz sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.tar.bz2 sharkey-fd94b817abd8fa628586746eed3a1f61b4a2b3d8.zip | |
Implement Webauthn ๐ (#5088)
* Implement Webauthn :tada:
* Share hexifyAB
* Move hr inside template and add AttestationChallenges janitor daemon
* Apply suggestions from code review
Co-Authored-By: Acid Chicken (็กซ้
ธ้ถ) <root@acid-chicken.com>
* Add newline at the end of file
* Fix stray newline in promise chain
* Ignore var in try{}catch(){} block
Co-Authored-By: Acid Chicken (็กซ้
ธ้ถ) <root@acid-chicken.com>
* Add missing comma
* Add missing semicolon
* Support more attestation formats
* add support for more key types and linter pass
* Refactor
* Refactor
* credentialId --> id
* Fix
* Improve readability
* Add indexes
* fixes for credentialId->id
* Avoid changing store state
* Fix syntax error and code style
* Remove unused import
* Refactor of getkey API
* Create 1561706992953-webauthn.ts
* Update ja-JP.yml
* Add type annotations
* Fix code style
* Specify depedency version
* Fix code style
* Fix janitor daemon and login requesting 2FA regardless of status
Diffstat (limited to 'src/client/app/common')
| -rw-r--r-- | src/client/app/common/scripts/2fa.ts | 5 | ||||
| -rw-r--r-- | src/client/app/common/views/components/settings/2fa.vue | 163 | ||||
| -rw-r--r-- | src/client/app/common/views/components/signin.vue | 182 |
3 files changed, 322 insertions, 28 deletions
diff --git a/src/client/app/common/scripts/2fa.ts b/src/client/app/common/scripts/2fa.ts new file mode 100644 index 0000000000..f638cce156 --- /dev/null +++ b/src/client/app/common/scripts/2fa.ts @@ -0,0 +1,5 @@ +export function hexifyAB(buffer) { + return Array.from(new Uint8Array(buffer)) + .map(item => item.toString(16).padStart(2, 0)) + .join(''); +} diff --git a/src/client/app/common/views/components/settings/2fa.vue b/src/client/app/common/views/components/settings/2fa.vue index 6e8d19d83a..eb645898e2 100644 --- a/src/client/app/common/views/components/settings/2fa.vue +++ b/src/client/app/common/views/components/settings/2fa.vue @@ -1,11 +1,54 @@ <template> -<div class="2fa"> +<div class="2fa totp-section"> <p style="margin-top:0;">{{ $t('intro') }}<a :href="$t('url')" target="_blank">{{ $t('detail') }}</a></p> <ui-info warn>{{ $t('caution') }}</ui-info> <p v-if="!data && !$store.state.i.twoFactorEnabled"><ui-button @click="register">{{ $t('register') }}</ui-button></p> <template v-if="$store.state.i.twoFactorEnabled"> + <h2 class="heading">{{ $t('totp-header') }}</h2> <p>{{ $t('already-registered') }}</p> <ui-button @click="unregister">{{ $t('unregister') }}</ui-button> + + <template v-if="supportsCredentials"> + <hr class="totp-method-sep"> + + <h2 class="heading">{{ $t('security-key-header') }}</h2> + <p>{{ $t('security-key') }}</p> + <div class="key-list"> + <div class="key" v-for="key in $store.state.i.securityKeysList"> + <h3> + {{ key.name }} + </h3> + <div class="last-used"> + {{ $t('last-used') }} + <mk-time :time="key.lastUsed"/> + </div> + <ui-button @click="unregisterKey(key)"> + {{ $t('unregister') }} + </ui-button> + </div> + </div> + + <ui-info warn v-if="registration && registration.error">{{ $t('something-went-wrong') }} {{ registration.error }}</ui-info> + <ui-button v-if="!registration || registration.error" @click="addSecurityKey">{{ $t('register') }}</ui-button> + + <ol v-if="registration && !registration.error"> + <li v-if="registration.stage >= 0"> + {{ $t('activate-key') }} + <fa icon="spinner" pulse fixed-width v-if="registration.saving && registration.stage == 0" /> + </li> + <li v-if="registration.stage >= 1"> + <ui-form :disabled="registration.stage != 1 || registration.saving"> + <ui-input v-model="keyName" :max="30"> + <span>{{ $t('security-key-name') }}</span> + </ui-input> + <ui-button @click="registerKey" :disabled="this.keyName.length == 0"> + {{ $t('register-security-key') }} + </ui-button> + <fa icon="spinner" pulse fixed-width v-if="registration.saving && registration.stage == 1" /> + </ui-form> + </li> + </ol> + </template> </template> <div v-if="data && !$store.state.i.twoFactorEnabled"> <ol> @@ -24,12 +67,21 @@ <script lang="ts"> import Vue from 'vue'; import i18n from '../../../../i18n'; +import { hostname } from '../../../../config'; +import { hexifyAB } from '../../../scripts/2fa'; + +function stringifyAB(buffer) { + return String.fromCharCode.apply(null, new Uint8Array(buffer)); +} export default Vue.extend({ i18n: i18n('desktop/views/components/settings.2fa.vue'), data() { return { data: null, + supportsCredentials: !!navigator.credentials, + registration: null, + keyName: '', token: null }; }, @@ -76,7 +128,116 @@ export default Vue.extend({ }).catch(() => { this.$notify(this.$t('failed')); }); + }, + + registerKey() { + this.registration.saving = true; + this.$root.api('i/2fa/key-done', { + password: this.registration.password, + name: this.keyName, + challengeId: this.registration.challengeId, + // we convert each 16 bits to a string to serialise + clientDataJSON: stringifyAB(this.registration.credential.response.clientDataJSON), + attestationObject: hexifyAB(this.registration.credential.response.attestationObject) + }).then(key => { + this.registration = null; + key.lastUsed = new Date(); + this.$notify(this.$t('success')); + }) + }, + + unregisterKey(key) { + this.$root.dialog({ + title: this.$t('enter-password'), + input: { + type: 'password' + } + }).then(({ canceled, result: password }) => { + if (canceled) return; + return this.$root.api('i/2fa/remove-key', { + password, + credentialId: key.id + }).then(() => { + this.$notify(this.$t('key-unregistered')); + }); + }); + }, + + addSecurityKey() { + this.$root.dialog({ + title: this.$t('enter-password'), + input: { + type: 'password' + } + }).then(({ canceled, result: password }) => { + if (canceled) return; + this.$root.api('i/2fa/register-key', { + password + }).then(registration => { + this.registration = { + password, + challengeId: registration.challengeId, + stage: 0, + publicKeyOptions: { + challenge: Buffer.from( + registration.challenge + .replace(/\-/g, "+") + .replace(/_/g, "/"), + 'base64' + ), + rp: { + id: hostname, + name: 'Misskey' + }, + user: { + id: Uint8Array.from(this.$store.state.i.id, c => c.charCodeAt(0)), + name: this.$store.state.i.username, + displayName: this.$store.state.i.name, + }, + pubKeyCredParams: [{alg: -7, type: 'public-key'}], + timeout: 60000, + attestation: 'direct' + }, + saving: true + }; + return navigator.credentials.create({ + publicKey: this.registration.publicKeyOptions + }); + }).then(credential => { + this.registration.credential = credential; + this.registration.saving = false; + this.registration.stage = 1; + }).catch(err => { + console.warn('Error while registering?', err); + this.registration.error = err.message; + this.registration.stage = -1; + }); + }); } } }); </script> + +<style lang="stylus" scoped> +.totp-section + .totp-method-sep + margin 1.5em 0 1em + border none + border-top solid var(--lineWidth) var(--faceDivider) + + h2.heading + margin 0 + + .key + padding 1em + margin 0.5em 0 + background #161616 + border-radius 6px + + h3 + margin-top 0 + margin-bottom .3em + + .last-used + margin-bottom .5em +</style> diff --git a/src/client/app/common/views/components/signin.vue b/src/client/app/common/views/components/signin.vue index 03ee51d06e..53cc62c333 100644 --- a/src/client/app/common/views/components/signin.vue +++ b/src/client/app/common/views/components/signin.vue @@ -1,23 +1,40 @@ <template> -<form class="mk-signin" :class="{ signing }" @submit.prevent="onSubmit"> +<form class="mk-signin" :class="{ signing, totpLogin }" @submit.prevent="onSubmit"> <div class="avatar" :style="{ backgroundImage: user ? `url('${ user.avatarUrl }')` : null }" v-show="withAvatar"></div> - <ui-input v-model="username" type="text" pattern="^[a-zA-Z0-9_]+$" spellcheck="false" autofocus required @input="onUsernameChange"> - <span>{{ $t('username') }}</span> - <template #prefix>@</template> - <template #suffix>@{{ host }}</template> - </ui-input> - <ui-input v-model="password" type="password" :with-password-toggle="true" required> - <span>{{ $t('password') }}</span> - <template #prefix><fa icon="lock"/></template> - </ui-input> - <ui-input v-if="user && user.twoFactorEnabled" v-model="token" type="text" pattern="^[0-9]{6}$" autocomplete="off" spellcheck="false" required> - <span>{{ $t('@.2fa') }}</span> - <template #prefix><fa icon="gavel"/></template> - </ui-input> - <ui-button type="submit" :disabled="signing">{{ signing ? $t('signing-in') : $t('@.signin') }}</ui-button> - <p v-if="meta && meta.enableTwitterIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/twitter`"><fa :icon="['fab', 'twitter']"/> {{ $t('signin-with-twitter') }}</a></p> - <p v-if="meta && meta.enableGithubIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/github`"><fa :icon="['fab', 'github']"/> {{ $t('signin-with-github') }}</a></p> - <p v-if="meta && meta.enableDiscordIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/discord`"><fa :icon="['fab', 'discord']"/> {{ $t('signin-with-discord') /* TODO: Make these layouts better */ }}</a></p> + <div class="normal-signin" v-if="!totpLogin"> + <ui-input v-model="username" type="text" pattern="^[a-zA-Z0-9_]+$" spellcheck="false" autofocus required @input="onUsernameChange"> + <span>{{ $t('username') }}</span> + <template #prefix>@</template> + <template #suffix>@{{ host }}</template> + </ui-input> + <ui-input v-model="password" type="password" :with-password-toggle="true" required> + <span>{{ $t('password') }}</span> + <template #prefix><fa icon="lock"/></template> + </ui-input> + <ui-button type="submit" :disabled="signing">{{ signing ? $t('signing-in') : $t('@.signin') }}</ui-button> + <p v-if="meta && meta.enableTwitterIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/twitter`"><fa :icon="['fab', 'twitter']"/> {{ $t('signin-with-twitter') }}</a></p> + <p v-if="meta && meta.enableGithubIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/github`"><fa :icon="['fab', 'github']"/> {{ $t('signin-with-github') }}</a></p> + <p v-if="meta && meta.enableDiscordIntegration" style="margin: 8px 0;"><a :href="`${apiUrl}/signin/discord`"><fa :icon="['fab', 'discord']"/> {{ $t('signin-with-discord') /* TODO: Make these layouts better */ }}</a></p> + </div> + <div class="2fa-signin" v-if="totpLogin" :class="{ securityKeys: user && user.securityKeys }"> + <div v-if="user && user.securityKeys" class="twofa-group tap-group"> + <p>{{ $t('tap-key') }}</p> + <ui-button @click="queryKey" v-if="!queryingKey"> + {{ $t('@.error.retry') }} + </ui-button> + </div> + <div class="or-hr" v-if="user && user.securityKeys"> + <p class="or-msg">{{ $t('or') }}</p> + </div> + <div class="twofa-group totp-group"> + <p style="margin-bottom:0;">{{ $t('enter-2fa-code') }}</p> + <ui-input v-model="token" type="text" pattern="^[0-9]{6}$" autocomplete="off" spellcheck="false" required> + <span>{{ $t('@.2fa') }}</span> + <template #prefix><fa icon="gavel"/></template> + </ui-input> + <ui-button type="submit" :disabled="signing">{{ signing ? $t('signing-in') : $t('@.signin') }}</ui-button> + </div> + </div> </form> </template> @@ -26,6 +43,7 @@ import Vue from 'vue'; import i18n from '../../../i18n'; import { apiUrl, host } from '../../../config'; import { toUnicode } from 'punycode'; +import { hexifyAB } from '../../scripts/2fa'; export default Vue.extend({ i18n: i18n('common/views/components/signin.vue'), @@ -47,7 +65,11 @@ export default Vue.extend({ token: '', apiUrl, host: toUnicode(host), - meta: null + meta: null, + totpLogin: false, + credential: null, + challengeData: null, + queryingKey: false, }; }, @@ -68,23 +90,87 @@ export default Vue.extend({ }); }, - onSubmit() { - this.signing = true; - - this.$root.api('signin', { - username: this.username, - password: this.password, - token: this.user && this.user.twoFactorEnabled ? this.token : undefined + queryKey() { + this.queryingKey = true; + return navigator.credentials.get({ + publicKey: { + challenge: Buffer.from( + this.challengeData.challenge + .replace(/\-/g, '+') + .replace(/_/g, '/'), + 'base64' + ), + allowCredentials: this.challengeData.securityKeys.map(key => ({ + id: Buffer.from(key.id, 'hex'), + type: 'public-key', + transports: ['usb', 'ble', 'nfc'] + })), + timeout: 60 * 1000 + } + }).catch(err => { + this.queryingKey = false; + console.warn(err); + return Promise.reject(null); + }).then(credential => { + this.queryingKey = false; + this.signing = true; + return this.$root.api('signin', { + username: this.username, + password: this.password, + signature: hexifyAB(credential.response.signature), + authenticatorData: hexifyAB(credential.response.authenticatorData), + clientDataJSON: hexifyAB(credential.response.clientDataJSON), + credentialId: credential.id, + challengeId: this.challengeData.challengeId + }); }).then(res => { localStorage.setItem('i', res.i); location.reload(); - }).catch(() => { + }).catch(err => { + if(err === null) return; + console.error(err); this.$root.dialog({ type: 'error', text: this.$t('login-failed') }); this.signing = false; }); + }, + + onSubmit() { + this.signing = true; + + if (!this.totpLogin && this.user && this.user.twoFactorEnabled) { + if (window.PublicKeyCredential && this.user.securityKeys) { + this.$root.api('i/2fa/getkeys', { + username: this.username, + password: this.password + }).then(res => { + this.totpLogin = true; + this.signing = false; + this.challengeData = res; + return this.queryKey(); + }); + } else { + this.totpLogin = true; + this.signing = false; + } + } else { + this.$root.api('signin', { + username: this.username, + password: this.password, + token: this.user && this.user.twoFactorEnabled ? this.token : undefined + }).then(res => { + localStorage.setItem('i', res.i); + location.reload(); + }).catch(() => { + this.$root.dialog({ + type: 'error', + text: this.$t('login-failed') + }); + this.signing = false; + }); + } } } }); @@ -94,6 +180,48 @@ export default Vue.extend({ .mk-signin color #555 + .or-hr, + .or-hr .or-msg, + .twofa-group, + .twofa-group p + color var(--text) + + .tap-group > button + margin-bottom 1em + + .securityKeys .or-hr + & + position relative + + .or-msg + &:before + right 100% + margin-right 0.125em + + &:after + left 100% + margin-left 0.125em + + &:before, &:after + content "" + position absolute + top 50% + width 100% + height 2px + background #555 + + & + position relative + margin auto + left 0 + right 0 + top 0 + bottom 0 + font-size 1.5em + height 1.5em + width 3em + text-align center + &.signing &, * cursor wait !important |