summaryrefslogtreecommitdiff
path: root/packages/backend/src/server/api/SigninApiService.ts
diff options
context:
space:
mode:
Diffstat (limited to 'packages/backend/src/server/api/SigninApiService.ts')
-rw-r--r--packages/backend/src/server/api/SigninApiService.ts99
1 files changed, 48 insertions, 51 deletions
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index a5e2b09012..8b3d86e5a6 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -3,6 +3,7 @@ import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs';
import * as speakeasy from 'speakeasy';
import { IsNull } from 'typeorm';
+import { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
import { DI } from '@/di-symbols.js';
import type { UserSecurityKeysRepository, SigninsRepository, UserProfilesRepository, AttestationChallengesRepository, UsersRepository } from '@/models/index.js';
import type { Config } from '@/config.js';
@@ -12,7 +13,6 @@ import { IdService } from '@/core/IdService.js';
import { TwoFactorAuthenticationService } from '@/core/TwoFactorAuthenticationService.js';
import { RateLimiterService } from './RateLimiterService.js';
import { SigninService } from './SigninService.js';
-import type Koa from 'koa';
@Injectable()
export class SigninApiService {
@@ -42,47 +42,60 @@ export class SigninApiService {
) {
}
- public async signin(ctx: Koa.Context) {
- ctx.set('Access-Control-Allow-Origin', this.config.url);
- ctx.set('Access-Control-Allow-Credentials', 'true');
+ public async signin(
+ request: FastifyRequest<{
+ Body: {
+ username: string;
+ password: string;
+ token?: string;
+ signature?: string;
+ authenticatorData?: string;
+ clientDataJSON?: string;
+ credentialId?: string;
+ challengeId?: string;
+ };
+ }>,
+ reply: FastifyReply,
+ ) {
+ reply.header('Access-Control-Allow-Origin', this.config.url);
+ reply.header('Access-Control-Allow-Credentials', 'true');
- const body = ctx.request.body as any;
+ const body = request.body;
const username = body['username'];
const password = body['password'];
const token = body['token'];
function error(status: number, error: { id: string }) {
- ctx.status = status;
- ctx.body = { error };
+ reply.code(status);
+ return { error };
}
try {
// not more than 1 attempt per second and not more than 10 attempts per hour
- await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(ctx.ip));
+ await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
} catch (err) {
- ctx.status = 429;
- ctx.body = {
+ reply.code(429);
+ return {
error: {
message: 'Too many failed attempts to sign in. Try again later.',
code: 'TOO_MANY_AUTHENTICATION_FAILURES',
id: '22d05606-fbcf-421a-a2db-b32610dcfd1b',
},
};
- return;
}
if (typeof username !== 'string') {
- ctx.status = 400;
+ reply.code(400);
return;
}
if (typeof password !== 'string') {
- ctx.status = 400;
+ reply.code(400);
return;
}
if (token != null && typeof token !== 'string') {
- ctx.status = 400;
+ reply.code(400);
return;
}
@@ -93,17 +106,15 @@ export class SigninApiService {
}) as ILocalUser;
if (user == null) {
- error(404, {
+ return error(404, {
id: '6cc579cc-885d-43d8-95c2-b8c7fc963280',
});
- return;
}
if (user.isSuspended) {
- error(403, {
+ return error(403, {
id: 'e03a5f46-d309-4865-9b69-56282d94e1eb',
});
- return;
}
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
@@ -117,32 +128,29 @@ export class SigninApiService {
id: this.idService.genId(),
createdAt: new Date(),
userId: user.id,
- ip: ctx.ip,
- headers: ctx.headers,
+ ip: request.ip,
+ headers: request.headers,
success: false,
});
- error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
+ return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
};
if (!profile.twoFactorEnabled) {
if (same) {
- this.signinService.signin(ctx, user);
- return;
+ return this.signinService.signin(request, reply, user);
} else {
- await fail(403, {
+ return await fail(403, {
id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
});
- return;
}
}
if (token) {
if (!same) {
- await fail(403, {
+ return await fail(403, {
id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
});
- return;
}
const verified = (speakeasy as any).totp.verify({
@@ -153,20 +161,17 @@ export class SigninApiService {
});
if (verified) {
- this.signinService.signin(ctx, user);
- return;
+ return this.signinService.signin(request, reply, user);
} else {
- await fail(403, {
+ return await fail(403, {
id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f',
});
- return;
}
- } else if (body.credentialId) {
+ } else if (body.credentialId && body.clientDataJSON && body.authenticatorData && body.signature) {
if (!same && !profile.usePasswordLessLogin) {
- await fail(403, {
+ return await fail(403, {
id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
});
- return;
}
const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
@@ -179,10 +184,9 @@ export class SigninApiService {
});
if (!challenge) {
- await fail(403, {
+ return await fail(403, {
id: '2715a88a-2125-4013-932f-aa6fe72792da',
});
- return;
}
await this.attestationChallengesRepository.delete({
@@ -191,10 +195,9 @@ export class SigninApiService {
});
if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
- await fail(403, {
+ return await fail(403, {
id: '2715a88a-2125-4013-932f-aa6fe72792da',
});
- return;
}
const securityKey = await this.userSecurityKeysRepository.findOneBy({
@@ -207,10 +210,9 @@ export class SigninApiService {
});
if (!securityKey) {
- await fail(403, {
+ return await fail(403, {
id: '66269679-aeaf-4474-862b-eb761197e046',
});
- return;
}
const isValid = this.twoFactorAuthenticationService.verifySignin({
@@ -223,20 +225,17 @@ export class SigninApiService {
});
if (isValid) {
- this.signinService.signin(ctx, user);
- return;
+ return this.signinService.signin(request, reply, user);
} else {
- await fail(403, {
+ return await fail(403, {
id: '93b86c4b-72f9-40eb-9815-798928603d1e',
});
- return;
}
} else {
if (!same && !profile.usePasswordLessLogin) {
- await fail(403, {
+ return await fail(403, {
id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
});
- return;
}
const keys = await this.userSecurityKeysRepository.findBy({
@@ -244,10 +243,9 @@ export class SigninApiService {
});
if (keys.length === 0) {
- await fail(403, {
+ return await fail(403, {
id: 'f27fd449-9af4-4841-9249-1f989b9fa4a4',
});
- return;
}
// 32 byte challenge
@@ -266,15 +264,14 @@ export class SigninApiService {
registrationChallenge: false,
});
- ctx.body = {
+ reply.code(200);
+ return {
challenge,
challengeId,
securityKeys: keys.map(key => ({
id: key.id,
})),
};
- ctx.status = 200;
- return;
}
// never get here
}
generated by cgit v1.2.3-freya (git 2.53.0.84.g453e7b744a) at 2026-03-03 17:59:26 +0000