From 3c4a5a53a16108408f516354666268d01e05a900 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT <pierre.git@communiquons.org>
Date: Fri, 14 May 2021 12:18:21 +0200
Subject: [PATCH] Can authenticate using security key

---
 .../admin/admin_account_controller.rs         | 20 +++++++++++++++++++
 src/data/base_request_handler.rs              | 18 +++++++++++++++++
 src/routes.rs                                 |  1 +
 3 files changed, 39 insertions(+)

diff --git a/src/controllers/admin/admin_account_controller.rs b/src/controllers/admin/admin_account_controller.rs
index 364c606..0ca82b6 100644
--- a/src/controllers/admin/admin_account_controller.rs
+++ b/src/controllers/admin/admin_account_controller.rs
@@ -154,4 +154,24 @@ pub fn challenge_auth_with_key(r: &mut HttpRequestHandler) -> RequestResult {
     admin_key_authentication_challenges_helper::set(key.id, auth_state)?;
 
     r.set_response(challenge_response)
+}
+
+/// Authenticate a user with a security key
+pub fn auth_with_key(r: &mut HttpRequestHandler) -> RequestResult {
+    let key = r.post_admin_auth_key("mail", "key_id")?;
+    let credentials = r.post_auth_public_key_credential("credential")?;
+
+    let state = r.some_or_internal_error(
+        admin_key_authentication_challenges_helper::get(key.id)?,
+        "Associated authentication state not found!",
+    )?;
+
+    // Perform authentication
+    let state = get_wan().authenticate_credential(credentials, state)?;
+    r.some_or_bad_request(state, "Invalid key!")?;
+
+    // Generate access token
+    let token = admin_access_token_helper::create(key.admin_id)?;
+
+    r.set_response(AdminAuthSuccess::new(token))
 }
\ No newline at end of file
diff --git a/src/data/base_request_handler.rs b/src/data/base_request_handler.rs
index 28048b7..c2c68c9 100644
--- a/src/data/base_request_handler.rs
+++ b/src/data/base_request_handler.rs
@@ -177,6 +177,17 @@ pub trait BaseRequestHandler {
         }
     }
 
+    /// Unwrap an option, returning an error if none is returned
+    fn some_or_bad_request<E>(&mut self, opt: Option<E>, msg: &str) -> Res<E> {
+        match opt {
+            None => {
+                self.bad_request(msg.to_string())?;
+                unreachable!()
+            }
+            Some(e) => Ok(e)
+        }
+    }
+
 
     /// Get a user ID, if available
     fn user_id_opt(&self) -> Option<UserID> {
@@ -558,6 +569,13 @@ pub trait BaseRequestHandler {
         Ok(serde_json::from_str(&str)?)
     }
 
+    /// Get the response to a key authentication included in the request
+    fn post_auth_public_key_credential(&mut self, name: &str) -> Res<webauthn_rs::proto::PublicKeyCredential> {
+        let str = self.post_string(name)?;
+
+        Ok(serde_json::from_str(&str)?)
+    }
+
     /// Get the ID of a user included in a POST request
     fn post_user_id(&mut self, name: &str) -> ResultBoxError<UserID> {
         let user_id = UserID::new(self.post_u64(name)?);
diff --git a/src/routes.rs b/src/routes.rs
index 481992e..3e391e6 100644
--- a/src/routes.rs
+++ b/src/routes.rs
@@ -356,5 +356,6 @@ pub fn get_routes() -> Vec<Route> {
         Route::admin_post("/admin/accounts/challenge_register_key", Box::new(admin_account_controller::challenge_register_key)),
         Route::admin_post("/admin/accounts/register_key", Box::new(admin_account_controller::register_key)),
         Route::limited_admin_post_without_login("/admin/accounts/challenge_auth_with_key", Box::new(admin_account_controller::challenge_auth_with_key), LimitPolicy::ANY(10)),
+        Route::limited_admin_post_without_login("/admin/accounts/auth_with_key", Box::new(admin_account_controller::auth_with_key), LimitPolicy::ANY(10)),
     ]
 }
\ No newline at end of file