Add password to security keys

src/api_data/admin/admin_auth_options.rs

@@ -10,6 +10,7 @@ use crate::data::admin::{Admin, AdminKey};
 struct AuthKey {
     name: String,
     id: u64,
+    password: bool,
 }
 
 #[derive(Serialize)]
@@ -22,7 +23,7 @@ impl AdminAuthOptions {
     pub fn new(admin: &Admin, keys: &Vec<AdminKey>) -> Self {
         Self {
             reset_token: admin.reset_token.is_some(),
-            keys: keys.iter().map(|k| AuthKey { id: k.id, name: k.name.to_string() }).collect(),
+            keys: keys.iter().map(|k| AuthKey { id: k.id, name: k.name.to_string(), password: k.password.is_some() }).collect(),
         }
     }
 }

src/api_data/admin/admin_keys_api.rs

@@ -10,6 +10,7 @@ pub struct AdminKeyAPI {
     id: u64,
     name: String,
     time_add: u64,
+    has_password: bool,
 }
 
 impl AdminKeyAPI {
@@ -18,6 +19,7 @@ impl AdminKeyAPI {
             id: key.id,
             name: key.name.to_string(),
             time_add: key.time_add,
+            has_password: key.password.is_some(),
         }
     }
 }

src/controllers/admin/admin_keys_controller.rs

@@ -3,6 +3,8 @@
 //! @author Pierre Hubert
 
 
+use bcrypt::verify;
+
 use crate::api_data::admin::admin_auth_success::AdminAuthSuccess;
 use crate::api_data::admin::admin_keys_api::AdminKeyAPI;
 use crate::constants::admin::AdminRole;
@@ -63,6 +65,7 @@ pub fn challenge_register_key(r: &mut HttpRequestHandler) -> RequestResult {
 /// Register key
 pub fn register_key(r: &mut HttpRequestHandler) -> RequestResult {
     let key_name = r.post_string("name")?;
+    let key_password = r.post_string("password")?;
 
     let creds = r.post_register_public_key_credential("key")?;
     let state = r.some_or_internal_error(
@@ -73,7 +76,7 @@ pub fn register_key(r: &mut HttpRequestHandler) -> RequestResult {
     let wan = get_wan();
     let key = wan.register_credential(creds, state, |_| Ok(false))?;
 
-    let key_id = admin_account_key_helper::add_key(r.admin_id()?, &key_name, key)?;
+    let key_id = admin_account_key_helper::add_key(r.admin_id()?, &key_name, key, key_password)?;
 
     log_admin_action(r.admin_id()?, &r.remote_ip(),
                      AdminAction::RegisteredAdminKey {
@@ -138,6 +141,15 @@ pub fn auth_with_key(r: &mut HttpRequestHandler) -> RequestResult {
     let state = get_wan().authenticate_credential(credentials, state)?;
     r.some_or_bad_request(state, "Invalid key!")?;
 
+    // Check key password (if any)
+    if let Some(pass_hash) = key.password {
+        let password = r.post_string("password")?;
+
+        if !verify(password, &pass_hash)? {
+            r.forbidden("Bad key password!".to_string())?;
+        }
+    }
+
     // Generate access token
     let token = admin_access_token_helper::create(key.admin_id)?;
 

src/data/admin.rs

@@ -51,6 +51,7 @@ pub struct AdminKey {
     pub name: String,
     pub time_add: u64,
     pub key: Credential,
+    pub password: Option<String>,
 }
 
 /// Admin access token

src/helpers/admin_account_key_helper.rs

@@ -2,6 +2,7 @@
 //!
 //! @author Pierre Hubert
 
+use bcrypt::{DEFAULT_COST, hash_with_result};
 use webauthn_rs::proto::Credential;
 
 use crate::constants::database_tables_names::ADMIN_KEYS_TABLE;
@@ -11,12 +12,13 @@ use crate::helpers::database;
 use crate::utils::date_utils::time;
 
 /// Save a new key in the database
-pub fn add_key(id: AdminID, name: &str, key: Credential) -> Res<u64> {
+pub fn add_key(id: AdminID, name: &str, key: Credential, password: String) -> Res<u64> {
     database::InsertQuery::new(ADMIN_KEYS_TABLE)
         .add_admin_id("admin_id", id)
         .add_str("name", name)
         .add_u64("time_add", time())
         .add_str("credential", &serde_json::to_string(&key)?)
+        .add_str("password", &hash_with_result(password, DEFAULT_COST)?.to_string())
         .insert_expect_result()
 }
 
@@ -42,5 +44,6 @@ fn db_to_admin_key(row: &database::RowResult) -> Res<AdminKey> {
         name: row.get_str("name")?,
         time_add: row.get_u64("time_add")?,
         key: serde_json::from_str(&row.get_str("credential")?)?,
+        password: row.get_optional_str("password")?,
     })
 }