BasicOIDC/src/data/webauthn_manager.rs

use std::io::ErrorKind;
use std::sync::Arc;

use actix_web::web;
use uuid::Uuid;
use webauthn_rs::{Webauthn, WebauthnBuilder};
use webauthn_rs::prelude::{CreationChallengeResponse, Passkey, PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse};

use crate::constants::{APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE};
use crate::data::app_config::AppConfig;
use crate::data::crypto_wrapper::CryptoWrapper;
use crate::data::user::{User, UserID};
use crate::utils::err::Res;
use crate::utils::time::time;

#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
pub struct WebauthnPubKey {
    creds: Passkey,
}

pub struct RegisterKeyRequest {
    pub opaque_state: String,
    pub creation_challenge: CreationChallengeResponse,
}

#[derive(Debug, serde::Serialize, serde::Deserialize)]
struct RegisterKeyOpaqueData {
    registration_state: String,
    user_id: UserID,
    expire: u64,
}

pub struct AuthRequest {
    pub opaque_state: String,
    pub login_challenge: RequestChallengeResponse,
}

#[derive(Debug, serde::Serialize, serde::Deserialize)]
struct AuthStateOpaqueData {
    authentication_state: String,
    user_id: UserID,
    expire: u64,
}


pub type WebAuthManagerReq = web::Data<Arc<WebAuthManager>>;

pub struct WebAuthManager {
    core: Webauthn,
    crypto_wrapper: CryptoWrapper,
}

impl WebAuthManager {
    pub fn init(conf: &AppConfig) -> Self {
        Self {
            core: WebauthnBuilder::new(
                conf.domain_name().split_once(':')
                    .map(|s| s.0)
                    .unwrap_or_else(|| conf.domain_name()),
                &url::Url::parse(&conf.website_origin)
                    .expect("Failed to parse configuration origin!"))
                .expect("Invalid Webauthn configuration")
                .rp_name(APP_NAME)
                .build()
                .expect("Failed to build webauthn")

            ,
            crypto_wrapper: CryptoWrapper::new_random(),
        }
    }

    pub fn start_register(&self, user: &User) -> Res<RegisterKeyRequest> {
        let (creation_challenge, registration_state)
            = self.core.start_passkey_registration(
            Uuid::parse_str(&user.uid.0).expect("Failed to parse user id"),
            &user.username,
            &user.full_name(),
            None,
        )?;

        Ok(RegisterKeyRequest {
            opaque_state: self.crypto_wrapper.encrypt(&RegisterKeyOpaqueData {
                registration_state: serde_json::to_string(&registration_state)?,
                user_id: user.uid.clone(),
                expire: time() + WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,
            })?,
            creation_challenge,
        })
    }

    pub fn finish_registration(&self, user: &User, opaque_state: &str,
                               pub_cred: RegisterPublicKeyCredential) -> Res<WebauthnPubKey> {
        let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
        if state.user_id != user.uid {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }

        if state.expire < time() {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
        }

        let res = self.core
            .finish_passkey_registration(&pub_cred, &serde_json::from_str(&state.registration_state)?)?;

        Ok(WebauthnPubKey { creds: res })
    }

    pub fn start_authentication(&self, user_id: &UserID, key: &WebauthnPubKey) -> Res<AuthRequest> {
        let (login_challenge, authentication_state) = self.core.start_passkey_authentication(&vec![
            key.creds.clone()
        ])?;

        Ok(AuthRequest {
            opaque_state: self.crypto_wrapper.encrypt(&AuthStateOpaqueData {
                authentication_state: serde_json::to_string(&authentication_state)?,
                user_id: user_id.clone(),
                expire: time() + WEBAUTHN_LOGIN_CHALLENGE_EXPIRE,
            })?,
            login_challenge,
        })
    }

    pub fn finish_authentication(&self, user_id: &UserID, opaque_state: &str,
                                 pub_cred: &PublicKeyCredential) -> Res {
        let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
        if &state.user_id != user_id {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }

        if state.expire < time() {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
        }

        self.core.finish_passkey_authentication(pub_cred,
                                                &serde_json::from_str(&state.authentication_state)?)?;

        Ok(())
    }
}
Register user security keys 2022-04-21 17:24:26 +00:00			`use std::io::ErrorKind;`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`use std::sync::Arc;`

			`use actix_web::web;`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`use uuid::Uuid;`
			`use webauthn_rs::{Webauthn, WebauthnBuilder};`
			`use webauthn_rs::prelude::{CreationChallengeResponse, Passkey, PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse};`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00
Add RP name in webauthn 2022-08-25 06:03:49 +00:00			`use crate::constants::{APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE};`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`use crate::data::app_config::AppConfig;`
			`use crate::data::crypto_wrapper::CryptoWrapper;`
			`use crate::data::user::{User, UserID};`
			`use crate::utils::err::Res;`
Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`use crate::utils::time::time;`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00
Register user security keys 2022-04-21 17:24:26 +00:00			`#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]`
			`pub struct WebauthnPubKey {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`creds: Passkey,`
Register user security keys 2022-04-21 17:24:26 +00:00			`}`

Get auth challenge 2022-04-23 16:56:14 +00:00			`pub struct RegisterKeyRequest {`
			`pub opaque_state: String,`
			`pub creation_challenge: CreationChallengeResponse,`
			`}`

Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`#[derive(Debug, serde::Serialize, serde::Deserialize)]`
			`struct RegisterKeyOpaqueData {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`registration_state: String,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`user_id: UserID,`
Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`expire: u64,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`}`

Get auth challenge 2022-04-23 16:56:14 +00:00			`pub struct AuthRequest {`
			`pub opaque_state: String,`
			`pub login_challenge: RequestChallengeResponse,`
			`}`

			`#[derive(Debug, serde::Serialize, serde::Deserialize)]`
			`struct AuthStateOpaqueData {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`authentication_state: String,`
Get auth challenge 2022-04-23 16:56:14 +00:00			`user_id: UserID,`
Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`expire: u64,`
Get auth challenge 2022-04-23 16:56:14 +00:00			`}`


Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`pub type WebAuthManagerReq = web::Data<Arc<WebAuthManager>>;`

			`pub struct WebAuthManager {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`core: Webauthn,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`crypto_wrapper: CryptoWrapper,`
			`}`

			`impl WebAuthManager {`
			`pub fn init(conf: &AppConfig) -> Self {`
			`Self {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`core: WebauthnBuilder::new(`
			`conf.domain_name().split_once(':')`
Register user security keys 2022-04-21 17:24:26 +00:00			`.map(\|s\| s.0)`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`.unwrap_or_else(\|\| conf.domain_name()),`
			`&url::Url::parse(&conf.website_origin)`
			`.expect("Failed to parse configuration origin!"))`
			`.expect("Invalid Webauthn configuration")`
Add RP name in webauthn 2022-08-25 06:03:49 +00:00			`.rp_name(APP_NAME)`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`.build()`
			`.expect("Failed to build webauthn")`

			`,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`crypto_wrapper: CryptoWrapper::new_random(),`
			`}`
			`}`

			`pub fn start_register(&self, user: &User) -> Res<RegisterKeyRequest> {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`let (creation_challenge, registration_state)`
			`= self.core.start_passkey_registration(`
			`Uuid::parse_str(&user.uid.0).expect("Failed to parse user id"),`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`&user.username,`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`&user.full_name(),`
			`None,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`)?;`

			`Ok(RegisterKeyRequest {`
			`opaque_state: self.crypto_wrapper.encrypt(&RegisterKeyOpaqueData {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`registration_state: serde_json::to_string(&registration_state)?,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`user_id: user.uid.clone(),`
Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`expire: time() + WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`})?,`
			`creation_challenge,`
			`})`
			`}`
Register user security keys 2022-04-21 17:24:26 +00:00
			`pub fn finish_registration(&self, user: &User, opaque_state: &str,`
			`pub_cred: RegisterPublicKeyCredential) -> Res<WebauthnPubKey> {`
			`let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;`
			`if state.user_id != user.uid {`
			`return Err(Box::new(`
			`std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));`
			`}`

Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`if state.expire < time() {`
			`return Err(Box::new(`
			`std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));`
			`}`

Register user security keys 2022-04-21 17:24:26 +00:00			`let res = self.core`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`.finish_passkey_registration(&pub_cred, &serde_json::from_str(&state.registration_state)?)?;`
Register user security keys 2022-04-21 17:24:26 +00:00
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`Ok(WebauthnPubKey { creds: res })`
Register user security keys 2022-04-21 17:24:26 +00:00			`}`
Get auth challenge 2022-04-23 16:56:14 +00:00
			`pub fn start_authentication(&self, user_id: &UserID, key: &WebauthnPubKey) -> Res<AuthRequest> {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`let (login_challenge, authentication_state) = self.core.start_passkey_authentication(&vec![`
Get auth challenge 2022-04-23 16:56:14 +00:00			`key.creds.clone()`
			`])?;`

			`Ok(AuthRequest {`
			`opaque_state: self.crypto_wrapper.encrypt(&AuthStateOpaqueData {`
Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`authentication_state: serde_json::to_string(&authentication_state)?,`
Get auth challenge 2022-04-23 16:56:14 +00:00			`user_id: user_id.clone(),`
Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`expire: time() + WEBAUTHN_LOGIN_CHALLENGE_EXPIRE,`
Get auth challenge 2022-04-23 16:56:14 +00:00			`})?,`
			`login_challenge,`
			`})`
			`}`
Managed to authenticate user using Webauthn 2022-04-23 18:17:49 +00:00
			`pub fn finish_authentication(&self, user_id: &UserID, opaque_state: &str,`
			`pub_cred: &PublicKeyCredential) -> Res {`
			`let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;`
			`if &state.user_id != user_id {`
			`return Err(Box::new(`
			`std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));`
			`}`

Add expiration to webauthn challenges 2022-04-23 18:22:32 +00:00			`if state.expire < time() {`
			`return Err(Box::new(`
			`std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));`
			`}`

Update `webauthn-rs` dependency 2022-08-24 11:33:40 +00:00			`self.core.finish_passkey_authentication(pub_cred,`
			`&serde_json::from_str(&state.authentication_state)?)?;`
Managed to authenticate user using Webauthn 2022-04-23 18:17:49 +00:00
			`Ok(())`
			`}`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`}`