Add expiration to webauthn challenges

2022-04-23 20:22:32 +02:00
parent 9e345895ff
commit 933c8ff024
2 changed files with 21 additions and 4 deletions
--- a/src/data/webauthn_manager.rs
+++ b/src/data/webauthn_manager.rs
@@ -5,11 +5,12 @@ use actix_web::web;
 use webauthn_rs::{AuthenticationState, RegistrationState, Webauthn, WebauthnConfig};
 use webauthn_rs::proto::{CreationChallengeResponse, Credential, PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse};

-use crate::constants::APP_NAME;
+use crate::constants::{APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE};
 use crate::data::app_config::AppConfig;
 use crate::data::crypto_wrapper::CryptoWrapper;
 use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
+use crate::utils::time::time;

 #[derive(Debug)]
 struct WebAuthnAppConfig {
@@ -45,7 +46,7 @@ pub struct RegisterKeyRequest {
 struct RegisterKeyOpaqueData {
    registration_state: RegistrationState,
    user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }

 pub struct AuthRequest {
@@ -57,7 +58,7 @@ pub struct AuthRequest {
 struct AuthStateOpaqueData {
    authentication_state: AuthenticationState,
    user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }


@@ -93,6 +94,7 @@ impl WebAuthManager {
            opaque_state: self.crypto_wrapper.encrypt(&RegisterKeyOpaqueData {
                registration_state,
                user_id: user.uid.clone(),
+                expire: time() + WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,
            })?,
            creation_challenge,
        })
@@ -106,6 +108,11 @@ impl WebAuthManager {
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }

+        if state.expire < time() {
+            return Err(Box::new(
+                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
+        }
+
        let res = self.core
            .register_credential(&pub_cred, &state.registration_state, |_| Ok(false))?;

@@ -121,6 +128,7 @@ impl WebAuthManager {
            opaque_state: self.crypto_wrapper.encrypt(&AuthStateOpaqueData {
                authentication_state,
                user_id: user_id.clone(),
+                expire: time() + WEBAUTHN_LOGIN_CHALLENGE_EXPIRE,
            })?,
            login_challenge,
        })
@@ -134,6 +142,11 @@ impl WebAuthManager {
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }

+        if state.expire < time() {
+            return Err(Box::new(
+                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
+        }
+
        self.core.authenticate_credential(pub_cred, &state.authentication_state)?;

        Ok(())