Add expiration to webauthn challenges

2022-04-23 20:22:32 +02:00
parent 9e345895ff
commit 933c8ff024
2 changed files with 21 additions and 4 deletions
--- a/src/constants.rs
+++ b/src/constants.rs
@@ -57,3 +57,7 @@ pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;
 pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600;
 pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120;
 pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
 /// Webauthn constants
 pub const WEBAUTHN_REGISTER_CHALLENGE_EXPIRE: u64 = 3600;
 pub const WEBAUTHN_LOGIN_CHALLENGE_EXPIRE: u64 = 3600;
--- a/src/data/webauthn_manager.rs
+++ b/src/data/webauthn_manager.rs
@@ -5,11 +5,12 @@ use actix_web::web;
 use webauthn_rs::{AuthenticationState, RegistrationState, Webauthn, WebauthnConfig};
 use webauthn_rs::proto::{CreationChallengeResponse, Credential, PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse};
-use crate::constants::APP_NAME;
+use crate::constants::{APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE};
 use crate::data::app_config::AppConfig;
 use crate::data::crypto_wrapper::CryptoWrapper;
 use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
 use crate::utils::time::time;
 #[derive(Debug)]
 struct WebAuthnAppConfig {
@@ -45,7 +46,7 @@ pub struct RegisterKeyRequest {
 struct RegisterKeyOpaqueData {
    registration_state: RegistrationState,
    user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }
 pub struct AuthRequest {
@@ -57,7 +58,7 @@ pub struct AuthRequest {
 struct AuthStateOpaqueData {
    authentication_state: AuthenticationState,
    user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }
@@ -93,6 +94,7 @@ impl WebAuthManager {
            opaque_state: self.crypto_wrapper.encrypt(&RegisterKeyOpaqueData {
                registration_state,
                user_id: user.uid.clone(),
                expire: time() + WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,
            })?,
            creation_challenge,
        })
@@ -106,6 +108,11 @@ impl WebAuthManager {
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }
        if state.expire < time() {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
        }
        let res = self.core
            .register_credential(&pub_cred, &state.registration_state, |_| Ok(false))?;
@@ -121,6 +128,7 @@ impl WebAuthManager {
            opaque_state: self.crypto_wrapper.encrypt(&AuthStateOpaqueData {
                authentication_state,
                user_id: user_id.clone(),
                expire: time() + WEBAUTHN_LOGIN_CHALLENGE_EXPIRE,
            })?,
            login_challenge,
        })
@@ -134,6 +142,11 @@ impl WebAuthManager {
                std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
        }
        if state.expire < time() {
            return Err(Box::new(
                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
        }
        self.core.authenticate_credential(pub_cred, &state.authentication_state)?;
        Ok(())