pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge factors type for authentication

Browse Source
This commit is contained in:
Pierre HUBERT
2022-11-11 12:26:02 +01:00
parent 8d231c0b45
commit af383720b7
44 changed files with 1177 additions and 674 deletions
Download Patch File Download Diff File Expand all files Collapse all files

243
src/controllers/login_controller.rs
View File

@ -1,17 +1,19 @@
use actix::Addr;
use actix_identity::Identity;
use actix_web::{HttpRequest, HttpResponse, Responder, web};
use actix_web::{web, HttpRequest, HttpResponse, Responder};
use askama::Template;
use crate::actors::{bruteforce_actor, users_actor};
use crate::actors::bruteforce_actor::BruteForceActor;
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
use crate::actors::{bruteforce_actor, users_actor};
use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user, redirect_user_for_login};
use crate::controllers::base_controller::{
build_fatal_error_page, redirect_user, redirect_user_for_login,
};
use crate::data::login_redirect::LoginRedirect;
use crate::data::remote_ip::RemoteIP;
use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::data::user::{FactorID, TwoFactor, TwoFactorType, User};
use crate::data::user::User;
use crate::data::webauthn_manager::WebAuthManagerReq;
struct BaseLoginPage<'a> {
@ -40,26 +42,23 @@ struct PasswordResetTemplate<'a> {
#[template(path = "login/choose_second_factor.html")]
struct ChooseSecondFactorTemplate<'a> {
_p: BaseLoginPage<'a>,
factors: &'a [TwoFactor],
user: &'a User,
}
#[derive(Template)]
#[template(path = "login/opt_input.html")]
#[template(path = "login/otp_input.html")]
struct LoginWithOTPTemplate<'a> {
_p: BaseLoginPage<'a>,
factor: &'a TwoFactor,
}
#[derive(Template)]
#[template(path = "login/webauthn_input.html")]
struct LoginWithWebauthnTemplate<'a> {
_p: BaseLoginPage<'a>,
factor: &'a TwoFactor,
opaque_state: String,
challenge_json: String,
}
#[derive(serde::Deserialize)]
pub struct LoginRequestBody {
login: String,
@ -87,13 +86,17 @@ pub async fn login_route(
let mut success = None;
let mut login = String::new();
let failed_attempts = bruteforce.send(bruteforce_actor::CountFailedAttempt { ip: remote_ip.into() })
.await.unwrap();
let failed_attempts = bruteforce
.send(bruteforce_actor::CountFailedAttempt {
ip: remote_ip.into(),
})
.await
.unwrap();
if failed_attempts > MAX_FAILED_LOGIN_ATTEMPTS {
return HttpResponse::TooManyRequests().body(
build_fatal_error_page("Too many failed login attempts, please try again later!")
);
return HttpResponse::TooManyRequests().body(build_fatal_error_page(
"Too many failed login attempts, please try again later!",
));
}
// Check if user session must be closed
@ -103,22 +106,24 @@ pub async fn login_route(
}
success = Some("Goodbye!".to_string());
}
// Check if user is already authenticated
else if SessionIdentity(id.as_ref()).is_authenticated() {
return redirect_user(query.redirect.get());
}
// Check if the password of the user has to be changed
else if SessionIdentity(id.as_ref()).need_new_password() {
return redirect_user(&format!("/reset_password?redirect={}", query.redirect.get_encoded()));
return redirect_user(&format!(
"/reset_password?redirect={}",
query.redirect.get_encoded()
));
}
// Check if the user has to valide a second factor
else if SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user(&format!("/2fa_auth?redirect={}", query.redirect.get_encoded()));
return redirect_user(&format!(
"/2fa_auth?redirect={}",
query.redirect.get_encoded()
));
}
// Try to authenticate user
else if let Some(req) = &req {
login = req.login.clone();
@ -150,10 +155,20 @@ pub async fn login_route(
}
c => {
log::warn!("Failed login for ip {:?} / username {}: {:?}", remote_ip, login, c);
log::warn!(
"Failed login for ip {:?} / username {}: {:?}",
remote_ip,
login,
c
);
danger = Some("Login failed.".to_string());
bruteforce.send(bruteforce_actor::RecordFailedAttempt { ip: remote_ip.into() }).await.unwrap();
bruteforce
.send(bruteforce_actor::RecordFailedAttempt {
ip: remote_ip.into(),
})
.await
.unwrap();
}
}
}
@ -169,8 +184,8 @@ pub async fn login_route(
},
login,
}
.render()
.unwrap(),
.render()
.unwrap(),
)
}
@ -191,10 +206,13 @@ pub struct PasswordResetQuery {
}
/// Reset user password route
pub async fn reset_password_route(id: Option<Identity>, query: web::Query<PasswordResetQuery>,
req: Option<web::Form<ChangePasswordRequestBody>>,
users: web::Data<Addr<UsersActor>>,
http_req: HttpRequest) -> impl Responder {
pub async fn reset_password_route(
id: Option<Identity>,
query: web::Query<PasswordResetQuery>,
req: Option<web::Form<ChangePasswordRequestBody>>,
users: web::Data<Addr<UsersActor>>,
http_req: HttpRequest,
) -> impl Responder {
let mut danger = None;
if !SessionIdentity(id.as_ref()).need_new_password() {
@ -235,8 +253,8 @@ pub async fn reset_password_route(id: Option<Identity>, query: web::Query<Passwo
},
min_pass_len: MIN_PASS_LEN,
}
.render()
.unwrap(),
.render()
.unwrap(),
)
}
@ -249,18 +267,27 @@ pub struct ChooseSecondFactorQuery {
}
/// Let the user select the factor to use to authenticate
pub async fn choose_2fa_method(id: Option<Identity>, query: web::Query<ChooseSecondFactorQuery>,
users: web::Data<Addr<UsersActor>>) -> impl Responder {
pub async fn choose_2fa_method(
id: Option<Identity>,
query: web::Query<ChooseSecondFactorQuery>,
users: web::Data<Addr<UsersActor>>,
) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
log::trace!("User does not require 2fa auth, redirecting");
return redirect_user_for_login(query.redirect.get());
}
let user: User = users.send(users_actor::GetUserRequest(SessionIdentity(id.as_ref()).user_id()))
.await.unwrap().0.expect("Could not find user!");
let user: User = users
.send(users_actor::GetUserRequest(
SessionIdentity(id.as_ref()).user_id(),
))
.await
.unwrap()
.0
.expect("Could not find user!");
// Automatically choose factor if there is only one factor
if user.two_factor.len() == 1 && !query.force_display {
if user.get_distinct_factors_types().len() == 1 && !query.force_display {
log::trace!("User has only one factor, using it by default");
return redirect_user(&user.two_factor[0].login_url(&query.redirect));
}
@ -274,10 +301,10 @@ pub async fn choose_2fa_method(id: Option<Identity>, query: web::Query<ChooseSec
app_name: APP_NAME,
redirect_uri: &query.redirect,
},
factors: &user.two_factor,
user: &user,
}
.render()
.unwrap(),
.render()
.unwrap(),
)
}
@ -285,7 +312,6 @@ pub async fn choose_2fa_method(id: Option<Identity>, query: web::Query<ChooseSec
pub struct LoginWithOTPQuery {
#[serde(default)]
redirect: LoginRedirect,
id: FactorID,
}
#[derive(serde::Deserialize)]
@ -293,35 +319,39 @@ pub struct LoginWithOTPForm {
code: String,
}
/// Login with OTP
pub async fn login_with_otp(id: Option<Identity>, query: web::Query<LoginWithOTPQuery>,
form: Option<web::Form<LoginWithOTPForm>>,
users: web::Data<Addr<UsersActor>>,
http_req: HttpRequest) -> impl Responder {
pub async fn login_with_otp(
id: Option<Identity>,
query: web::Query<LoginWithOTPQuery>,
form: Option<web::Form<LoginWithOTPForm>>,
users: web::Data<Addr<UsersActor>>,
http_req: HttpRequest,
) -> impl Responder {
let mut danger = None;
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get());
}
let user: User = users.send(users_actor::GetUserRequest(SessionIdentity(id.as_ref()).user_id()))
.await.unwrap().0.expect("Could not find user!");
let user: User = users
.send(users_actor::GetUserRequest(
SessionIdentity(id.as_ref()).user_id(),
))
.await
.unwrap()
.0
.expect("Could not find user!");
let factor = match user.find_factor(&query.id) {
Some(f) => f,
None => return HttpResponse::Ok().body(build_fatal_error_page("Factor not found!"))
};
let key = match &factor.kind {
TwoFactorType::TOTP(key) => key,
_ => {
return HttpResponse::Ok().body(build_fatal_error_page("Factor is not a TOTP key!"));
}
};
let keys = user.get_otp_factors();
if keys.is_empty() {
return HttpResponse::Ok().body(build_fatal_error_page("Factor not found!"));
}
if let Some(form) = form {
if !key.check_code(&form.code).unwrap_or(false) {
if !keys
.iter()
.any(|k| k.check_code(&form.code).unwrap_or(false))
{
danger = Some("Specified code is invalid!".to_string());
} else {
SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
@ -329,56 +359,60 @@ pub async fn login_with_otp(id: Option<Identity>, query: web::Query<LoginWithOTP
}
}
HttpResponse::Ok().body(LoginWithOTPTemplate {
_p: BaseLoginPage {
danger,
success: None,
page_title: "Two-Factor Auth",
app_name: APP_NAME,
redirect_uri: &query.redirect,
},
factor,
}.render().unwrap())
HttpResponse::Ok().body(
LoginWithOTPTemplate {
_p: BaseLoginPage {
danger,
success: None,
page_title: "Two-Factor Auth",
app_name: APP_NAME,
redirect_uri: &query.redirect,
},
}
.render()
.unwrap(),
)
}
#[derive(serde::Deserialize)]
pub struct LoginWithWebauthnQuery {
#[serde(default)]
redirect: LoginRedirect,
id: FactorID,
}
/// Login with Webauthn
pub async fn login_with_webauthn(id: Option<Identity>, query: web::Query<LoginWithWebauthnQuery>,
manager: WebAuthManagerReq,
users: web::Data<Addr<UsersActor>>) -> impl Responder {
pub async fn login_with_webauthn(
id: Option<Identity>,
query: web::Query<LoginWithWebauthnQuery>,
manager: WebAuthManagerReq,
users: web::Data<Addr<UsersActor>>,
) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get());
}
let user: User = users.send(users_actor::GetUserRequest(SessionIdentity(id.as_ref()).user_id()))
.await.unwrap().0.expect("Could not find user!");
let user: User = users
.send(users_actor::GetUserRequest(
SessionIdentity(id.as_ref()).user_id(),
))
.await
.unwrap()
.0
.expect("Could not find user!");
let factor = match user.find_factor(&query.id) {
Some(f) => f,
None => return HttpResponse::Ok().body(build_fatal_error_page("Factor not found!"))
};
let pub_keys = user.get_webauthn_pub_keys();
if pub_keys.is_empty() {
return HttpResponse::Ok()
.body(build_fatal_error_page("No Webauthn public key registered!"));
}
let key = match &factor.kind {
TwoFactorType::WEBAUTHN(key) => key,
_ => {
return HttpResponse::Ok()
.body(build_fatal_error_page("Factor is not a Webauthn key!"));
}
};
let challenge = match manager.start_authentication(&user.uid, key) {
let challenge = match manager.start_authentication(&user.uid, &pub_keys) {
Ok(c) => c,
Err(e) => {
log::error!("Failed to generate webauthn challenge! {:?}", e);
return HttpResponse::InternalServerError()
.body(build_fatal_error_page("Failed to generate webauthn challenge"));
return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to generate webauthn challenge",
));
}
};
@ -390,16 +424,19 @@ pub async fn login_with_webauthn(id: Option<Identity>, query: web::Query<LoginWi
}
};
HttpResponse::Ok().body(LoginWithWebauthnTemplate {
_p: BaseLoginPage {
danger: None,
success: None,
page_title: "Two-Factor Auth",
app_name: APP_NAME,
redirect_uri: &query.redirect,
},
factor,
opaque_state: challenge.opaque_state,
challenge_json: urlencoding::encode(&challenge_json).to_string(),
}.render().unwrap())
}
HttpResponse::Ok().body(
LoginWithWebauthnTemplate {
_p: BaseLoginPage {
danger: None,
success: None,
page_title: "Two-Factor Auth",
app_name: APP_NAME,
redirect_uri: &query.redirect,
},
opaque_state: challenge.opaque_state,
challenge_json: urlencoding::encode(&challenge_json).to_string(),
}
.render()
.unwrap(),
)
}