src/constants.rs

@@ -56,4 +56,8 @@ pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
 pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;
 pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600;
 pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120;
-pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
+pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
+
+/// Webauthn constants
+pub const WEBAUTHN_REGISTER_CHALLENGE_EXPIRE: u64 = 3600;
+pub const WEBAUTHN_LOGIN_CHALLENGE_EXPIRE: u64 = 3600;

src/data/webauthn_manager.rs

@@ -5,11 +5,12 @@ use actix_web::web;
 use webauthn_rs::{AuthenticationState, RegistrationState, Webauthn, WebauthnConfig};
 use webauthn_rs::proto::{CreationChallengeResponse, Credential, PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse};
 
-use crate::constants::APP_NAME;
+use crate::constants::{APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE};
 use crate::data::app_config::AppConfig;
 use crate::data::crypto_wrapper::CryptoWrapper;
 use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
+use crate::utils::time::time;
 
 #[derive(Debug)]
 struct WebAuthnAppConfig {
@@ -45,7 +46,7 @@ pub struct RegisterKeyRequest {
 struct RegisterKeyOpaqueData {
     registration_state: RegistrationState,
     user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }
 
 pub struct AuthRequest {
@@ -57,7 +58,7 @@ pub struct AuthRequest {
 struct AuthStateOpaqueData {
     authentication_state: AuthenticationState,
     user_id: UserID,
-    // TODO : add time
+    expire: u64,
 }
 
 
@@ -93,6 +94,7 @@ impl WebAuthManager {
             opaque_state: self.crypto_wrapper.encrypt(&RegisterKeyOpaqueData {
                 registration_state,
                 user_id: user.uid.clone(),
+                expire: time() + WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,
             })?,
             creation_challenge,
         })
@@ -106,6 +108,11 @@ impl WebAuthManager {
                 std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
         }
 
+        if state.expire < time() {
+            return Err(Box::new(
+                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
+        }
+
         let res = self.core
             .register_credential(&pub_cred, &state.registration_state, |_| Ok(false))?;
 
@@ -121,6 +128,7 @@ impl WebAuthManager {
             opaque_state: self.crypto_wrapper.encrypt(&AuthStateOpaqueData {
                 authentication_state,
                 user_id: user_id.clone(),
+                expire: time() + WEBAUTHN_LOGIN_CHALLENGE_EXPIRE,
             })?,
             login_challenge,
         })
@@ -134,6 +142,11 @@ impl WebAuthManager {
                 std::io::Error::new(ErrorKind::Other, "Invalid user for pubkey!")));
         }
 
+        if state.expire < time() {
+            return Err(Box::new(
+                std::io::Error::new(ErrorKind::Other, "Challenge has expired!")));
+        }
+
         self.core.authenticate_credential(pub_cred, &state.authentication_state)?;
 
         Ok(())