2018-04-13 00:06:18 +03:00
|
|
|
import * as Koa from 'koa';
|
2017-01-18 07:19:50 +02:00
|
|
|
import * as bcrypt from 'bcryptjs';
|
2017-12-08 15:57:58 +02:00
|
|
|
import * as speakeasy from 'speakeasy';
|
2019-02-05 07:14:23 +02:00
|
|
|
import { publishMainStream } from '../../../services/stream';
|
2017-11-23 06:25:33 +02:00
|
|
|
import signin from '../common/signin';
|
2018-04-02 07:15:53 +03:00
|
|
|
import config from '../../../config';
|
2019-07-03 14:18:07 +03:00
|
|
|
import { Users, Signins, UserProfiles, UserSecurityKeys, AttestationChallenges } from '../../../models';
|
2019-04-07 15:50:36 +03:00
|
|
|
import { ILocalUser } from '../../../models/entities/user';
|
|
|
|
import { genId } from '../../../misc/gen-id';
|
2019-04-12 19:43:22 +03:00
|
|
|
import { ensure } from '../../../prelude/ensure';
|
2019-07-03 14:18:07 +03:00
|
|
|
import { verifyLogin, hash } from '../2fa';
|
2019-07-05 01:48:12 +03:00
|
|
|
import { randomBytes } from 'crypto';
|
2016-12-29 00:49:51 +02:00
|
|
|
|
2019-01-22 14:42:05 +02:00
|
|
|
export default async (ctx: Koa.BaseContext) => {
|
2018-04-13 00:06:18 +03:00
|
|
|
ctx.set('Access-Control-Allow-Origin', config.url);
|
|
|
|
ctx.set('Access-Control-Allow-Credentials', 'true');
|
2016-12-29 00:49:51 +02:00
|
|
|
|
2018-07-23 07:56:25 +03:00
|
|
|
const body = ctx.request.body as any;
|
2018-10-16 04:33:05 +03:00
|
|
|
const username = body['username'];
|
|
|
|
const password = body['password'];
|
2018-07-23 07:56:25 +03:00
|
|
|
const token = body['token'];
|
2016-12-29 00:49:51 +02:00
|
|
|
|
2017-02-22 12:39:34 +02:00
|
|
|
if (typeof username != 'string') {
|
2018-04-13 00:06:18 +03:00
|
|
|
ctx.status = 400;
|
2017-02-22 12:39:34 +02:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (typeof password != 'string') {
|
2018-04-13 00:06:18 +03:00
|
|
|
ctx.status = 400;
|
2017-02-22 12:39:34 +02:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-12-08 15:57:58 +02:00
|
|
|
if (token != null && typeof token != 'string') {
|
2018-04-13 00:06:18 +03:00
|
|
|
ctx.status = 400;
|
2017-12-08 15:57:58 +02:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-12-29 00:49:51 +02:00
|
|
|
// Fetch user
|
2019-04-07 15:50:36 +03:00
|
|
|
const user = await Users.findOne({
|
2018-03-29 08:48:47 +03:00
|
|
|
usernameLower: username.toLowerCase(),
|
2018-03-27 10:51:12 +03:00
|
|
|
host: null
|
2019-04-07 15:50:36 +03:00
|
|
|
}) as ILocalUser;
|
2016-12-29 00:49:51 +02:00
|
|
|
|
2019-04-07 15:50:36 +03:00
|
|
|
if (user == null) {
|
2018-04-13 00:06:18 +03:00
|
|
|
ctx.throw(404, {
|
2017-03-09 23:42:57 +02:00
|
|
|
error: 'user not found'
|
|
|
|
});
|
2016-12-29 00:49:51 +02:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-04-17 08:32:59 +03:00
|
|
|
const profile = await UserProfiles.findOne(user.id).then(ensure);
|
2019-04-10 09:04:27 +03:00
|
|
|
|
2016-12-29 00:49:51 +02:00
|
|
|
// Compare password
|
2019-04-12 19:43:22 +03:00
|
|
|
const same = await bcrypt.compare(password, profile.password!);
|
2016-12-29 00:49:51 +02:00
|
|
|
|
2019-07-03 14:18:07 +03:00
|
|
|
async function fail(status?: number, failure?: {error: string}) {
|
|
|
|
// Append signin history
|
|
|
|
const record = await Signins.save({
|
|
|
|
id: genId(),
|
|
|
|
createdAt: new Date(),
|
|
|
|
userId: user.id,
|
|
|
|
ip: ctx.ip,
|
|
|
|
headers: ctx.headers,
|
|
|
|
success: !!(status || failure)
|
|
|
|
});
|
2017-12-08 15:57:58 +02:00
|
|
|
|
2019-07-03 14:18:07 +03:00
|
|
|
// Publish signin event
|
|
|
|
publishMainStream(user.id, 'signin', await Signins.pack(record));
|
|
|
|
|
|
|
|
if (status && failure) {
|
|
|
|
ctx.throw(status, failure);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!profile.twoFactorEnabled) {
|
2019-07-06 19:38:36 +03:00
|
|
|
if (same) {
|
|
|
|
signin(ctx, user);
|
|
|
|
} else {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'incorrect password'
|
|
|
|
});
|
|
|
|
}
|
2019-07-03 14:18:07 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (token) {
|
2019-07-06 19:38:36 +03:00
|
|
|
if (!same) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'incorrect password'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-07-03 14:18:07 +03:00
|
|
|
const verified = (speakeasy as any).totp.verify({
|
|
|
|
secret: profile.twoFactorSecret,
|
|
|
|
encoding: 'base32',
|
|
|
|
token: token
|
|
|
|
});
|
|
|
|
|
|
|
|
if (verified) {
|
2018-04-13 05:44:39 +03:00
|
|
|
signin(ctx, user);
|
2019-07-03 14:18:07 +03:00
|
|
|
return;
|
|
|
|
} else {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'invalid token'
|
|
|
|
});
|
|
|
|
return;
|
2017-12-08 15:57:58 +02:00
|
|
|
}
|
2019-07-05 01:48:12 +03:00
|
|
|
} else if (body.credentialId) {
|
2019-07-06 19:38:36 +03:00
|
|
|
if (!same && !profile.usePasswordLessLogin) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'incorrect password'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-07-03 14:18:07 +03:00
|
|
|
const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
|
|
|
|
const clientData = JSON.parse(clientDataJSON.toString('utf-8'));
|
|
|
|
const challenge = await AttestationChallenges.findOne({
|
|
|
|
userId: user.id,
|
|
|
|
id: body.challengeId,
|
|
|
|
registrationChallenge: false,
|
|
|
|
challenge: hash(clientData.challenge).toString('hex')
|
2017-03-09 23:42:57 +02:00
|
|
|
});
|
2019-07-03 14:18:07 +03:00
|
|
|
|
|
|
|
if (!challenge) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'non-existent challenge'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
await AttestationChallenges.delete({
|
|
|
|
userId: user.id,
|
|
|
|
id: body.challengeId
|
|
|
|
});
|
|
|
|
|
|
|
|
if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'non-existent challenge'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const securityKey = await UserSecurityKeys.findOne({
|
|
|
|
id: Buffer.from(
|
|
|
|
body.credentialId
|
2019-07-05 01:48:12 +03:00
|
|
|
.replace(/-/g, '+')
|
2019-07-03 14:18:07 +03:00
|
|
|
.replace(/_/g, '/'),
|
|
|
|
'base64'
|
|
|
|
).toString('hex')
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!securityKey) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'invalid credentialId'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const isValid = verifyLogin({
|
|
|
|
publicKey: Buffer.from(securityKey.publicKey, 'hex'),
|
|
|
|
authenticatorData: Buffer.from(body.authenticatorData, 'hex'),
|
|
|
|
clientDataJSON,
|
|
|
|
clientData,
|
|
|
|
signature: Buffer.from(body.signature, 'hex'),
|
|
|
|
challenge: challenge.challenge
|
|
|
|
});
|
|
|
|
|
|
|
|
if (isValid) {
|
|
|
|
signin(ctx, user);
|
|
|
|
} else {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'invalid challenge data'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
2019-07-05 01:48:12 +03:00
|
|
|
} else {
|
2019-07-06 19:38:36 +03:00
|
|
|
if (!same && !profile.usePasswordLessLogin) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'incorrect password'
|
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-07-05 01:48:12 +03:00
|
|
|
const keys = await UserSecurityKeys.find({
|
|
|
|
userId: user.id
|
|
|
|
});
|
|
|
|
|
|
|
|
if (keys.length === 0) {
|
|
|
|
await fail(403, {
|
|
|
|
error: 'no keys found'
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// 32 byte challenge
|
|
|
|
const challenge = randomBytes(32).toString('base64')
|
|
|
|
.replace(/=/g, '')
|
|
|
|
.replace(/\+/g, '-')
|
|
|
|
.replace(/\//g, '_');
|
|
|
|
|
|
|
|
const challengeId = genId();
|
|
|
|
|
|
|
|
await AttestationChallenges.save({
|
|
|
|
userId: user.id,
|
|
|
|
id: challengeId,
|
|
|
|
challenge: hash(Buffer.from(challenge, 'utf-8')).toString('hex'),
|
|
|
|
createdAt: new Date(),
|
|
|
|
registrationChallenge: false
|
|
|
|
});
|
|
|
|
|
|
|
|
ctx.body = {
|
|
|
|
challenge,
|
|
|
|
challengeId,
|
|
|
|
securityKeys: keys.map(key => ({
|
|
|
|
id: key.id
|
|
|
|
}))
|
|
|
|
};
|
|
|
|
ctx.status = 200;
|
|
|
|
return;
|
2016-12-29 00:49:51 +02:00
|
|
|
}
|
|
|
|
|
2019-07-03 14:18:07 +03:00
|
|
|
await fail();
|
2016-12-29 00:49:51 +02:00
|
|
|
};
|