import * as Koa from 'koa'; import * as bcrypt from 'bcryptjs'; import * as speakeasy from 'speakeasy'; import { publishMainStream } from '../../../services/stream'; import signin from '../common/signin'; import config from '../../../config'; import { Users, Signins, UserProfiles, UserSecurityKeys, AttestationChallenges } from '../../../models'; import { ILocalUser } from '../../../models/entities/user'; import { genId } from '../../../misc/gen-id'; import { ensure } from '../../../prelude/ensure'; import { verifyLogin, hash } from '../2fa'; export default async (ctx: Koa.BaseContext) => { ctx.set('Access-Control-Allow-Origin', config.url); ctx.set('Access-Control-Allow-Credentials', 'true'); const body = ctx.request.body as any; const username = body['username']; const password = body['password']; const token = body['token']; if (typeof username != 'string') { ctx.status = 400; return; } if (typeof password != 'string') { ctx.status = 400; return; } if (token != null && typeof token != 'string') { ctx.status = 400; return; } // Fetch user const user = await Users.findOne({ usernameLower: username.toLowerCase(), host: null }) as ILocalUser; if (user == null) { ctx.throw(404, { error: 'user not found' }); return; } const profile = await UserProfiles.findOne(user.id).then(ensure); // Compare password const same = await bcrypt.compare(password, profile.password!); async function fail(status?: number, failure?: {error: string}) { // Append signin history const record = await Signins.save({ id: genId(), createdAt: new Date(), userId: user.id, ip: ctx.ip, headers: ctx.headers, success: !!(status || failure) }); // Publish signin event publishMainStream(user.id, 'signin', await Signins.pack(record)); if (status && failure) { ctx.throw(status, failure); } } if (!same) { await fail(403, { error: 'incorrect password' }); return; } if (!profile.twoFactorEnabled) { signin(ctx, user); return; } if (token) { const verified = (speakeasy as any).totp.verify({ secret: profile.twoFactorSecret, encoding: 'base32', token: token }); if (verified) { signin(ctx, user); return; } else { await fail(403, { error: 'invalid token' }); return; } } else { const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex'); const clientData = JSON.parse(clientDataJSON.toString('utf-8')); const challenge = await AttestationChallenges.findOne({ userId: user.id, id: body.challengeId, registrationChallenge: false, challenge: hash(clientData.challenge).toString('hex') }); if (!challenge) { await fail(403, { error: 'non-existent challenge' }); return; } await AttestationChallenges.delete({ userId: user.id, id: body.challengeId }); if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) { await fail(403, { error: 'non-existent challenge' }); return; } const securityKey = await UserSecurityKeys.findOne({ id: Buffer.from( body.credentialId .replace(/\-/g, '+') .replace(/_/g, '/'), 'base64' ).toString('hex') }); if (!securityKey) { await fail(403, { error: 'invalid credentialId' }); return; } const isValid = verifyLogin({ publicKey: Buffer.from(securityKey.publicKey, 'hex'), authenticatorData: Buffer.from(body.authenticatorData, 'hex'), clientDataJSON, clientData, signature: Buffer.from(body.signature, 'hex'), challenge: challenge.challenge }); if (isValid) { signin(ctx, user); } else { await fail(403, { error: 'invalid challenge data' }); return; } } await fail(); };