lato 3.16.0 → 3.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '05116771901e6364c0b094f61367d9869ca4d7e3d1a3de2791d03ef89ad2ff4d'
-  data.tar.gz: f187a060e0ac99079fc2c652301ce1d489d996163bf6e636d0c7cba66f8e72ef
+  metadata.gz: 693630b5ecdde3bd76143d39982e7313c266188c30a1dbbd41b482a56db541c7
+  data.tar.gz: 77c4a9d2ae92e3669f1936590cc8b2bf5799ccfea9eccd904965d9c51cb26ffa
 SHA512:
-  metadata.gz: 535712544161d9d74577c4f5d1032dfc1767ccd562c10befd16b81f46d91c7c269eba62480922549b39d77f47025021faa408a2f582d7d4c559db78383ee4b76
-  data.tar.gz: ad25e774ed14a29f14c7ebaf401ba6159bd94b7df9a578bdaf2634f6292a7753f0703b06f3bf74402f99299d4a21d11182dbbedb45ae85695b35bc8926ce838f
+  metadata.gz: f56cbc6971fbe27fc566edea26979f3912f6133e47e71c9b11089aa1f035e66e41600179cad6f52be6b622d0dbd3780ce7c4226108a65dc57c3e3d004268cbe2
+  data.tar.gz: a9a0c32cfb747eceaf5dde8ec03c3590eb441a3ce24f53987618835bb5a315c8e1a9c9e4d106b5bcf314f4e2e52479d22cfdb62603cc853c969a774f197b4ae0

data/README.md

@@ -154,3 +154,18 @@ ruby ./bin/generate_docs.rb
 
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+Stiamo integrando l'autenticazione WebAuthn nel pannello Lato.
+L'idea è che l'utente, dal suo account, può, volontariamente, attivare l'autenticazione WebAuthn per il suo account.
+Una volta attivata, al login, dopo aver inserito email e password, l'utente dovrà autenticarsi con il dispositivo WebAuthn registrato (ad esempio una chiave di sicurezza FIDO2 o l'autenticazione biometrica del dispositivo).
+Se è attiva anche l'autenticazione a due fattori con Google Authenticator, l'utente dovrà scegliere quale dei due metodi utilizzare per completare l'autenticazione.
+
+Il modello Lato::User ha già i campi webauthn_id e webauthn_public_key da utilizzati per memorizzare le informazioni del dispositivo WebAuthn registrato.
+
+Modifica il flow di login per includere il passaggio di autenticazione WebAuthn se l'utente ha un dispositivo WebAuthn registrato.
+
+La logica dovrebbe essere la seguente:
+- Se Google Auth e WebAuthn non sono attivi o se l'utente non li ha collegati, il login procede normalmente.
+- Se solo Google Auth è attivo e l'utente lo ha collegato, dopo aver inserito email e password, l'utente viene reindirizzato alla pagina di inserimento del codice di Google Authenticator.
+- Se solo WebAuthn è attivo e l'utente lo ha collegato, dopo aver inserito email e password, l'utente viene reindirizzato alla pagina di autenticazione WebAuthn.
+- Se entrambi sono attivi e l'utente li ha collegati, dopo aver inserito email e password, l'utente deve scegliere quale metodo utilizzare per completare l'autenticazione.

data/app/assets/javascripts/lato/controllers/lato_account_webauthn_controller.js

@@ -0,0 +1,93 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ['credentialInput', 'submit', 'status']
+  static values = {
+    options: Object,
+    errorMessage: String
+  }
+
+  async connect() {
+    if (!this.hasOptionsValue) return
+
+    try {
+      // Converti le options in formato corretto per il browser
+      const publicKey = this.preparePublicKeyOptions(this.optionsValue)
+      
+      // Richiedi la creazione della credential al browser
+      const credential = await navigator.credentials.create({ publicKey })
+      
+      if (!credential) {
+        this.showError(this.errorMessageValue)
+        return
+      }
+
+      // Prepara il payload da inviare al server
+      const credentialPayload = this.prepareCredentialPayload(credential)
+      
+      // Popola il campo hidden con il payload
+      this.credentialInputTarget.value = JSON.stringify(credentialPayload)
+      
+      // Submit automatico del form
+      this.submitTarget.click()
+    } catch (error) {
+      console.error('WebAuthn error:', error)
+      this.showError(this.errorMessageValue)
+    }
+  }
+
+  preparePublicKeyOptions(options) {
+    return {
+      challenge: Uint8Array.from(atob(options.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)),
+      rp: options.rp,
+      user: {
+        id: Uint8Array.from(atob(options.user.id), c => c.charCodeAt(0)),
+        name: options.user.name,
+        displayName: options.user.displayName
+      },
+      pubKeyCredParams: options.pubKeyCredParams,
+      timeout: options.timeout,
+      excludeCredentials: options.excludeCredentials?.map(cred => ({
+        id: Uint8Array.from(atob(cred), c => c.charCodeAt(0)),
+        type: 'public-key'
+      })) || [],
+      authenticatorSelection: {
+        authenticatorAttachment: 'platform',
+        requireResidentKey: false,
+        userVerification: 'preferred'
+      },
+      attestation: 'none'
+    }
+  }
+
+  prepareCredentialPayload(credential) {
+    return {
+      id: credential.id,
+      rawId: this.arrayBufferToBase64(credential.rawId),
+      type: credential.type,
+      response: {
+        clientDataJSON: this.arrayBufferToBase64(credential.response.clientDataJSON),
+        attestationObject: this.arrayBufferToBase64(credential.response.attestationObject)
+      }
+    }
+  }
+
+  arrayBufferToBase64(buffer) {
+    const bytes = new Uint8Array(buffer)
+    let binary = ''
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i])
+    }
+    return btoa(binary)
+  }
+
+  showError(message) {
+    if (this.hasStatusTarget) {
+      this.statusTarget.innerHTML = `
+        <div class="alert alert-danger">
+          <h4 class="alert-heading">${message}</h4>
+        </div>
+      `
+    }
+  }
+}

data/app/assets/javascripts/lato/controllers/lato_webauthn_auth_controller.js

@@ -0,0 +1,110 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ['credential']
+  static values = {
+    options: Object
+  }
+
+  async authenticate(event) {
+    event.preventDefault()
+
+    if (!this.hasOptionsValue) {
+      console.error('WebAuthn options not provided')
+      return
+    }
+
+    try {
+      // Log per debug
+      console.log('WebAuthn options:', this.optionsValue)
+      
+      // Converti le options in formato corretto per il browser
+      const publicKey = this.preparePublicKeyOptions(this.optionsValue)
+      
+      console.log('Prepared publicKey:', publicKey)
+      
+      // Richiedi l'autenticazione al browser
+      const credential = await navigator.credentials.get({ publicKey })
+      
+      if (!credential) {
+        alert('Autenticazione fallita')
+        return
+      }
+
+      // Prepara il payload da inviare al server
+      const credentialPayload = this.prepareCredentialPayload(credential)
+      
+      // Popola il campo hidden con il payload
+      this.credentialTarget.value = JSON.stringify(credentialPayload)
+      
+      // Submit del form
+      this.element.requestSubmit()
+    } catch (error) {
+      console.error('WebAuthn authentication error:', error)
+      alert('Errore durante l\'autenticazione: ' + error.message)
+    }
+  }
+
+  preparePublicKeyOptions(options) {
+    return {
+      challenge: this.base64urlToBuffer(options.challenge),
+      timeout: options.timeout || 60000,
+      rpId: options.rpId || options.rp_id,
+      allowCredentials: (options.allowCredentials || options.allow_credentials || []).map(cred => {
+        // Se cred è già un oggetto con id, usalo direttamente
+        if (typeof cred === 'object' && cred.id) {
+          return {
+            id: this.base64urlToBuffer(cred.id),
+            type: cred.type || 'public-key'
+          }
+        }
+        // Altrimenti, assumiamo che cred sia una stringa base64
+        return {
+          id: this.base64urlToBuffer(cred),
+          type: 'public-key'
+        }
+      }),
+      userVerification: options.userVerification || options.user_verification || 'preferred'
+    }
+  }
+
+  base64urlToBuffer(base64url) {
+    // Converti base64url in base64 standard
+    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/')
+    // Aggiungi padding se necessario
+    const padded = base64.padEnd(base64.length + (4 - base64.length % 4) % 4, '=')
+    // Decodifica e converti in Uint8Array
+    const binary = atob(padded)
+    const bytes = new Uint8Array(binary.length)
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i)
+    }
+    return bytes
+  }
+
+  prepareCredentialPayload(credential) {
+    return {
+      id: credential.id,
+      rawId: this.arrayBufferToBase64url(credential.rawId),
+      type: credential.type,
+      response: {
+        clientDataJSON: this.arrayBufferToBase64url(credential.response.clientDataJSON),
+        authenticatorData: this.arrayBufferToBase64url(credential.response.authenticatorData),
+        signature: this.arrayBufferToBase64url(credential.response.signature),
+        userHandle: credential.response.userHandle ? this.arrayBufferToBase64url(credential.response.userHandle) : null
+      }
+    }
+  }
+
+  arrayBufferToBase64url(buffer) {
+    const bytes = new Uint8Array(buffer)
+    let binary = ''
+    for (let i = 0; i < bytes.byteLength; i++) {
+      binary += String.fromCharCode(bytes[i])
+    }
+    // Converti in base64 standard
+    const base64 = btoa(binary)
+    // Converti in base64url (rimuovi padding e sostituisci caratteri)
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+  }
+}

data/app/controllers/lato/account_controller.rb

@@ -17,12 +17,12 @@ module Lato
       end
     end
 
-    def update_web3_action
-      return respond_to_with_not_found unless Lato.config.web3_connection
+    def update_authenticator_action
+      return respond_to_with_not_found unless Lato.config.authenticator_connection
 
-      if @session.user.web3_address
+      if @session.user.authenticator_secret
         respond_to do |format|
-          if @session.user.remove_web3_connection
+          if @session.user.remove_authenticator_secret
             format.html { redirect_to lato.account_path }
             format.json { render json: @session.user }
           else
@@ -30,47 +30,96 @@ module Lato
             format.json { render json: @session.user.errors, status: :unprocessable_entity }
           end
         end
-      elsif session[:web3_nonce]
+      else
         respond_to do |format|
-          if @session.user.add_web3_connection(params.require(:user).permit(:web3_address, :web3_signed_nonce).merge(web3_nonce: session[:web3_nonce]))
-            session[:web3_nonce] = nil
+          if @session.user.generate_authenticator_secret
             format.html { redirect_to lato.account_path }
             format.json { render json: @session.user }
           else
-            session[:web3_nonce] = nil
             format.html { render :index, status: :unprocessable_entity }
             format.json { render json: @session.user.errors, status: :unprocessable_entity }
           end
         end
-      else
-        respond_to do |format|
-          if session[:web3_nonce] = SecureRandom.hex(32)
+      end
+    end
+
+    def update_webauthn_action
+      return respond_to_with_not_found unless Lato.config.webauthn_connection
+
+      respond_to do |format|
+        command = params.dig(:user, :webauthn_command)
+
+        case command
+        when 'remove'
+          if @session.user.remove_webauthn_credential
+            reset_webauthn_registration_state
             format.html { redirect_to lato.account_path }
             format.json { render json: @session.user }
           else
             format.html { render :index, status: :unprocessable_entity }
             format.json { render json: @session.user.errors, status: :unprocessable_entity }
           end
+        when 'cancel'
+          reset_webauthn_registration_state
+          format.html { redirect_to lato.account_path }
+          format.json { render json: {} }
+        when 'complete'
+          permitted = params.require(:user).permit(:webauthn_credential)
+
+          if @session.user.register_webauthn_credential(permitted[:webauthn_credential], session[:webauthn_registration_challenge])
+            reset_webauthn_registration_state
+            format.html { redirect_to lato.account_path }
+            format.json { render json: @session.user }
+          else
+            reset_webauthn_registration_state
+            format.html { render :index, status: :unprocessable_entity }
+            format.json { render json: @session.user.errors, status: :unprocessable_entity }
+          end
+        else
+          options = @session.user.webauthn_registration_options
+          session[:webauthn_registration_challenge] = Base64.strict_encode64(options.challenge)
+          session[:webauthn_registration_options] = options.as_json
+          format.html { redirect_to lato.account_path }
+          format.json { render json: { options: session[:webauthn_registration_options] } }
         end
       end
+    rescue StandardError => e
+      Rails.logger.error(e)
+      reset_webauthn_registration_state
+      respond_to do |format|
+        format.html { render :index, status: :unprocessable_entity }
+        format.json { render json: { error: :webauthn_unexpected_error }, status: :unprocessable_entity }
+      end
     end
 
-    def update_authenticator_action
-      return respond_to_with_not_found unless Lato.config.authenticator_connection
+    def update_web3_action
+      return respond_to_with_not_found unless Lato.config.web3_connection
 
-      if @session.user.authenticator_secret
+      if @session.user.web3_address
         respond_to do |format|
-          if @session.user.remove_authenticator_secret
+          if @session.user.remove_web3_connection
+            format.html { redirect_to lato.account_path }
+            format.json { render json: @session.user }
+          else
+            format.html { render :index, status: :unprocessable_entity }
+            format.json { render json: @session.user.errors, status: :unprocessable_entity }
+          end
+        end
+      elsif session[:web3_nonce]
+        respond_to do |format|
+          if @session.user.add_web3_connection(params.require(:user).permit(:web3_address, :web3_signed_nonce).merge(web3_nonce: session[:web3_nonce]))
+            session[:web3_nonce] = nil
             format.html { redirect_to lato.account_path }
             format.json { render json: @session.user }
           else
+            session[:web3_nonce] = nil
             format.html { render :index, status: :unprocessable_entity }
             format.json { render json: @session.user.errors, status: :unprocessable_entity }
           end
         end
       else
         respond_to do |format|
-          if @session.user.generate_authenticator_secret
+          if session[:web3_nonce] = SecureRandom.hex(32)
             format.html { redirect_to lato.account_path }
             format.json { render json: @session.user }
           else
@@ -142,5 +191,12 @@ module Lato
         end
       end
     end
+
+    private
+
+    def reset_webauthn_registration_state
+      session[:webauthn_registration_challenge] = nil
+      session[:webauthn_registration_options] = nil
+    end
   end
 end

data/app/controllers/lato/authentication_controller.rb

@@ -6,11 +6,13 @@ module Lato
 
     before_action :find_user, only: %i[verify_email verify_email_action update_password update_password_action]
     before_action :find_invitation, only: %i[accept_invitation accept_invitation_action]
+    before_action :find_authentication_user, only: %i[authentication_method authentication_method_action webauthn webauthn_action]
 
     before_action :lock_signup_if_disabled, only: %i[signup signup_action]
     before_action :lock_recover_password_if_disabled, only: %i[recover_password recover_password_action update_password update_password_action]
     before_action :lock_web3_if_disabled, only: %i[web3_signin web3_signin_action]
     before_action :lock_authenticator_if_disabled, only: %i[authenticator authenticator_action]
+    before_action :lock_webauthn_if_disabled, only: %i[webauthn webauthn_action]
 
     before_action :hide_sidebar
 
@@ -29,11 +31,13 @@ module Lato
           ip_address: request.remote_ip,
           user_agent: request.user_agent
         ))
-          if create_session_or_start_authenticator(@user)
-            format.html { redirect_to lato.root_path }
+          redirect_path = determine_authentication_redirect(@user)
+          if redirect_path
+            format.html { redirect_to redirect_path }
             format.json { render json: @user }
           else
-            format.html { redirect_to lato.authentication_authenticator_path }
+            session_create(@user.id)
+            format.html { redirect_to lato.root_path }
             format.json { render json: @user }
           end
         else
@@ -58,11 +62,13 @@ module Lato
           web3_nonce: session[:web3_nonce]
         ))
           session[:web3_nonce] = nil
-          if create_session_or_start_authenticator(@user)
-            format.html { redirect_to lato.root_path }
+          redirect_path = determine_authentication_redirect(@user)
+          if redirect_path
+            format.html { redirect_to redirect_path }
             format.json { render json: @user }
           else
-            format.html { redirect_to lato.authentication_authenticator_path }
+            session_create(@user.id)
+            format.html { redirect_to lato.root_path }
             format.json { render json: @user }
           end
         else
@@ -191,20 +197,45 @@ module Lato
       end
     end
 
+    # Authentication method choice
+    ##
+
+    def authentication_method; end
+
+    def authentication_method_action
+      method = params[:method]
+      
+      respond_to do |format|
+        case method
+        when 'authenticator'
+          session[:authentication_method] = 'authenticator'
+          format.html { redirect_to lato.authentication_authenticator_path }
+          format.json { render json: { redirect: lato.authentication_authenticator_path } }
+        when 'webauthn'
+          session[:authentication_method] = 'webauthn'
+          format.html { redirect_to lato.authentication_webauthn_path }
+          format.json { render json: { redirect: lato.authentication_webauthn_path } }
+        else
+          format.html { redirect_to lato.authentication_signin_path }
+          format.json { render json: { error: 'Invalid method' }, status: :unprocessable_entity }
+        end
+      end
+    end
+
     # Authenticator
     ##
 
     def authenticator
-      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+      @user = Lato::User.find_by_id(session[:authentication_user_id])
       return respond_to_with_not_found unless @user
     end
 
     def authenticator_action
-      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+      @user = Lato::User.find_by_id(session[:authentication_user_id])
 
       respond_to do |format|
         if @user.authenticator(params.require(:user).permit(:authenticator_code))
-          session[:authenticator_user_id] = nil
+          clear_authentication_session
           session_create(@user.id)
 
           format.html { redirect_to lato.root_path }
@@ -216,6 +247,31 @@ module Lato
       end
     end
 
+    # WebAuthn
+    ##
+
+    def webauthn
+      @options = @user.webauthn_authentication_options
+      session[:webauthn_challenge] = @options.challenge
+    end
+
+    def webauthn_action
+      respond_to do |format|
+        if @user.webauthn_authentication(params.require(:user).permit(:webauthn_credential), session[:webauthn_challenge])
+          clear_authentication_session
+          session_create(@user.id)
+
+          format.html { redirect_to lato.root_path }
+          format.json { render json: @user }
+        else
+          @options = @user.webauthn_authentication_options
+          session[:webauthn_challenge] = @options.challenge
+          format.html { render :webauthn, status: :unprocessable_entity }
+          format.json { render json: @user.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+
     private
 
     def registration_params
@@ -232,14 +288,32 @@ module Lato
       respond_to_with_not_found unless @invitation
     end
 
-    def create_session_or_start_authenticator(user)
-      if !Lato.config.authenticator_connection || Lato.config.auth_disable_authenticator || !user.authenticator_enabled?
-        session_create(user.id)
-        return true
+    def find_authentication_user
+      @user = Lato::User.find_by_id(session[:authentication_user_id])
+      respond_to_with_not_found unless @user
+    end
+
+    def determine_authentication_redirect(user)
+      authenticator_enabled = Lato.config.authenticator_connection && !Lato.config.auth_disable_authenticator && user.authenticator_enabled?
+      webauthn_enabled = Lato.config.webauthn_connection && !Lato.config.auth_disable_webauthn && user.webauthn_enabled?
+
+      return nil unless authenticator_enabled || webauthn_enabled
+
+      session[:authentication_user_id] = user.id
+
+      if authenticator_enabled && webauthn_enabled
+        lato.authentication_authentication_method_path
+      elsif authenticator_enabled
+        lato.authentication_authenticator_path
+      elsif webauthn_enabled
+        lato.authentication_webauthn_path
       end
+    end
 
-      session[:authenticator_user_id] = user.id
-      false
+    def clear_authentication_session
+      session[:authentication_user_id] = nil
+      session[:authentication_method] = nil
+      session[:webauthn_challenge] = nil
     end
 
     def lock_signup_if_disabled
@@ -267,6 +341,12 @@ module Lato
       respond_to_with_not_found
     end
 
+    def lock_webauthn_if_disabled
+      return if Lato.config.webauthn_connection && !Lato.config.auth_disable_webauthn
+
+      respond_to_with_not_found
+    end
+
     def verify_hcaptcha(render_key)
       return true unless Lato.config.hcaptcha_site_key && Lato.config.hcaptcha_secret