@things-factory/auth-base 7.0.1-rc.1 → 7.0.1-rc.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "7.0.1-rc.1",
+  "version": "7.0.1-rc.10",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -30,20 +30,21 @@
     "migration:create": "node ../../node_modules/typeorm/cli.js migration:create -d ./server/migrations"
   },
   "dependencies": {
-    "@things-factory/email-base": "^7.0.1-rc.1",
-    "@things-factory/env": "^7.0.1-rc.0",
-    "@things-factory/shell": "^7.0.1-rc.1",
-    "@things-factory/utils": "^7.0.1-rc.0",
+    "@simplewebauthn/browser": "^10.0.0",
+    "@simplewebauthn/server": "^10.0.0",
+    "@things-factory/email-base": "^7.0.1-rc.10",
+    "@things-factory/env": "^7.0.1-rc.8",
+    "@things-factory/shell": "^7.0.1-rc.10",
+    "@things-factory/utils": "^7.0.1-rc.7",
     "@types/webappsec-credential-management": "^0.6.8",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
     "koa-session": "^6.4.0",
     "oauth2orize-koa": "^1.3.2",
     "passport": "^0.7.0",
-    "passport-fido2-webauthn": "^0.1.0",
+    "passport-custom": "^1.1.1",
     "passport-jwt": "^4.0.0",
-    "passport-local": "^1.0.0",
-    "popsicle-cookie-jar": "^1.0.0"
+    "passport-local": "^1.0.0"
   },
-  "gitHead": "fa52d291483c4aa913a9c6a9a4463a73058b1b0d"
+  "gitHead": "259524f7aeb4368a5a4792aa31e4d11b525dbb28"
 }

package/server/constants/error-code.ts

@@ -15,6 +15,6 @@ export const PASSWORD_PATTERN_NOT_MATCHED = 'password should match the rule'
 export const USER_DUPLICATED = 'user duplicated'
 export const PASSWORD_USED_PAST = 'password used in the past'
 export const VERIFICATION_ERROR = 'user or verification token not found'
+export const AUTHN_VERIFICATION_FAILED = 'authn verification failed'
 export const USER_CREDENTIAL_NOT_FOUND = 'user credential not found'
 export const AUTH_ERROR = 'auth error'
-export const FIDO2_CERT_UNSUPPORTED = 'fido2 certificate unsupported'

package/server/middlewares/webauthn-middleware.ts

@@ -1,80 +1,123 @@
 import passport from 'koa-passport'
-import { Strategy as WebAuthnStrategy, SessionChallengeStore } from 'passport-fido2-webauthn'
+import { Strategy as CustomStrategy } from 'passport-custom'
 
 import { getRepository } from '@things-factory/shell'
 
 import { User } from '../service/user/user'
 import { AuthError } from '../errors/auth-error'
+
 import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
+import { verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server'
 
-export const store = new SessionChallengeStore()
+import { AuthenticatorAssertionResponse } from '@simplewebauthn/types'
 
 passport.use(
-  new WebAuthnStrategy(
-    { store },
-    async function verify(id: string, userHandle: Uint8Array, cb) {
-      const user = await getRepository(User).findOne({ where: { id: userHandle.toString() } })
-      if (!user) {
-        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND })
-      }
-      const credential = await getRepository(WebAuthCredential).findOne({
-        where: { credentialId: id, user: { id: user.id } }
-      })
-      if (!credential) {
-        return cb(null, false, { errorCode: AuthError.ERROR_CODES.USER_CREDENTIAL_NOT_FOUND })
-      }
+  'webauthn-register',
+  new CustomStrategy(async (context, done) => {
+    const { body, session, user, hostname, origin } = context as any
+
+    const challenge = session.challenge
+
+    const verification = await verifyRegistrationResponse({
+      response: body,
+      expectedChallenge: challenge,
+      expectedOrigin: origin,
+      expectedRPID: hostname,
+      expectedType: 'webauthn.create',
+      requireUserVerification: false
+    })
+
+    if (verification.verified) {
+      const { registrationInfo } = verification
+      const publicKey = Buffer.from(registrationInfo.credentialPublicKey).toString('base64')
 
-      try {
-        return cb(null, user, credential.publicKey)
-      } catch (error) {
-        console.error(error)
-        return cb(null, false, { errorCode: AuthError.ERROR_CODES.FIDO2_CERT_UNSUPPORTED })
+      if (user) {
+        const webAuthRepository = getRepository(WebAuthCredential)
+        await webAuthRepository.save({
+          user,
+          credentialId: registrationInfo.credentialID,
+          publicKey,
+          counter: registrationInfo.counter,
+          creator: user,
+          updater: user
+        })
       }
-    },
-    async function register(user, id, publicKey, cb) {
-      const userObject = await getRepository(User).findOne({ where: { id: user.id.toString() } })
-      const webAuthRepository = getRepository(WebAuthCredential)
-
-      const oldCredential = await webAuthRepository.findOne({
-        where: { user: { id: userObject.id }, publicKey: publicKey }
-      })
-
-      /* TODO publicKey 비교로는 중복된 등록을 막을 수 없다. */
-      if (oldCredential) {
-        await webAuthRepository.delete(oldCredential.id)
+
+      return done(null, user)
+    } else {
+      return done(null, false)
+    }
+  })
+)
+
+passport.use(
+  'webauthn-login',
+  new CustomStrategy(async (context, done) => {
+    const { body, session, origin, hostname } = context as any
+
+    const challenge = session.challenge
+
+    const assertionResponse = body as {
+      id: string
+      response: AuthenticatorAssertionResponse
+    }
+
+    const credential = await getRepository(WebAuthCredential).findOne({
+      where: {
+        credentialId: assertionResponse.id
+      },
+      relations: ['user']
+    })
+
+    if (!credential) {
+      return done(null, false)
+    }
+
+    const verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: challenge,
+      expectedOrigin: origin,
+      expectedRPID: hostname,
+      requireUserVerification: false,
+      authenticator: {
+        credentialID: credential.credentialId,
+        credentialPublicKey: new Uint8Array(Buffer.from(credential.publicKey, 'base64')),
+        counter: credential.counter
       }
+    })
 
-      await webAuthRepository.save({
-        user: userObject,
-        credentialId: id,
-        publicKey,
-        counter: 0
-      })
+    if (verification.verified) {
+      const { authenticationInfo } = verification
+      credential.counter = authenticationInfo.newCounter
+      await getRepository(WebAuthCredential).save(credential)
 
-      return cb(null, userObject)
+      const user = credential.user
+      return done(null, user)
+    } else {
+      return done(verification, false)
     }
-  )
+  })
 )
 
-export async function webAuthnMiddleware(context, next) {
-  return passport.authenticate(
-    'webauthn',
-    { session: true, failureMessage: true, failWithError: true },
-    async (err, user, info) => {
-      if (err || !user) {
-        if (info.errorCode) {
-          throw new AuthError(info)
-        } else {
+export function createWebAuthnMiddleware(strategy: 'webauthn-register' | 'webauthn-login') {
+  return async function webAuthnMiddleware(context, next) {
+    return passport.authenticate(
+      strategy,
+      { session: true, failureMessage: true, failWithError: true },
+      async (err, user) => {
+        if (err || !user) {
           throw new AuthError({
-            errorCode: AuthError.ERROR_CODES.AUTH_ERROR,
-            detail: info
+            errorCode: AuthError.ERROR_CODES.AUTHN_VERIFICATION_FAILED,
+            detail: err
           })
+        } else {
+          context.state.user = user
+
+          context.body = { user, verified: true }
         }
-      } else {
-        context.state.user = user
 
         await next()
       }
-    }
-  )(context, next)
+    )(context, next)
+  }
 }

package/server/router/webauthn-router.ts

@@ -1,55 +1,87 @@
-import util from 'util'
 import Router from 'koa-router'
+import { getRepository } from '@things-factory/shell'
+import { appPackage } from '@things-factory/env'
 
+import { generateRegistrationOptions, generateAuthenticationOptions } from '@simplewebauthn/server'
+
+import { WebAuthCredential } from '../service/web-auth-credential/web-auth-credential'
+import {
+  PublicKeyCredentialCreationOptionsJSON,
+} from '@simplewebauthn/server/script/deps'
 import { setAccessTokenCookie } from '../utils/access-token-cookie'
-import { store, webAuthnMiddleware } from '../middlewares/webauthn-middleware'
+import { createWebAuthnMiddleware } from '../middlewares/webauthn-middleware';
 
 export const webAuthnGlobalPublicRouter = new Router()
 export const webAuthnGlobalPrivateRouter = new Router()
 
-const challengeAsync = util.promisify(store.challenge).bind(store)
+const { name: rpName } = appPackage as any
 
-webAuthnGlobalPublicRouter.post('/auth/signin-webauthn/challenge', async (context, next) => {
-  const challenge = await challengeAsync({ ...context.request, session: context.session })
+webAuthnGlobalPrivateRouter.get('/auth/register-webauthn/challenge', async (context, next) => {
+  const { user } = context.state
+  const rpID = context.hostname
 
-  context.body = {
-    challenge: Buffer.from(challenge).toString('base64')
-  }
+  const webAuthCredentials = await getRepository(WebAuthCredential).find({
+    where: {
+      user: { id: user.id }
+    }
+  })
+
+  const options: PublicKeyCredentialCreationOptionsJSON = await generateRegistrationOptions({
+    rpName,
+    rpID,
+    userName: user.email,
+    userDisplayName: user.name,
+    // Don't prompt users for additional information about the authenticator
+    // (Recommended for smoother UX)
+    attestationType: 'none',
+    // Prevent users from re-registering existing authenticators
+    excludeCredentials: webAuthCredentials.map(credential => ({
+      id: credential.credentialId
+      // Optional
+      // transports: credential.transports
+    })),
+    authenticatorSelection: {
+      // Defaults
+      residentKey: 'preferred',
+      userVerification: 'preferred',
+      // Optional
+      authenticatorAttachment: 'platform'
+    }
+  })
+
+  context.session.challenge = options.challenge
+  context.body = options
 })
 
-webAuthnGlobalPublicRouter.post('/auth/signin-webauthn', webAuthnMiddleware, async (context, next) => {
-  const { domain, user } = context.state
-  const { request } = context
-  const { body: reqBody } = request
+webAuthnGlobalPrivateRouter.post('/auth/verify-registration', createWebAuthnMiddleware('webauthn-register'));
 
-  const token = await user.sign({ subdomain: domain?.subdomain })
-  setAccessTokenCookie(context, token)
+webAuthnGlobalPublicRouter.get('/auth/signin-webauthn/challenge', async (context, next) => {
+  const rpID = context.hostname
 
-  var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
+  const options = await generateAuthenticationOptions({
+    rpID,
+    userVerification: 'preferred'
+  })
 
-  /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
-  context.body = { redirectURL }
+  context.session.challenge = options.challenge
+  context.body = options
 })
 
-webAuthnGlobalPrivateRouter.post('/auth/register-webauthn/challenge', async (context, next) => {
-  const { user } = context.state
-  const { id, name } = user || {}
-
-  const challenge = await challengeAsync(
-    { ...context.request, session: context.session },
-    {
-      user: {
-        id
-      }
-    }
-  )
-
-  context.body = {
-    user: {
-      id: Buffer.from(id).toString('base64'),
-      name: name,
-      displayName: name
-    },
-    challenge: Buffer.from(challenge).toString('base64')
+webAuthnGlobalPublicRouter.post(
+  '/auth/signin-webauthn', createWebAuthnMiddleware('webauthn-login'),
+  async (context, next) => {
+    const { domain, user } = context. state
+    const { request } = context
+    const { body: reqBody } = request
+
+    const token = await user.sign({ subdomain: domain?.subdomain })
+    setAccessTokenCookie(context, token)
+
+    var redirectURL = `/auth/checkin${domain ? '/' + domain.subdomain : ''}?redirect_to=${encodeURIComponent(reqBody.redirectTo || '/')}`
+
+    /* 2단계 인터렉션 때문에 브라우저에서 fetch(...)로 진행될 것이므로, redirect(3xx) 응답으로 처리할 수 없다. 따라서, 데이타로 redirectURL를 응답한다. */
+    context.body = { redirectURL, verified: true }
+
+    await next();
   }
-})
+)

package/server/service/web-auth-credential/web-auth-credential.ts

@@ -11,6 +11,7 @@ import {
 } from 'typeorm'
 
 import { User } from '../user/user'
+import { AuthenticatorTransportFuture } from '@simplewebauthn/server/script/deps'
 
 @Entity()
 @Index(

package/translations/en.json

@@ -1,16 +1,17 @@
 {
   "error.auth error": "auth error. {message}",
+  "error.authn verification failed": "user credential verification failed.",
   "error.confirm password not matched": "new password and confirm password is not matched",
   "error.domain mismatch": "certificate is not for this domain",
   "error.domain not allowed": "user not allowed domain `{subdomain}`",
   "error.failed to find x": "failed to find {x}",
-  "error.fido2 certificate unsupported": "FIDO2 certificate unsupported",
   "error.password should match the rule": "password should match following rule. ${rule}",
   "error.password used in the past": "password used in the past",
   "error.subdomain not found": "domain not found",
   "error.token or password is invalid": "token or password is invalid",
   "error.unavailable-domain": "unavailable domain",
-  "error.user credential not found": "user credential not found. To use biometric authentication, you need to register your device first.",
+  "error.user credential registeration failed": "user credential registration failed. It may be an already registered credential.",
+  "error.user credential registration not allowed": "user credential registration failed. The registration timed out or was not allowed.",
   "error.user duplicated": "user duplicated",
   "error.user not activated": "user is not activated",
   "error.user not found": "user not found",

package/translations/ja.json

@@ -1,16 +1,17 @@
 {
   "error.auth error": "認証エラー。{message}",
+  "error.authn verification failed": "ユーザー認証に失敗しました。",
   "error.confirm password not matched": "新しいパスワードと確認パスワードが一致しません.",
   "error.domain mismatch": "証明書のドメインと現在のドメインが一致しません.",
   "error.domain not allowed": "'{subdomain}' 領域はこのユーザに許可されていません.",
   "error.failed to find x": "{x}が見つかりません.",
-  "error.fido2 certificate unsupported": "fido2証明書はサポートされていません",
   "error.password should match the rule": "パスワードは次の規則を守らなければなりません. {rule}",
   "error.password used in the past": "過去に使用されたパスワードです.",
   "error.subdomain not found": "サブドメインが見つかりません.",
   "error.token or password is invalid": "トークンまたはパスワードが無効です.",
   "error.unavailable-domain": "使用できないドメインです.",
-  "error.user credential not found": "ユーザー資格情報が見つかりません。生体認証を使用するには、まずデバイスを登録する必要があります。",
+  "error.user credential registeration failed": "ユーザー資格情報の登録に失敗しました。既に登録されている資格情報の可能性があります。",
+  "error.user credential registration not allowed": "ユーザー資格情報の登録に失敗しました。登録のタイムアウトまたは登録が許可されていません。",
   "error.user duplicated": "同じメールで登録されたアカウントが存在します.",
   "error.user not activated": "ユーザーがアクティブ化されていません.",
   "error.user not found": "ユーザーが存在しません.",

package/translations/ko.json

@@ -1,10 +1,10 @@
 {
   "error.auth error": "인증 오류. {message}",
+  "error.authn verification failed": "사용자 자격 증명을 실패하였습니다.",
   "error.confirm password not matched": "새 비밀번호와 확인 비밀번호가 일치하지 않습니다.",
   "error.domain mismatch": "인증서의 도메인과 현재 도메인이 일치하지 않습니다.",
   "error.domain not allowed": "'{subdomain}' 영역은 이 사용자에게 허가되지 않았습니다.",
   "error.failed to find x": "{x}을(를) 찾을 수 없습니다.",
-  "error.fido2 certificate unsupported": "제공된 인증서가 올바르지 않거나 지원되지 않는 형식입니다. 다른 로그인 방법을 사용하세요.",
   "error.password should match the rule": "비밀번호는 다음 규칙을 지켜야 합니다. {rule}",
   "error.password used in the past": "과거에 사용된 비밀번호입니다.",
   "error.subdomain not found": "서브도메인을 찾을 수 없습니다.",
@@ -15,6 +15,8 @@
   "error.user not activated": "사용자가 활성화되지 않았습니다.",
   "error.user not found": "사용자가 존재하지 않습니다.",
   "error.user or verification token not found": "사용자 또는 확인토큰을 찾을 수 없습니다.",
+  "error.user credential registeration failed": "사용자 인증서 등록이 실패하였습니다. 이미 등록된 인증서일 수 있습니다.",
+  "error.user credential registration not allowed": "사용자 인증서 등록이 실패하였습니다. 등록 시간이 초과되었거나 등록이 허용되지 않았습니다.",
   "error.user validation failed": "사용자 확인에 실패하였습니다.",
   "error.x is not a member of y": "{x}은(는) {y}의 멤버가 아닙니다.",
   "field.active": "활성화",

package/translations/ms.json

@@ -1,16 +1,17 @@
 {
   "error.auth error": "ralat pengesahan. {message}",
+  "error.authn verification failed": "pengesahan kelayakan pengguna gagal.",
   "error.confirm password not matched": "Kata laluan baru dan pengesahan kata laluan tidak sepadan",
   "error.domain mismatch": "Sijil tidak sesuai untuk domain ini",
   "error.domain not allowed": "Pengguna tidak dibenarkan domain `{subdomain}`",
   "error.failed to find x": "Gagal mencari {x}",
-  "error.fido2 certificate unsupported": "sijil fido2 tidak disokong",
   "error.password should match the rule": "Kata laluan harus mematuhi peraturan berikut. ${rule}",
   "error.password used in the past": "Kata laluan telah digunakan dalam masa lampau",
   "error.subdomain not found": "Domain tidak ditemui",
   "error.token or password is invalid": "Token atau kata laluan tidak sah",
   "error.unavailable-domain": "Domain tidak tersedia",
-  "error.user credential not found": "kelayakan pengguna tidak dijumpai. Untuk menggunakan pengesahan biometrik, anda perlu mendaftarkan peranti anda terlebih dahulu.",
+  "error.user credential registeration failed": "pendaftaran kelayakan pengguna gagal. Mungkin kelayakan tersebut sudah didaftarkan.",
+  "error.user credential registration not allowed": "pendaftaran kelayakan pengguna gagal. Masa pendaftaran telah tamat atau pendaftaran tidak dibenarkan.",
   "error.user duplicated": "Emel telah digunakan oleh akaun lain",
   "error.user not activated": "Pengguna tidak diaktifkan",
   "error.user not found": "Pengguna tidak ditemui",

package/translations/zh.json

@@ -1,16 +1,18 @@
 {
   "error.auth error": "认证错误。{message}",
+  "error.authn verification failed": "用户认证失败。",
+  "error.user verification failed": "用户验证失败",
   "error.confirm password not matched": "新密码与确认密码不匹配！",
   "error.domain mismatch": "证书不适用于该域！",
   "error.domain not allowed": "用户无权限使用`{subdomain}`域！",
   "error.failed to find x": "查询{x}失败！",
-  "error.fido2 certificate unsupported": "fido2证书不支持",
   "error.password should match the rule": "密码应符合以下规则。${rule}",
   "error.password used in the past": "使用过的密码！",
   "error.subdomain not found": "用户域查询失败！",
   "error.token or password is invalid": "令牌或密码无效！",
   "error.unavailable-domain": "不可用的域名",
-  "error.user credential not found": "用户凭证未找到。要使用生物识别认证，您需要先注册您的设备。",
+  "error.user credential registeration failed": "用户凭证注册失败。可能是已注册的凭证。",
+  "error.user credential registration not allowed": "用户凭证注册失败。注册超时或注册不被允许。",
   "error.user duplicated": "有一个用户帐户使用相同的电子邮件",
   "error.user not activated": "用户未激活！",
   "error.user not found": "找不到用户",