javascript-solid-server 0.0.75 → 0.0.77

package/src/idp/interactions.js

@@ -3,8 +3,8 @@
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById, createAccount } from './accounts.js';
-import { loginPage, consentPage, errorPage, registerPage } from './views.js';
+import { authenticate, findById, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
+import { loginPage, consentPage, errorPage, registerPage, passkeyPromptPage } from './views.js';
 import * as storage from '../storage/filesystem.js';
 import { createPodStructure } from '../handlers/container.js';
 import { validateInvite } from './invites.js';
@@ -122,7 +122,31 @@ export async function handleLogin(request, reply, provider) {
       return reply.redirect(`/idp/interaction/${uid}`);
     }
 
-    // Login successful - complete the interaction
+    // Login successful
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
+
+    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
+    const acceptHeader = request.headers.accept || '';
+    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
+
+    // Check if user should see passkey prompt (browser only, no passkeys, not dismissed)
+    const fullAccount = await findById(account.id);
+    const shouldPromptPasskey = wantsBrowserRedirect &&
+      !fullAccount.passkeys?.length &&
+      !fullAccount.passkeyPromptDismissed;
+
+    if (shouldPromptPasskey) {
+      // Show passkey registration prompt before completing login
+      // Store the pending login in the interaction
+      interaction.result = {
+        login: { accountId: account.id, remember: true }
+      };
+      interaction.passkeyPromptPending = true;
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.type('text/html').send(passkeyPromptPage(uid, account.id));
+    }
+
+    // Complete the interaction
     const result = {
       login: {
         accountId: account.id,
@@ -130,12 +154,6 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    request.log.info({ accountId: account.id, uid }, 'Login successful');
-
-    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
-    const acceptHeader = request.headers.accept || '';
-    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
-
     // Save the login result to the interaction
     interaction.result = result;
     await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
@@ -433,3 +451,94 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly));
   }
 }
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-complete
+ * Completes OIDC interaction after passkey login or registration
+ */
+export async function handlePasskeyComplete(request, reply, provider) {
+  const { uid } = request.params;
+  const { accountId } = request.query;
+
+  if (!accountId) {
+    return reply.code(400).type('text/html').send(errorPage('Missing account', 'Account ID is required.'));
+  }
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // If this is a post-login passkey registration flow, validate accountId matches
+    // the already-authenticated user to prevent account takeover
+    if (interaction.passkeyPromptPending && interaction.result?.login?.accountId) {
+      if (interaction.result.login.accountId !== accountId) {
+        request.log.warn({ expected: interaction.result.login.accountId, provided: accountId }, 'AccountId mismatch in passkey complete');
+        return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
+      }
+    }
+
+    const account = await findById(accountId);
+    if (!account) {
+      return reply.code(404).type('text/html').send(errorPage('Account not found', 'The account could not be found.'));
+    }
+
+    // Update last login
+    await updateLastLogin(accountId);
+
+    // Complete the OIDC interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    request.log.info({ accountId: account.id, uid }, 'Passkey login completed');
+
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey complete error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-skip
+ * User skipped passkey registration, complete login
+ */
+export async function handlePasskeySkip(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate the interaction is in the passkey prompt state
+    if (!interaction.passkeyPromptPending) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in passkey prompt flow.'));
+    }
+
+    // Get the pending login result
+    const result = interaction.result;
+    if (!result?.login?.accountId) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'No pending login found.'));
+    }
+
+    // Mark passkey prompt as dismissed so we don't nag again
+    await setPasskeyPromptDismissed(result.login.accountId, true);
+
+    request.log.info({ accountId: result.login.accountId, uid }, 'Passkey prompt skipped');
+
+    // Complete the OIDC interaction
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey skip error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/passkey.js

@@ -0,0 +1,311 @@
+/**
+ * Passkey (WebAuthn) authentication endpoints
+ * Handles registration and authentication of passkey credentials
+ */
+
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse
+} from '@simplewebauthn/server';
+import crypto from 'crypto';
+import * as accounts from './accounts.js';
+
+// Temporary challenge storage (in-memory, cleared on restart)
+// For production clusters, use Redis or session storage
+const challenges = new Map();
+const MAX_CHALLENGES = 10000; // Prevent unbounded growth
+
+// Clean up expired challenges periodically
+// Use unref() so this timer doesn't prevent process exit (important for tests)
+const cleanupInterval = setInterval(() => {
+  const now = Date.now();
+  for (const [key, value] of challenges.entries()) {
+    if (now > value.expires) {
+      challenges.delete(key);
+    }
+  }
+}, 60000);
+cleanupInterval.unref();
+
+/**
+ * Store a challenge with size limit enforcement
+ */
+function storeChallenge(key, value) {
+  // If at capacity, remove oldest expired entries first
+  if (challenges.size >= MAX_CHALLENGES) {
+    const now = Date.now();
+    for (const [k, v] of challenges.entries()) {
+      if (now > v.expires) {
+        challenges.delete(k);
+      }
+      if (challenges.size < MAX_CHALLENGES) break;
+    }
+  }
+  // If still at capacity, reject (DoS protection)
+  if (challenges.size >= MAX_CHALLENGES) {
+    return false;
+  }
+  challenges.set(key, value);
+  return true;
+}
+
+/**
+ * Get Relying Party configuration from request
+ * Handles both IPv4 (with port) and IPv6 addresses correctly
+ */
+function getRP(request) {
+  let hostname;
+  try {
+    // Use URL parsing to correctly extract hostname (handles IPv6)
+    const url = new URL(`${request.protocol}://${request.hostname}`);
+    hostname = url.hostname;
+  } catch {
+    // Fallback: strip port from hostname (IPv4 only)
+    hostname = String(request.hostname || '').split(':')[0];
+  }
+  return {
+    name: 'Solid Pod',
+    id: hostname
+  };
+}
+
+/**
+ * Get origin from request
+ */
+function getOrigin(request) {
+  return `${request.protocol}://${request.hostname}`;
+}
+
+/**
+ * POST /idp/passkey/register/options
+ * Generate registration options for a logged-in user
+ */
+export async function registrationOptions(request, reply) {
+  const { accountId } = request.body || {};
+
+  if (!accountId) {
+    return reply.code(401).send({ error: 'Must provide accountId' });
+  }
+
+  const account = await accounts.findById(accountId);
+  if (!account) {
+    return reply.code(404).send({ error: 'Account not found' });
+  }
+
+  const rp = getRP(request);
+
+  const options = await generateRegistrationOptions({
+    rpName: rp.name,
+    rpID: rp.id,
+    userID: new TextEncoder().encode(account.id),
+    userName: account.username,
+    userDisplayName: account.username,
+    attestationType: 'none', // Don't require attestation for privacy
+    excludeCredentials: (account.passkeys || []).map(pk => ({
+      id: Buffer.from(pk.credentialId, 'base64url'),
+      type: 'public-key',
+      transports: pk.transports
+    })),
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    }
+  });
+
+  // Store challenge for verification with unique key (prevents race conditions from multiple tabs)
+  const challengeKey = crypto.randomUUID();
+  const stored = storeChallenge(challengeKey, {
+    challenge: options.challenge,
+    type: 'registration',
+    accountId: account.id,
+    expires: Date.now() + 60000 // 1 minute
+  });
+
+  if (!stored) {
+    return reply.code(503).send({ error: 'Server busy, try again later' });
+  }
+
+  return reply.send({ ...options, challengeKey });
+}
+
+/**
+ * POST /idp/passkey/register/verify
+ * Verify and store the registration response
+ */
+export async function registrationVerify(request, reply) {
+  const { accountId, credential, name, challengeKey } = request.body || {};
+
+  if (!accountId || !credential || !challengeKey) {
+    return reply.code(400).send({ error: 'Missing required fields' });
+  }
+
+  const stored = challenges.get(challengeKey);
+  if (!stored || stored.type !== 'registration' || Date.now() > stored.expires) {
+    return reply.code(400).send({ error: 'Challenge expired or invalid' });
+  }
+
+  // Verify the accountId matches the challenge
+  if (stored.accountId !== accountId) {
+    return reply.code(403).send({ error: 'Account mismatch' });
+  }
+
+  const account = await accounts.findById(accountId);
+  if (!account) {
+    return reply.code(404).send({ error: 'Account not found' });
+  }
+
+  const rp = getRP(request);
+
+  try {
+    const verification = await verifyRegistrationResponse({
+      response: credential,
+      expectedChallenge: stored.challenge,
+      expectedOrigin: getOrigin(request),
+      expectedRPID: rp.id
+    });
+
+    if (!verification.verified || !verification.registrationInfo) {
+      request.log.warn({ verified: verification.verified, hasInfo: !!verification.registrationInfo }, 'Passkey registration verification failed');
+      return reply.code(400).send({ error: 'Verification failed' });
+    }
+
+    const { credential: regCredential } = verification.registrationInfo;
+
+    await accounts.addPasskey(accountId, {
+      credentialId: regCredential.id, // Already base64url string
+      publicKey: Buffer.from(regCredential.publicKey).toString('base64url'),
+      counter: regCredential.counter,
+      transports: regCredential.transports || credential.response?.transports || [],
+      name: name || 'Security Key'
+    });
+
+    challenges.delete(challengeKey);
+
+    return reply.send({ success: true });
+  } catch (err) {
+    request.log.error({ err }, 'Passkey registration error');
+    return reply.code(400).send({ error: 'Passkey registration failed' });
+  }
+}
+
+/**
+ * POST /idp/passkey/login/options
+ * Generate authentication options
+ */
+export async function authenticationOptions(request, reply) {
+  const { username } = request.body || {};
+  const rp = getRP(request);
+
+  let allowCredentials = [];
+  let accountId = null;
+
+  // If username provided, limit to that user's credentials
+  if (username) {
+    const account = await accounts.findByUsername(username);
+    if (account && account.passkeys?.length) {
+      accountId = account.id;
+      allowCredentials = account.passkeys.map(pk => ({
+        id: Buffer.from(pk.credentialId, 'base64url'),
+        type: 'public-key',
+        transports: pk.transports
+      }));
+    }
+  }
+
+  const options = await generateAuthenticationOptions({
+    rpID: rp.id,
+    allowCredentials,
+    userVerification: 'preferred'
+  });
+
+  // Store challenge - use visitorId for anonymous requests
+  const challengeKey = accountId || request.body?.visitorId || crypto.randomUUID();
+  const stored = storeChallenge(challengeKey, {
+    challenge: options.challenge,
+    type: 'authentication',
+    accountId,
+    expires: Date.now() + 60000 // 1 minute
+  });
+
+  if (!stored) {
+    return reply.code(503).send({ error: 'Server busy, try again later' });
+  }
+
+  return reply.send({ ...options, challengeKey });
+}
+
+/**
+ * POST /idp/passkey/login/verify
+ * Verify authentication and return account info
+ */
+export async function authenticationVerify(request, reply) {
+  const { challengeKey, credential } = request.body || {};
+
+  if (!challengeKey || !credential) {
+    return reply.code(400).send({ error: 'Missing challengeKey or credential' });
+  }
+
+  const stored = challenges.get(challengeKey);
+  if (!stored || stored.type !== 'authentication' || Date.now() > stored.expires) {
+    return reply.code(400).send({ error: 'Challenge expired or invalid' });
+  }
+
+  // Find account by credential ID
+  const credentialId = credential.id;
+  const account = stored.accountId
+    ? await accounts.findById(stored.accountId)
+    : await accounts.findByCredentialId(credentialId);
+
+  if (!account) {
+    return reply.code(400).send({ error: 'Unknown credential' });
+  }
+
+  const passkey = account.passkeys?.find(pk => pk.credentialId === credentialId);
+  if (!passkey) {
+    return reply.code(400).send({ error: 'Credential not found' });
+  }
+
+  const rp = getRP(request);
+
+  try {
+    const verification = await verifyAuthenticationResponse({
+      response: credential,
+      expectedChallenge: stored.challenge,
+      expectedOrigin: getOrigin(request),
+      expectedRPID: rp.id,
+      credential: {
+        id: Buffer.from(passkey.credentialId, 'base64url'),
+        publicKey: Buffer.from(passkey.publicKey, 'base64url'),
+        counter: passkey.counter
+      }
+    });
+
+    if (!verification.verified) {
+      return reply.code(400).send({ error: 'Verification failed' });
+    }
+
+    // Update counter to prevent replay attacks
+    await accounts.updatePasskeyCounter(
+      account.id,
+      credentialId,
+      verification.authenticationInfo.newCounter
+    );
+
+    // Update last login
+    await accounts.updateLastLogin(account.id);
+
+    challenges.delete(challengeKey);
+
+    // Return account info for session creation
+    return reply.send({
+      success: true,
+      accountId: account.id,
+      webId: account.webId
+    });
+  } catch (err) {
+    request.log.error({ err }, 'Passkey authentication error');
+    return reply.code(400).send({ error: 'Authentication failed' });
+  }
+}