mirror of
https://github.com/0xJacky/nginx-ui.git
synced 2025-05-11 10:25:52 +02:00
feat: 2fa via passkey
This commit is contained in:
Jacky
parent
bdfbbd0e8f
commit
0a6a7693a1
21 changed files with 384 additions and 218 deletions
156
api/user/2fa.go
Normal file
156
api/user/2fa.go
Normal file
|
|
@ -0,0 +1,156 @@
|
|||
package user
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"github.com/0xJacky/Nginx-UI/api"
|
||||
"github.com/0xJacky/Nginx-UI/internal/cache"
|
||||
"github.com/0xJacky/Nginx-UI/internal/passkey"
|
||||
"github.com/0xJacky/Nginx-UI/internal/user"
|
||||
"github.com/0xJacky/Nginx-UI/model"
|
||||
"github.com/0xJacky/Nginx-UI/query"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/go-webauthn/webauthn/webauthn"
|
||||
"github.com/google/uuid"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Status2FA struct {
|
||||
Enabled bool `json:"enabled"`
|
||||
OTPStatus bool `json:"otp_status"`
|
||||
PasskeyStatus bool `json:"passkey_status"`
|
||||
}
|
||||
|
||||
func get2FAStatus(c *gin.Context) (status Status2FA) {
|
||||
// when accessing the node from the main cluster, there is no user in the context
|
||||
u, ok := c.Get("user")
|
||||
if ok {
|
||||
userPtr := u.(*model.User)
|
||||
status.OTPStatus = userPtr.EnabledOTP()
|
||||
status.PasskeyStatus = userPtr.EnabledPasskey() && passkey.Enabled()
|
||||
status.Enabled = status.OTPStatus || status.PasskeyStatus
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func Get2FAStatus(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, get2FAStatus(c))
|
||||
}
|
||||
|
||||
func SecureSessionStatus(c *gin.Context) {
|
||||
status2FA := get2FAStatus(c)
|
||||
if !status2FA.Enabled {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
ssid := c.GetHeader("X-Secure-Session-ID")
|
||||
if ssid == "" {
|
||||
ssid = c.Query("X-Secure-Session-ID")
|
||||
}
|
||||
if ssid == "" {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
u := api.CurrentUser(c)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": user.VerifySecureSessionID(ssid, u.ID),
|
||||
})
|
||||
}
|
||||
|
||||
func Start2FASecureSessionByOTP(c *gin.Context) {
|
||||
var json struct {
|
||||
OTP string `json:"otp"`
|
||||
RecoveryCode string `json:"recovery_code"`
|
||||
}
|
||||
if !api.BindAndValid(c, &json) {
|
||||
return
|
||||
}
|
||||
u := api.CurrentUser(c)
|
||||
if !u.EnabledOTP() {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"message": "User has not configured OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if json.OTP == "" && json.RecoveryCode == "" {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "The user has enabled OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if err := user.VerifyOTP(u, json.OTP, json.RecoveryCode); err != nil {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "Invalid OTP or recovery code",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
}
|
||||
|
||||
func BeginStart2FASecureSessionByPasskey(c *gin.Context) {
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
options, sessionData, err := webauthnInstance.BeginLogin(u)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
passkeySessionID := uuid.NewString()
|
||||
cache.Set(passkeySessionID, sessionData, passkeyTimeout)
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": passkeySessionID,
|
||||
"options": options,
|
||||
})
|
||||
}
|
||||
|
||||
func FinishStart2FASecureSessionByPasskey(c *gin.Context) {
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
passkeySessionID := c.GetHeader("X-Passkey-Session-ID")
|
||||
sessionDataBytes, ok := cache.Get(passkeySessionID)
|
||||
if !ok {
|
||||
api.ErrHandler(c, fmt.Errorf("session not found"))
|
||||
return
|
||||
}
|
||||
sessionData := sessionDataBytes.(*webauthn.SessionData)
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
credential, err := webauthnInstance.FinishLogin(u, *sessionData, c.Request)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
rawID := strings.TrimRight(base64.StdEncoding.EncodeToString(credential.ID), "=")
|
||||
p := query.Passkey
|
||||
_, _ = p.Where(p.RawID.Eq(rawID)).Updates(&model.Passkey{
|
||||
LastUsedAt: time.Now().Unix(),
|
||||
})
|
||||
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
}
|
||||
|
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/0xJacky/Nginx-UI/settings"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/pkg/errors"
|
||||
"math/rand/v2"
|
||||
"net/http"
|
||||
"sync"
|
||||
"time"
|
||||
|
|
@ -67,7 +68,8 @@ func Login(c *gin.Context) {
|
|||
|
||||
u, err := user.Login(json.Name, json.Password)
|
||||
if err != nil {
|
||||
// time.Sleep(5 * time.Second)
|
||||
random := time.Duration(rand.Int() % 10)
|
||||
time.Sleep(random * time.Second)
|
||||
switch {
|
||||
case errors.Is(err, user.ErrPasswordIncorrect):
|
||||
c.JSON(http.StatusForbidden, LoginResponse{
|
||||
|
|
|
|||
|
|
@ -8,8 +8,6 @@ import (
|
|||
"fmt"
|
||||
"github.com/0xJacky/Nginx-UI/api"
|
||||
"github.com/0xJacky/Nginx-UI/internal/crypto"
|
||||
"github.com/0xJacky/Nginx-UI/internal/user"
|
||||
"github.com/0xJacky/Nginx-UI/model"
|
||||
"github.com/0xJacky/Nginx-UI/query"
|
||||
"github.com/0xJacky/Nginx-UI/settings"
|
||||
"github.com/gin-gonic/gin"
|
||||
|
|
@ -147,82 +145,3 @@ func ResetOTP(c *gin.Context) {
|
|||
"message": "ok",
|
||||
})
|
||||
}
|
||||
|
||||
func OTPStatus(c *gin.Context) {
|
||||
status := false
|
||||
u, ok := c.Get("user")
|
||||
if ok {
|
||||
status = u.(*model.User).EnabledOTP()
|
||||
}
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": status,
|
||||
})
|
||||
}
|
||||
|
||||
func SecureSessionStatus(c *gin.Context) {
|
||||
u, ok := c.Get("user")
|
||||
if !ok || !u.(*model.User).EnabledOTP() {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
ssid := c.GetHeader("X-Secure-Session-ID")
|
||||
if ssid == "" {
|
||||
ssid = c.Query("X-Secure-Session-ID")
|
||||
}
|
||||
if ssid == "" {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if user.VerifySecureSessionID(ssid, u.(*model.User).ID) {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": true,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
}
|
||||
|
||||
func StartSecure2FASession(c *gin.Context) {
|
||||
var json struct {
|
||||
OTP string `json:"otp"`
|
||||
RecoveryCode string `json:"recovery_code"`
|
||||
}
|
||||
if !api.BindAndValid(c, &json) {
|
||||
return
|
||||
}
|
||||
u := api.CurrentUser(c)
|
||||
if !u.EnabledOTP() {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"message": "User not configured with 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if json.OTP == "" && json.RecoveryCode == "" {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "The user has enabled 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if err := user.VerifyOTP(u, json.OTP, json.RecoveryCode); err != nil {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "Invalid 2FA or recovery code",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,6 +27,12 @@ func buildCachePasskeyRegKey(id int) string {
|
|||
return fmt.Sprintf("passkey-reg-%d", id)
|
||||
}
|
||||
|
||||
func GetPasskeyConfigStatus(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": passkey.Enabled(),
|
||||
})
|
||||
}
|
||||
|
||||
func BeginPasskeyRegistration(c *gin.Context) {
|
||||
u := api.CurrentUser(c)
|
||||
|
||||
|
|
@ -100,6 +106,10 @@ func BeginPasskeyLogin(c *gin.Context) {
|
|||
}
|
||||
|
||||
func FinishPasskeyLogin(c *gin.Context) {
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
sessionId := c.GetHeader("X-Passkey-Session-ID")
|
||||
sessionDataBytes, ok := cache.Get(sessionId)
|
||||
if !ok {
|
||||
|
|
|
|||
|
|
@ -25,17 +25,20 @@ func InitManageUserRouter(r *gin.RouterGroup) {
|
|||
}
|
||||
|
||||
func InitUserRouter(r *gin.RouterGroup) {
|
||||
r.GET("/otp_status", OTPStatus)
|
||||
r.GET("/2fa_status", Get2FAStatus)
|
||||
r.GET("/2fa_secure_session/status", SecureSessionStatus)
|
||||
r.POST("/2fa_secure_session/otp", Start2FASecureSessionByOTP)
|
||||
r.GET("/2fa_secure_session/passkey", BeginStart2FASecureSessionByPasskey)
|
||||
r.POST("/2fa_secure_session/passkey", FinishStart2FASecureSessionByPasskey)
|
||||
|
||||
r.GET("/otp_secret", GenerateTOTP)
|
||||
r.POST("/otp_enroll", EnrollTOTP)
|
||||
r.POST("/otp_reset", ResetOTP)
|
||||
|
||||
r.GET("/otp_secure_session_status", SecureSessionStatus)
|
||||
r.POST("/otp_secure_session", StartSecure2FASession)
|
||||
|
||||
r.GET("/begin_passkey_register", BeginPasskeyRegistration)
|
||||
r.POST("/finish_passkey_register", FinishPasskeyRegistration)
|
||||
|
||||
r.GET("/passkeys/config", GetPasskeyConfigStatus)
|
||||
r.GET("/passkeys", GetPasskeyList)
|
||||
r.POST("/passkeys/:id", UpdatePasskey)
|
||||
r.DELETE("/passkeys/:id", DeletePasskey)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue