mirror of
https://github.com/0xJacky/nginx-ui.git
synced 2025-05-11 10:25:52 +02:00
enhance: by default, passkey is used for 2fa if passkey is used to login
This commit is contained in:
parent
0a6a7693a1
commit
f42a6c2d08
13 changed files with 263 additions and 192 deletions
244
api/user/2fa.go
244
api/user/2fa.go
|
@ -1,156 +1,156 @@
|
|||
package user
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"github.com/0xJacky/Nginx-UI/api"
|
||||
"github.com/0xJacky/Nginx-UI/internal/cache"
|
||||
"github.com/0xJacky/Nginx-UI/internal/passkey"
|
||||
"github.com/0xJacky/Nginx-UI/internal/user"
|
||||
"github.com/0xJacky/Nginx-UI/model"
|
||||
"github.com/0xJacky/Nginx-UI/query"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/go-webauthn/webauthn/webauthn"
|
||||
"github.com/google/uuid"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"github.com/0xJacky/Nginx-UI/api"
|
||||
"github.com/0xJacky/Nginx-UI/internal/cache"
|
||||
"github.com/0xJacky/Nginx-UI/internal/passkey"
|
||||
"github.com/0xJacky/Nginx-UI/internal/user"
|
||||
"github.com/0xJacky/Nginx-UI/model"
|
||||
"github.com/0xJacky/Nginx-UI/query"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/go-webauthn/webauthn/webauthn"
|
||||
"github.com/google/uuid"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Status2FA struct {
|
||||
Enabled bool `json:"enabled"`
|
||||
OTPStatus bool `json:"otp_status"`
|
||||
PasskeyStatus bool `json:"passkey_status"`
|
||||
Enabled bool `json:"enabled"`
|
||||
OTPStatus bool `json:"otp_status"`
|
||||
PasskeyStatus bool `json:"passkey_status"`
|
||||
}
|
||||
|
||||
func get2FAStatus(c *gin.Context) (status Status2FA) {
|
||||
// when accessing the node from the main cluster, there is no user in the context
|
||||
u, ok := c.Get("user")
|
||||
if ok {
|
||||
userPtr := u.(*model.User)
|
||||
status.OTPStatus = userPtr.EnabledOTP()
|
||||
status.PasskeyStatus = userPtr.EnabledPasskey() && passkey.Enabled()
|
||||
status.Enabled = status.OTPStatus || status.PasskeyStatus
|
||||
}
|
||||
return
|
||||
// when accessing the node from the main cluster, there is no user in the context
|
||||
u, ok := c.Get("user")
|
||||
if ok {
|
||||
userPtr := u.(*model.User)
|
||||
status.OTPStatus = userPtr.EnabledOTP()
|
||||
status.PasskeyStatus = userPtr.EnabledPasskey() && passkey.Enabled()
|
||||
status.Enabled = status.OTPStatus || status.PasskeyStatus
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func Get2FAStatus(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, get2FAStatus(c))
|
||||
c.JSON(http.StatusOK, get2FAStatus(c))
|
||||
}
|
||||
|
||||
func SecureSessionStatus(c *gin.Context) {
|
||||
status2FA := get2FAStatus(c)
|
||||
if !status2FA.Enabled {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
status2FA := get2FAStatus(c)
|
||||
if !status2FA.Enabled {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
ssid := c.GetHeader("X-Secure-Session-ID")
|
||||
if ssid == "" {
|
||||
ssid = c.Query("X-Secure-Session-ID")
|
||||
}
|
||||
if ssid == "" {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
ssid := c.GetHeader("X-Secure-Session-ID")
|
||||
if ssid == "" {
|
||||
ssid = c.Query("X-Secure-Session-ID")
|
||||
}
|
||||
if ssid == "" {
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": false,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
u := api.CurrentUser(c)
|
||||
u := api.CurrentUser(c)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": user.VerifySecureSessionID(ssid, u.ID),
|
||||
})
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"status": user.VerifySecureSessionID(ssid, u.ID),
|
||||
})
|
||||
}
|
||||
|
||||
func Start2FASecureSessionByOTP(c *gin.Context) {
|
||||
var json struct {
|
||||
OTP string `json:"otp"`
|
||||
RecoveryCode string `json:"recovery_code"`
|
||||
}
|
||||
if !api.BindAndValid(c, &json) {
|
||||
return
|
||||
}
|
||||
u := api.CurrentUser(c)
|
||||
if !u.EnabledOTP() {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"message": "User has not configured OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
var json struct {
|
||||
OTP string `json:"otp"`
|
||||
RecoveryCode string `json:"recovery_code"`
|
||||
}
|
||||
if !api.BindAndValid(c, &json) {
|
||||
return
|
||||
}
|
||||
u := api.CurrentUser(c)
|
||||
if !u.EnabledOTP() {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"message": "User has not configured OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if json.OTP == "" && json.RecoveryCode == "" {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "The user has enabled OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
if json.OTP == "" && json.RecoveryCode == "" {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "The user has enabled OTP as 2FA",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if err := user.VerifyOTP(u, json.OTP, json.RecoveryCode); err != nil {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "Invalid OTP or recovery code",
|
||||
})
|
||||
return
|
||||
}
|
||||
if err := user.VerifyOTP(u, json.OTP, json.RecoveryCode); err != nil {
|
||||
c.JSON(http.StatusBadRequest, LoginResponse{
|
||||
Message: "Invalid OTP or recovery code",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
}
|
||||
|
||||
func BeginStart2FASecureSessionByPasskey(c *gin.Context) {
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
options, sessionData, err := webauthnInstance.BeginLogin(u)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
passkeySessionID := uuid.NewString()
|
||||
cache.Set(passkeySessionID, sessionData, passkeyTimeout)
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": passkeySessionID,
|
||||
"options": options,
|
||||
})
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
options, sessionData, err := webauthnInstance.BeginLogin(u)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
passkeySessionID := uuid.NewString()
|
||||
cache.Set(passkeySessionID, sessionData, passkeyTimeout)
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": passkeySessionID,
|
||||
"options": options,
|
||||
})
|
||||
}
|
||||
|
||||
func FinishStart2FASecureSessionByPasskey(c *gin.Context) {
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
passkeySessionID := c.GetHeader("X-Passkey-Session-ID")
|
||||
sessionDataBytes, ok := cache.Get(passkeySessionID)
|
||||
if !ok {
|
||||
api.ErrHandler(c, fmt.Errorf("session not found"))
|
||||
return
|
||||
}
|
||||
sessionData := sessionDataBytes.(*webauthn.SessionData)
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
credential, err := webauthnInstance.FinishLogin(u, *sessionData, c.Request)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
rawID := strings.TrimRight(base64.StdEncoding.EncodeToString(credential.ID), "=")
|
||||
p := query.Passkey
|
||||
_, _ = p.Where(p.RawID.Eq(rawID)).Updates(&model.Passkey{
|
||||
LastUsedAt: time.Now().Unix(),
|
||||
})
|
||||
if !passkey.Enabled() {
|
||||
api.ErrHandler(c, fmt.Errorf("WebAuthn settings are not configured"))
|
||||
return
|
||||
}
|
||||
passkeySessionID := c.GetHeader("X-Passkey-Session-ID")
|
||||
sessionDataBytes, ok := cache.Get(passkeySessionID)
|
||||
if !ok {
|
||||
api.ErrHandler(c, fmt.Errorf("session not found"))
|
||||
return
|
||||
}
|
||||
sessionData := sessionDataBytes.(*webauthn.SessionData)
|
||||
webauthnInstance := passkey.GetInstance()
|
||||
u := api.CurrentUser(c)
|
||||
credential, err := webauthnInstance.FinishLogin(u, *sessionData, c.Request)
|
||||
if err != nil {
|
||||
api.ErrHandler(c, err)
|
||||
return
|
||||
}
|
||||
rawID := strings.TrimRight(base64.StdEncoding.EncodeToString(credential.ID), "=")
|
||||
p := query.Passkey
|
||||
_, _ = p.Where(p.RawID.Eq(rawID)).Updates(&model.Passkey{
|
||||
LastUsedAt: time.Now().Unix(),
|
||||
})
|
||||
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
sessionId := user.SetSecureSessionID(u.ID)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"session_id": sessionId,
|
||||
})
|
||||
}
|
||||
|
|
|
@ -13,6 +13,8 @@ func InitAuthRouter(r *gin.RouterGroup) {
|
|||
|
||||
r.GET("/casdoor_uri", GetCasdoorUri)
|
||||
r.POST("/casdoor_callback", CasdoorCallback)
|
||||
|
||||
r.GET("/passkeys/config", GetPasskeyConfigStatus)
|
||||
}
|
||||
|
||||
func InitManageUserRouter(r *gin.RouterGroup) {
|
||||
|
@ -38,7 +40,6 @@ func InitUserRouter(r *gin.RouterGroup) {
|
|||
r.GET("/begin_passkey_register", BeginPasskeyRegistration)
|
||||
r.POST("/finish_passkey_register", FinishPasskeyRegistration)
|
||||
|
||||
r.GET("/passkeys/config", GetPasskeyConfigStatus)
|
||||
r.GET("/passkeys", GetPasskeyList)
|
||||
r.POST("/passkeys/:id", UpdatePasskey)
|
||||
r.DELETE("/passkeys/:id", DeletePasskey)
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue