Depot API & v4 (#298)

* feat: nginx + torrential basics & services system * fix: lint + i18n * fix: update torrential to remove openssl * feat: add torrential to Docker build * feat: move to self hosted runner * fix: move off self-hosted runner * fix: update nginx.conf * feat: torrential cache invalidation * fix: update torrential for cache invalidation * feat: integrity check task * fix: lint * feat: move to version ids * fix: client fixes and client-side checks * feat: new depot apis and version id fixes * feat: update torrential * feat: droplet bump and remove unsafe update functions * fix: lint * feat: v4 featureset: emulators, multi-launch commands * fix: lint * fix: mobile ui for game editor * feat: launch options * fix: lint * fix: remove axios, use $fetch * feat: metadata and task api improvements * feat: task actions * fix: slight styling issue * feat: fix style and lints * feat: totp backend routes * feat: oidc groups * fix: update drop-base * feat: creation of passkeys & totp * feat: totp signin * feat: webauthn mfa/signin * feat: launch selecting ui * fix: manually running tasks * feat: update add company game modal to use new SelectorGame * feat: executor selector * fix(docker): update rust to rust nightly for torrential build (#305) * feat: new version ui * feat: move package lookup to build time to allow for deno dev * fix: lint * feat: localisation cleanup * feat: apply localisation cleanup * feat: potential i18n refactor logic * feat: remove args from commands * fix: lint * fix: lockfile --------- Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
2026-01-13 15:32:39 +11:00
parent 8ef983304c
commit 63ac2b8ffc
190 changed files with 5848 additions and 2309 deletions
@@ -0,0 +1,22 @@
+import sessionHandler from "~/server/internal/session";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const linkedMFAMec = await prisma.linkedMFAMec.findMany({
+    where: {
+      userId: session.authenticated.userId,
+    },
+    select: {
+      mec: true,
+    },
+  });
+
+  return linkedMFAMec.map((v) => v.mec);
+});
@@ -0,0 +1,48 @@
+import sessionHandler from "~/server/internal/session";
+import { type } from "arktype";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import { SecretKey, totp } from "otp-io";
+import { hmac } from "otp-io/crypto-web";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const TOTPBody = type({
+  code: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const body = await readDropValidatedBody(h3, TOTPBody);
+
+  const linkedMFAMec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+  });
+  if (!linkedMFAMec)
+    throw createError({ statusCode: 400, message: "TOTP not enabled" });
+
+  const secret = (linkedMFAMec.credentials as unknown as TOTPv1Credentials)
+    .secret;
+  const secretKeyBuffer = dropDecodeArrayBase64(secret);
+  const secretKey = new SecretKey(secretKeyBuffer);
+
+  const code = await totp(hmac, { secret: secretKey });
+  if (code !== body.code)
+    throw createError({ statusCode: 403, message: "Invalid TOTP code." });
+
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});
@@ -0,0 +1,108 @@
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const body = await readBody(h3);
+  const credentialId = body?.id;
+  if (!credentialId || typeof credentialId !== "string")
+    throw createError({
+      statusCode: 400,
+      message: "Missing credential id in body.",
+    });
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn setup not started for this session.",
+    });
+  const options = JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/challenge");
+
+  const mfaMec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+  });
+  if (!mfaMec)
+    throw createError({ statusCode: 400, message: "WebAuthn not enabled" });
+
+  const rpID = await getRpId();
+  const passkeys = (mfaMec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+  const passkeyIndex = passkeys.findIndex((v) => v.id === body.id);
+  if (passkeyIndex == -1)
+    throw createError({ statusCode: 400, message: "Invalid credential ID." });
+  const passkey = passkeys[passkeyIndex];
+
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+      credential: {
+        id: passkey.id,
+        publicKey: Buffer.from(dropDecodeArrayBase64(passkey.publicKey)),
+        counter: passkey.counter,
+        transports: passkey.transports ?? [],
+      },
+    });
+  } catch (error) {
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const { verified } = verification;
+  if (!verified)
+    throw createError({ statusCode: 403, message: "Invalid passkey." });
+
+  const { authenticationInfo } = verification;
+  const { newCounter } = authenticationInfo;
+
+  passkeys[passkeyIndex].counter = newCounter;
+  (mfaMec.credentials as unknown as WebAuthNv1Credentials).passkeys = passkeys;
+
+  // Safe because we query it at the start of the route
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+    data: {
+      credentials: mfaMec.credentials!,
+    },
+  });
+
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});
@@ -0,0 +1,49 @@
+import { generateAuthenticationOptions } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const mec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+  });
+  if (!mec)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn not enabled on account.",
+    });
+
+  const rpID = await getRpId();
+  const passkeys = (mec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+
+  const options = await generateAuthenticationOptions({
+    rpID,
+    allowCredentials: passkeys.map((v) => ({
+      id: v.id,
+      transports: v.transports ?? [],
+    })),
+  });
+
+  await sessionHandler.setSessionDataKey(
+    h3,
+    "webauthn/options",
+    JSON.stringify(options),
+  );
+
+  return options;
+});
@@ -0,0 +1,105 @@
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const body = await readBody(h3);
+  const credentialId = body?.id;
+  if (!credentialId || typeof credentialId !== "string")
+    throw createError({
+      statusCode: 400,
+      message: "Missing credential id in body.",
+    });
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn setup not started for this session.",
+    });
+  const options = JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/challenge");
+
+  // See WebAuthNv1Credentials for schema
+  const mfaMec = await prisma.linkedMFAMec.findFirst({
+    where: {
+      credentials: {
+        path: ["passkeys"],
+        array_contains: [
+          {
+            id: credentialId,
+          },
+        ],
+      },
+    },
+  });
+  if (!mfaMec)
+    throw createError({ statusCode: 404, message: "Passkey not found" });
+
+  const passkeys = (mfaMec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+  const passkeyIndex = passkeys.findIndex((v) => v.id === credentialId);
+  const passkey = passkeys[passkeyIndex]; // Exists guarantee by database
+
+  const rpID = await getRpId();
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+      credential: {
+        id: passkey.id,
+        publicKey: Buffer.from(dropDecodeArrayBase64(passkey.publicKey)),
+        counter: passkey.counter,
+        transports: passkey.transports ?? [],
+      },
+    });
+  } catch (error) {
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const { verified } = verification;
+  if (!verified)
+    throw createError({ statusCode: 403, message: "Invalid passkey." });
+
+  const { authenticationInfo } = verification;
+  const { newCounter } = authenticationInfo;
+
+  passkeys[passkeyIndex].counter = newCounter;
+  (mfaMec.credentials as unknown as WebAuthNv1Credentials).passkeys = passkeys;
+
+  // Safe because we query it before
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: mfaMec.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+    data: {
+      credentials: mfaMec.credentials!,
+    },
+  });
+
+  await sessionHandler.signin(h3, mfaMec.userId, true);
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});
@@ -0,0 +1,26 @@
+import { generateAuthenticationOptions } from "@simplewebauthn/server";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const rpID = await getRpId();
+
+  const options = await generateAuthenticationOptions({
+    rpID,
+    allowCredentials: [],
+  });
+
+  if (
+    !(await sessionHandler.setSessionDataKey(
+      h3,
+      "webauthn/options",
+      JSON.stringify(options),
+    ))
+  )
+    throw createError({
+      statusCode: 500,
+      message: "Failed to set session data key",
+    });
+
+  return options;
+});
@@ -84,8 +84,17 @@ export default defineEventHandler<{
      });

    // TODO: send user to forgot password screen or something to force them to change their password to new system
-    await sessionHandler.signin(h3, authMek.userId, body.rememberMe);
-    return { result: true, userId: authMek.userId };
+    const result = await sessionHandler.signin(
+      h3,
+      authMek.userId,
+      body.rememberMe,
+    );
+    if (result === "fail")
+      throw createError({
+        statusCode: 500,
+        message: "Failed to create session",
+      });
+    return { userId: authMek.userId, result };
  }

  // V2: argon2
@@ -102,6 +111,12 @@ export default defineEventHandler<{
      statusMessage: t("errors.auth.invalidUserOrPass"),
    });

-  await sessionHandler.signin(h3, authMek.userId, body.rememberMe);
-  return { result: true, userId: authMek.userId };
+  const result = await sessionHandler.signin(
+    h3,
+    authMek.userId,
+    body.rememberMe,
+  );
+  if (result == "fail")
+    throw createError({ statusCode: 500, message: "Failed to create session" });
+  return { userId: authMek.userId, result };
 });