Depot API & v4 (#298)

* feat: nginx + torrential basics & services system

* fix: lint + i18n

* fix: update torrential to remove openssl

* feat: add torrential to Docker build

* feat: move to self hosted runner

* fix: move off self-hosted runner

* fix: update nginx.conf

* feat: torrential cache invalidation

* fix: update torrential for cache invalidation

* feat: integrity check task

* fix: lint

* feat: move to version ids

* fix: client fixes and client-side checks

* feat: new depot apis and version id fixes

* feat: update torrential

* feat: droplet bump and remove unsafe update functions

* fix: lint

* feat: v4 featureset: emulators, multi-launch commands

* fix: lint

* fix: mobile ui for game editor

* feat: launch options

* fix: lint

* fix: remove axios, use $fetch

* feat: metadata and task api improvements

* feat: task actions

* fix: slight styling issue

* feat: fix style and lints

* feat: totp backend routes

* feat: oidc groups

* fix: update drop-base

* feat: creation of passkeys & totp

* feat: totp signin

* feat: webauthn mfa/signin

* feat: launch selecting ui

* fix: manually running tasks

* feat: update add company game modal to use new SelectorGame

* feat: executor selector

* fix(docker): update rust to rust nightly for torrential build (#305)

* feat: new version ui

* feat: move package lookup to build time to allow for deno dev

* fix: lint

* feat: localisation cleanup

* feat: apply localisation cleanup

* feat: potential i18n refactor logic

* feat: remove args from commands

* fix: lint

* fix: lockfile

---------

Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>

server/api/v1/user/auth/index.get.ts

@@ -0,0 +1,19 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import { AuthMec } from "~/prisma/client/enums";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const authMecs = await prisma.linkedAuthMec.findMany({
+    where: {
+      userId,
+    },
+    omit: {
+      credentials: true,
+    },
+  });
+  const authMecMap = Object.fromEntries(authMecs.map((v) => [v.mec, v]));
+  return { mecs: authMecMap, available: Object.keys(AuthMec) };
+});

server/api/v1/user/mfa/index.get.ts

@@ -0,0 +1,38 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/enums";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const mfaMecs = await prisma.linkedMFAMec.findMany({
+    where: {
+      userId,
+    },
+  });
+  // Sanitise and convert to map
+  const mfaMecMap = Object.fromEntries(
+    mfaMecs.map((v) => {
+      switch (v.mec) {
+        case MFAMec.TOTP:
+          v.credentials = {};
+          break;
+        case MFAMec.WebAuthn: {
+          const newCredentials = (
+            v.credentials as unknown as WebAuthNv1Credentials
+          ).passkeys.map((v) => ({
+            name: v.name,
+            id: v.id,
+            created: v.created,
+          }));
+          v.credentials = newCredentials;
+          break;
+        }
+      }
+      return [v.mec, v];
+    }),
+  );
+  return { mecs: mfaMecMap, available: Object.keys(MFAMec) };
+});

server/api/v1/user/mfa/totp/finish.post.ts

@@ -0,0 +1,61 @@
+import aclManager from "~/server/internal/acls";
+import { totp, SecretKey } from "otp-io";
+import { hmac } from "otp-io/crypto";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import { createError } from "h3";
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const TOTPEnableBody = type({
+  code: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readDropValidatedBody(h3, TOTPEnableBody);
+
+  const existing = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+      enabled: false,
+    },
+  });
+  if (!existing)
+    throw createError({ statusCode: 400, message: "TOTP not started" });
+
+  const secret = (existing.credentials as unknown as TOTPv1Credentials).secret;
+  const secretKeyBuffer = dropDecodeArrayBase64(secret);
+  const secretKey = new SecretKey(secretKeyBuffer);
+
+  const code = await totp(hmac, { secret: secretKey });
+  if (body.code !== code)
+    throw createError({ statusCode: 400, message: "Invalid TOTP code." });
+
+  // Safe because we're updating something we just queried
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+    data: {
+      enabled: true,
+    },
+  });
+
+  return;
+});

server/api/v1/user/mfa/totp/start.post.ts

@@ -0,0 +1,63 @@
+import aclManager from "~/server/internal/acls";
+import { generateKey, getKeyUri } from "otp-io";
+import { randomBytes } from "otp-io/crypto";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropEncodeArrayBase64 } from "~/server/internal/auth/totp";
+import { b32e } from "~/server/internal/auth/base32";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const existing = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+  });
+
+  if (existing) {
+    if (!existing.enabled) {
+      // Safe because we're updating something we just queried
+      // eslint-disable-next-line drop/no-prisma-delete
+      await prisma.linkedMFAMec.delete({
+        where: { userId_mec: { userId: existing.userId, mec: existing.mec } },
+      });
+    } else {
+      throw createError({
+        statusCode: 400,
+        message: "Cannot set up TOTP authentication if already exists.",
+      });
+    }
+  }
+
+  const secret = generateKey(randomBytes, /* bytes: */ 20); // 5-20 good for Google Authenticator
+  const url = getKeyUri({
+    type: "totp",
+    secret,
+    name: userId,
+    issuer: "Drop",
+  });
+
+  await prisma.linkedMFAMec.create({
+    data: {
+      userId,
+      mec: MFAMec.TOTP,
+      version: 1,
+      credentials: {
+        secret: dropEncodeArrayBase64(secret.bytes),
+      } satisfies TOTPv1Credentials,
+      enabled: false,
+    },
+  });
+
+  return { url, secret: b32e(secret.bytes) };
+});

server/api/v1/user/mfa/webauthn/finish.post.ts

@@ -0,0 +1,110 @@
+import aclManager from "~/server/internal/acls";
+import { dropEncodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/enums";
+import sessionHandler from "~/server/internal/session";
+import type { PublicKeyCredentialCreationOptionsJSON } from "@simplewebauthn/server";
+import { verifyRegistrationResponse } from "@simplewebauthn/server";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readBody(h3);
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn not started for this session.",
+    });
+  const options: PublicKeyCredentialCreationOptionsJSON =
+    JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/options");
+
+  const rpID = await getRpId();
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+    });
+  } catch (error) {
+    console.error(error);
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const webauthnMec =
+    (await prisma.linkedMFAMec.findUnique({
+      where: { userId_mec: { userId, mec: MFAMec.WebAuthn } },
+    })) ??
+    (await prisma.linkedMFAMec.create({
+      data: {
+        userId,
+        mec: MFAMec.WebAuthn,
+        credentials: { passkeys: [] } satisfies WebAuthNv1Credentials,
+        version: 1,
+      },
+    }));
+
+  const { verified, registrationInfo } = verification;
+  if (!verified)
+    throw createError({
+      statusCode: 400,
+      message: "Failed to verify passkey.",
+    });
+  const { credential, credentialDeviceType, credentialBackedUp } =
+    registrationInfo!;
+
+  const name = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/passkeyname",
+  );
+
+  (webauthnMec.credentials as unknown as WebAuthNv1Credentials).passkeys.push({
+    name: name ?? "My New Passkey",
+    created: Date.now(),
+    userId,
+    webAuthnUserId: options.user.id,
+    id: credential.id,
+    publicKey: dropEncodeArrayBase64(credential.publicKey),
+    counter: credential.counter,
+    transports: credential.transports,
+    deviceType: credentialDeviceType,
+    backedUp: credentialBackedUp,
+  });
+
+  // Safe because we're updating something we just queried
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: webauthnMec.userId,
+        mec: webauthnMec.mec,
+      },
+    },
+    data: {
+      credentials: webauthnMec.credentials!,
+    },
+  });
+
+  return;
+});

server/api/v1/user/mfa/webauthn/start.post.ts

@@ -0,0 +1,56 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+import { generateRegistrationOptions } from "@simplewebauthn/server";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const CreatePasskey = type({
+  name: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readDropValidatedBody(h3, CreatePasskey);
+
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { displayName: true, username: true },
+  });
+  if (!user)
+    throw createError({
+      statusCode: 500,
+      message: "Session refers to non-existed user.",
+    });
+
+  const rpID = await getRpId();
+
+  const registrationOptions = await generateRegistrationOptions({
+    rpID,
+    rpName: "Drop",
+    userName: user.username,
+    attestationType: "none",
+    authenticatorSelection: {
+      requireResidentKey: true,
+      residentKey: "required",
+      userVerification: "preferred",
+    },
+  });
+
+  await sessionHandler.setSessionDataKey(
+    h3,
+    "webauthn/options",
+    JSON.stringify(registrationOptions),
+  );
+
+  await sessionHandler.setSessionDataKey(h3, "webauthn/passkeyname", body.name);
+
+  return registrationOptions;
+});

server/api/v1/user/superlevel.ts

@@ -0,0 +1,6 @@
+import aclManager from "~/server/internal/acls";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3);
+  return userId !== undefined;
+});