DecDuck
63ac2b8ffc
* feat: nginx + torrential basics & services system * fix: lint + i18n * fix: update torrential to remove openssl * feat: add torrential to Docker build * feat: move to self hosted runner * fix: move off self-hosted runner * fix: update nginx.conf * feat: torrential cache invalidation * fix: update torrential for cache invalidation * feat: integrity check task * fix: lint * feat: move to version ids * fix: client fixes and client-side checks * feat: new depot apis and version id fixes * feat: update torrential * feat: droplet bump and remove unsafe update functions * fix: lint * feat: v4 featureset: emulators, multi-launch commands * fix: lint * fix: mobile ui for game editor * feat: launch options * fix: lint * fix: remove axios, use $fetch * feat: metadata and task api improvements * feat: task actions * fix: slight styling issue * feat: fix style and lints * feat: totp backend routes * feat: oidc groups * fix: update drop-base * feat: creation of passkeys & totp * feat: totp signin * feat: webauthn mfa/signin * feat: launch selecting ui * fix: manually running tasks * feat: update add company game modal to use new SelectorGame * feat: executor selector * fix(docker): update rust to rust nightly for torrential build (#305) * feat: new version ui * feat: move package lookup to build time to allow for deno dev * fix: lint * feat: localisation cleanup * feat: apply localisation cleanup * feat: potential i18n refactor logic * feat: remove args from commands * fix: lint * fix: lockfile --------- Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
111 lines
3.2 KiB
TypeScript
111 lines
3.2 KiB
TypeScript
import aclManager from "~/server/internal/acls";
|
|
import { dropEncodeArrayBase64 } from "~/server/internal/auth/totp";
|
|
import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
|
|
import { getRpId } from "~/server/internal/auth/webauthn";
|
|
import prisma from "~/server/internal/db/database";
|
|
import { MFAMec } from "~/prisma/client/enums";
|
|
import sessionHandler from "~/server/internal/session";
|
|
import type { PublicKeyCredentialCreationOptionsJSON } from "@simplewebauthn/server";
|
|
import { verifyRegistrationResponse } from "@simplewebauthn/server";
|
|
import { systemConfig } from "~/server/internal/config/sys-conf";
|
|
|
|
export default defineEventHandler(async (h3) => {
|
|
const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
|
|
if (!userId)
|
|
throw createError({
|
|
statusCode: 403,
|
|
message: "Not signed in or superlevelled.",
|
|
});
|
|
|
|
const body = await readBody(h3);
|
|
|
|
const optionsRaw = await sessionHandler.getSessionDataKey<string>(
|
|
h3,
|
|
"webauthn/options",
|
|
);
|
|
if (!optionsRaw)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "WebAuthn not started for this session.",
|
|
});
|
|
const options: PublicKeyCredentialCreationOptionsJSON =
|
|
JSON.parse(optionsRaw);
|
|
await sessionHandler.deleteSessionDataKey(h3, "webauthn/options");
|
|
|
|
const rpID = await getRpId();
|
|
const externalUrl = await systemConfig.getExternalUrl();
|
|
const url = new URL(externalUrl);
|
|
|
|
let verification;
|
|
try {
|
|
verification = await verifyRegistrationResponse({
|
|
response: body,
|
|
expectedChallenge: options.challenge,
|
|
expectedOrigin: url.origin,
|
|
expectedRPID: rpID,
|
|
});
|
|
} catch (error) {
|
|
console.error(error);
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: (error as string)?.toString(),
|
|
});
|
|
}
|
|
|
|
const webauthnMec =
|
|
(await prisma.linkedMFAMec.findUnique({
|
|
where: { userId_mec: { userId, mec: MFAMec.WebAuthn } },
|
|
})) ??
|
|
(await prisma.linkedMFAMec.create({
|
|
data: {
|
|
userId,
|
|
mec: MFAMec.WebAuthn,
|
|
credentials: { passkeys: [] } satisfies WebAuthNv1Credentials,
|
|
version: 1,
|
|
},
|
|
}));
|
|
|
|
const { verified, registrationInfo } = verification;
|
|
if (!verified)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "Failed to verify passkey.",
|
|
});
|
|
const { credential, credentialDeviceType, credentialBackedUp } =
|
|
registrationInfo!;
|
|
|
|
const name = await sessionHandler.getSessionDataKey<string>(
|
|
h3,
|
|
"webauthn/passkeyname",
|
|
);
|
|
|
|
(webauthnMec.credentials as unknown as WebAuthNv1Credentials).passkeys.push({
|
|
name: name ?? "My New Passkey",
|
|
created: Date.now(),
|
|
userId,
|
|
webAuthnUserId: options.user.id,
|
|
id: credential.id,
|
|
publicKey: dropEncodeArrayBase64(credential.publicKey),
|
|
counter: credential.counter,
|
|
transports: credential.transports,
|
|
deviceType: credentialDeviceType,
|
|
backedUp: credentialBackedUp,
|
|
});
|
|
|
|
// Safe because we're updating something we just queried
|
|
// eslint-disable-next-line drop/no-prisma-delete
|
|
await prisma.linkedMFAMec.update({
|
|
where: {
|
|
userId_mec: {
|
|
userId: webauthnMec.userId,
|
|
mec: webauthnMec.mec,
|
|
},
|
|
},
|
|
data: {
|
|
credentials: webauthnMec.credentials!,
|
|
},
|
|
});
|
|
|
|
return;
|
|
});
|