mirror of
https://github.com/Drop-OSS/drop.git
synced 2026-01-31 15:37:09 +01:00
63ac2b8ffc
* feat: nginx + torrential basics & services system * fix: lint + i18n * fix: update torrential to remove openssl * feat: add torrential to Docker build * feat: move to self hosted runner * fix: move off self-hosted runner * fix: update nginx.conf * feat: torrential cache invalidation * fix: update torrential for cache invalidation * feat: integrity check task * fix: lint * feat: move to version ids * fix: client fixes and client-side checks * feat: new depot apis and version id fixes * feat: update torrential * feat: droplet bump and remove unsafe update functions * fix: lint * feat: v4 featureset: emulators, multi-launch commands * fix: lint * fix: mobile ui for game editor * feat: launch options * fix: lint * fix: remove axios, use $fetch * feat: metadata and task api improvements * feat: task actions * fix: slight styling issue * feat: fix style and lints * feat: totp backend routes * feat: oidc groups * fix: update drop-base * feat: creation of passkeys & totp * feat: totp signin * feat: webauthn mfa/signin * feat: launch selecting ui * fix: manually running tasks * feat: update add company game modal to use new SelectorGame * feat: executor selector * fix(docker): update rust to rust nightly for torrential build (#305) * feat: new version ui * feat: move package lookup to build time to allow for deno dev * fix: lint * feat: localisation cleanup * feat: apply localisation cleanup * feat: potential i18n refactor logic * feat: remove args from commands * fix: lint * fix: lockfile --------- Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
129 lines
3.7 KiB
TypeScript
129 lines
3.7 KiB
TypeScript
import { ArkErrors, type } from "arktype";
|
|
import { systemConfig } from "../config/sys-conf";
|
|
import { dropDecodeArrayBase64 } from "./totp";
|
|
import { decode } from "cbor2";
|
|
import { createHash } from "node:crypto";
|
|
import cosekey from "parse-cosekey";
|
|
import type { AuthenticatorTransportFuture } from "@simplewebauthn/server";
|
|
|
|
export async function getRpId() {
|
|
const externalUrl =
|
|
process.env.WEBAUTHN_DOMAIN ?? (await systemConfig.getExternalUrl());
|
|
const externalUrlParsed = new URL(externalUrl);
|
|
|
|
return externalUrlParsed.hostname;
|
|
}
|
|
|
|
export interface Passkey {
|
|
name: string;
|
|
created: number;
|
|
userId: string;
|
|
webAuthnUserId: string;
|
|
id: string;
|
|
publicKey: string;
|
|
counter: number;
|
|
transports: Array<AuthenticatorTransportFuture> | undefined;
|
|
deviceType: string;
|
|
backedUp: boolean;
|
|
}
|
|
|
|
export interface WebAuthNv1Credentials {
|
|
passkeys: Array<Passkey>;
|
|
}
|
|
|
|
const ClientData = type({
|
|
type: "'webauthn.create'",
|
|
challenge: "string",
|
|
origin: "string",
|
|
});
|
|
|
|
const AuthData = type({
|
|
fmt: "string",
|
|
authData: "TypedArray.Uint8",
|
|
});
|
|
|
|
export async function parseAndValidatePasskeyCreation(
|
|
clientDataString: string,
|
|
attestationObjectString: string,
|
|
challenge: string,
|
|
) {
|
|
const clientData = dropDecodeArrayBase64(clientDataString);
|
|
const attestationObject = dropDecodeArrayBase64(attestationObjectString);
|
|
|
|
const utf8Decoder = new TextDecoder("utf-8");
|
|
const decodedClientData = utf8Decoder.decode(clientData);
|
|
const clientDataObj = ClientData(JSON.parse(decodedClientData));
|
|
if (clientDataObj instanceof ArkErrors)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: `Invalid client data JSON object: ${clientDataObj.summary}`,
|
|
});
|
|
|
|
const convertedChallenge = Buffer.from(
|
|
dropDecodeArrayBase64(clientDataObj.challenge),
|
|
).toString("utf8");
|
|
|
|
if (convertedChallenge !== challenge)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "Challenge does not match.",
|
|
});
|
|
|
|
const tmp = decode(attestationObject);
|
|
const decodedAttestationObject = AuthData(tmp);
|
|
if (decodedAttestationObject instanceof ArkErrors)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: `Invalid attestation object: ${decodedAttestationObject.summary}`,
|
|
});
|
|
|
|
const userRpIdHash = decodedAttestationObject.authData.slice(0, 32);
|
|
const rpId = await getRpId();
|
|
const rpIdHash = createHash("sha256").update(rpId).digest();
|
|
|
|
if (!rpIdHash.equals(userRpIdHash))
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "Incorrect relying party ID",
|
|
});
|
|
|
|
const attestedCredentialData = decodedAttestationObject.authData.slice(37);
|
|
if (attestedCredentialData.length < 18)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message:
|
|
"Attested credential data is missing AAGUID and/or credentialIdLength",
|
|
});
|
|
// const aaguid = attestedCredentialData.slice(0, 16);
|
|
const credentialIdLengthBuffer = attestedCredentialData.slice(16, 18);
|
|
const credentialIdLength = Buffer.from(credentialIdLengthBuffer).readUintBE(
|
|
0,
|
|
2,
|
|
);
|
|
if (attestedCredentialData.length < 18 + credentialIdLength)
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "Missing credential data of length: " + credentialIdLength,
|
|
});
|
|
const credentialId = attestedCredentialData.slice(
|
|
18,
|
|
18 + credentialIdLength,
|
|
);
|
|
const credentialPublicKey: Map<number, number> = decode(
|
|
attestedCredentialData.slice(18 + credentialIdLength),
|
|
);
|
|
if (!(credentialPublicKey instanceof Map))
|
|
throw createError({
|
|
statusCode: 400,
|
|
message: "Could not decode public key from attestion credential data",
|
|
});
|
|
|
|
const credentialIdStr = Buffer.from(credentialId).toString("hex");
|
|
const jwk = cosekey.KeyParser.cose2jwk(credentialPublicKey);
|
|
|
|
return {
|
|
credentialIdStr,
|
|
jwk,
|
|
};
|
|
}
|