-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from cedarcode/add-optional-2fa-authentication
feat: add possibility of enabling WebAuthn as a second factor authentication
- Loading branch information
Showing
31 changed files
with
784 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
WEBAUTHN_ORIGIN=http:https://localhost:3000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
WEBAUTHN_ORIGIN=http:https://localhost:3030 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
57 changes: 57 additions & 0 deletions
57
app/controllers/webauthn_credential_authentication_controller.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
class WebauthnCredentialAuthenticationController < ApplicationController | ||
before_action :ensure_user_not_authenticated | ||
before_action :ensure_login_initiated | ||
|
||
def new | ||
end | ||
|
||
def options | ||
get_options = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id)) | ||
|
||
session[:current_challenge] = get_options.challenge | ||
|
||
respond_to do |format| | ||
format.json { render json: get_options } | ||
end | ||
end | ||
|
||
def create | ||
webauthn_credential = WebAuthn::Credential.from_get(params) | ||
|
||
credential = user.webauthn_credentials.find_by(external_id: webauthn_credential.id) | ||
|
||
begin | ||
webauthn_credential.verify( | ||
session[:current_challenge], | ||
public_key: credential.public_key, | ||
sign_count: credential.sign_count | ||
) | ||
|
||
credential.update!(sign_count: webauthn_credential.sign_count) | ||
session.delete(:webauthn_user_id) | ||
sign_in(user) | ||
|
||
render json: { status: "ok" }, status: :ok | ||
rescue WebAuthn::Error => e | ||
render json: "Verification failed: #{e.message}", status: :unprocessable_entity | ||
end | ||
end | ||
|
||
private | ||
|
||
def user | ||
@user ||= User.find_by(id: session[:webauthn_user_id]) | ||
end | ||
|
||
def ensure_login_initiated | ||
if session[:webauthn_user_id].blank? | ||
redirect_to new_session_path, alert: "Login was not initiated" | ||
end | ||
end | ||
|
||
def ensure_user_not_authenticated | ||
if current_user | ||
redirect_to root_path, alert: "User's already authenticated" | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
class WebauthnCredentialsController < ApplicationController | ||
before_action :enforce_authenticated_user | ||
|
||
def new | ||
end | ||
|
||
def options | ||
if current_user.webauthn_id.blank? | ||
current_user.update!(webauthn_id: WebAuthn.generate_user_id) | ||
end | ||
|
||
create_options = WebAuthn::Credential.options_for_create( | ||
user: { | ||
id: current_user.webauthn_id, | ||
name: current_user.username | ||
}, | ||
exclude: current_user.webauthn_credentials.pluck(:external_id) | ||
) | ||
|
||
session[:current_challenge] = create_options.challenge | ||
|
||
respond_to do |format| | ||
format.json { render json: create_options } | ||
end | ||
end | ||
|
||
def create | ||
webauthn_credential = WebAuthn::Credential.from_create(params) | ||
|
||
begin | ||
webauthn_credential.verify(session[:current_challenge]) | ||
|
||
credential = current_user.webauthn_credentials.build( | ||
external_id: webauthn_credential.id, | ||
nickname: params[:credential_nickname], | ||
public_key: webauthn_credential.public_key, | ||
sign_count: webauthn_credential.sign_count | ||
) | ||
|
||
if credential.save | ||
render json: { status: "ok" }, status: :ok | ||
else | ||
render json: "Couldn't add your Security Key", status: :unprocessable_entity | ||
end | ||
rescue WebAuthn::Error => e | ||
render json: "Verification failed: #{e.message}", status: :unprocessable_entity | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
import { Controller } from "stimulus" | ||
import * as Credential from "credential"; | ||
|
||
export default class extends Controller { | ||
create(event) { | ||
var [data, status, xhr] = event.detail; | ||
var credentialOptions = data; | ||
var credential_nickname = event.target.querySelector("input[name='webauthn_credential[nickname]']").value; | ||
var callback_url = `/webauthn_credentials/?credential_nickname=${credential_nickname}` | ||
|
||
Credential.create(encodeURI(callback_url), credentialOptions); | ||
} | ||
} |
11 changes: 11 additions & 0 deletions
11
app/javascript/controllers/credential_authenticator_controller.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
import { Controller } from "stimulus" | ||
import * as Credential from "credential"; | ||
|
||
export default class extends Controller { | ||
verifyKey(event) { | ||
var [data, status, xhr] = event.detail; | ||
console.log(data); | ||
var credentialOptions = data; | ||
Credential.get(credentialOptions); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
import * as WebAuthnJSON from "@github/webauthn-json" | ||
|
||
function getCSRFToken() { | ||
var CSRFSelector = document.querySelector('meta[name="csrf-token"]') | ||
if (CSRFSelector) { | ||
return CSRFSelector.getAttribute("content") | ||
} else { | ||
return null | ||
} | ||
} | ||
|
||
function callback(url, body) { | ||
fetch(url, { | ||
method: "POST", | ||
body: JSON.stringify(body), | ||
headers: { | ||
"Content-Type": "application/json", | ||
"Accept": "application/json", | ||
"X-CSRF-Token": getCSRFToken() | ||
}, | ||
credentials: 'same-origin' | ||
}).then(function(response) { | ||
if (response.ok) { | ||
window.location.replace("/") | ||
} else if (response.status < 500) { | ||
response.text().then(console.log); | ||
} else { | ||
console.log("Sorry, something wrong happened."); | ||
} | ||
}); | ||
} | ||
|
||
function create(callbackUrl, credentialOptions) { | ||
WebAuthnJSON.create({ "publicKey": credentialOptions }).then(function(credential) { | ||
callback(callbackUrl, credential); | ||
}).catch(function(error) { | ||
console.log(error); | ||
}); | ||
|
||
console.log("Creating new public key credential..."); | ||
} | ||
|
||
function get(credentialOptions) { | ||
WebAuthnJSON.get({ "publicKey": credentialOptions }).then(function(credential) { | ||
callback("/webauthn_credential_authentication", credential); | ||
}).catch(function(error) { | ||
console.log(error); | ||
}); | ||
|
||
console.log("Getting public key credential..."); | ||
} | ||
|
||
export { create, get } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,11 @@ | ||
class User < ApplicationRecord | ||
has_secure_password | ||
|
||
has_many :webauthn_credentials, dependent: :destroy | ||
|
||
validates :username, presence: true, uniqueness: true | ||
|
||
def second_factor_enabled? | ||
webauthn_credentials.any? | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
class WebauthnCredential < ApplicationRecord | ||
validates :external_id, :public_key, :nickname, :sign_count, presence: true | ||
validates :external_id, uniqueness: true | ||
validates :sign_count, | ||
numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 2**32 - 1 } | ||
end |
Oops, something went wrong.