authelia/internal/handlers/handler_sign_u2f_step1.go
2022-01-31 16:25:15 +11:00

94 lines
2.5 KiB
Go

package handlers
import (
"crypto/ecdsa"
"crypto/elliptic"
"fmt"
"github.com/tstranex/u2f"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/regulation"
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/storage"
)
// SecondFactorU2FSignGet handler for initiating a signing request.
func SecondFactorU2FSignGet(ctx *middlewares.AutheliaCtx) {
if ctx.XForwardedProto() == nil {
ctx.Error(errMissingXForwardedProto, messageMFAValidationFailed)
return
}
if ctx.XForwardedHost() == nil {
ctx.Error(errMissingXForwardedHost, messageMFAValidationFailed)
return
}
userSession := ctx.GetSession()
appID := fmt.Sprintf("%s://%s", ctx.XForwardedProto(), ctx.XForwardedHost())
var trustedFacets = []string{appID}
challenge, err := u2f.NewChallenge(appID, trustedFacets)
if err != nil {
ctx.Logger.Errorf("Unable to create %s challenge for user '%s': %+v", regulation.AuthTypeU2F, userSession.Username, err)
respondUnauthorized(ctx, messageMFAValidationFailed)
return
}
device, err := ctx.Providers.StorageProvider.LoadU2FDevice(ctx, userSession.Username)
if err != nil {
respondUnauthorized(ctx, messageMFAValidationFailed)
if err == storage.ErrNoU2FDeviceHandle {
_ = markAuthenticationAttempt(ctx, false, nil, userSession.Username, regulation.AuthTypeU2F, fmt.Errorf("no registered U2F device"))
return
}
ctx.Logger.Errorf("Could not load %s devices for user '%s': %+v", regulation.AuthTypeU2F, userSession.Username, err)
return
}
x, y := elliptic.Unmarshal(elliptic.P256(), device.PublicKey)
registration := u2f.Registration{
KeyHandle: device.KeyHandle,
PubKey: ecdsa.PublicKey{
Curve: elliptic.P256(),
X: x,
Y: y,
},
}
// Save the challenge and registration for use in next request.
userSession.U2FRegistration = &session.U2FRegistration{
KeyHandle: device.KeyHandle,
PublicKey: device.PublicKey,
}
userSession.U2FChallenge = challenge
if err = ctx.SaveSession(userSession); err != nil {
ctx.Logger.Errorf(logFmtErrSessionSave, "challenge and registration", regulation.AuthTypeU2F, userSession.Username, err)
respondUnauthorized(ctx, messageMFAValidationFailed)
return
}
signRequest := challenge.SignRequest([]u2f.Registration{registration})
if err = ctx.SetJSONBody(signRequest); err != nil {
ctx.Logger.Errorf(logFmtErrWriteResponseBody, regulation.AuthTypeU2F, userSession.Username, err)
respondUnauthorized(ctx, messageMFAValidationFailed)
return
}
}