255aaeb2ad
Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
package models
import (
	"errors"
	"net"
	"time"

	"github.com/golang-jwt/jwt/v4"
	"github.com/google/uuid"
)
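// NewIdentityVerification creates a new IdentityVerification from a given username and action.
//
// The record is issued "now" for the given username, action and client IP and
// expires a fixed five minutes later. Both IssuedAt and ExpiresAt are taken
// from a single clock reading so that ExpiresAt minus IssuedAt is exactly the
// token lifetime (the original read the clock twice). The JTI comes from
// uuid.New(); it is what ties the signed token back to this database row
// (see ToIdentityVerificationClaim).
//
// ID, Consumed and ConsumedIP are left at their zero values; presumably the
// storage layer fills them in on insert and on redemption — verify there.
func NewIdentityVerification(username, action string, ip net.IP) (verification IdentityVerification) {
	// Lifetime of the identity verification token. Kept short because the
	// token is a bearer credential for a sensitive self-service action
	// (see IdentityVerificationClaim).
	const lifetime = 5 * time.Minute

	now := time.Now()

	return IdentityVerification{
		JTI:       uuid.New(),
		IssuedAt:  now,
		ExpiresAt: now.Add(lifetime),
		Action:    action,
		Username:  username,
		IssuedIP:  NewIP(ip),
	}
}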
// IdentityVerification represents an identity verification row in the database.
//
// One row is created per issued identity verification token (see
// NewIdentityVerification). The signed token only carries JTI, Action,
// Username and the two timestamps (see ToIdentityVerificationClaim); this row
// is the server-side record the token refers to, and is where the issuing and
// consuming client addresses live.
type IdentityVerification struct {
	// ID is the database row identifier; presumably the primary key — confirm against the schema.
	ID int `db:"id"`
	// JTI is the token identifier, also emitted as the JWT "jti" claim.
	JTI uuid.UUID `db:"jti"`
	// IssuedAt is when the token was created (emitted as the JWT "iat" claim).
	IssuedAt time.Time `db:"iat"`
	// IssuedIP is the client address the token was issued to; never placed in the token.
	IssuedIP IP `db:"issued_ip"`
	// ExpiresAt is when the token stops being valid (emitted as the JWT "exp" claim).
	ExpiresAt time.Time `db:"exp"`
	// Action names what the token authorises (see IdentityVerificationClaim).
	Action string `db:"action"`
	// Username is the user the token was issued for.
	Username string `db:"username"`
	// Consumed is nil until the token has been redeemed. NOTE(review): presumably
	// the storage layer sets it to enforce single use — confirm there.
	Consumed *time.Time `db:"consumed"`
	// ConsumedIP is the client address that redeemed the token, once consumed.
	ConsumedIP NullIP `db:"consumed_ip"`
}
// ToIdentityVerificationClaim converts the IdentityVerification into a IdentityVerificationClaim.
//
// Only the fields that belong in the signed token are copied: the JTI (as the
// registered "jti" claim), the issue and expiry instants, the action and the
// username. The issuer is the fixed string "Authelia". IssuedIP, Consumed and
// ConsumedIP stay server-side and never leave the database row.
//
// Signing the claim, and later verifying it, is the caller's job.
// NOTE(review): the verifier should presumably also check the issuer and that
// the JTI row is still unconsumed — confirm in the handler that redeems it.
func (v IdentityVerification) ToIdentityVerificationClaim() (claim *IdentityVerificationClaim) {
	registered := jwt.RegisteredClaims{
		ID:        v.JTI.String(),
		Issuer:    "Authelia",
		IssuedAt:  jwt.NewNumericDate(v.IssuedAt),
		ExpiresAt: jwt.NewNumericDate(v.ExpiresAt),
	}

	claim = &IdentityVerificationClaim{RegisteredClaims: registered}
	claim.Action = v.Action
	claim.Username = v.Username

	return claim
}
// IdentityVerificationClaim custom claim for specifying the action claim.
//
// The action can be to register a TOTP device, a U2F device or reset one's password.
//
// This is the JSON payload of the identity verification token. It embeds the
// registered claims (jti, iss, iat, exp — see ToIdentityVerificationClaim for
// which are set) and adds the action and username the token was issued for.
// Because a valid token authorises a sensitive self-service action for
// Username, a presented token needs its signature checked and its JTI matched
// against the IdentityVerification row before the action is honoured —
// presumably done by the caller; this type only defines the shape.
type IdentityVerificationClaim struct {
	jwt.RegisteredClaims

	// The action this token has been crafted for.
	Action string `json:"action"`
	// The user this token has been crafted for.
	Username string `json:"username"`
}
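// ToIdentityVerification converts the IdentityVerificationClaim into a IdentityVerification.
//
// It parses the "jti" claim as a UUID and copies the expiry, action and
// username. An error is returned when the JTI is not a valid UUID or when the
// claim carries no "exp": ExpiresAt is a *jwt.NumericDate, and the original
// dereferenced it unconditionally, so a token without exp panicked here.
// NOTE(review): jwt's default claim validation presumably does not require exp
// to be present, so this guard matters for any signed-but-malformed token —
// confirm against the validation done by the caller.
//
// Only claim-carried fields are restored: ID, IssuedAt, IssuedIP, Consumed and
// ConsumedIP are left zero. The database row looked up by JTI, not this value,
// is the authoritative record of the token's state.
func (v IdentityVerificationClaim) ToIdentityVerification() (verification *IdentityVerification, err error) {
	jti, err := uuid.Parse(v.ID)
	if err != nil {
		return nil, err
	}

	// Guard the nil pointer before reading .Time below.
	if v.ExpiresAt == nil {
		return nil, errors.New("identity verification claim has no exp")
	}

	return &IdentityVerification{
		JTI:       jti,
		Username:  v.Username,
		Action:    v.Action,
		ExpiresAt: v.ExpiresAt.Time,
	}, nil
}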