Add Optional 2FA Support (#61)

* Add TOTP MFA Support * Add Passkey MFA Support It's not impossible I missed some minor cleanup, but most things make sense and there isn't a lot of obvious duplication anymore. --------- Co-authored-by: Bruno Bernardino <me@brunobernardino.com>
2025-05-29 12:30:28 -04:00
parent 2a77915630
commit 455a7201e9
28 changed files with 2361 additions and 40 deletions
--- a/routes/api/auth/multi-factor/passkey/begin.ts
+++ b/routes/api/auth/multi-factor/passkey/begin.ts
@@ -0,0 +1,87 @@
+import { Handlers } from 'fresh/server.ts';
+import { PublicKeyCredentialCreationOptionsJSON } from '@simplewebauthn/server';
+
+import { FreshContextState } from '/lib/types.ts';
+import { PasskeyModel } from '/lib/models/multi-factor-auth/passkey.ts';
+import { UserModel } from '/lib/models/user.ts';
+import { AppConfig } from '/lib/config.ts';
+
+export interface RequestBody {
+  email: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+  options?: PublicKeyCredentialCreationOptionsJSON;
+  sessionData?: {
+    challenge: string;
+    methodId: string;
+  };
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request) {
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Passwordless passkey login requires multi-factor authentication to be enabled.',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const body = await request.clone().json() as RequestBody;
+    const { email } = body;
+
+    if (!email) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Email is required',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const user = await UserModel.getByEmail(email);
+
+    if (!user) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'User not found',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 404 });
+    }
+
+    const config = await AppConfig.getConfig();
+    const allowedCredentials = PasskeyModel.getCredentialsFromUser(user);
+
+    if (allowedCredentials.length === 0) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'No passkeys registered for this user',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const options = await PasskeyModel.generateAuthenticationOptions(
+      config.auth.baseUrl,
+      allowedCredentials,
+    );
+
+    const responseBody: ResponseBody = {
+      success: true,
+      options,
+      sessionData: {
+        challenge: options.challenge,
+        methodId: options.challenge,
+      },
+    };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/auth/multi-factor/passkey/setup-begin.ts
+++ b/routes/api/auth/multi-factor/passkey/setup-begin.ts
@@ -0,0 +1,67 @@
+import { Handlers } from 'fresh/server.ts';
+import { PublicKeyCredentialCreationOptionsJSON } from '@simplewebauthn/server';
+
+import { FreshContextState } from '/lib/types.ts';
+import { AppConfig } from '/lib/config.ts';
+import { PasskeyModel } from '/lib/models/multi-factor-auth/passkey.ts';
+import { MultiFactorAuthModel } from '/lib/models/multi-factor-auth.ts';
+
+export interface RequestBody {}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+  options?: PublicKeyCredentialCreationOptionsJSON;
+  sessionData?: {
+    challenge: string;
+    methodId: string;
+    userId: string;
+  };
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Passwordless passkey login requires multi-factor authentication to be enabled.',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const { user } = context.state;
+
+    const methodId = MultiFactorAuthModel.generateMethodId();
+
+    const config = await AppConfig.getConfig();
+    const existingCredentials = PasskeyModel.getCredentialsFromUser(user);
+
+    const options = await PasskeyModel.generateRegistrationOptions(
+      user.id,
+      user.email,
+      config.auth.baseUrl,
+      existingCredentials,
+    );
+
+    const sessionData: ResponseBody['sessionData'] = {
+      challenge: options.challenge,
+      methodId,
+      userId: user.id,
+    };
+
+    const responseBody: ResponseBody = {
+      success: true,
+      options,
+      sessionData,
+    };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/auth/multi-factor/passkey/setup-complete.ts
+++ b/routes/api/auth/multi-factor/passkey/setup-complete.ts
@@ -0,0 +1,102 @@
+import { Handlers } from 'fresh/server.ts';
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
+import { RegistrationResponseJSON } from '@simplewebauthn/server';
+
+import { FreshContextState } from '/lib/types.ts';
+import { PasskeyModel } from '/lib/models/multi-factor-auth/passkey.ts';
+import { UserModel } from '/lib/models/user.ts';
+import { AppConfig } from '/lib/config.ts';
+
+export interface RequestBody {
+  methodId: string;
+  challenge: string;
+  registrationResponse: RegistrationResponseJSON;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request, context) {
+    if (!context.state.user) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Passwordless passkey login requires multi-factor authentication to be enabled.',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const { user } = context.state;
+
+    const body = await request.clone().json() as RequestBody;
+    const { methodId, challenge, registrationResponse } = body;
+
+    if (!methodId || !challenge || !registrationResponse) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Method ID, challenge, and registration response are required',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const config = await AppConfig.getConfig();
+    const expectedOrigin = config.auth.baseUrl;
+    const expectedRPID = new URL(config.auth.baseUrl).hostname;
+
+    const verification = await PasskeyModel.verifyRegistration(
+      registrationResponse,
+      challenge,
+      expectedOrigin,
+      expectedRPID,
+    );
+
+    if (!verification.verified || !verification.registrationInfo) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Passkey registration verification failed',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const { registrationInfo } = verification;
+    const credentialID = registrationInfo.credential.id;
+    const credentialPublicKey = isoBase64URL.fromBuffer(registrationInfo.credential.publicKey);
+
+    const method = PasskeyModel.createMethod(
+      methodId,
+      'Passkey',
+      credentialID,
+      credentialPublicKey,
+      registrationInfo.credential.counter,
+      registrationInfo.credentialDeviceType,
+      registrationInfo.credentialBackedUp,
+      // @ts-expect-error SimpleWebAuthn supports a few more transports, and that's OK
+      registrationResponse.response?.transports || [],
+    );
+
+    if (!user.extra.multi_factor_auth_methods) {
+      user.extra.multi_factor_auth_methods = [];
+    }
+
+    user.extra.multi_factor_auth_methods.push(method);
+
+    await UserModel.update(user);
+
+    const responseBody: ResponseBody = {
+      success: true,
+    };
+
+    return new Response(JSON.stringify(responseBody));
+  },
+};
--- a/routes/api/auth/multi-factor/passkey/verify.ts
+++ b/routes/api/auth/multi-factor/passkey/verify.ts
@@ -0,0 +1,99 @@
+import { Handlers } from 'fresh/server.ts';
+import { AuthenticationResponseJSON } from '@simplewebauthn/server';
+
+import { FreshContextState } from '/lib/types.ts';
+import { PasskeyModel } from '/lib/models/multi-factor-auth/passkey.ts';
+import { UserModel } from '/lib/models/user.ts';
+import { AppConfig } from '/lib/config.ts';
+import { createSessionResponse } from '/lib/auth.ts';
+
+export interface RequestBody {
+  email: string;
+  challenge: string;
+  authenticationResponse: AuthenticationResponseJSON;
+  redirectUrl?: string;
+}
+
+export interface ResponseBody {
+  success: boolean;
+  error?: string;
+}
+
+export const handler: Handlers<unknown, FreshContextState> = {
+  async POST(request) {
+    const isMultiFactorAuthEnabled = await AppConfig.isMultiFactorAuthEnabled();
+
+    if (!isMultiFactorAuthEnabled) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Multi-factor authentication is not enabled on this server',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 403 });
+    }
+
+    const body = await request.clone().json() as RequestBody;
+    const { email, challenge, authenticationResponse, redirectUrl } = body;
+
+    if (!email || !challenge || !authenticationResponse) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Email, challenge, and authentication response are required',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const user = await UserModel.getByEmail(email);
+    if (!user) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'User not found',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 404 });
+    }
+
+    const config = await AppConfig.getConfig();
+    const expectedOrigin = config.auth.baseUrl;
+    const expectedRPID = new URL(config.auth.baseUrl).hostname;
+
+    const userCredentials = PasskeyModel.getCredentialsFromUser(user);
+    const credentialID = authenticationResponse.id;
+
+    const credential = userCredentials.find((credential) => credential.credentialID === credentialID);
+    if (!credential) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Credential not found for this user',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    const verification = await PasskeyModel.verifyAuthentication(
+      authenticationResponse,
+      challenge,
+      expectedOrigin,
+      expectedRPID,
+      credential,
+    );
+
+    if (!verification.verified) {
+      const responseBody: ResponseBody = {
+        success: false,
+        error: 'Passkey authentication verification failed',
+      };
+
+      return new Response(JSON.stringify(responseBody), { status: 400 });
+    }
+
+    // Update the counter to protect against replay attacks
+    PasskeyModel.updateCounterForUser(user, credentialID, verification.authenticationInfo.newCounter);
+    await UserModel.update(user);
+
+    return await createSessionResponse(request, user, {
+      urlToRedirectTo: redirectUrl || '/',
+    });
+  },
+};