about summary refs log blame commit diff
path: root/kittybox-rs/src/indieauth/webauthn.rs
blob: ea3ad3d31a7c6b149dea31e358b879ebe8ce6e3e (plain) (tree)










































































































































                                                                                             
use axum::{
    extract::{Json, Host},
    response::{IntoResponse, Response},
    http::StatusCode, Extension, TypedHeader, headers::{authorization::Bearer, Authorization}
};
use axum_extra::extract::cookie::{CookieJar, Cookie};

use super::backend::AuthBackend;
use crate::database::Storage;

pub(crate) const CHALLENGE_ID_COOKIE: &str = "kittybox_webauthn_challenge_id";

macro_rules! bail {
    ($msg:literal, $err:expr) => {
        {
            ::tracing::error!($msg, $err);
            return ::axum::http::StatusCode::INTERNAL_SERVER_ERROR.into_response()
        }
    }
}

pub async fn webauthn_pre_register<A: AuthBackend, D: Storage + 'static>(
    Host(host): Host,
    Extension(db): Extension<D>,
    Extension(auth): Extension<A>,
    cookies: CookieJar
) -> Response {
    let uid = format!("https://{}/", host.clone());
    let uid_url: url::Url = uid.parse().unwrap();
    // This will not find an h-card in onboarding!
    let display_name = match db.get_post(&uid).await {
        Ok(hcard) => match hcard {
            Some(mut hcard) => {
                match hcard["properties"]["uid"][0].take() {
                    serde_json::Value::String(name) => name,
                    _ => String::default()
                }
            },
            None => String::default()
        },
        Err(err) => bail!("Error retrieving h-card: {}", err)
    };

    let webauthn = webauthn::WebauthnBuilder::new(
        &host,
        &uid_url
    )
        .unwrap()
        .rp_name("Kittybox")
        .build()
        .unwrap();

    let (challenge, state) = match webauthn.start_passkey_registration(
        // Note: using a nil uuid here is fine
        // Because the user corresponds to a website anyway
        // We do not track multiple users
        webauthn::prelude::Uuid::nil(),
        &uid,
        &display_name,
        Some(vec![])
    ) {
        Ok((challenge, state)) => (challenge, state),
        Err(err) => bail!("Error generating WebAuthn registration data: {}", err)
    };

    match auth.persist_registration_challenge(&uid_url, state).await {
        Ok(challenge_id) => (
            cookies.add(
                Cookie::build(CHALLENGE_ID_COOKIE, challenge_id)
                    .secure(true)
                    .finish()
            ),
            Json(challenge)
        ).into_response(),
        Err(err) => bail!("Failed to persist WebAuthn challenge: {}", err)
    }
}

pub async fn webauthn_register<A: AuthBackend>(
    Host(host): Host,
    Json(credential): Json<webauthn::prelude::RegisterPublicKeyCredential>,
    // TODO determine if we can use a cookie maybe?
    user_credential: Option<TypedHeader<Authorization<Bearer>>>,
    Extension(auth): Extension<A>
) -> Response {
    let uid = format!("https://{}/", host.clone());
    let uid_url: url::Url = uid.parse().unwrap();

    let pubkeys = match auth.list_webauthn_pubkeys(&uid_url).await {
        Ok(pubkeys) => pubkeys,
        Err(err) => bail!("Error enumerating existing WebAuthn credentials: {}", err)
    };

    if !pubkeys.is_empty() {
        if let Some(TypedHeader(Authorization(token))) = user_credential {
            // TODO check validity of the credential
        } else {
            return StatusCode::UNAUTHORIZED.into_response()
        }
    }

    return StatusCode::OK.into_response()
}

pub(crate) async fn verify<A: AuthBackend>(
    auth: &A,
    website: &url::Url,
    credential: webauthn::prelude::PublicKeyCredential,
    challenge_id: &str
) -> std::io::Result<bool> {
    let host = website.host_str().unwrap();

    let webauthn = webauthn::WebauthnBuilder::new(
        host,
        website
    )
        .unwrap()
        .rp_name("Kittybox")
        .build()
        .unwrap();

    match webauthn.finish_passkey_authentication(
        &credential,
        &auth.retrieve_authentication_challenge(&website, challenge_id).await?
    ) {
        Err(err) => {
            tracing::error!("WebAuthn error: {}", err);
            Ok(false)
        },
        Ok(authentication_result) => {
            let counter = authentication_result.counter();
            let cred_id = authentication_result.cred_id();

            if authentication_result.needs_update() {
                todo!()
            }
            Ok(true)
        }
    }
}