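use axum::{
    extract::{Host, Json},
    headers::{authorization::Bearer, Authorization},
    http::StatusCode,
    response::{IntoResponse, Response},
    Extension, TypedHeader,
};
use axum_extra::extract::cookie::{Cookie, CookieJar};

use super::backend::AuthBackend;
use crate::database::Storage;

/// Name of the cookie carrying the opaque id of a pending registration
/// challenge between `webauthn_pre_register` and the follow-up request.
pub(crate) const CHALLENGE_ID_COOKIE: &str = "kittybox_webauthn_challenge_id";

/// Log `$err` under `$msg` and return a 500 from the enclosing handler.
///
/// Only usable in handlers returning `axum::response::Response`. The error
/// detail goes to the log only; the client sees a bare status code.
macro_rules! bail {
    ($msg:literal, $err:expr) => {{
        ::tracing::error!($msg, $err);
        return ::axum::http::StatusCode::INTERNAL_SERVER_ERROR.into_response()
    }};
}

/// Identity of the site a request is addressed to, derived from its `Host` header.
///
/// The host value comes from the client (or a reverse proxy in front of the
/// server); the deployment must ensure it cannot be spoofed, because it selects
/// both the uid being acted on and the WebAuthn RP id/origin.
struct SiteId {
    /// Canonical `https://<host>/` uid string, the key used for database lookups.
    uid: String,
    /// Parsed form of `uid`; used as the WebAuthn RP origin.
    origin: url::Url,
    /// Host of `origin` without any port; used as the WebAuthn RP id.
    rp_id: String,
}

impl SiteId {
    /// Build the identity from a raw `Host` header value.
    ///
    /// Returns `None` when the value does not form a well-formed `https://` URL
    /// with a host. Since the header is client-supplied, callers treat that as a
    /// client error (400) rather than a server bug, so no `unwrap()` here.
    fn from_host(host: &str) -> Option<Self> {
        let uid = format!("https://{}/", host);
        let origin: url::Url = uid.parse().ok()?;
        // RP ids are domains; strip any `:port` the Host header may carry.
        let rp_id = origin.host_str()?.to_owned();
        Some(SiteId { uid, origin, rp_id })
    }
}

/// Configure the WebAuthn relying party for `rp_id` at `origin`.
///
/// The error type is left opaque on purpose: every caller only logs or
/// stringifies it. Fails when `rp_id` is not an effective domain of `origin`
/// or the builder otherwise rejects the configuration.
fn relying_party(rp_id: &str, origin: &url::Url) -> Result<webauthn::Webauthn, impl std::error::Error> {
    webauthn::WebauthnBuilder::new(rp_id, origin)
        .and_then(|builder| builder.rp_name("Kittybox").build())
}

/// Extract the display name from an h-card, falling back to the empty string.
///
/// Immutable indexing is used deliberately: `serde_json`'s `IndexMut` panics
/// when `properties.uid` is missing or not an array, whereas `Index` yields
/// `Null` for any absent path and `as_str()` then returns `None`.
///
/// NOTE(review): this reads the h-card's `uid` property rather than `name`;
/// confirm that is the intended source of the display name.
fn hcard_display_name(hcard: &serde_json::Value) -> String {
    hcard["properties"]["uid"][0]
        .as_str()
        .map(str::to_owned)
        .unwrap_or_default()
}

/// Handler that starts a passkey registration ceremony for the site named by
/// the request's `Host` header.
///
/// Looks up the site's h-card for a display name, asks the relying party for a
/// registration challenge, persists the ceremony state through `auth`, and
/// answers with the challenge as JSON plus a `CHALLENGE_ID_COOKIE` that lets
/// the follow-up request locate that state.
///
/// Responses: 400 when the host does not form a valid URL; 500 (details in the
/// log only) when the h-card lookup, relying-party setup, challenge generation
/// or persistence fails.
pub async fn webauthn_pre_register<A: AuthBackend, D: Storage + 'static>(
    Host(host): Host,
    Extension(db): Extension<D>,
    Extension(auth): Extension<A>,
    cookies: CookieJar,
) -> Response {
    let site = match SiteId::from_host(&host) {
        Some(site) => site,
        None => return StatusCode::BAD_REQUEST.into_response(),
    };

    // This will not find an h-card in onboarding! A site that is not set up
    // yet simply registers with an empty display name.
    let display_name = match db.get_post(&site.uid).await {
        Ok(Some(hcard)) => hcard_display_name(&hcard),
        Ok(None) => String::default(),
        Err(err) => bail!("Error retrieving h-card: {}", err),
    };

    let webauthn = match relying_party(&site.rp_id, &site.origin) {
        Ok(webauthn) => webauthn,
        Err(err) => bail!("Error configuring WebAuthn relying party: {}", err),
    };

    let (challenge, state) = match webauthn.start_passkey_registration(
        // A nil uuid is fine: the "user" is the website itself and there is
        // never more than one user per site, so no per-user handle is needed.
        webauthn::prelude::Uuid::nil(),
        &site.uid,
        &display_name,
        // No credentials are excluded. Once registration is persisted, pass
        // the existing credential ids here so the same authenticator is not
        // enrolled twice.
        Some(vec![]),
    ) {
        Ok(pair) => pair,
        Err(err) => bail!("Error generating WebAuthn registration data: {}", err),
    };

    match auth.persist_registration_challenge(&site.origin, state).await {
        Ok(challenge_id) => {
            // The cookie only carries the opaque lookup key for the stored
            // ceremony state; the challenge itself travels in the JSON body.
            // If no client-side script needs to read this key, marking it
            // `http_only` as well would keep it out of reach of page scripts.
            let cookie = Cookie::build(CHALLENGE_ID_COOKIE, challenge_id)
                .secure(true)
                .finish();
            (cookies.add(cookie), Json(challenge)).into_response()
        }
        Err(err) => bail!("Failed to persist WebAuthn challenge: {}", err),
    }
}

/// Handler for the second half of passkey registration.
///
/// Currently a stub: the submitted credential is accepted but never verified
/// or stored, so the ceremony started by `webauthn_pre_register` is never
/// completed. Authorization is only demanded once the site already has at
/// least one passkey, and the bearer token itself is not yet checked.
///
/// Responses: 400 when the host is not a valid URL; 401 when keys exist and no
/// bearer token was sent; 500 when listing existing keys fails; 200 otherwise
/// (without any registration having taken place).
pub async fn webauthn_register<A: AuthBackend>(
    Host(host): Host,
    // Unused until the ceremony is actually finished; see the TODO at the end.
    Json(_credential): Json<webauthn::prelude::RegisterPublicKeyCredential>,
    // TODO determine if we can use a cookie maybe?
    user_credential: Option<TypedHeader<Authorization<Bearer>>>,
    Extension(auth): Extension<A>,
) -> Response {
    let site = match SiteId::from_host(&host) {
        Some(site) => site,
        None => return StatusCode::BAD_REQUEST.into_response(),
    };

    let pubkeys = match auth.list_webauthn_pubkeys(&site.origin).await {
        Ok(pubkeys) => pubkeys,
        Err(err) => bail!("Error enumerating existing WebAuthn credentials: {}", err),
    };

    // A site with no passkeys yet is in onboarding and may enrol its first key
    // unauthenticated; once any key exists, enrolling another one requires
    // proof of control over the site.
    if !pubkeys.is_empty() {
        match user_credential {
            Some(TypedHeader(Authorization(_token))) => {
                // TODO check validity of the credential. Until this is done,
                // any bearer value at all passes this gate.
            }
            None => return StatusCode::UNAUTHORIZED.into_response(),
        }
    }

    // TODO finish the ceremony: load the state persisted under the
    // CHALLENGE_ID_COOKIE value, run `finish_passkey_registration` on the
    // submitted credential and store the resulting passkey. Until then this
    // 200 does not mean a key was registered.
    StatusCode::OK.into_response()
}

/// Finish a passkey authentication ceremony for `website`.
///
/// `challenge_id` identifies the ceremony state the backend persisted when the
/// challenge was issued; `credential` is the assertion the client sent back.
/// Returns `Ok(true)` when the assertion verifies against that state and
/// `Ok(false)` when it does not (the reason is logged, never returned).
///
/// # Errors
/// `InvalidInput` when `website` has no host (it cannot serve as an RP id),
/// `Other` when the relying party cannot be configured, and whatever
/// `retrieve_authentication_challenge` returns when the state cannot be loaded.
pub(crate) async fn verify<A: AuthBackend>(
    auth: &A,
    website: &url::Url,
    credential: webauthn::prelude::PublicKeyCredential,
    challenge_id: &str,
) -> std::io::Result<bool> {
    use std::io::{Error, ErrorKind};

    let rp_id = website
        .host_str()
        .ok_or_else(|| Error::new(ErrorKind::InvalidInput, "website URL has no host"))?;
    let webauthn = relying_party(rp_id, website)
        .map_err(|err| Error::new(ErrorKind::Other, err.to_string()))?;
    let state = auth
        .retrieve_authentication_challenge(website, challenge_id)
        .await?;

    match webauthn.finish_passkey_authentication(&credential, &state) {
        Err(err) => {
            tracing::error!("WebAuthn error: {}", err);
            Ok(false)
        }
        Ok(result) => {
            if result.needs_update() {
                // The authenticator reported a new signature counter (or
                // backup state) that should be written back to the stored
                // credential. Persisting it is not wired up yet; without it a
                // cloned authenticator replaying an older counter cannot be
                // detected on later logins. Log loudly rather than abort a
                // valid login, which is what a `todo!()` here would do.
                tracing::warn!(
                    "WebAuthn credential {:?} needs an update (counter {}) that is not persisted",
                    result.cred_id(),
                    result.counter()
                );
            }
            Ok(true)
        }
    }
}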