2022-08-03 11:18:33 +00:00
|
|
|
import { randomBytes } from 'node:crypto';
|
|
|
|
|
import { IsNull } from 'typeorm';
|
2022-02-27 02:07:39 +00:00
|
|
|
import Koa from 'koa';
|
2017-12-08 13:57:58 +00:00
|
|
|
import * as speakeasy from 'speakeasy';
|
2022-11-20 22:15:22 +00:00
|
|
|
import { SECOND, MINUTE, HOUR } from '@/const.js';
|
2022-02-27 02:07:39 +00:00
|
|
|
import config from '@/config/index.js';
|
|
|
|
|
import { Users, Signins, UserProfiles, UserSecurityKeys, AttestationChallenges } from '@/models/index.js';
|
|
|
|
|
import { ILocalUser } from '@/models/entities/user.js';
|
|
|
|
|
import { genId } from '@/misc/gen-id.js';
|
2022-08-03 11:18:33 +00:00
|
|
|
import { getIpHash } from '@/misc/get-ip-hash.js';
|
2022-12-29 20:13:47 +00:00
|
|
|
import { comparePassword, hashPassword, isOldAlgorithm } from '@/misc/password.js';
|
2022-08-03 11:18:33 +00:00
|
|
|
import signin from '../common/signin.js';
|
2022-02-27 02:07:39 +00:00
|
|
|
import { verifyLogin, hash } from '../2fa.js';
|
2022-05-28 03:06:47 +00:00
|
|
|
import { limiter } from '../limiter.js';
|
2022-12-19 19:12:24 +00:00
|
|
|
import { ApiError, errors } from '../error.js';
|
2016-12-28 22:49:51 +00:00
|
|
|
|
2019-11-24 08:09:32 +00:00
|
|
|
export default async (ctx: Koa.Context) => {
|
2018-04-12 21:06:18 +00:00
|
|
|
ctx.set('Access-Control-Allow-Origin', config.url);
|
|
|
|
|
ctx.set('Access-Control-Allow-Credentials', 'true');
|
2016-12-28 22:49:51 +00:00
|
|
|
|
2018-07-23 04:56:25 +00:00
|
|
|
const body = ctx.request.body as any;
|
2022-11-08 18:40:58 +00:00
|
|
|
const { username, password, token } = body;
|
2016-12-28 22:49:51 +00:00
|
|
|
|
2022-12-19 19:12:24 +00:00
|
|
|
function error(e: keyof errors, info?: Record<string, any>): void {
|
|
|
|
|
new ApiError(e, info).apply(ctx, 'signin');
|
2021-09-18 17:23:12 +00:00
|
|
|
}
|
|
|
|
|
|
2022-05-28 03:06:47 +00:00
|
|
|
try {
|
|
|
|
|
// not more than 1 attempt per second and not more than 10 attempts per hour
|
2022-11-20 22:15:22 +00:00
|
|
|
await limiter({ key: 'signin', duration: HOUR, max: 10, minInterval: SECOND }, getIpHash(ctx.ip));
|
2022-05-28 03:06:47 +00:00
|
|
|
} catch (err) {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('RATE_LIMIT_EXCEEDED');
|
2022-05-28 03:06:47 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-03 06:33:22 +00:00
|
|
|
if (typeof username !== 'string') {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('INVALID_PARAM', { param: 'username', reason: 'not a string' });
|
2017-02-22 10:39:34 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-03 06:33:22 +00:00
|
|
|
if (typeof password !== 'string') {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('INVALID_PARAM', { param: 'password', reason: 'not a string' });
|
2017-02-22 10:39:34 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-03 06:33:22 +00:00
|
|
|
if (token != null && typeof token !== 'string') {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('INVALID_PARAM', { param: 'token', reason: 'provided but not a string' });
|
2017-12-08 13:57:58 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-28 22:49:51 +00:00
|
|
|
// Fetch user
|
2022-03-26 06:34:00 +00:00
|
|
|
const user = await Users.findOneBy({
|
2018-03-29 05:48:47 +00:00
|
|
|
usernameLower: username.toLowerCase(),
|
2022-03-26 06:34:00 +00:00
|
|
|
host: IsNull(),
|
2019-04-07 12:50:36 +00:00
|
|
|
}) as ILocalUser;
|
2016-12-28 22:49:51 +00:00
|
|
|
|
2019-04-07 12:50:36 +00:00
|
|
|
if (user == null) {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('NO_SUCH_USER');
|
2016-12-28 22:49:51 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-18 10:57:53 +00:00
|
|
|
if (user.isSuspended) {
|
2022-12-19 19:12:24 +00:00
|
|
|
error('SUSPENDED');
|
2021-07-18 10:57:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-26 06:34:00 +00:00
|
|
|
const profile = await UserProfiles.findOneByOrFail({ userId: user.id });
|
2019-04-10 06:04:27 +00:00
|
|
|
|
2016-12-28 22:49:51 +00:00
|
|
|
// Compare password
|
2022-12-25 14:49:06 +00:00
|
|
|
const same = await comparePassword(password, profile.password!);
|
2016-12-28 22:49:51 +00:00
|
|
|
|
2022-12-29 20:13:47 +00:00
|
|
|
if (same && isOldAlgorithm(profile.password!)) {
|
|
|
|
|
profile.password = await hashPassword(password);
|
|
|
|
|
await UserProfiles.save(profile);
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-08 18:40:58 +00:00
|
|
|
async function fail(): void {
|
2019-07-03 11:18:07 +00:00
|
|
|
// Append signin history
|
2021-03-21 12:27:09 +00:00
|
|
|
await Signins.insert({
|
2019-07-03 11:18:07 +00:00
|
|
|
id: genId(),
|
|
|
|
|
createdAt: new Date(),
|
|
|
|
|
userId: user.id,
|
|
|
|
|
ip: ctx.ip,
|
|
|
|
|
headers: ctx.headers,
|
2021-12-09 14:58:30 +00:00
|
|
|
success: false,
|
2019-07-03 11:18:07 +00:00
|
|
|
});
|
2017-12-08 13:57:58 +00:00
|
|
|
|
2022-12-19 19:12:24 +00:00
|
|
|
error('ACCESS_DENIED');
|
2019-07-03 11:18:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!profile.twoFactorEnabled) {
|
2019-07-06 16:38:36 +00:00
|
|
|
if (same) {
|
|
|
|
|
signin(ctx, user);
|
2019-07-17 20:26:58 +00:00
|
|
|
return;
|
2019-07-06 16:38:36 +00:00
|
|
|
} else {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-17 20:26:58 +00:00
|
|
|
return;
|
2019-07-06 16:38:36 +00:00
|
|
|
}
|
2019-07-03 11:18:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (token) {
|
2019-07-06 16:38:36 +00:00
|
|
|
if (!same) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-06 16:38:36 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-03 11:18:07 +00:00
|
|
|
const verified = (speakeasy as any).totp.verify({
|
|
|
|
|
secret: profile.twoFactorSecret,
|
|
|
|
|
encoding: 'base32',
|
2022-08-03 12:49:55 +00:00
|
|
|
token,
|
2021-12-09 14:58:30 +00:00
|
|
|
window: 2,
|
2019-07-03 11:18:07 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (verified) {
|
2018-04-13 02:44:39 +00:00
|
|
|
signin(ctx, user);
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
|
|
|
|
} else {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
2017-12-08 13:57:58 +00:00
|
|
|
}
|
2019-07-04 22:48:12 +00:00
|
|
|
} else if (body.credentialId) {
|
2019-07-06 16:38:36 +00:00
|
|
|
if (!same && !profile.usePasswordLessLogin) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-06 16:38:36 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-03 11:18:07 +00:00
|
|
|
const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
|
|
|
|
|
const clientData = JSON.parse(clientDataJSON.toString('utf-8'));
|
2022-03-26 06:34:00 +00:00
|
|
|
const challenge = await AttestationChallenges.findOneBy({
|
2019-07-03 11:18:07 +00:00
|
|
|
userId: user.id,
|
|
|
|
|
id: body.challengeId,
|
|
|
|
|
registrationChallenge: false,
|
2021-12-09 14:58:30 +00:00
|
|
|
challenge: hash(clientData.challenge).toString('hex'),
|
2017-03-09 21:42:57 +00:00
|
|
|
});
|
2019-07-03 11:18:07 +00:00
|
|
|
|
|
|
|
|
if (!challenge) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
await AttestationChallenges.delete({
|
|
|
|
|
userId: user.id,
|
2021-12-09 14:58:30 +00:00
|
|
|
id: body.challengeId,
|
2019-07-03 11:18:07 +00:00
|
|
|
});
|
|
|
|
|
|
2022-11-20 22:15:22 +00:00
|
|
|
if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * MINUTE) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-26 06:34:00 +00:00
|
|
|
const securityKey = await UserSecurityKeys.findOneBy({
|
2019-07-03 11:18:07 +00:00
|
|
|
id: Buffer.from(
|
|
|
|
|
body.credentialId
|
2019-07-04 22:48:12 +00:00
|
|
|
.replace(/-/g, '+')
|
2019-07-03 11:18:07 +00:00
|
|
|
.replace(/_/g, '/'),
|
2022-08-10 22:09:29 +00:00
|
|
|
'base64',
|
2021-12-09 14:58:30 +00:00
|
|
|
).toString('hex'),
|
2019-07-03 11:18:07 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!securityKey) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const isValid = verifyLogin({
|
|
|
|
|
publicKey: Buffer.from(securityKey.publicKey, 'hex'),
|
|
|
|
|
authenticatorData: Buffer.from(body.authenticatorData, 'hex'),
|
|
|
|
|
clientDataJSON,
|
|
|
|
|
clientData,
|
|
|
|
|
signature: Buffer.from(body.signature, 'hex'),
|
2021-12-09 14:58:30 +00:00
|
|
|
challenge: challenge.challenge,
|
2019-07-03 11:18:07 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (isValid) {
|
|
|
|
|
signin(ctx, user);
|
2019-07-17 20:26:58 +00:00
|
|
|
return;
|
2019-07-03 11:18:07 +00:00
|
|
|
} else {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-03 11:18:07 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2019-07-04 22:48:12 +00:00
|
|
|
} else {
|
2019-07-06 16:38:36 +00:00
|
|
|
if (!same && !profile.usePasswordLessLogin) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-06 16:38:36 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-26 06:34:00 +00:00
|
|
|
const keys = await UserSecurityKeys.findBy({
|
2021-12-09 14:58:30 +00:00
|
|
|
userId: user.id,
|
2019-07-04 22:48:12 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (keys.length === 0) {
|
2022-11-08 18:40:58 +00:00
|
|
|
await fail();
|
2019-07-17 20:26:58 +00:00
|
|
|
return;
|
2019-07-04 22:48:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 32 byte challenge
|
|
|
|
|
const challenge = randomBytes(32).toString('base64')
|
|
|
|
|
.replace(/=/g, '')
|
|
|
|
|
.replace(/\+/g, '-')
|
|
|
|
|
.replace(/\//g, '_');
|
|
|
|
|
|
|
|
|
|
const challengeId = genId();
|
|
|
|
|
|
2021-03-21 12:27:09 +00:00
|
|
|
await AttestationChallenges.insert({
|
2019-07-04 22:48:12 +00:00
|
|
|
userId: user.id,
|
|
|
|
|
id: challengeId,
|
|
|
|
|
challenge: hash(Buffer.from(challenge, 'utf-8')).toString('hex'),
|
|
|
|
|
createdAt: new Date(),
|
2021-12-09 14:58:30 +00:00
|
|
|
registrationChallenge: false,
|
2019-07-04 22:48:12 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
ctx.body = {
|
|
|
|
|
challenge,
|
|
|
|
|
challengeId,
|
|
|
|
|
securityKeys: keys.map(key => ({
|
2021-12-09 14:58:30 +00:00
|
|
|
id: key.id,
|
|
|
|
|
})),
|
2019-07-04 22:48:12 +00:00
|
|
|
};
|
|
|
|
|
ctx.status = 200;
|
|
|
|
|
return;
|
2016-12-28 22:49:51 +00:00
|
|
|
}
|
2019-07-17 20:26:58 +00:00
|
|
|
// never get here
|
2016-12-28 22:49:51 +00:00
|
|
|
};
|
