iceshrimp-legacy/packages/backend/src/server/api/private/signin.ts

import type Koa from "koa";
import * as OTPAuth from "otpauth";
import signin from "../common/signin.js";
import config from "@/config/index.js";
import {
	Users,
	Signins,
	UserProfiles,
	UserSecurityKeys,
	AttestationChallenges,
} from "@/models/index.js";
import type { ILocalUser } from "@/models/entities/user.js";
import { genId } from "@/misc/gen-id.js";
import {
	comparePassword,
	hashPassword,
	isOldAlgorithm,
} from "@/misc/password.js";
import { verifyLogin, hash } from "../2fa.js";
import { randomBytes } from "node:crypto";
import { IsNull } from "typeorm";
import { limiter } from "../limiter.js";
import { getIpHash } from "@/misc/get-ip-hash.js";

export default async (ctx: Koa.Context) => {
	ctx.set("Access-Control-Allow-Origin", config.url);
	ctx.set("Access-Control-Allow-Credentials", "true");

	const body = ctx.request.body as any;
	const username = body["username"];
	const password = body["password"];
	const token = body["token"];

	function error(status: number, error: { id: string }) {
		ctx.status = status;
		ctx.body = { error };
	}

	try {
		// not more than 1 attempt per second and not more than 10 attempts per hour
		await limiter(
			{ key: "signin", duration: 60 * 60 * 1000, max: 10, minInterval: 1000 },
			getIpHash(ctx.ip),
		);
	} catch (err) {
		ctx.status = 429;
		ctx.body = {
			error: {
				message: "Too many failed attempts to sign in. Try again later.",
				code: "TOO_MANY_AUTHENTICATION_FAILURES",
				id: "22d05606-fbcf-421a-a2db-b32610dcfd1b",
			},
		};
		return;
	}

	if (typeof username !== "string") {
		ctx.status = 400;
		return;
	}

	if (typeof password !== "string") {
		ctx.status = 400;
		return;
	}

	if (token != null && typeof token !== "string") {
		ctx.status = 400;
		return;
	}

	// Fetch user
	const user = (await Users.findOneBy({
		usernameLower: username.toLowerCase(),
		host: IsNull(),
	})) as ILocalUser;

	if (user == null) {
		error(404, {
			id: "6cc579cc-885d-43d8-95c2-b8c7fc963280",
		});
		return;
	}

	if (user.isSuspended) {
		error(403, {
			id: "e03a5f46-d309-4865-9b69-56282d94e1eb",
		});
		return;
	}

	const profile = await UserProfiles.findOneByOrFail({ userId: user.id });

	// Compare password
	const same = await comparePassword(password, profile.password!);

	if (same && isOldAlgorithm(profile.password!)) {
		profile.password = await hashPassword(password);
		await UserProfiles.save(profile);
	}

	async function fail(status?: number, failure?: { id: string }) {
		// Append signin history
		await Signins.insert({
			id: genId(),
			createdAt: new Date(),
			userId: user.id,
			ip: ctx.ip,
			headers: ctx.headers,
			success: false,
		});

		error(
			status || 500,
			failure || { id: "4e30e80c-e338-45a0-8c8f-44455efa3b76" },
		);
	}

	if (!profile.twoFactorEnabled) {
		if (same) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
			});
			return;
		}
	}

	if (token) {
		if (!same) {
			await fail(403, {
				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
			});
			return;
		}

		if (profile.twoFactorSecret == null) {
			throw new Error("Attempted 2FA signin without 2FA enabled.");
		}

		const delta = OTPAuth.TOTP.validate({
			secret: OTPAuth.Secret.fromBase32(profile.twoFactorSecret),
			digits: 6,
			token,
			window: 1,
		});

		if (delta != null) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: "cdf1235b-ac71-46d4-a3a6-84ccce48df6f",
			});
			return;
		}
	} else if (body.credentialId) {
		if (!(same || profile.usePasswordLessLogin)) {
			await fail(403, {
				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
			});
			return;
		}

		const clientDataJSON = Buffer.from(body.clientDataJSON, "hex");
		const clientData = JSON.parse(clientDataJSON.toString("utf-8"));
		const challenge = await AttestationChallenges.findOneBy({
			userId: user.id,
			id: body.challengeId,
			registrationChallenge: false,
			challenge: hash(clientData.challenge).toString("hex"),
		});

		if (!challenge) {
			await fail(403, {
				id: "2715a88a-2125-4013-932f-aa6fe72792da",
			});
			return;
		}

		await AttestationChallenges.delete({
			userId: user.id,
			id: body.challengeId,
		});

		if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
			await fail(403, {
				id: "2715a88a-2125-4013-932f-aa6fe72792da",
			});
			return;
		}

		const securityKey = await UserSecurityKeys.findOneBy({
			id: Buffer.from(
				body.credentialId.replace(/-/g, "+").replace(/_/g, "/"),
				"base64",
			).toString("hex"),
		});

		if (!securityKey) {
			await fail(403, {
				id: "66269679-aeaf-4474-862b-eb761197e046",
			});
			return;
		}

		const isValid = verifyLogin({
			publicKey: Buffer.from(securityKey.publicKey, "hex"),
			authenticatorData: Buffer.from(body.authenticatorData, "hex"),
			clientDataJSON,
			clientData,
			signature: Buffer.from(body.signature, "hex"),
			challenge: challenge.challenge,
		});

		if (isValid) {
			signin(ctx, user);
			return;
		} else {
			await fail(403, {
				id: "93b86c4b-72f9-40eb-9815-798928603d1e",
			});
			return;
		}
	} else {
		if (!(same || profile.usePasswordLessLogin)) {
			await fail(403, {
				id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
			});
			return;
		}

		const keys = await UserSecurityKeys.findBy({
			userId: user.id,
		});

		if (keys.length === 0) {
			await fail(403, {
				id: "f27fd449-9af4-4841-9249-1f989b9fa4a4",
			});
			return;
		}

		// 32 byte challenge
		const challenge = randomBytes(32)
			.toString("base64")
			.replace(/=/g, "")
			.replace(/\+/g, "-")
			.replace(/\//g, "_");

		const challengeId = genId();

		await AttestationChallenges.insert({
			userId: user.id,
			id: challengeId,
			challenge: hash(Buffer.from(challenge, "utf-8")).toString("hex"),
			createdAt: new Date(),
			registrationChallenge: false,
		});

		ctx.body = {
			challenge,
			challengeId,
			securityKeys: keys.map((key) => ({
				id: key.id,
			})),
		};
		ctx.status = 200;
		return;
	}
	// never get here
};