2023-01-13 05:40:33 +01:00
|
|
|
import type Koa from "koa";
|
2023-06-16 01:12:32 +02:00
|
|
|
import * as OTPAuth from "otpauth";
|
2023-01-13 05:40:33 +01:00
|
|
|
import signin from "../common/signin.js";
|
|
|
|
import config from "@/config/index.js";
|
|
|
|
import {
|
|
|
|
Users,
|
|
|
|
Signins,
|
|
|
|
UserProfiles,
|
|
|
|
UserSecurityKeys,
|
|
|
|
AttestationChallenges,
|
|
|
|
} from "@/models/index.js";
|
|
|
|
import type { ILocalUser } from "@/models/entities/user.js";
|
|
|
|
import { genId } from "@/misc/gen-id.js";
|
2023-03-31 04:10:03 +02:00
|
|
|
import {
|
|
|
|
comparePassword,
|
|
|
|
hashPassword,
|
|
|
|
isOldAlgorithm,
|
|
|
|
} from "@/misc/password.js";
|
2023-01-13 05:40:33 +01:00
|
|
|
import { verifyLogin, hash } from "../2fa.js";
|
|
|
|
import { randomBytes } from "node:crypto";
|
|
|
|
import { IsNull } from "typeorm";
|
|
|
|
import { limiter } from "../limiter.js";
|
|
|
|
import { getIpHash } from "@/misc/get-ip-hash.js";
|
2016-12-28 23:49:51 +01:00
|
|
|
|
2019-11-24 09:09:32 +01:00
|
|
|
export default async (ctx: Koa.Context) => {
|
2023-01-13 05:40:33 +01:00
|
|
|
ctx.set("Access-Control-Allow-Origin", config.url);
|
|
|
|
ctx.set("Access-Control-Allow-Credentials", "true");
|
2016-12-28 23:49:51 +01:00
|
|
|
|
2018-07-23 06:56:25 +02:00
|
|
|
const body = ctx.request.body as any;
|
2023-01-13 05:40:33 +01:00
|
|
|
const username = body["username"];
|
|
|
|
const password = body["password"];
|
|
|
|
const token = body["token"];
|
2016-12-28 23:49:51 +01:00
|
|
|
|
2021-09-18 19:23:12 +02:00
|
|
|
function error(status: number, error: { id: string }) {
|
|
|
|
ctx.status = status;
|
|
|
|
ctx.body = { error };
|
|
|
|
}
|
|
|
|
|
2022-05-28 05:06:47 +02:00
|
|
|
try {
|
|
|
|
// not more than 1 attempt per second and not more than 10 attempts per hour
|
2023-01-13 05:40:33 +01:00
|
|
|
await limiter(
|
|
|
|
{ key: "signin", duration: 60 * 60 * 1000, max: 10, minInterval: 1000 },
|
|
|
|
getIpHash(ctx.ip),
|
|
|
|
);
|
2022-05-28 05:06:47 +02:00
|
|
|
} catch (err) {
|
|
|
|
ctx.status = 429;
|
|
|
|
ctx.body = {
|
|
|
|
error: {
|
2023-01-13 05:40:33 +01:00
|
|
|
message: "Too many failed attempts to sign in. Try again later.",
|
|
|
|
code: "TOO_MANY_AUTHENTICATION_FAILURES",
|
|
|
|
id: "22d05606-fbcf-421a-a2db-b32610dcfd1b",
|
2022-05-28 05:06:47 +02:00
|
|
|
},
|
|
|
|
};
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-01-13 05:40:33 +01:00
|
|
|
if (typeof username !== "string") {
|
2018-04-12 23:06:18 +02:00
|
|
|
ctx.status = 400;
|
2017-02-22 11:39:34 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-01-13 05:40:33 +01:00
|
|
|
if (typeof password !== "string") {
|
2018-04-12 23:06:18 +02:00
|
|
|
ctx.status = 400;
|
2017-02-22 11:39:34 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-01-13 05:40:33 +01:00
|
|
|
if (token != null && typeof token !== "string") {
|
2018-04-12 23:06:18 +02:00
|
|
|
ctx.status = 400;
|
2017-12-08 14:57:58 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-12-28 23:49:51 +01:00
|
|
|
// Fetch user
|
2023-01-13 05:40:33 +01:00
|
|
|
const user = (await Users.findOneBy({
|
2018-03-29 07:48:47 +02:00
|
|
|
usernameLower: username.toLowerCase(),
|
2022-03-26 07:34:00 +01:00
|
|
|
host: IsNull(),
|
2023-01-13 05:40:33 +01:00
|
|
|
})) as ILocalUser;
|
2016-12-28 23:49:51 +01:00
|
|
|
|
2019-04-07 14:50:36 +02:00
|
|
|
if (user == null) {
|
2021-09-18 19:23:12 +02:00
|
|
|
error(404, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "6cc579cc-885d-43d8-95c2-b8c7fc963280",
|
2017-03-09 22:42:57 +01:00
|
|
|
});
|
2016-12-28 23:49:51 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-07-18 12:57:53 +02:00
|
|
|
if (user.isSuspended) {
|
2021-09-18 19:23:12 +02:00
|
|
|
error(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "e03a5f46-d309-4865-9b69-56282d94e1eb",
|
2021-07-18 12:57:53 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2022-03-26 07:34:00 +01:00
|
|
|
const profile = await UserProfiles.findOneByOrFail({ userId: user.id });
|
2019-04-10 08:04:27 +02:00
|
|
|
|
2016-12-28 23:49:51 +01:00
|
|
|
// Compare password
|
2023-03-31 04:09:44 +02:00
|
|
|
const same = await comparePassword(password, profile.password!);
|
|
|
|
|
|
|
|
if (same && isOldAlgorithm(profile.password!)) {
|
|
|
|
profile.password = await hashPassword(password);
|
|
|
|
await UserProfiles.save(profile);
|
|
|
|
}
|
2016-12-28 23:49:51 +01:00
|
|
|
|
2021-09-18 19:23:12 +02:00
|
|
|
async function fail(status?: number, failure?: { id: string }) {
|
2019-07-03 13:18:07 +02:00
|
|
|
// Append signin history
|
2021-03-21 13:27:09 +01:00
|
|
|
await Signins.insert({
|
2019-07-03 13:18:07 +02:00
|
|
|
id: genId(),
|
|
|
|
createdAt: new Date(),
|
|
|
|
userId: user.id,
|
|
|
|
ip: ctx.ip,
|
|
|
|
headers: ctx.headers,
|
2021-12-09 15:58:30 +01:00
|
|
|
success: false,
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
2017-12-08 14:57:58 +01:00
|
|
|
|
2023-01-13 05:40:33 +01:00
|
|
|
error(
|
|
|
|
status || 500,
|
|
|
|
failure || { id: "4e30e80c-e338-45a0-8c8f-44455efa3b76" },
|
|
|
|
);
|
2019-07-03 13:18:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!profile.twoFactorEnabled) {
|
2019-07-06 18:38:36 +02:00
|
|
|
if (same) {
|
|
|
|
signin(ctx, user);
|
2019-07-17 22:26:58 +02:00
|
|
|
return;
|
2019-07-06 18:38:36 +02:00
|
|
|
} else {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
|
2019-07-06 18:38:36 +02:00
|
|
|
});
|
2019-07-17 22:26:58 +02:00
|
|
|
return;
|
2019-07-06 18:38:36 +02:00
|
|
|
}
|
2019-07-03 13:18:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (token) {
|
2019-07-06 18:38:36 +02:00
|
|
|
if (!same) {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
|
2019-07-06 18:38:36 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-06-16 01:12:32 +02:00
|
|
|
if (profile.twoFactorSecret == null) {
|
|
|
|
throw new Error("Attempted 2FA signin without 2FA enabled.");
|
|
|
|
}
|
|
|
|
|
|
|
|
const delta = OTPAuth.TOTP.validate({
|
|
|
|
secret: OTPAuth.Secret.fromBase32(profile.twoFactorSecret),
|
|
|
|
digits: 6,
|
|
|
|
token,
|
|
|
|
window: 1,
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
|
2023-06-16 01:12:32 +02:00
|
|
|
if (delta != null) {
|
2018-04-13 04:44:39 +02:00
|
|
|
signin(ctx, user);
|
2019-07-03 13:18:07 +02:00
|
|
|
return;
|
|
|
|
} else {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "cdf1235b-ac71-46d4-a3a6-84ccce48df6f",
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
return;
|
2017-12-08 14:57:58 +01:00
|
|
|
}
|
2019-07-05 00:48:12 +02:00
|
|
|
} else if (body.credentialId) {
|
2023-01-13 05:40:33 +01:00
|
|
|
if (!(same || profile.usePasswordLessLogin)) {
|
2019-07-06 18:38:36 +02:00
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
|
2019-07-06 18:38:36 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-01-13 05:40:33 +01:00
|
|
|
const clientDataJSON = Buffer.from(body.clientDataJSON, "hex");
|
|
|
|
const clientData = JSON.parse(clientDataJSON.toString("utf-8"));
|
2022-03-26 07:34:00 +01:00
|
|
|
const challenge = await AttestationChallenges.findOneBy({
|
2019-07-03 13:18:07 +02:00
|
|
|
userId: user.id,
|
|
|
|
id: body.challengeId,
|
|
|
|
registrationChallenge: false,
|
2023-01-13 05:40:33 +01:00
|
|
|
challenge: hash(clientData.challenge).toString("hex"),
|
2017-03-09 22:42:57 +01:00
|
|
|
});
|
2019-07-03 13:18:07 +02:00
|
|
|
|
|
|
|
if (!challenge) {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "2715a88a-2125-4013-932f-aa6fe72792da",
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
await AttestationChallenges.delete({
|
|
|
|
userId: user.id,
|
2021-12-09 15:58:30 +01:00
|
|
|
id: body.challengeId,
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "2715a88a-2125-4013-932f-aa6fe72792da",
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2022-03-26 07:34:00 +01:00
|
|
|
const securityKey = await UserSecurityKeys.findOneBy({
|
2019-07-03 13:18:07 +02:00
|
|
|
id: Buffer.from(
|
2023-01-13 05:40:33 +01:00
|
|
|
body.credentialId.replace(/-/g, "+").replace(/_/g, "/"),
|
|
|
|
"base64",
|
|
|
|
).toString("hex"),
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
if (!securityKey) {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "66269679-aeaf-4474-862b-eb761197e046",
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const isValid = verifyLogin({
|
2023-01-13 05:40:33 +01:00
|
|
|
publicKey: Buffer.from(securityKey.publicKey, "hex"),
|
|
|
|
authenticatorData: Buffer.from(body.authenticatorData, "hex"),
|
2019-07-03 13:18:07 +02:00
|
|
|
clientDataJSON,
|
|
|
|
clientData,
|
2023-01-13 05:40:33 +01:00
|
|
|
signature: Buffer.from(body.signature, "hex"),
|
2021-12-09 15:58:30 +01:00
|
|
|
challenge: challenge.challenge,
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
if (isValid) {
|
|
|
|
signin(ctx, user);
|
2019-07-17 22:26:58 +02:00
|
|
|
return;
|
2019-07-03 13:18:07 +02:00
|
|
|
} else {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "93b86c4b-72f9-40eb-9815-798928603d1e",
|
2019-07-03 13:18:07 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
2019-07-05 00:48:12 +02:00
|
|
|
} else {
|
2023-01-13 05:40:33 +01:00
|
|
|
if (!(same || profile.usePasswordLessLogin)) {
|
2019-07-06 18:38:36 +02:00
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "932c904e-9460-45b7-9ce6-7ed33be7eb2c",
|
2019-07-06 18:38:36 +02:00
|
|
|
});
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2022-03-26 07:34:00 +01:00
|
|
|
const keys = await UserSecurityKeys.findBy({
|
2021-12-09 15:58:30 +01:00
|
|
|
userId: user.id,
|
2019-07-05 00:48:12 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
if (keys.length === 0) {
|
|
|
|
await fail(403, {
|
2023-01-13 05:40:33 +01:00
|
|
|
id: "f27fd449-9af4-4841-9249-1f989b9fa4a4",
|
2019-07-05 00:48:12 +02:00
|
|
|
});
|
2019-07-17 22:26:58 +02:00
|
|
|
return;
|
2019-07-05 00:48:12 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// 32 byte challenge
|
2023-01-13 05:40:33 +01:00
|
|
|
const challenge = randomBytes(32)
|
|
|
|
.toString("base64")
|
|
|
|
.replace(/=/g, "")
|
|
|
|
.replace(/\+/g, "-")
|
|
|
|
.replace(/\//g, "_");
|
2019-07-05 00:48:12 +02:00
|
|
|
|
|
|
|
const challengeId = genId();
|
|
|
|
|
2021-03-21 13:27:09 +01:00
|
|
|
await AttestationChallenges.insert({
|
2019-07-05 00:48:12 +02:00
|
|
|
userId: user.id,
|
|
|
|
id: challengeId,
|
2023-01-13 05:40:33 +01:00
|
|
|
challenge: hash(Buffer.from(challenge, "utf-8")).toString("hex"),
|
2019-07-05 00:48:12 +02:00
|
|
|
createdAt: new Date(),
|
2021-12-09 15:58:30 +01:00
|
|
|
registrationChallenge: false,
|
2019-07-05 00:48:12 +02:00
|
|
|
});
|
|
|
|
|
|
|
|
ctx.body = {
|
|
|
|
challenge,
|
|
|
|
challengeId,
|
2023-01-13 05:40:33 +01:00
|
|
|
securityKeys: keys.map((key) => ({
|
2021-12-09 15:58:30 +01:00
|
|
|
id: key.id,
|
|
|
|
})),
|
2019-07-05 00:48:12 +02:00
|
|
|
};
|
|
|
|
ctx.status = 200;
|
|
|
|
return;
|
2016-12-28 23:49:51 +01:00
|
|
|
}
|
2019-07-17 22:26:58 +02:00
|
|
|
// never get here
|
2016-12-28 23:49:51 +01:00
|
|
|
};
|