2023-05-24 10:22:00 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"io"
|
|
|
|
|
|
|
|
"github.com/zitadel/logging"
|
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
caos_errs "github.com/zitadel/zitadel/internal/errors"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
|
|
"github.com/zitadel/zitadel/internal/repository/user"
|
|
|
|
)
|
|
|
|
|
|
|
|
// RegisterUserPasskey creates a passkey registration for the current authenticated user.
|
2023-06-20 15:34:06 +00:00
|
|
|
// UserID, usually taken from the request is compared against the user ID in the context.
|
2023-06-27 12:36:07 +00:00
|
|
|
func (c *Commands) RegisterUserPasskey(ctx context.Context, userID, resourceOwner, rpID string, authenticator domain.AuthenticatorAttachment) (*domain.WebAuthNRegistrationDetails, error) {
|
2023-05-24 10:22:00 +00:00
|
|
|
if err := authz.UserIDInCTX(ctx, userID); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-06-27 12:36:07 +00:00
|
|
|
return c.registerUserPasskey(ctx, userID, resourceOwner, rpID, authenticator)
|
2023-05-24 10:22:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// RegisterUserPasskeyWithCode registers a new passkey for a unauthenticated user id.
|
|
|
|
// The resource is protected by the code, identified by the codeID.
|
2023-06-27 12:36:07 +00:00
|
|
|
func (c *Commands) RegisterUserPasskeyWithCode(ctx context.Context, userID, resourceOwner string, authenticator domain.AuthenticatorAttachment, codeID, code, rpID string, alg crypto.EncryptionAlgorithm) (*domain.WebAuthNRegistrationDetails, error) {
|
2023-05-24 10:22:00 +00:00
|
|
|
event, err := c.verifyUserPasskeyCode(ctx, userID, resourceOwner, codeID, code, alg)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2023-06-27 12:36:07 +00:00
|
|
|
return c.registerUserPasskey(ctx, userID, resourceOwner, rpID, authenticator, event)
|
2023-05-24 10:22:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type eventCallback func(context.Context, *eventstore.Aggregate) eventstore.Command
|
|
|
|
|
|
|
|
// verifyUserPasskeyCode verifies a passkey code, identified by codeID and userID.
|
|
|
|
// A code can only be used once.
|
|
|
|
// Upon success an event callback is returned, which must be called after
|
|
|
|
// all other events for the current request are created.
|
2023-06-20 15:34:06 +00:00
|
|
|
// This prevents consuming a code when another error occurred after verification.
|
2023-05-24 10:22:00 +00:00
|
|
|
func (c *Commands) verifyUserPasskeyCode(ctx context.Context, userID, resourceOwner, codeID, code string, alg crypto.EncryptionAlgorithm) (eventCallback, error) {
|
|
|
|
wm := NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner)
|
|
|
|
err := c.eventstore.FilterToQueryReducer(ctx, wm)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
err = verifyCryptoCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordlessInitCode, alg, wm.ChangeDate, wm.Expiration, wm.CryptoCode, code)
|
|
|
|
if err != nil || wm.State != domain.PasswordlessInitCodeStateActive {
|
|
|
|
c.verifyUserPasskeyCodeFailed(ctx, wm)
|
|
|
|
return nil, caos_errs.ThrowInvalidArgument(err, "COMMAND-Eeb2a", "Errors.User.Code.Invalid")
|
|
|
|
}
|
|
|
|
return func(ctx context.Context, userAgg *eventstore.Aggregate) eventstore.Command {
|
|
|
|
return user.NewHumanPasswordlessInitCodeCheckSucceededEvent(ctx, userAgg, codeID)
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Commands) verifyUserPasskeyCodeFailed(ctx context.Context, wm *HumanPasswordlessInitCodeWriteModel) {
|
|
|
|
userAgg := UserAggregateFromWriteModel(&wm.WriteModel)
|
|
|
|
_, err := c.eventstore.Push(ctx, user.NewHumanPasswordlessInitCodeCheckFailedEvent(ctx, userAgg, wm.CodeID))
|
|
|
|
logging.WithFields("userID", userAgg.ID).OnError(err).Error("RegisterUserPasskeyWithCode push failed")
|
|
|
|
}
|
|
|
|
|
2023-06-27 12:36:07 +00:00
|
|
|
func (c *Commands) registerUserPasskey(ctx context.Context, userID, resourceOwner, rpID string, authenticator domain.AuthenticatorAttachment, events ...eventCallback) (*domain.WebAuthNRegistrationDetails, error) {
|
|
|
|
wm, userAgg, webAuthN, err := c.createUserPasskey(ctx, userID, resourceOwner, rpID, authenticator)
|
2023-05-24 10:22:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return c.pushUserPasskey(ctx, wm, userAgg, webAuthN, events...)
|
|
|
|
}
|
|
|
|
|
2023-06-27 12:36:07 +00:00
|
|
|
func (c *Commands) createUserPasskey(ctx context.Context, userID, resourceOwner, rpID string, authenticator domain.AuthenticatorAttachment) (*HumanWebAuthNWriteModel, *eventstore.Aggregate, *domain.WebAuthNToken, error) {
|
2023-05-24 10:22:00 +00:00
|
|
|
passwordlessTokens, err := c.getHumanPasswordlessTokens(ctx, userID, resourceOwner)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, nil, err
|
|
|
|
}
|
2023-06-27 12:36:07 +00:00
|
|
|
return c.addHumanWebAuthN(ctx, userID, resourceOwner, rpID, passwordlessTokens, authenticator, domain.UserVerificationRequirementRequired)
|
2023-05-24 10:22:00 +00:00
|
|
|
}
|
|
|
|
|
2023-06-15 05:32:40 +00:00
|
|
|
func (c *Commands) pushUserPasskey(ctx context.Context, wm *HumanWebAuthNWriteModel, userAgg *eventstore.Aggregate, webAuthN *domain.WebAuthNToken, events ...eventCallback) (*domain.WebAuthNRegistrationDetails, error) {
|
2023-05-24 10:22:00 +00:00
|
|
|
cmds := make([]eventstore.Command, len(events)+1)
|
2023-06-27 12:36:07 +00:00
|
|
|
cmds[0] = user.NewHumanPasswordlessAddedEvent(ctx, userAgg, wm.WebauthNTokenID, webAuthN.Challenge, webAuthN.RPID)
|
2023-05-24 10:22:00 +00:00
|
|
|
for i, event := range events {
|
|
|
|
cmds[i+1] = event(ctx, userAgg)
|
|
|
|
}
|
|
|
|
|
|
|
|
err := c.pushAppendAndReduce(ctx, wm, cmds...)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-06-15 05:32:40 +00:00
|
|
|
return &domain.WebAuthNRegistrationDetails{
|
2023-05-24 10:22:00 +00:00
|
|
|
ObjectDetails: writeModelToObjectDetails(&wm.WriteModel),
|
2023-06-15 05:32:40 +00:00
|
|
|
ID: wm.WebauthNTokenID,
|
2023-05-24 10:22:00 +00:00
|
|
|
PublicKeyCredentialCreationOptions: webAuthN.CredentialCreationData,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddUserPasskeyCode generates a Passkey code and sends an email
|
|
|
|
// with the default generated URL (pointing to zitadel).
|
|
|
|
func (c *Commands) AddUserPasskeyCode(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm) (*domain.ObjectDetails, error) {
|
|
|
|
details, err := c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, "", false)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return details.ObjectDetails, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddUserPasskeyCodeURLTemplate generates a Passkey code and sends an email
|
|
|
|
// with the URL created from passed template string.
|
|
|
|
// The template is executed as a test, before pushing to the eventstore.
|
|
|
|
func (c *Commands) AddUserPasskeyCodeURLTemplate(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm, urlTmpl string) (*domain.ObjectDetails, error) {
|
|
|
|
if err := domain.RenderPasskeyURLTemplate(io.Discard, urlTmpl, userID, resourceOwner, "codeID", "code"); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
details, err := c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, urlTmpl, false)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return details.ObjectDetails, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddUserPasskeyCodeReturn generates and returns a Passkey code.
|
2023-06-20 15:34:06 +00:00
|
|
|
// No email will be sent to the user.
|
2023-05-24 10:22:00 +00:00
|
|
|
func (c *Commands) AddUserPasskeyCodeReturn(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm) (*domain.PasskeyCodeDetails, error) {
|
|
|
|
return c.addUserPasskeyCode(ctx, userID, resourceOwner, alg, "", true)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Commands) addUserPasskeyCode(ctx context.Context, userID, resourceOwner string, alg crypto.EncryptionAlgorithm, urlTmpl string, returnCode bool) (*domain.PasskeyCodeDetails, error) {
|
|
|
|
codeID, err := c.idGenerator.Next()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
code, err := c.newCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordlessInitCode, alg)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
wm := NewHumanPasswordlessInitCodeWriteModel(userID, codeID, resourceOwner)
|
|
|
|
err = c.eventstore.FilterToQueryReducer(ctx, wm)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
agg := UserAggregateFromWriteModel(&wm.WriteModel)
|
|
|
|
|
|
|
|
cmd := user.NewHumanPasswordlessInitCodeRequestedEvent(ctx, agg, codeID, code.Crypted, code.Expiry, urlTmpl, returnCode)
|
|
|
|
err = c.pushAppendAndReduce(ctx, wm, cmd)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &domain.PasskeyCodeDetails{
|
|
|
|
ObjectDetails: writeModelToObjectDetails(&wm.WriteModel),
|
|
|
|
CodeID: codeID,
|
|
|
|
Code: code.Plain,
|
|
|
|
}, nil
|
|
|
|
}
|