feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/internal/iam/model/iam.go
+++ b/internal/iam/model/iam.go
@@ -14,6 +14,7 @@ const (
 	Step5
 	Step6
 	Step7
+	Step8
 	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
 	StepCount
 )
--- a/internal/iam/model/login_policy.go
+++ b/internal/iam/model/login_policy.go
@@ -16,6 +16,7 @@ type LoginPolicy struct {
 	ForceMFA              bool
 	SecondFactors         []SecondFactorType
 	MultiFactors          []MultiFactorType
+	PasswordlessType      PasswordlessType
 }

 type IDPProvider struct {
@@ -53,6 +54,13 @@ const (
 	MultiFactorTypeU2FWithPIN
 )

+type PasswordlessType int32
+
+const (
+	PasswordlessTypeNotAllowed PasswordlessType = iota
+	PasswordlessTypeAllowed
+)
+
 func (p *LoginPolicy) IsValid() bool {
 	return p.ObjectRoot.AggregateID != ""
 }
--- a/internal/iam/model/login_policy_view.go
+++ b/internal/iam/model/login_policy_view.go
@@ -11,6 +11,7 @@ type LoginPolicyView struct {
 	AllowRegister         bool
 	AllowExternalIDP      bool
 	ForceMFA              bool
+	PasswordlessType      PasswordlessType
 	SecondFactors         []SecondFactorType
 	MultiFactors          []MultiFactorType
 	Default               bool
--- a/internal/iam/repository/eventsourcing/eventstore_mock_test.go
+++ b/internal/iam/repository/eventsourcing/eventstore_mock_test.go
@@ -127,8 +127,8 @@ func GetMockManipulateIAMWithLoginPolicy(ctrl *gomock.Controller) *IAMEventstore
 func GetMockManipulateIAMWithLoginPolicyWithMFAs(ctrl *gomock.Controller) *IAMEventstore {
 	policyData, _ := json.Marshal(model.LoginPolicy{AllowRegister: true, AllowUsernamePassword: true, AllowExternalIdp: true})
 	idpProviderData, _ := json.Marshal(model.IDPProvider{IDPConfigID: "IDPConfigID", Type: 1})
-	secondFactor, _ := json.Marshal(model.MFA{MfaType: int32(model2.SecondFactorTypeOTP)})
-	multiFactor, _ := json.Marshal(model.MFA{MfaType: int32(model2.MultiFactorTypeU2FWithPIN)})
+	secondFactor, _ := json.Marshal(model.MFA{MFAType: int32(model2.SecondFactorTypeOTP)})
+	multiFactor, _ := json.Marshal(model.MFA{MFAType: int32(model2.MultiFactorTypeU2FWithPIN)})
 	events := []*es_models.Event{
 		{AggregateID: "AggregateID", Sequence: 1, Type: model.IAMSetupStarted},
 		{AggregateID: "AggregateID", Sequence: 1, Type: model.LoginPolicyAdded, Data: policyData},
--- a/internal/iam/repository/eventsourcing/iam.go
+++ b/internal/iam/repository/eventsourcing/iam.go
@@ -359,7 +359,7 @@ func LoginPolicySecondFactorAddedAggregate(aggCreator *es_models.AggregateCreato
 			AggregateTypeFilter(model.IAMAggregate).
 			AggregateIDFilter(existing.AggregateID)

-		validation := checkExistingLoginPolicySecondFactorValidation(mfa.MfaType)
+		validation := checkExistingLoginPolicySecondFactorValidation(mfa.MFAType)
 		agg.SetPrecondition(validationQuery, validation)
 		return agg.AppendEvent(model.LoginPolicySecondFactorAdded, mfa)
 	}
@@ -391,7 +391,7 @@ func LoginPolicyMultiFactorAddedAggregate(aggCreator *es_models.AggregateCreator
 			AggregateTypeFilter(model.IAMAggregate).
 			AggregateIDFilter(existing.AggregateID)

-		validation := checkExistingLoginPolicyMultiFactorValidation(mfa.MfaType)
+		validation := checkExistingLoginPolicyMultiFactorValidation(mfa.MFAType)
 		agg.SetPrecondition(validationQuery, validation)
 		return agg.AppendEvent(model.LoginPolicyMultiFactorAdded, mfa)
 	}
@@ -689,7 +689,7 @@ func checkExistingLoginPolicySecondFactorValidation(mfaType int32) func(...*es_m
 				if err != nil {
 					return err
 				}
-				mfas = append(mfas, idp.MfaType)
+				mfas = append(mfas, idp.MFAType)
 			case model.LoginPolicySecondFactorRemoved:
 				mfa := new(model.MFA)
 				err := mfa.SetData(event)
@@ -697,7 +697,7 @@ func checkExistingLoginPolicySecondFactorValidation(mfaType int32) func(...*es_m
 					return err
 				}
 				for i := len(mfas) - 1; i >= 0; i-- {
-					if mfas[i] == mfa.MfaType {
+					if mfas[i] == mfa.MFAType {
 						mfas[i] = mfas[len(mfas)-1]
 						mfas[len(mfas)-1] = 0
 						mfas = mfas[:len(mfas)-1]
@@ -726,7 +726,7 @@ func checkExistingLoginPolicyMultiFactorValidation(mfaType int32) func(...*es_mo
 				if err != nil {
 					return err
 				}
-				mfas = append(mfas, idp.MfaType)
+				mfas = append(mfas, idp.MFAType)
 			case model.LoginPolicyMultiFactorRemoved:
 				mfa := new(model.MFA)
 				err := mfa.SetData(event)
@@ -734,7 +734,7 @@ func checkExistingLoginPolicyMultiFactorValidation(mfaType int32) func(...*es_mo
 					return err
 				}
 				for i := len(mfas) - 1; i >= 0; i-- {
-					if mfas[i] == mfa.MfaType {
+					if mfas[i] == mfa.MFAType {
 						mfas[i] = mfas[len(mfas)-1]
 						mfas[len(mfas)-1] = 0
 						mfas = mfas[:len(mfas)-1]
--- a/internal/iam/repository/eventsourcing/iam_test.go
+++ b/internal/iam/repository/eventsourcing/iam_test.go
@@ -1497,7 +1497,7 @@ func TestLoginPolicySecondFactorAddedAggregate(t *testing.T) {
 						AllowUsernamePassword: true,
 					}},
 				newMFA: &model.MFA{
-					MfaType: int32(iam_model.SecondFactorTypeOTP),
+					MFAType: int32(iam_model.SecondFactorTypeOTP),
 				},
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
@@ -1587,7 +1587,7 @@ func TestLoginPolicySecondFactorRemovedAggregate(t *testing.T) {
 						},
 					}},
 				mfa: &model.MFA{
-					MfaType: int32(iam_model.SecondFactorTypeOTP),
+					MFAType: int32(iam_model.SecondFactorTypeOTP),
 				},
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
@@ -1674,7 +1674,7 @@ func TestLoginPolicyMultiFactorAddedAggregate(t *testing.T) {
 						AllowUsernamePassword: true,
 					}},
 				newMFA: &model.MFA{
-					MfaType: int32(iam_model.MultiFactorTypeU2FWithPIN),
+					MFAType: int32(iam_model.MultiFactorTypeU2FWithPIN),
 				},
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
@@ -1764,7 +1764,7 @@ func TestLoginPolicyMultiFactorRemovedAggregate(t *testing.T) {
 						},
 					}},
 				mfa: &model.MFA{
-					MfaType: int32(iam_model.SecondFactorTypeOTP),
+					MFAType: int32(iam_model.SecondFactorTypeOTP),
 				},
 				aggCreator: models.NewAggregateCreator("Test"),
 			},
--- a/internal/iam/repository/eventsourcing/model/login_policy.go
+++ b/internal/iam/repository/eventsourcing/model/login_policy.go
@@ -14,7 +14,8 @@ type LoginPolicy struct {
 	AllowUsernamePassword bool           `json:"allowUsernamePassword"`
 	AllowRegister         bool           `json:"allowRegister"`
 	AllowExternalIdp      bool           `json:"allowExternalIdp"`
-	ForceMFA              bool           `json:"forceMfa"`
+	ForceMFA              bool           `json:"forceMFA"`
+	PasswordlessType      int32          `json:"passwordlessType"`
 	IDPProviders          []*IDPProvider `json:"-"`
 	SecondFactors         []int32        `json:"-"`
 	MultiFactors          []int32        `json:"-"`
@@ -31,7 +32,7 @@ type IDPProviderID struct {
 }

 type MFA struct {
-	MfaType int32 `json:"mfaType"`
+	MFAType int32 `json:"mfaType"`
 }

 func GetIDPProvider(providers []*IDPProvider, id string) (int, *IDPProvider) {
@@ -65,6 +66,7 @@ func LoginPolicyToModel(policy *LoginPolicy) *iam_model.LoginPolicy {
 		ForceMFA:              policy.ForceMFA,
 		SecondFactors:         secondFactors,
 		MultiFactors:          multiFactors,
+		PasswordlessType:      iam_model.PasswordlessType(policy.PasswordlessType),
 	}
 }

@@ -82,6 +84,7 @@ func LoginPolicyFromModel(policy *iam_model.LoginPolicy) *LoginPolicy {
 		ForceMFA:              policy.ForceMFA,
 		SecondFactors:         secondFactors,
 		MultiFactors:          multiFactors,
+		PasswordlessType:      int32(policy.PasswordlessType),
 	}
 }

@@ -126,7 +129,7 @@ func SecondFactorsFromModel(mfas []iam_model.SecondFactorType) []int32 {
 }

 func SecondFactorFromModel(mfa iam_model.SecondFactorType) *MFA {
-	return &MFA{MfaType: int32(mfa)}
+	return &MFA{MFAType: int32(mfa)}
 }

 func SecondFactorsToModel(mfas []int32) []iam_model.SecondFactorType {
@@ -146,7 +149,7 @@ func MultiFactorsFromModel(mfas []iam_model.MultiFactorType) []int32 {
 }

 func MultiFactorFromModel(mfa iam_model.MultiFactorType) *MFA {
-	return &MFA{MfaType: int32(mfa)}
+	return &MFA{MFAType: int32(mfa)}
 }

 func MultiFactorsToModel(mfas []int32) []iam_model.MultiFactorType {
@@ -172,6 +175,9 @@ func (p *LoginPolicy) Changes(changed *LoginPolicy) map[string]interface{} {
 	if changed.ForceMFA != p.ForceMFA {
 		changes["forceMFA"] = changed.ForceMFA
 	}
+	if changed.PasswordlessType != p.PasswordlessType {
+		changes["passwordlessType"] = changed.PasswordlessType
+	}
 	return changes
 }

@@ -221,7 +227,7 @@ func (iam *IAM) appendAddSecondFactorToLoginPolicyEvent(event *es_models.Event)
 	if err != nil {
 		return err
 	}
-	iam.DefaultLoginPolicy.SecondFactors = append(iam.DefaultLoginPolicy.SecondFactors, mfa.MfaType)
+	iam.DefaultLoginPolicy.SecondFactors = append(iam.DefaultLoginPolicy.SecondFactors, mfa.MFAType)
 	return nil
 }

@@ -231,7 +237,7 @@ func (iam *IAM) appendRemoveSecondFactorFromLoginPolicyEvent(event *es_models.Ev
 	if err != nil {
 		return err
 	}
-	if i, m := GetMFA(iam.DefaultLoginPolicy.SecondFactors, mfa.MfaType); m != 0 {
+	if i, m := GetMFA(iam.DefaultLoginPolicy.SecondFactors, mfa.MFAType); m != 0 {
 		iam.DefaultLoginPolicy.SecondFactors[i] = iam.DefaultLoginPolicy.SecondFactors[len(iam.DefaultLoginPolicy.SecondFactors)-1]
 		iam.DefaultLoginPolicy.SecondFactors[len(iam.DefaultLoginPolicy.SecondFactors)-1] = 0
 		iam.DefaultLoginPolicy.SecondFactors = iam.DefaultLoginPolicy.SecondFactors[:len(iam.DefaultLoginPolicy.SecondFactors)-1]
@@ -246,7 +252,7 @@ func (iam *IAM) appendAddMultiFactorToLoginPolicyEvent(event *es_models.Event) e
 	if err != nil {
 		return err
 	}
-	iam.DefaultLoginPolicy.MultiFactors = append(iam.DefaultLoginPolicy.MultiFactors, mfa.MfaType)
+	iam.DefaultLoginPolicy.MultiFactors = append(iam.DefaultLoginPolicy.MultiFactors, mfa.MFAType)
 	return nil
 }

@@ -256,7 +262,7 @@ func (iam *IAM) appendRemoveMultiFactorFromLoginPolicyEvent(event *es_models.Eve
 	if err != nil {
 		return err
 	}
-	if i, m := GetMFA(iam.DefaultLoginPolicy.MultiFactors, mfa.MfaType); m != 0 {
+	if i, m := GetMFA(iam.DefaultLoginPolicy.MultiFactors, mfa.MFAType); m != 0 {
 		iam.DefaultLoginPolicy.MultiFactors[i] = iam.DefaultLoginPolicy.MultiFactors[len(iam.DefaultLoginPolicy.MultiFactors)-1]
 		iam.DefaultLoginPolicy.MultiFactors[len(iam.DefaultLoginPolicy.MultiFactors)-1] = 0
 		iam.DefaultLoginPolicy.MultiFactors = iam.DefaultLoginPolicy.MultiFactors[:len(iam.DefaultLoginPolicy.MultiFactors)-1]
--- a/internal/iam/repository/eventsourcing/model/login_policy_test.go
+++ b/internal/iam/repository/eventsourcing/model/login_policy_test.go
@@ -275,7 +275,7 @@ func TestAppendAddSecondFactorToPolicyEvent(t *testing.T) {
 			name: "append add second factor to login policy event",
 			args: args{
 				iam:   &IAM{DefaultLoginPolicy: &LoginPolicy{AllowExternalIdp: true, AllowRegister: true, AllowUsernamePassword: true}},
-				mfa:   &MFA{MfaType: int32(model.SecondFactorTypeOTP)},
+				mfa:   &MFA{MFAType: int32(model.SecondFactorTypeOTP)},
 				event: &es_models.Event{},
 			},
 			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
@@ -294,7 +294,7 @@ func TestAppendAddSecondFactorToPolicyEvent(t *testing.T) {
 			if len(tt.result.DefaultLoginPolicy.SecondFactors) != len(tt.args.iam.DefaultLoginPolicy.SecondFactors) {
 				t.Errorf("got wrong second factors len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.SecondFactors), len(tt.args.iam.DefaultLoginPolicy.SecondFactors))
 			}
-			if tt.result.DefaultLoginPolicy.SecondFactors[0] != tt.args.mfa.MfaType {
+			if tt.result.DefaultLoginPolicy.SecondFactors[0] != tt.args.mfa.MFAType {
 				t.Errorf("got wrong second factor: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.SecondFactors[0], tt.args.mfa)
 			}
 		})
@@ -320,7 +320,7 @@ func TestRemoveSecondFactorToPolicyEvent(t *testing.T) {
 						SecondFactors: []int32{
 							int32(model.SecondFactorTypeOTP),
 						}}},
-				mfa:   &MFA{MfaType: int32(model.SecondFactorTypeOTP)},
+				mfa:   &MFA{MFAType: int32(model.SecondFactorTypeOTP)},
 				event: &es_models.Event{},
 			},
 			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
@@ -359,7 +359,7 @@ func TestAppendAddMultiFactorToPolicyEvent(t *testing.T) {
 			name: "append add mfa to login policy event",
 			args: args{
 				iam:   &IAM{DefaultLoginPolicy: &LoginPolicy{AllowExternalIdp: true, AllowRegister: true, AllowUsernamePassword: true}},
-				mfa:   &MFA{MfaType: int32(model.MultiFactorTypeU2FWithPIN)},
+				mfa:   &MFA{MFAType: int32(model.MultiFactorTypeU2FWithPIN)},
 				event: &es_models.Event{},
 			},
 			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
@@ -378,7 +378,7 @@ func TestAppendAddMultiFactorToPolicyEvent(t *testing.T) {
 			if len(tt.result.DefaultLoginPolicy.MultiFactors) != len(tt.args.iam.DefaultLoginPolicy.MultiFactors) {
 				t.Errorf("got wrong mfas len: expected: %v, actual: %v ", len(tt.result.DefaultLoginPolicy.MultiFactors), len(tt.args.iam.DefaultLoginPolicy.MultiFactors))
 			}
-			if tt.result.DefaultLoginPolicy.MultiFactors[0] != tt.args.mfa.MfaType {
+			if tt.result.DefaultLoginPolicy.MultiFactors[0] != tt.args.mfa.MFAType {
 				t.Errorf("got wrong mfa: expected: %v, actual: %v ", tt.result.DefaultLoginPolicy.MultiFactors[0], tt.args.mfa)
 			}
 		})
@@ -404,7 +404,7 @@ func TestRemoveMultiFactorToPolicyEvent(t *testing.T) {
 						MultiFactors: []int32{
 							int32(model.MultiFactorTypeU2FWithPIN),
 						}}},
-				mfa:   &MFA{MfaType: int32(model.MultiFactorTypeU2FWithPIN)},
+				mfa:   &MFA{MFAType: int32(model.MultiFactorTypeU2FWithPIN)},
 				event: &es_models.Event{},
 			},
 			result: &IAM{DefaultLoginPolicy: &LoginPolicy{
--- a/internal/iam/repository/view/model/login_policy.go
+++ b/internal/iam/repository/view/model/login_policy.go
@@ -28,6 +28,7 @@ type LoginPolicyView struct {
 	AllowUsernamePassword bool          `json:"allowUsernamePassword" gorm:"column:allow_username_password"`
 	AllowExternalIDP      bool          `json:"allowExternalIdp" gorm:"column:allow_external_idp"`
 	ForceMFA              bool          `json:"forceMFA" gorm:"column:force_mfa"`
+	PasswordlessType      int32         `json:"passwordlessType" gorm:"column:passwordless_type"`
 	SecondFactors         pq.Int64Array `json:"-" gorm:"column:second_factors"`
 	MultiFactors          pq.Int64Array `json:"-" gorm:"column:multi_factors"`
 	Default               bool          `json:"-" gorm:"-"`
@@ -45,6 +46,7 @@ func LoginPolicyViewFromModel(policy *model.LoginPolicyView) *LoginPolicyView {
 		AllowExternalIDP:      policy.AllowExternalIDP,
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		ForceMFA:              policy.ForceMFA,
+		PasswordlessType:      int32(policy.PasswordlessType),
 		SecondFactors:         secondFactorsFromModel(policy.SecondFactors),
 		MultiFactors:          multiFactorsFromModel(policy.MultiFactors),
 		Default:               policy.Default,
@@ -77,6 +79,7 @@ func LoginPolicyViewToModel(policy *LoginPolicyView) *model.LoginPolicyView {
 		AllowExternalIDP:      policy.AllowExternalIDP,
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		ForceMFA:              policy.ForceMFA,
+		PasswordlessType:      model.PasswordlessType(policy.PasswordlessType),
 		SecondFactors:         secondFactorsToModel(policy.SecondFactors),
 		MultiFactors:          multiFactorsToToModel(policy.MultiFactors),
 		Default:               policy.Default,
@@ -115,7 +118,7 @@ func (p *LoginPolicyView) AppendEvent(event *models.Event) (err error) {
 		if err != nil {
 			return err
 		}
-		p.SecondFactors = append(p.SecondFactors, int64(mfa.MfaType))
+		p.SecondFactors = append(p.SecondFactors, int64(mfa.MFAType))
 	case es_model.LoginPolicySecondFactorRemoved, org_es_model.LoginPolicySecondFactorRemoved:
 		err = p.removeSecondFactor(event)
 	case es_model.LoginPolicyMultiFactorAdded, org_es_model.LoginPolicyMultiFactorAdded:
@@ -124,7 +127,7 @@ func (p *LoginPolicyView) AppendEvent(event *models.Event) (err error) {
 		if err != nil {
 			return err
 		}
-		p.MultiFactors = append(p.MultiFactors, int64(mfa.MfaType))
+		p.MultiFactors = append(p.MultiFactors, int64(mfa.MFAType))
 	case es_model.LoginPolicyMultiFactorRemoved, org_es_model.LoginPolicyMultiFactorRemoved:
 		err = p.removeMultiFactor(event)
 	}
@@ -150,7 +153,7 @@ func (p *LoginPolicyView) removeSecondFactor(event *models.Event) error {
 		return err
 	}
 	for i := len(p.SecondFactors) - 1; i >= 0; i-- {
-		if p.SecondFactors[i] == int64(mfa.MfaType) {
+		if p.SecondFactors[i] == int64(mfa.MFAType) {
 			copy(p.SecondFactors[i:], p.SecondFactors[i+1:])
 			p.SecondFactors[len(p.SecondFactors)-1] = 0
 			p.SecondFactors = p.SecondFactors[:len(p.SecondFactors)-1]
@@ -167,7 +170,7 @@ func (p *LoginPolicyView) removeMultiFactor(event *models.Event) error {
 		return err
 	}
 	for i := len(p.MultiFactors) - 1; i >= 0; i-- {
-		if p.MultiFactors[i] == int64(mfa.MfaType) {
+		if p.MultiFactors[i] == int64(mfa.MFAType) {
 			copy(p.MultiFactors[i:], p.MultiFactors[i+1:])
 			p.MultiFactors[len(p.MultiFactors)-1] = 0
 			p.MultiFactors = p.MultiFactors[:len(p.MultiFactors)-1]