feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-12-07 16:32:24 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/internal/ui/login/static/templates/mfa_init_done.html
+++ b/internal/ui/login/static/templates/mfa_init_done.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaInitDone.Description"}}</p>
+    <p>{{t "MFAInitDone.Description"}}</p>
 </div>

 <form action="{{ loginUrl }}" method="POST">
@@ -11,7 +11,7 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .MfaType }}" />
+    <input type="hidden" name="mfaType" value="{{ .MFAType }}" />

    <div class="actions">
        <button class="primary right" type="submit">{{t "Actions.Next"}}</button>
--- a/internal/ui/login/static/templates/mfa_init_u2f.html
+++ b/internal/ui/login/static/templates/mfa_init_u2f.html
@@ -0,0 +1,42 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "MFAInitU2F.Description"}}</p>
+</div>
+
+<form action="{{ mfaInitU2FVerifyUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
+    <input type="hidden" name="credentialCreationData" value="{{ .CredentialCreationData }}" />
+    <input type="hidden" name="credentialData" />
+
+    <div class="fields">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <div class="field">
+            <label class="label" for="name">{{t "WebAuthN.Name"}}</label>
+            <input class="input" type="text" id="name" name="name" autocomplete="off" autofocus>
+        </div>
+        <a id="btn-register" class="button primary wa-support">{{t "Actions.RegisterToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_register.js" }}"></script>
+
+{{template "main-bottom" .}}
+ 
--- a/internal/ui/login/static/templates/mfa_init_verify.html
+++ b/internal/ui/login/static/templates/mfa_init_verify.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaInitVerify.Description"}}</p>
+    <p>{{t "MFAInitVerify.Description"}}</p>
 </div>

 <form action="{{ mfaInitVerifyUrl }}" method="POST">
@@ -11,25 +11,25 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .MfaType }}" />
+    <input type="hidden" name="mfaType" value="{{ .MFAType }}" />
    <input type="hidden" name="url" value="{{ .Url }}" />
    <input type="hidden" name="secret" value="{{ .Secret }}" />

-    {{if (eq .MfaType 0) }}
-        <p>{{t "MfaInitVerify.OtpDescription"}}</p>
+    {{if (eq .MFAType 0) }}
+        <p>{{t "MFAInitVerify.OTPDescription"}}</p>
        <div id="qrcode">
            {{.QrCode}}
        </div>
        <div class="fields">
            <div class="field">
-                <span class="label" for="secret">{{t "MfaInitVerify.Secret"}}</span>
+                <span class="label" for="secret">{{t "MFAInitVerify.Secret"}}</span>
                <span class="input" id="secret">
                    {{.Secret}}
                    <span class="copy material-icons" data-copy="{{ .Secret }}" >content_copy</span>
                </span>
            </div>
            <div class="field">
-               <label class="label" for="code">{{t "MfaInitVerify.Code"}}</label>
+               <label class="label" for="code">{{t "MFAInitVerify.Code"}}</label>
                <input class="input" type="text" id="code" name="code" autocomplete="off" autofocus required>
            </div>
        </div>
@@ -37,7 +37,7 @@

    <div class="actions">
        <button class="primary right" id="submit-button" type="submit">{{t "Actions.Next"}}</button>
-        <a class="button secondary" href="{{ mfaPromptChangeUrl .AuthReqID .MfaType }}">
+        <a class="button secondary" href="{{ mfaPromptChangeUrl .AuthReqID .MFAType }}">
            {{t "Actions.Back"}}
        </a>
        <a class="button secondary" href="{{ loginUrl }}">
--- a/internal/ui/login/static/templates/mfa_prompt.html
+++ b/internal/ui/login/static/templates/mfa_prompt.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaPrompt.Description"}}</p>
+    <p>{{t "MFAPrompt.Description"}}</p>
 </div>

 <form action="{{ mfaPromptUrl }}" method="POST">
@@ -13,8 +13,8 @@
    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
    
    <div class="fields">
-        {{ range $provider := .MfaProviders}}
-        {{ $providerName := (t (printf "MfaPrompt.Provider%v" $provider)) }}
+        {{ range $provider := .MFAProviders}}
+        {{ $providerName := (t (printf "MFAPrompt.Provider%v" $provider)) }}
            <div class="field radio-button">
                <input id="{{ $provider }}" type="radio" name="provider" value="{{ $provider }}">
                <label for="{{ $provider }}">{{ $providerName }}</label>
@@ -24,7 +24,7 @@

    <div class="actions">
        <button class="primary right" type="submit">{{t "Actions.Next"}}</button>
-        {{if not .MfaRequired}}
+        {{if not .MFARequired}}
        <button class="default right" name="skip" value="true" type="submit" formnovalidate>{{t "Actions.Skip"}}</button>
        {{end}}
        <a class="button secondary" href="{{ loginUrl }}">
--- a/internal/ui/login/static/templates/mfa_verification_u2f.html
+++ b/internal/ui/login/static/templates/mfa_verification_u2f.html
@@ -0,0 +1,37 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "MFAVerifyU2F.Description"}}</p>
+</div>
+
+<form action="{{ mfaInitU2FLoginUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}"/>
+    <input type="hidden" name="credentialAssertionData" value="{{ .CredentialCreationData }}"/>
+    <input type="hidden" name="credentialData"/>
+
+    <div id="webauthn">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <a id="btn-login" class="button primary wa-support">{{t "Actions.ValidateToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_login.js" }}"></script>
+
+{{template "main-bottom" .}}
--- a/internal/ui/login/static/templates/mfa_verify.html
+++ b/internal/ui/login/static/templates/mfa_verify.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaVerify.Description"}}</p>
+    <p>{{t "MFAVerify.Description"}}</p>
 </div>

 <form action="{{ mfaVerifyUrl }}" method="POST">
@@ -11,11 +11,11 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .SelectedMfaProvider }}" />
+    <input type="hidden" name="mfaType" value="{{ .SelectedMFAProvider }}" />

    <div class="fields">
        <div class="field">
-            <label class="label" for="code">{{t "MfaVerify.Code"}}</label>
+            <label class="label" for="code">{{t "MFAVerify.Code"}}</label>
            <input class="input" type="text" id="code" name="code" autocomplete="off" autofocus required>
        </div>
    </div>
--- a/internal/ui/login/static/templates/passwordless.html
+++ b/internal/ui/login/static/templates/passwordless.html
@@ -0,0 +1,37 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "Passwordless.Description"}}</p>
+</div>
+
+<form action="{{ passwordLessVerificationUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}"/>
+    <input type="hidden" name="credentialAssertionData" value="{{ .CredentialCreationData }}"/>
+    <input type="hidden" name="credentialData"/>
+
+    <div id="webauthn">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <a id="btn-login" class="button primary wa-support">{{t "Actions.ValidateToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_login.js" }}"></script>
+
+{{template "main-bottom" .}}