feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works

* in memory test for login

* buttons to start webauthn process

* begin eventstore impl

* begin eventstore impl

* serialize into bytes

* fix: u2f, passwordless types

* fix for localhost

* fix script

* fix: u2f, passwordless types

* fix: add u2f

* fix: verify u2f

* fix: session data in event store

* fix: u2f credentials in eventstore

* fix: webauthn pkg handles business models

* feat: tests

* feat: append events

* fix: test

* fix: check only ready webauthn creds

* fix: move u2f methods to authrepo

* frontend improvements

* fix return

* feat: add passwordless

* feat: add passwordless

* improve ui / error handling

* separate call for login

* fix login

* js

* feat: u2f login methods

* feat: remove unused session id

* feat: error handling

* feat: error handling

* feat: refactor user eventstore

* feat: finish webauthn

* feat: u2f and passwordlss in auth.proto

* u2f step

* passwordless step

* cleanup js

* EndpointPasswordLessLogin

* migration

* update mfaChecked test

* next step test

* token name

* cleanup

* attribute

* passwordless as tokens

* remove sms as otp type

* add "user" to amr for webauthn

* error handling

* fixes

* fix tests

* naming

* naming

* fixes

* session handler

* i18n

* error handling in login

* Update internal/ui/login/static/i18n/de.yaml

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* Update internal/ui/login/static/i18n/en.yaml

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* improvements

* merge fixes

* fixes

* fixes

Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

internal/user/model/otp.go

@@ -11,26 +11,27 @@ type OTP struct {
 	Secret       *crypto.CryptoValue
 	SecretString string
 	Url          string
-	State        MfaState
+	State        MFAState
 }
 
-type MfaState int32
+type MFAState int32
 
 const (
-	MfaStateUnspecified MfaState = iota
-	MfaStateNotReady
-	MfaStateReady
+	MFAStateUnspecified MFAState = iota
+	MFAStateNotReady
+	MFAStateReady
 )
 
 type MultiFactor struct {
-	Type  MfaType
-	State MfaState
+	Type      MFAType
+	State     MFAState
+	Attribute string
 }
 
-type MfaType int32
+type MFAType int32
 
 const (
-	MfaTypeUnspecified MfaType = iota
-	MfaTypeOTP
-	MfaTypeSMS
+	MFATypeUnspecified MFAType = iota
+	MFATypeOTP
+	MFATypeU2F
 )

internal/user/model/user_human.go

@@ -1,9 +1,11 @@
 package model
 
 import (
-	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"bytes"
 	"time"
 
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+
 	"github.com/caos/zitadel/internal/crypto"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 )
@@ -14,12 +16,16 @@ type Human struct {
 	*Email
 	*Phone
 	*Address
-	ExternalIDPs []*ExternalIDP
-	InitCode     *InitUserCode
-	EmailCode    *EmailCode
-	PhoneCode    *PhoneCode
-	PasswordCode *PasswordCode
-	OTP          *OTP
+	ExternalIDPs       []*ExternalIDP
+	InitCode           *InitUserCode
+	EmailCode          *EmailCode
+	PhoneCode          *PhoneCode
+	PasswordCode       *PasswordCode
+	OTP                *OTP
+	U2FTokens          []*WebAuthNToken
+	PasswordlessTokens []*WebAuthNToken
+	U2FLogins          []*WebAuthNLogin
+	PasswordlessLogins []*WebAuthNLogin
 }
 
 type InitUserCode struct {
@@ -53,7 +59,7 @@ func (u *Human) IsInitialState() bool {
 }
 
 func (u *Human) IsOTPReady() bool {
-	return u.OTP != nil && u.OTP.State == MfaStateReady
+	return u.OTP != nil && u.OTP.State == MFAStateReady
 }
 
 func (u *Human) HashPasswordIfExisting(policy *iam_model.PasswordComplexityPolicyView, passwordAlg crypto.HashAlgorithm, onetime bool) error {
@@ -105,3 +111,75 @@ func (u *Human) GetExternalIDP(externalIDP *ExternalIDP) (int, *ExternalIDP) {
 	}
 	return -1, nil
 }
+
+func (u *Human) GetU2F(webAuthNTokenID string) (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if u2f.WebAuthNTokenID == webAuthNTokenID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FByKeyID(keyID []byte) (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if bytes.Compare(u2f.KeyID, keyID) == 0 {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FToVerify() (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if u2f.State == MFAStateNotReady {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordless(webAuthNTokenID string) (int, *WebAuthNToken) {
+	for i, u2f := range u.PasswordlessTokens {
+		if u2f.WebAuthNTokenID == webAuthNTokenID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessByKeyID(keyID []byte) (int, *WebAuthNToken) {
+	for i, pwl := range u.PasswordlessTokens {
+		if bytes.Compare(pwl.KeyID, keyID) == 0 {
+			return i, pwl
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessToVerify() (int, *WebAuthNToken) {
+	for i, u2f := range u.PasswordlessTokens {
+		if u2f.State == MFAStateNotReady {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FLogin(authReqID string) (int, *WebAuthNLogin) {
+	for i, u2f := range u.U2FLogins {
+		if u2f.AuthRequest.ID == authReqID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessLogin(authReqID string) (int, *WebAuthNLogin) {
+	for i, pw := range u.PasswordlessLogins {
+		if pw.AuthRequest.ID == authReqID {
+			return i, pw
+		}
+	}
+	return -1, nil
+}

internal/user/model/user_session_view.go

@@ -19,6 +19,7 @@ type UserSessionView struct {
 	DisplayName                  string
 	SelectedIDPConfigID          string
 	PasswordVerification         time.Time
+	PasswordlessVerification     time.Time
 	ExternalLoginVerification    time.Time
 	SecondFactorVerification     time.Time
 	SecondFactorVerificationType req_model.MFAType

internal/user/model/user_view.go

@@ -1,14 +1,15 @@
 package model
 
 import (
-	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"time"
 
+	"golang.org/x/text/language"
+
 	req_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/model"
-	"golang.org/x/text/language"
 )
 
 type UserView struct {
@@ -46,12 +47,20 @@ type HumanView struct {
 	PostalCode             string
 	Region                 string
 	StreetAddress          string
-	OTPState               MfaState
-	MfaMaxSetUp            req_model.MFALevel
-	MfaInitSkipped         time.Time
+	OTPState               MFAState
+	U2FTokens              []*WebAuthNView
+	PasswordlessTokens     []*WebAuthNView
+	MFAMaxSetUp            req_model.MFALevel
+	MFAInitSkipped         time.Time
 	InitRequired           bool
 }
 
+type WebAuthNView struct {
+	TokenID string
+	Name    string
+	State   MFAState
+}
+
 type MachineView struct {
 	LastKeyAdded time.Time
 	Name         string
@@ -108,7 +117,7 @@ func (r *UserSearchRequest) AppendMyOrgQuery(orgID string) {
 	r.Queries = append(r.Queries, &UserSearchQuery{Key: UserSearchKeyResourceOwner, Method: model.SearchMethodEquals, Value: orgID})
 }
 
-func (u *UserView) MfaTypesSetupPossible(level req_model.MFALevel, policy *iam_model.LoginPolicyView) []req_model.MFAType {
+func (u *UserView) MFATypesSetupPossible(level req_model.MFALevel, policy *iam_model.LoginPolicyView) []req_model.MFAType {
 	types := make([]req_model.MFAType, 0)
 	switch level {
 	default:
@@ -118,13 +127,14 @@ func (u *UserView) MfaTypesSetupPossible(level req_model.MFALevel, policy *iam_m
 			for _, mfaType := range policy.SecondFactors {
 				switch mfaType {
 				case iam_model.SecondFactorTypeOTP:
-					if u.OTPState != MfaStateReady {
+					if u.OTPState != MFAStateReady {
 						types = append(types, req_model.MFATypeOTP)
 					}
+				case iam_model.SecondFactorTypeU2F:
+					types = append(types, req_model.MFATypeU2F)
 				}
 			}
 		}
-
 		//PLANNED: add sms
 		fallthrough
 	case req_model.MFALevelMultiFactor:
@@ -132,17 +142,15 @@ func (u *UserView) MfaTypesSetupPossible(level req_model.MFALevel, policy *iam_m
 			for _, mfaType := range policy.MultiFactors {
 				switch mfaType {
 				case iam_model.MultiFactorTypeU2FWithPIN:
-					// TODO: Check if not set up already
-					// types = append(types, req_model.MFATypeU2F)
+					types = append(types, req_model.MFATypeU2FUserVerification)
 				}
 			}
 		}
-		//PLANNED: add token
 	}
 	return types
 }
 
-func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.LoginPolicyView) ([]req_model.MFAType, bool) {
+func (u *UserView) MFATypesAllowed(level req_model.MFALevel, policy *iam_model.LoginPolicyView) ([]req_model.MFAType, bool) {
 	types := make([]req_model.MFAType, 0)
 	required := true
 	switch level {
@@ -154,9 +162,13 @@ func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.L
 			for _, mfaType := range policy.SecondFactors {
 				switch mfaType {
 				case iam_model.SecondFactorTypeOTP:
-					if u.OTPState == MfaStateReady {
+					if u.OTPState == MFAStateReady {
 						types = append(types, req_model.MFATypeOTP)
 					}
+				case iam_model.SecondFactorTypeU2F:
+					if u.IsU2FReady() {
+						types = append(types, req_model.MFATypeU2F)
+					}
 				}
 			}
 		}
@@ -167,8 +179,9 @@ func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.L
 			for _, mfaType := range policy.MultiFactors {
 				switch mfaType {
 				case iam_model.MultiFactorTypeU2FWithPIN:
-					// TODO: Check if not set up already
-					// types = append(types, req_model.MFATypeU2F)
+					if u.IsPasswordlessReady() {
+						types = append(types, req_model.MFATypeU2FUserVerification)
+					}
 				}
 			}
 		}
@@ -177,15 +190,33 @@ func (u *UserView) MfaTypesAllowed(level req_model.MFALevel, policy *iam_model.L
 	return types, required
 }
 
+func (u *UserView) IsU2FReady() bool {
+	for _, token := range u.U2FTokens {
+		if token.State == MFAStateReady {
+			return true
+		}
+	}
+	return false
+}
+
+func (u *UserView) IsPasswordlessReady() bool {
+	for _, token := range u.PasswordlessTokens {
+		if token.State == MFAStateReady {
+			return true
+		}
+	}
+	return false
+}
+
 func (u *UserView) HasRequiredOrgMFALevel(policy *iam_model.LoginPolicyView) bool {
 	if !policy.ForceMFA {
 		return true
 	}
-	switch u.MfaMaxSetUp {
+	switch u.MFAMaxSetUp {
 	case req_model.MFALevelSecondFactor:
 		return policy.HasSecondFactors()
 	case req_model.MFALevelMultiFactor:
-		return true
+		return policy.HasMultiFactors()
 	default:
 		return false
 	}

internal/user/model/web_auth_n.go

@@ -0,0 +1,58 @@
+package model
+
+import (
+	"github.com/caos/zitadel/internal/auth_request/model"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)
+
+type WebAuthNToken struct {
+	es_models.ObjectRoot
+
+	WebAuthNTokenID        string
+	CredentialCreationData []byte
+	State                  MFAState
+	Challenge              string
+	AllowedCredentialIDs   [][]byte
+	UserVerification       UserVerificationRequirement
+	KeyID                  []byte
+	PublicKey              []byte
+	AttestationType        string
+	AAGUID                 []byte
+	SignCount              uint32
+	WebAuthNTokenName      string
+}
+
+type WebAuthNLogin struct {
+	es_models.ObjectRoot
+
+	CredentialAssertionData []byte
+	Challenge               string
+	AllowedCredentialIDs    [][]byte
+	UserVerification        UserVerificationRequirement
+	*model.AuthRequest
+}
+
+type WebAuthNMethod int32
+
+const (
+	WebAuthNMethodUnspecified WebAuthNMethod = iota
+	WebAuthNMethodU2F
+	WebAuthNMethodPasswordless
+)
+
+type UserVerificationRequirement int32
+
+const (
+	UserVerificationRequirementUnspecified UserVerificationRequirement = iota
+	UserVerificationRequirementRequired
+	UserVerificationRequirementPreferred
+	UserVerificationRequirementDiscouraged
+)
+
+type AuthenticatorAttachment int32
+
+const (
+	AuthenticatorAttachmentUnspecified AuthenticatorAttachment = iota
+	AuthenticatorAttachmentPlattform
+	AuthenticatorAttachmentCrossPlattform
+)