feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 19:17:32 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/pkg/grpc/auth/mock/auth.proto.mock.go
+++ b/pkg/grpc/auth/mock/auth.proto.mock.go
@@ -56,6 +56,46 @@ func (mr *MockAuthServiceClientMockRecorder) AddMfaOTP(arg0, arg1 interface{}, a
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMfaOTP), varargs...)
 }

+// AddMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) AddMyMfaU2F(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*auth.WebAuthNResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*auth.WebAuthNResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AddMyMfaU2F indicates an expected call of AddMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) AddMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMyMfaU2F), varargs...)
+}
+
+// AddMyPasswordless mocks base method
+func (m *MockAuthServiceClient) AddMyPasswordless(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*auth.WebAuthNResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*auth.WebAuthNResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AddMyPasswordless indicates an expected call of AddMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) AddMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMyPasswordless), varargs...)
+}
+
 // ChangeMyPassword mocks base method
 func (m *MockAuthServiceClient) ChangeMyPassword(arg0 context.Context, arg1 *auth.PasswordChange, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
@@ -416,6 +456,46 @@ func (mr *MockAuthServiceClientMockRecorder) RemoveMyExternalIDP(arg0, arg1 inte
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyExternalIDP", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyExternalIDP), varargs...)
 }

+// RemoveMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) RemoveMyMfaU2F(arg0 context.Context, arg1 *auth.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "RemoveMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RemoveMyMfaU2F indicates an expected call of RemoveMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) RemoveMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyMfaU2F), varargs...)
+}
+
+// RemoveMyPasswordless mocks base method
+func (m *MockAuthServiceClient) RemoveMyPasswordless(arg0 context.Context, arg1 *auth.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "RemoveMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RemoveMyPasswordless indicates an expected call of RemoveMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) RemoveMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMyPasswordless), varargs...)
+}
+
 // RemoveMyUserPhone mocks base method
 func (m *MockAuthServiceClient) RemoveMyUserPhone(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
@@ -596,6 +676,46 @@ func (mr *MockAuthServiceClientMockRecorder) VerifyMfaOTP(arg0, arg1 interface{}
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMfaOTP), varargs...)
 }

+// VerifyMyMfaU2F mocks base method
+func (m *MockAuthServiceClient) VerifyMyMfaU2F(arg0 context.Context, arg1 *auth.VerifyWebAuthN, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyMfaU2F", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyMfaU2F indicates an expected call of VerifyMyMfaU2F
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyMfaU2F", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyMfaU2F), varargs...)
+}
+
+// VerifyMyPasswordless mocks base method
+func (m *MockAuthServiceClient) VerifyMyPasswordless(arg0 context.Context, arg1 *auth.VerifyWebAuthN, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyPasswordless", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyPasswordless indicates an expected call of VerifyMyPasswordless
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyPasswordless", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyPasswordless), varargs...)
+}
+
 // VerifyMyUserEmail mocks base method
 func (m *MockAuthServiceClient) VerifyMyUserEmail(arg0 context.Context, arg1 *auth.VerifyMyUserEmailRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
 	m.ctrl.T.Helper()
--- a/pkg/grpc/auth/proto/auth.proto
+++ b/pkg/grpc/auth/proto/auth.proto
@@ -244,12 +244,12 @@ service AuthService {

  rpc GetMyPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) {
    option (google.api.http) = {
-            get: "/policies/passwords/complexity"
-        };
+      get: "/policies/passwords/complexity"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "authenticated"
-        };
+      permission: "authenticated"
+    };
  }

  //ExternalIDP
@@ -306,6 +306,68 @@ service AuthService {
    };
  }

+  rpc AddMyMfaU2F(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/mfas/u2f"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyMfaU2F(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/mfas/u2f/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyMfaU2F(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/mfas/u2f/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc AddMyPasswordless(google.protobuf.Empty) returns (WebAuthNResponse) {
+    option (google.api.http) = {
+      post: "/users/me/passwordless"
+      body: "*"
+    };
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc VerifyMyPasswordless(VerifyWebAuthN) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      put: "/users/me/passwordless/_verify"
+      body: "*"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
+  rpc RemoveMyPasswordless(WebAuthNTokenID) returns (google.protobuf.Empty) {
+    option (google.api.http) = {
+      delete: "/users/me/passwordless/{id}"
+    };
+
+    option (caos.zitadel.utils.v1.auth_option) = {
+      permission: "authenticated"
+    };
+  }
+
  rpc SearchMyUserGrant(UserGrantSearchRequest) returns (UserGrantSearchResponse) {
    option (google.api.http) = {
      post: "/usergrants/me/_search"
@@ -578,8 +640,8 @@ message PasswordChange {

 enum MfaType {
  MFATYPE_UNSPECIFIED = 0;
-  MFATYPE_SMS = 1;
-  MFATYPE_OTP = 2;
+  MFATYPE_OTP = 1;
+  MFATYPE_U2F = 2;
 }

 message VerifyMfaOtp {
@@ -593,6 +655,7 @@ message MultiFactors {
 message MultiFactor {
  MfaType type = 1;
  MFAState state = 2;
+  string attribute = 3;
 }

 message MfaOtpResponse {
@@ -602,6 +665,21 @@ message MfaOtpResponse {
  MFAState state = 4;
 }

+message WebAuthNResponse {
+  string id = 1;
+  bytes public_key = 2;
+  MFAState state = 3;
+}
+
+message VerifyWebAuthN {
+  bytes public_key_credential = 1;
+  string token_name = 2;
+}
+
+message WebAuthNTokenID {
+  string id = 1;
+}
+
 enum MFAState {
  MFASTATE_UNSPECIFIED = 0;
  MFASTATE_NOT_READY = 1;
@@ -691,7 +769,7 @@ enum SearchMethod {
 }

 message ChangesRequest {
-  uint64 limit= 1;
+  uint64 limit = 1;
  uint64 sequence_offset = 2;
  bool asc = 3;
 }