feat(api/v2): implement U2F session check (#6339)

internal/webauthn/client.go

@@ -9,9 +9,10 @@ import (
 )
 
 type Client struct {
-	rp         virtualwebauthn.RelyingParty
-	auth       virtualwebauthn.Authenticator
-	credential virtualwebauthn.Credential
+	rp             virtualwebauthn.RelyingParty
+	auth           virtualwebauthn.Authenticator
+	authVerifyUser virtualwebauthn.Authenticator
+	credential     virtualwebauthn.Credential
 }
 
 func NewClient(name, domain, origin string) *Client {
@@ -21,9 +22,12 @@ func NewClient(name, domain, origin string) *Client {
 		Origin: origin,
 	}
 	return &Client{
-		rp:         rp,
-		auth:       virtualwebauthn.NewAuthenticator(),
-		credential: virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2),
+		rp: rp,
+		auth: virtualwebauthn.NewAuthenticatorWithOptions(virtualwebauthn.AuthenticatorOptions{
+			UserNotVerified: true,
+		}),
+		authVerifyUser: virtualwebauthn.NewAuthenticator(),
+		credential:     virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2),
 	}
 }
 
@@ -46,7 +50,7 @@ func (c *Client) CreateAttestationResponse(optionsPb *structpb.Struct) (*structp
 	return resp, nil
 }
 
-func (c *Client) CreateAssertionResponse(optionsPb *structpb.Struct) (*structpb.Struct, error) {
+func (c *Client) CreateAssertionResponse(optionsPb *structpb.Struct, verifyUser bool) (*structpb.Struct, error) {
 	options, err := protojson.Marshal(optionsPb)
 	if err != nil {
 		return nil, fmt.Errorf("webauthn.Client.CreateAssertionResponse: %w", err)
@@ -55,9 +59,13 @@ func (c *Client) CreateAssertionResponse(optionsPb *structpb.Struct) (*structpb.
 	if err != nil {
 		return nil, fmt.Errorf("webauthn.Client.CreateAssertionResponse: %w", err)
 	}
+	authenticator := c.auth
+	if verifyUser {
+		authenticator = c.authVerifyUser
+	}
 	resp := new(structpb.Struct)
 	err = protojson.Unmarshal([]byte(virtualwebauthn.CreateAssertionResponse(
-		c.rp, c.auth, c.credential, *parsedAssertionOptions,
+		c.rp, authenticator, c.credential, *parsedAssertionOptions,
 	)), resp)
 	if err != nil {
 		return nil, fmt.Errorf("webauthn.Client.CreateAssertionResponse: %w", err)

internal/webauthn/webauthn.go

@@ -154,10 +154,10 @@ func (w *Config) BeginLogin(ctx context.Context, user *domain.Human, userVerific
 	}, nil
 }
 
-func (w *Config) FinishLogin(ctx context.Context, user *domain.Human, webAuthN *domain.WebAuthNLogin, credData []byte, webAuthNs ...*domain.WebAuthNToken) ([]byte, uint32, error) {
+func (w *Config) FinishLogin(ctx context.Context, user *domain.Human, webAuthN *domain.WebAuthNLogin, credData []byte, webAuthNs ...*domain.WebAuthNToken) (*webauthn.Credential, error) {
 	assertionData, err := protocol.ParseCredentialRequestResponseBody(bytes.NewReader(credData))
 	if err != nil {
-		return nil, 0, caos_errs.ThrowInternal(err, "WEBAU-ADgv4", "Errors.User.WebAuthN.ValidateLoginFailed")
+		return nil, caos_errs.ThrowInternal(err, "WEBAU-ADgv4", "Errors.User.WebAuthN.ValidateLoginFailed")
 	}
 	webUser := &webUser{
 		Human:       user,
@@ -165,17 +165,17 @@ func (w *Config) FinishLogin(ctx context.Context, user *domain.Human, webAuthN *
 	}
 	webAuthNServer, err := w.serverFromContext(ctx, webAuthN.RPID, assertionData.Response.CollectedClientData.Origin)
 	if err != nil {
-		return nil, 0, err
+		return nil, err
 	}
 	credential, err := webAuthNServer.ValidateLogin(webUser, WebAuthNLoginToSessionData(webAuthN), assertionData)
 	if err != nil {
-		return nil, 0, caos_errs.ThrowInternal(err, "WEBAU-3M9si", "Errors.User.WebAuthN.ValidateLoginFailed")
+		return nil, caos_errs.ThrowInternal(err, "WEBAU-3M9si", "Errors.User.WebAuthN.ValidateLoginFailed")
 	}
 
 	if credential.Authenticator.CloneWarning {
-		return credential.ID, credential.Authenticator.SignCount, caos_errs.ThrowInternal(err, "WEBAU-4M90s", "Errors.User.WebAuthN.CloneWarning")
+		return credential, caos_errs.ThrowInternal(err, "WEBAU-4M90s", "Errors.User.WebAuthN.CloneWarning")
 	}
-	return credential.ID, credential.Authenticator.SignCount, nil
+	return credential, nil
 }
 
 func (w *Config) serverFromContext(ctx context.Context, id, origin string) (*webauthn.WebAuthn, error) {