refactoring

Resolve #7779

packages/backend/src/server/api/private/signin.ts

@@ -0,0 +1,232 @@
+import * as Koa from 'koa';
+import * as bcrypt from 'bcryptjs';
+import * as speakeasy from 'speakeasy';
+import signin from '../common/signin';
+import config from '@/config/index';
+import { Users, Signins, UserProfiles, UserSecurityKeys, AttestationChallenges } from '@/models/index';
+import { ILocalUser } from '@/models/entities/user';
+import { genId } from '@/misc/gen-id';
+import { verifyLogin, hash } from '../2fa';
+import { randomBytes } from 'crypto';
+
+export default async (ctx: Koa.Context) => {
+	ctx.set('Access-Control-Allow-Origin', config.url);
+	ctx.set('Access-Control-Allow-Credentials', 'true');
+
+	const body = ctx.request.body as any;
+	const username = body['username'];
+	const password = body['password'];
+	const token = body['token'];
+
+	function error(status: number, error: { id: string }) {
+		ctx.status = status;
+		ctx.body = { error };
+	}
+
+	if (typeof username != 'string') {
+		ctx.status = 400;
+		return;
+	}
+
+	if (typeof password != 'string') {
+		ctx.status = 400;
+		return;
+	}
+
+	if (token != null && typeof token != 'string') {
+		ctx.status = 400;
+		return;
+	}
+
+	// Fetch user
+	const user = await Users.findOne({
+		usernameLower: username.toLowerCase(),
+		host: null
+	}) as ILocalUser;
+
+	if (user == null) {
+		error(404, {
+			id: '6cc579cc-885d-43d8-95c2-b8c7fc963280',
+		});
+		return;
+	}
+
+	if (user.isSuspended) {
+		error(403, {
+			id: 'e03a5f46-d309-4865-9b69-56282d94e1eb',
+		});
+		return;
+	}
+
+	const profile = await UserProfiles.findOneOrFail(user.id);
+
+	// Compare password
+	const same = await bcrypt.compare(password, profile.password!);
+
+	async function fail(status?: number, failure?: { id: string }) {
+		// Append signin history
+		await Signins.insert({
+			id: genId(),
+			createdAt: new Date(),
+			userId: user.id,
+			ip: ctx.ip,
+			headers: ctx.headers,
+			success: false
+		});
+
+		error(status || 500, failure || { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
+	}
+
+	if (!profile.twoFactorEnabled) {
+		if (same) {
+			signin(ctx, user);
+			return;
+		} else {
+			await fail(403, {
+				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c'
+			});
+			return;
+		}
+	}
+
+	if (token) {
+		if (!same) {
+			await fail(403, {
+				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c'
+			});
+			return;
+		}
+
+		const verified = (speakeasy as any).totp.verify({
+			secret: profile.twoFactorSecret,
+			encoding: 'base32',
+			token: token,
+			window: 2
+		});
+
+		if (verified) {
+			signin(ctx, user);
+			return;
+		} else {
+			await fail(403, {
+				id: 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f'
+			});
+			return;
+		}
+	} else if (body.credentialId) {
+		if (!same && !profile.usePasswordLessLogin) {
+			await fail(403, {
+				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c'
+			});
+			return;
+		}
+
+		const clientDataJSON = Buffer.from(body.clientDataJSON, 'hex');
+		const clientData = JSON.parse(clientDataJSON.toString('utf-8'));
+		const challenge = await AttestationChallenges.findOne({
+			userId: user.id,
+			id: body.challengeId,
+			registrationChallenge: false,
+			challenge: hash(clientData.challenge).toString('hex')
+		});
+
+		if (!challenge) {
+			await fail(403, {
+				id: '2715a88a-2125-4013-932f-aa6fe72792da'
+			});
+			return;
+		}
+
+		await AttestationChallenges.delete({
+			userId: user.id,
+			id: body.challengeId
+		});
+
+		if (new Date().getTime() - challenge.createdAt.getTime() >= 5 * 60 * 1000) {
+			await fail(403, {
+				id: '2715a88a-2125-4013-932f-aa6fe72792da'
+			});
+			return;
+		}
+
+		const securityKey = await UserSecurityKeys.findOne({
+			id: Buffer.from(
+				body.credentialId
+					.replace(/-/g, '+')
+					.replace(/_/g, '/'),
+					'base64'
+			).toString('hex')
+		});
+
+		if (!securityKey) {
+			await fail(403, {
+				id: '66269679-aeaf-4474-862b-eb761197e046'
+			});
+			return;
+		}
+
+		const isValid = verifyLogin({
+			publicKey: Buffer.from(securityKey.publicKey, 'hex'),
+			authenticatorData: Buffer.from(body.authenticatorData, 'hex'),
+			clientDataJSON,
+			clientData,
+			signature: Buffer.from(body.signature, 'hex'),
+			challenge: challenge.challenge
+		});
+
+		if (isValid) {
+			signin(ctx, user);
+			return;
+		} else {
+			await fail(403, {
+				id: '93b86c4b-72f9-40eb-9815-798928603d1e'
+			});
+			return;
+		}
+	} else {
+		if (!same && !profile.usePasswordLessLogin) {
+			await fail(403, {
+				id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c'
+			});
+			return;
+		}
+
+		const keys = await UserSecurityKeys.find({
+			userId: user.id
+		});
+
+		if (keys.length === 0) {
+			await fail(403, {
+				id: 'f27fd449-9af4-4841-9249-1f989b9fa4a4'
+			});
+			return;
+		}
+
+		// 32 byte challenge
+		const challenge = randomBytes(32).toString('base64')
+			.replace(/=/g, '')
+			.replace(/\+/g, '-')
+			.replace(/\//g, '_');
+
+		const challengeId = genId();
+
+		await AttestationChallenges.insert({
+			userId: user.id,
+			id: challengeId,
+			challenge: hash(Buffer.from(challenge, 'utf-8')).toString('hex'),
+			createdAt: new Date(),
+			registrationChallenge: false
+		});
+
+		ctx.body = {
+			challenge,
+			challengeId,
+			securityKeys: keys.map(key => ({
+				id: key.id
+			}))
+		};
+		ctx.status = 200;
+		return;
+	}
+	// never get here
+};