Merge branch 'webauthn' into 'master'

Draft: #646 Implement Webauthn support See merge request tildes/tildes!140
4 weeks ago · c85cfa6448
10 changed files with 235 additions and 5 deletions
--- a/tildes/requirements-dev.txt
+++ b/tildes/requirements-dev.txt
@ -127,3 +127,5 @@ zope.sqlalchemy==1.5
 # The following packages are considered to be unsafe in a requirements file:
 # pip
 # setuptools
+
+setuptools~=57.4.0
--- a/tildes/requirements.txt
+++ b/tildes/requirements.txt
@ -72,6 +72,7 @@ venusian==3.0.0
 wcwidth==0.2.5
 webargs==8.0.0
 webassets==2.0
+webauthn==1.8.1
 webencodings==0.5.1
 webob==1.8.7
 wheel==0.36.2
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@ -30,6 +30,10 @@ from sqlalchemy.ext.hybrid import hybrid_property
 from sqlalchemy.orm import deferred
 from sqlalchemy.sql.expression import text

+from webauthn import verify_authentication_response, base64url_to_bytes
+from webauthn.helpers.exceptions import InvalidAuthenticationResponse
+from webauthn.helpers.structs import AuthenticationCredential
+
 from tildes.enums import (
    CommentLabelOption,
    CommentTreeSortOption,
@ -48,7 +52,6 @@ from tildes.schemas.user import (
 )
 from tildes.typing import AclType

-
 class User(DatabaseModel):
    """Model for a user's account on the site.

@ -85,6 +88,8 @@ class User(DatabaseModel):
    two_factor_enabled: bool = Column(Boolean, nullable=False, server_default="false")
    two_factor_secret: Optional[str] = deferred(Column(Text))
    two_factor_backup_codes: list[str] = deferred(Column(ARRAY(Text)))
+    webauthn_enabled: bool = Column(Boolean, nullable=False, server_default="false")
+    webauthn_public_key: Optional[str] = deferred(Column(Text))
    created_time: datetime = Column(
        TIMESTAMP(timezone=True),
        nullable=False,
@ -296,6 +301,27 @@ class User(DatabaseModel):

        return False

+    def is_valid_assertion(self, challenge: str, assertion: str) -> bool:
+        if not self.webauthn_public_key:
+            raise ValueError("User does not have WebAuthn enabled")
+
+        try:
+            verification = verify_authentication_response(
+                credential=AuthenticationCredential.parse_raw(assertion),
+                expected_challenge=base64url_to_bytes(challenge),
+                expected_rp_id="tildes",
+                expected_origin=["https://tildes.net/login"],
+                credential_public_key=base64url_to_bytes(self.webauthn_public_key),
+                credential_current_sign_count=0,
+                require_user_verification=True
+            )
+            is_validated = True
+
+        except InvalidAuthenticationResponse:
+            is_validated = False
+
+        return is_validated
+
    @property
    def email_address(self) -> NoReturn:
        """Return an error since reading the email address isn't possible."""
--- a/tildes/tildes/templates/intercooler/login_webauthn.jinja2
+++ b/tildes/tildes/templates/intercooler/login_webauthn.jinja2
@ -0,0 +1,26 @@
+{# Copyright (c) 2018 Tildes contributors <code@tildes.net> #}
+{# SPDX-License-Identifier: AGPL-3.0-or-later #}
+
+<p>WebAuthn authentication is enabled on this account. Please use your authenticator when prompted. If you do not have access to your authenticator device, enter a backup code.</p>
+
+<form id="webauthn-login-form" class="form-narrow" method="post" autocomplete="off" action="/login_webauthn" data-ic-post-to="/login_webauthn" onload="assertCredentials()">
+  <input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}" />
+  <input type="hidden" name="from_url" value="{{ from_url }}" />
+  {% if keep %}
+  <input type="hidden" name="keep" value="on" />
+  {% endif %}
+  <input class="form-input" id="assertion" name="assertion" type="hidden" />
+  <script>
+      const auth_options = JSON.parse(atob('{{ auth_options }}'));
+      function assertCredentials() {
+          navigator.credentials.get(auth_options).then((credential) => {
+              document.getElementById("#webauthn-login-form").submit()
+              document.getElementById("#assertion").text(btoa(credential.response));
+          });
+      }
+  </script>
+
+  <div class="form-buttons">
+    <button class="btn btn-primary" type="submit">Continue</button>
+  </div>
+</form>
--- a/tildes/tildes/templates/intercooler/webauthn_disabled.jinja2
+++ b/tildes/tildes/templates/intercooler/webauthn_disabled.jinja2
@ -0,0 +1,5 @@
+{# Copyright (c) 2018 Tildes contributors <code@tildes.net> #}
+{# SPDX-License-Identifier: AGPL-3.0-or-later #}
+
+<p>Webauthn authentication has been disabled. You will no longer need a code when logging in.</p>
+
--- a/tildes/tildes/templates/intercooler/webauthn_enabled.jinja2
+++ b/tildes/tildes/templates/intercooler/webauthn_enabled.jinja2
@ -0,0 +1,4 @@
+{# Copyright (c) 2018 Tildes contributors <code@tildes.net> #}
+{# SPDX-License-Identifier: AGPL-3.0-or-later #}
+
+<p>Congratulations! Webauthn authentication has been enabled.</p>
--- a/tildes/tildes/templates/settings_webauthn.jinja2
+++ b/tildes/tildes/templates/settings_webauthn.jinja2
@ -0,0 +1,59 @@
+{# Copyright (c) 2018 Tildes contributors <code@tildes.net> #}
+{# SPDX-License-Identifier: AGPL-3.0-or-later #}
+
+{% extends 'base_settings.jinja2' %}
+
+{% block title %}Set up webauthn authentication{% endblock %}
+
+{% block main_heading %}Set up webauthn authentication{% endblock %}
+
+{% block settings %}
+{% if request.user.webauthn_enabled %}
+
+<div class="divider"></div>
+
+<p>To disable webauthn authentication, click the button below</p>
+
+<form
+  name="disable-webauthn"
+  autocomplete="off"
+  data-ic-post-to="{{ request.route_url('ic_user', username=request.user.username) }}"
+  data-ic-target="closest main"
+>
+
+  <div class="form-buttons">
+    <button class="btn btn-error" type="submit">Disable webauthn authentication</button>
+  </div>
+</form>
+{% else %}
+<p>To get started, you'll need an authenticator such as a Yubikey, or you can use your specific computer as an authenticator</p>
+
+<p>Next, click below to enroll your authenticator</p>
+<script>
+// It would probably be a lot better to load this on demand when trying to enroll an authenticator
+const credential_options = JSON.parse(atob('{{ webauthn_challenge }}'))
+
+function enrollAuthenticator() {
+    navigator.credentials.create(credential_options).then((credentials) => {
+        document.getElementById("#webauthn-assertion").text(btoa(JSON.stringify(credentials.response)));
+        return true;
+    });
+}
+</script>
+
+<div class="divider"></div>
+
+<form
+  name="enable-webauthn"
+  autocomplete="off"
+  data-ic-post-to="{{ request.route_url('ic_user', username=request.user.username) }}"
+  data-ic-target="closest main"
+>
+  <input class="form-input" id="webauthn-assertion" name="webauthn-assertion" type="hidden" />
+
+  <div class="form-buttons">
+    <button class="btn btn-primary" type="submit" onclick="enrollAuthenticator()">Enable Webauthn</button>
+  </div>
+</form>
+{% endif %}
+{% endblock %}
--- a/tildes/tildes/views/api/web/user.py
+++ b/tildes/tildes/views/api/web/user.py
@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 """Web API endpoints related to users."""
-
+import base64
 import random
 import string
 from typing import Optional
@ -28,7 +28,7 @@ from tildes.schemas.topic import TopicSchema
 from tildes.schemas.user import UserSchema
 from tildes.views import IC_NOOP
 from tildes.views.decorators import ic_view_config, use_kwargs
-
+from webauthn.helpers.structs import RegistrationCredential

 PASSWORD_FIELD = UserSchema(only=("password",)).fields["password"]

@ -101,6 +101,28 @@ def patch_change_email_address(
    return Response("Your email address has been updated")


+@ic_view_config(
+    route_name="user",
+    request_method="POST",
+    request_param="ic-trigger-name=enable-webauthn",
+    renderer="webauthn_enabled.jinja2",
+    permission="change_settings",
+)
+@use_kwargs({"code": String()}, location="form")
+def post_enable_webauthn(request: Request, assertion: str) -> dict:
+    user = request.context
+
+    if not user.is_valid_assertion(request.session["assertion_challenge"], assertion):
+        raise HTTPUnprocessableEntity("Invalid assertion, please try again.")
+
+    credentials = RegistrationCredential.parse_raw(base64.standard_b64decode(assertion))
+
+    request.user.webauthn_enabled = True
+    request.user.webauthn_public_key = base64.standard_b64encode(credentials.response.attestation_object)
+
+    return {}
+
+
@ic_view_config(
    route_name="user",
    request_method="POST",
@ -151,6 +173,25 @@ def post_disable_two_factor(request: Request, code: str) -> Response:
    return {}


+@ic_view_config(
+    route_name="user",
+    request_method="POST",
+    request_param="ic-trigger-name=disable-webauthn",
+    renderer="webauthn_disabled.jinja2",
+    permission="change_settings",
+)
+@use_kwargs({"code": String()}, location="form")
+def post_disable_webauthn(request: Request, assertion: str) -> Response:
+    """Disable two-factor authentication for the user."""
+    if not request.user.is_valid_assertion(assertion, request.session["webauthn_challenge"]):
+        raise HTTPUnauthorized(body="Invalid Assertion")
+
+    request.user.webauthn_enabled = False
+    request.user.webauthn_public_key = None
+
+    return {}
+
+
@ic_view_config(
    route_name="user",
    request_method="POST",
--- a/tildes/tildes/views/login.py
+++ b/tildes/tildes/views/login.py
@ -21,6 +21,7 @@ from tildes.models.log import Log
 from tildes.models.user import User
 from tildes.schemas.user import UserSchema
 from tildes.views.decorators import not_logged_in, rate_limit_view, use_kwargs
+from webauthn import generate_authentication_options, options_to_json


@view_config(
@ -137,6 +138,25 @@ def post_login(
            request=request,
        )

+    if user.webauthn_enabled:
+        request.session["webauthn_username"] = username
+
+        # Generate an authorization option set
+        auth_options = generate_authentication_options(rp_id="tilde")
+
+        # Copy the challenge into the session, to ensure it can't be tampered with
+        request.session["webauthn_challenge"] = auth_options.challenge
+
+        return render_to_response(
+            "tildes:templates/intercooler/login_webauthn.jinja2",
+            {
+                "keep": request.params.get("keep"),
+                "from_url": from_url,
+                "auth_options": options_to_json(auth_options),
+            },
+            request=request,
+        )
+
    raise finish_login(request, user, from_url)


@ -167,6 +187,33 @@ def post_login_two_factor(request: Request, code: str, from_url: str) -> NoRetur
    raise finish_login(request, user, from_url)


+@view_config(
+    route_name="login_webauthn",
+    request_method="POST",
+    permission=NO_PERMISSION_REQUIRED,
+)
+@not_logged_in
+@rate_limit_view("login_webauthn")
+@use_kwargs(
+    {"code": String(missing=""), "from_url": String(missing="")}, location="form"
+)
+def post_login_webauthn(request: Request, assertion: str, from_url: str) -> NoReturn:
+    """Process a log in request with WebAuthn"""
+    # Look up the user for the supplied username
+    user = (
+        request.query(User)
+        .undefer_all_columns()
+        .filter(User.username == request.session["webauthn_username"])
+        .one_or_none()
+    )
+
+    if not user.is_valid_assertion(request.session["webauthn_challenge"], assertion):
+        raise HTTPUnauthorized(body="Invalid assertion, please try again.")
+
+    del request.session["two_factor_username"]
+    raise finish_login(request, user, from_url)
+
+
@view_config(route_name="logout", request_method="POST")
 def post_logout(request: Request) -> HTTPFound:
    """Process a log out request."""
--- a/tildes/tildes/views/settings.py
+++ b/tildes/tildes/views/settings.py
@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 """Views related to user settings."""
-
+import base64
 from datetime import timedelta
 from io import BytesIO
 import sys
@ -28,7 +28,7 @@ from tildes.schemas.user import (
    UserSchema,
 )
 from tildes.views.decorators import use_kwargs
-
+from webauthn import generate_registration_options, options_to_json

 PASSWORD_FIELD = UserSchema(only=("password",)).fields["password"]

@ -97,6 +97,25 @@ def get_settings_two_factor(request: Request) -> dict:
    }


+@view_config(route_name="settings_webauthn", renderer="settings_webauthn.jinja2")
+def get_settings_settings_webauthn(request: Request) -> dict:
+    """Generate the webauthn authentication setting page."""
+    # Generate a registration challenge, if the user does not have webauthn enabled
+    if not request.user.webauthn_enabled:
+        registration_options = generate_registration_options(
+            rp_id="tilde",
+            rp_name="Tilde",
+            user_id=request.user.user_id,
+            user_name=request.user.username,
+        )
+        # Copy the challenge into the session so the user can't tamper with it before signing it
+        request.session["assertion_challenge"] = registration_options.challenge
+
+        return {
+            "webauthn_challenge": base64.standard_b64encode(options_to_json(registration_options))
+        }
+
+
@view_config(route_name="settings_filters", renderer="settings_filters.jinja2")
 def get_settings_filters(request: Request) -> dict:
    """Generate the filters settings page."""