b0esche/b0esche_cloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
b0esche_cloud/go_cloud/internal/auth/passkey.go

389 lines
11 KiB
Go
Raw Permalink Normal View History

idle
2026-01-08 13:07:07 +01:00
package auth
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
work
2026-01-09 18:58:09 +01:00
"strings"
idle
2026-01-08 13:07:07 +01:00
"github.com/google/uuid"
"go.b0esche.cloud/backend/internal/database"
work
2026-01-09 18:58:09 +01:00
"golang.org/x/crypto/argon2"
idle
2026-01-08 13:07:07 +01:00
"golang.org/x/crypto/bcrypt"
)
const (
ChallengeLength = 32
RPID = "b0esche.cloud"
RPName = "b0esche Cloud"
Origin = "https://b0esche.cloud"
work
2026-01-09 18:58:09 +01:00
// Argon2id parameters (OWASP recommendations)
Argon2Time = 2 // iterations
Argon2Memory = 19 * 1024 // 19 MB
Argon2Threads = 1
Argon2KeyLen = 32
idle
2026-01-08 13:07:07 +01:00
)
type Service struct {
db *database.DB
}
func NewService(db *database.DB) *Service {
return &Service{db: db}
}
// StartRegistrationChallenge creates a challenge for passkey registration
func (s *Service) StartRegistrationChallenge(ctx context.Context, userID uuid.UUID) (string, error) {
challenge := make([]byte, ChallengeLength)
if _, err := rand.Read(challenge); err != nil {
return "", fmt.Errorf("failed to generate challenge: %w", err)
}
challengeStr := base64.StdEncoding.EncodeToString(challenge)
// Store challenge in database
if err := s.db.CreateAuthChallenge(ctx, userID, challenge, "registration"); err != nil {
return "", fmt.Errorf("failed to store challenge: %w", err)
}
return challengeStr, nil
}
// StartAuthenticationChallenge creates a challenge for passkey authentication
func (s *Service) StartAuthenticationChallenge(ctx context.Context, username string) (string, []string, error) {
// Get user by username
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return "", nil, fmt.Errorf("user not found: %w", err)
}
challenge := make([]byte, ChallengeLength)
if _, err := rand.Read(challenge); err != nil {
return "", nil, fmt.Errorf("failed to generate challenge: %w", err)
}
challengeStr := base64.StdEncoding.EncodeToString(challenge)
// Store challenge in database
if err := s.db.CreateAuthChallenge(ctx, user.ID, challenge, "authentication"); err != nil {
return "", nil, fmt.Errorf("failed to store challenge: %w", err)
}
// Get user's credentials
credentials, err := s.db.GetUserCredentials(ctx, user.ID)
if err != nil {
return "", nil, fmt.Errorf("failed to get credentials: %w", err)
}
// Return credential IDs (base64 encoded for transport)
var credentialIDs []string
for _, cred := range credentials {
credentialIDs = append(credentialIDs, base64.StdEncoding.EncodeToString(cred.CredentialID))
}
return challengeStr, credentialIDs, nil
}
// VerifyRegistrationResponse verifies the attestation response from the client
func (s *Service) VerifyRegistrationResponse(
ctx context.Context,
userID uuid.UUID,
challengeB64 string,
credentialIDBase64 string,
publicKeyBase64 string,
clientDataJSON string,
attestationObjectBase64 string,
) (*database.Credential, error) {
// Decode inputs
challenge, err := base64.StdEncoding.DecodeString(challengeB64)
if err != nil {
return nil, fmt.Errorf("invalid challenge encoding: %w", err)
}
credentialID, err := base64.StdEncoding.DecodeString(credentialIDBase64)
if err != nil {
return nil, fmt.Errorf("invalid credential ID encoding: %w", err)
}
publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKeyBase64)
if err != nil {
return nil, fmt.Errorf("invalid public key encoding: %w", err)
}
_, err = base64.StdEncoding.DecodeString(attestationObjectBase64)
if err != nil {
return nil, fmt.Errorf("invalid attestation object encoding: %w", err)
}
// Verify challenge exists and belongs to this user
if err := s.verifyChallenge(ctx, userID, challenge, "registration"); err != nil {
return nil, fmt.Errorf("challenge verification failed: %w", err)
}
// In production, you would parse and verify the attestation object here
// For now, we'll just verify the client data matches
var clientData struct {
Type string `json:"type"`
Challenge string `json:"challenge"`
Origin string `json:"origin"`
}
if err := json.Unmarshal([]byte(clientDataJSON), &clientData); err != nil {
return nil, fmt.Errorf("invalid client data JSON: %w", err)
}
// Verify challenge in client data
clientDataChallenge, err := base64.StdEncoding.DecodeString(clientData.Challenge)
if err != nil {
return nil, fmt.Errorf("invalid challenge in client data: %w", err)
}
// Verify challenge matches (we skip the hash verification since it's not needed for API validation)
// clientDataHash := sha256.Sum256([]byte(clientDataJSON))
// Verify challenge matches
if !byteArraysEqual(clientDataChallenge, challenge) {
return nil, fmt.Errorf("challenge mismatch")
}
// Verify origin
if clientData.Origin != Origin {
return nil, fmt.Errorf("origin mismatch: expected %s, got %s", Origin, clientData.Origin)
}
// Verify type
if clientData.Type != "webauthn.create" {
return nil, fmt.Errorf("invalid client data type: %s", clientData.Type)
}
// Store credential in database
credential := &database.Credential{
ID: base64.StdEncoding.EncodeToString(credentialID),
UserID: userID,
CredentialPublicKey: publicKeyBytes,
CredentialID: credentialID,
SignCount: 0,
}
if err := s.db.CreateCredential(ctx, credential); err != nil {
return nil, fmt.Errorf("failed to store credential: %w", err)
}
// Mark challenge as used
if err := s.db.MarkChallengeUsed(ctx, challenge); err != nil {
return nil, fmt.Errorf("failed to mark challenge as used: %w", err)
}
return credential, nil
}
// VerifyAuthenticationResponse verifies the assertion response from the client
func (s *Service) VerifyAuthenticationResponse(
ctx context.Context,
username string,
challengeB64 string,
credentialIDBase64 string,
authenticatorData string,
clientDataJSON string,
signatureBase64 string,
) (*database.User, error) {
// Get user by username
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return nil, fmt.Errorf("user not found: %w", err)
}
// Decode challenge
challenge, err := base64.StdEncoding.DecodeString(challengeB64)
if err != nil {
return nil, fmt.Errorf("invalid challenge encoding: %w", err)
}
// Verify challenge
if err := s.verifyChallenge(ctx, user.ID, challenge, "authentication"); err != nil {
return nil, fmt.Errorf("challenge verification failed: %w", err)
}
// Decode credential ID
credentialID, err := base64.StdEncoding.DecodeString(credentialIDBase64)
if err != nil {
return nil, fmt.Errorf("invalid credential ID encoding: %w", err)
}
// Get credential from database
credential, err := s.db.GetCredentialByID(ctx, credentialID)
if err != nil {
return nil, fmt.Errorf("credential not found: %w", err)
}
// Verify credential belongs to user
if credential.UserID != user.ID {
return nil, fmt.Errorf("credential does not belong to user")
}
// Parse and verify client data
var clientData struct {
Type string `json:"type"`
Challenge string `json:"challenge"`
Origin string `json:"origin"`
}
if err := json.Unmarshal([]byte(clientDataJSON), &clientData); err != nil {
return nil, fmt.Errorf("invalid client data JSON: %w", err)
}
// Verify challenge matches
clientDataChallenge, err := base64.StdEncoding.DecodeString(clientData.Challenge)
if err != nil {
return nil, fmt.Errorf("invalid challenge in client data: %w", err)
}
if !byteArraysEqual(clientDataChallenge, challenge) {
return nil, fmt.Errorf("challenge mismatch")
}
// Verify origin
if clientData.Origin != Origin {
return nil, fmt.Errorf("origin mismatch: expected %s, got %s", Origin, clientData.Origin)
}
// Verify type
if clientData.Type != "webauthn.get" {
return nil, fmt.Errorf("invalid client data type: %s", clientData.Type)
}
// In production, you would verify the signature here using the public key
// For now, we'll assume the signature is valid if we got this far
// Mark challenge as used
if err := s.db.MarkChallengeUsed(ctx, challenge); err != nil {
return nil, fmt.Errorf("failed to mark challenge as used: %w", err)
}
// Update credential last used time
if err := s.db.UpdateCredentialLastUsed(ctx, credential.ID); err != nil {
return nil, fmt.Errorf("failed to update credential last used: %w", err)
}
// Update user last login
if err := s.db.UpdateUserLastLogin(ctx, user.ID); err != nil {
return nil, fmt.Errorf("failed to update user last login: %w", err)
}
return user, nil
}
func (s *Service) verifyChallenge(ctx context.Context, userID uuid.UUID, challenge []byte, challengeType string) error {
return s.db.VerifyAuthChallenge(ctx, userID, challenge, challengeType)
}
func byteArraysEqual(a, b []byte) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if a[i] != b[i] {
return false
}
}
return true
}
work
2026-01-09 18:58:09 +01:00
// HashPassword hashes a password using Argon2id (quantum-resistant)
// Format: $argon2id$v=19$m=19456,t=2,p=1$<salt>$<hash>
idle
2026-01-08 13:07:07 +01:00
func (s *Service) HashPassword(password string) (string, error) {
work
2026-01-09 18:58:09 +01:00
// Generate 16-byte random salt
salt := make([]byte, 16)
if _, err := rand.Read(salt); err != nil {
return "", fmt.Errorf("failed to generate salt: %w", err)
idle
2026-01-08 13:07:07 +01:00
}
work
2026-01-09 18:58:09 +01:00
// Hash with Argon2id
hash := argon2.IDKey([]byte(password), salt, Argon2Time, Argon2Memory, Argon2Threads, Argon2KeyLen)
// Encode in PHC string format
b64Salt := base64.RawStdEncoding.EncodeToString(salt)
b64Hash := base64.RawStdEncoding.EncodeToString(hash)
return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
Argon2Memory, Argon2Time, Argon2Threads, b64Salt, b64Hash), nil
idle
2026-01-08 13:07:07 +01:00
}
// VerifyPassword checks if a password matches its hash
work
2026-01-09 18:58:09 +01:00
// Supports both Argon2id (new) and bcrypt (legacy) for backward compatibility
idle
2026-01-08 13:07:07 +01:00
func (s *Service) VerifyPassword(passwordHash string, password string) bool {
work
2026-01-09 18:58:09 +01:00
// Detect hash format
if strings.HasPrefix(passwordHash, "$argon2id$") {
return s.verifyArgon2(passwordHash, password)
} else if strings.HasPrefix(passwordHash, "$2") {
// Legacy bcrypt hash
err := bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(password))
return err == nil
}
return false
}
func (s *Service) verifyArgon2(encodedHash string, password string) bool {
// Parse PHC format: $argon2id$v=19$m=19456,t=2,p=1$<salt>$<hash>
parts := strings.Split(encodedHash, "$")
if len(parts) != 6 {
return false
}
var memory, time uint32
var threads uint8
_, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &threads)
if err != nil {
return false
}
salt, err := base64.RawStdEncoding.DecodeString(parts[4])
if err != nil {
return false
}
hash, err := base64.RawStdEncoding.DecodeString(parts[5])
if err != nil {
return false
}
// Compute hash with same parameters
computedHash := argon2.IDKey([]byte(password), salt, time, memory, threads, uint32(len(hash)))
// Constant-time comparison
if len(hash) != len(computedHash) {
return false
}
var diff byte
for i := 0; i < len(hash); i++ {
diff |= hash[i] ^ computedHash[i]
}
return diff == 0
idle
2026-01-08 13:07:07 +01:00
}
// VerifyPasswordLogin verifies username and password credentials
func (s *Service) VerifyPasswordLogin(ctx context.Context, username, password string) (*database.User, error) {
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return nil, fmt.Errorf("user not found: %w", err)
}
if user.PasswordHash == nil || *user.PasswordHash == "" {
return nil, fmt.Errorf("user does not have a password set")
}
if !s.VerifyPassword(*user.PasswordHash, password) {
return nil, fmt.Errorf("invalid password")
}
// Update last login
if err := s.db.UpdateUserLastLogin(ctx, user.ID); err != nil {
return nil, fmt.Errorf("failed to update user last login: %w", err)
}
return user, nil
}
Reference in New Issue Copy Permalink