cohabit/website
5
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: cohabit:c6758721ecd578b0c319c0c6d858fe932a65050a
Branches Tags
cohabit:main
..
compare: cohabit:5cb71428245f8d945f334448e242d07304a64e99
Branches Tags
cohabit:main

8 commits
c6758721ec ... 5cb7142824

Author SHA1 Message Date
Julien Oculi 5cb7142824 fix(api): 🐛 patch passkey counter update 2024-06-24 16:06:03 +02:00
Julien Oculi cdcffff098 fix(api): 🐛 prevent protocol error through proxy 2024-06-24 16:02:53 +02:00
Julien Oculi a18142277f fix(api): 🐛 prevent webauthn relying party protocol mismatch when server is behind a proxy 2024-06-22 16:07:47 +02:00
Julien Oculi ad34e6a3e4 fix(api): 🐛 get correct client ip even through server proxy 2024-06-22 16:02:12 +02:00
Julien Oculi 7568cb43a6 fix(api): 🐛 3rd party cookies maybe blocked when opening magic link 2024-06-20 14:54:12 +02:00
Julien Oculi 3adc705e25 fix(api): 🐛 ctx.basePath maybe undefined and not suitable for redirect base url 2024-06-20 14:45:14 +02:00
Julien Oculi 79a6214f10 feat(ui): 📝 better label for login form passkey checkbox 2024-06-20 14:06:19 +02:00
Julien Oculi 4b228bfce5 feat(api): handle getting request ip through proxy 2024-06-20 13:59:49 +02:00
5 changed files with 39 additions and 15 deletions
Show stats Expand all files Collapse all files

2
islands/LoginForm.tsx
View file

@ -23,7 +23,7 @@ export default function LoginForm() {
required
/>
<Input
label='Utiliser une Passkey'
label='Utiliser une Passkey si disponible'
name='passkey'
type='checkbox'
checked

40
routes/api/magiclink/index.ts
View file

@ -4,7 +4,7 @@ import 'npm:iterator-polyfill'
import { FreshContext } from '$fresh/server.ts'
import { Contact, type Mail, send } from '@cohabit/cohamail/mod.ts'
import { magicLinkTemplate } from '@cohabit/cohamail/templates/mod.ts'
import { SessionHandlers } from '../../../src/session/mod.ts'
import { SessionHandlers, SessionStore } from '../../../src/session/mod.ts'
import { respondApi } from '../../../src/utils.ts'
import { sleep } from '@jotsr/delayed'
import { User } from '@cohabit/ressources_manager/src/models/mod.ts'
@ -39,19 +39,21 @@ export const handler: SessionHandlers = {
// generate magic link
const token = crypto.randomUUID()
const endpoint =
`${ctx.url.origin}/api/magiclink?token=${token}&redirect=/profil`
`${ctx.url.origin}/api/magiclink?token=${token}&session=${ctx.state.session.uuid}&redirect=/profil`
// save token to session
ctx.state.session.flash<MagicLinkInfos>(`MAGIC_LINK__${token}`, {
email,
remoteId: remoteId(ctx),
remoteId: remoteId(request, ctx),
timestamp: Date.now(),
})
// send mail to user
try {
if (user) {
const ip = ctx.remoteAddr.hostname
// Get user ip through proxy else from tcp connection
const ip = request.headers.get('X-FORWARDED-FOR') ??
ctx.remoteAddr.hostname
const device = request.headers.get('Sec-Ch-Ua-Platform') ?? undefined
await sendMagicLink(user, { device, ip, endpoint })
@ -69,14 +71,24 @@ export const handler: SessionHandlers = {
)
}
},
async GET(_request, ctx) {
async GET(request, ctx) {
const token = ctx.url.searchParams.get('token')
const redirect = ctx.url.searchParams.get('redirect')
const sessionId = ctx.url.searchParams.get('session')
// no token
if (token === null) {
return respondApi('error', 'no token provided', 400)
// no token or sessionId
if (token === null || sessionId === null) {
return respondApi('error', 'no token or session provided', 400)
}
// set session if 3rd party cookies was blocked
ctx.state.session = ctx.state.session ?? SessionStore.getSession(sessionId)
// no session available
if (ctx.state.session === null) {
return respondApi('error', 'no session datas', 401)
}
// wrong or timeout token
const entry = ctx.state.session.get<MagicLinkInfos>(`MAGIC_LINK__${token}`)
@ -87,12 +99,12 @@ export const handler: SessionHandlers = {
}
// check remote id (same user/machine that has query the token)
if (entry.remoteId === remoteId(ctx)) {
if (entry.remoteId === remoteId(request, ctx)) {
const user = await getUserByMail(entry.email)
ctx.state.session.set('user', user)
if (redirect) {
return Response.redirect(new URL(redirect, ctx.basePath))
return Response.redirect(new URL(redirect, ctx.url.origin))
}
return respondApi('success', user)
@ -109,8 +121,16 @@ export const handler: SessionHandlers = {
}
function remoteId(
{ headers }: { headers: Headers },
{ remoteAddr }: { remoteAddr: FreshContext['remoteAddr'] },
): string {
const forwardedAddress = headers.get('X-FORWARDED-FOR')
const forwardedProto = headers.get('X-FORWARDED-PROTO')
if (forwardedAddress && forwardedProto) {
return `${forwardedProto}://${forwardedAddress}`
}
return `(${remoteAddr.transport}):${remoteAddr.hostname}:${remoteAddr.port}`
}

5
routes/api/webauthn/login/[step].ts
View file

@ -118,8 +118,7 @@ export const handler: SessionHandlers = {
}
const { newCounter } = authenticationInfo
passkey.counter = newCounter
const newPasskey = { ...passkey, counter: newCounter }
// Update credential store
const [credential] = await db.ressource.credential.list(
@ -133,7 +132,7 @@ export const handler: SessionHandlers = {
// Save credential to db
await db.ressource.credential.set([
credential.update({ store: passkey }),
credential.update({ store: newPasskey }),
])
// log user

2
routes/api/webauthn/register/[step].ts
View file

@ -54,7 +54,7 @@ export const handler: SessionHandlers = {
const options = await generateRegistrationOptions({
rpName: relyingParty.name,
rpID: relyingParty.id,
rpID: relyingParty.origin,
userName: user.login,
attestationType: 'none',
excludeCredentials,

5
src/webauthn/mod.ts
View file

@ -1,6 +1,11 @@
export function getRelyingParty(url: string | URL) {
url = new URL(url)
// Prevent protocol mismatch when server is behind a proxy
if (!['localhost', '127.0.0.1', '0.0.0.0'].includes(url.hostname)) {
url.protocol = 'https'
}
return {
/**
* Human-readable title for your website