mirror of https://github.com/go-gitea/gitea.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
217 lines
6.2 KiB
217 lines
6.2 KiB
import {encodeURLEncodedBase64, decodeURLEncodedBase64} from '../utils.js'; |
|
import {showElem, hideElem} from '../utils/dom.js'; |
|
|
|
const {appSubUrl, csrfToken} = window.config; |
|
|
|
export async function initUserAuthWebAuthn() { |
|
hideElem('#webauthn-error'); |
|
|
|
const elPrompt = document.querySelector('.user.signin.webauthn-prompt'); |
|
if (!elPrompt) { |
|
return; |
|
} |
|
|
|
if (!detectWebAuthnSupport()) { |
|
return; |
|
} |
|
|
|
const res = await fetch(`${appSubUrl}/user/webauthn/assertion`); |
|
if (res.status !== 200) { |
|
webAuthnError('unknown'); |
|
return; |
|
} |
|
const options = await res.json(); |
|
options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge); |
|
for (const cred of options.publicKey.allowCredentials) { |
|
cred.id = decodeURLEncodedBase64(cred.id); |
|
} |
|
const credential = await navigator.credentials.get({ |
|
publicKey: options.publicKey |
|
}); |
|
try { |
|
await verifyAssertion(credential); |
|
} catch (err) { |
|
if (!options.publicKey.extensions?.appid) { |
|
webAuthnError('general', err.message); |
|
return; |
|
} |
|
delete options.publicKey.extensions.appid; |
|
const credential = await navigator.credentials.get({ |
|
publicKey: options.publicKey |
|
}); |
|
try { |
|
await verifyAssertion(credential); |
|
} catch (err) { |
|
webAuthnError('general', err.message); |
|
} |
|
} |
|
} |
|
|
|
async function verifyAssertion(assertedCredential) { |
|
// Move data into Arrays incase it is super long |
|
const authData = new Uint8Array(assertedCredential.response.authenticatorData); |
|
const clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON); |
|
const rawId = new Uint8Array(assertedCredential.rawId); |
|
const sig = new Uint8Array(assertedCredential.response.signature); |
|
const userHandle = new Uint8Array(assertedCredential.response.userHandle); |
|
|
|
const res = await fetch(`${appSubUrl}/user/webauthn/assertion`, { |
|
method: 'POST', |
|
headers: { |
|
'Content-Type': 'application/json; charset=utf-8' |
|
}, |
|
body: JSON.stringify({ |
|
id: assertedCredential.id, |
|
rawId: encodeURLEncodedBase64(rawId), |
|
type: assertedCredential.type, |
|
clientExtensionResults: assertedCredential.getClientExtensionResults(), |
|
response: { |
|
authenticatorData: encodeURLEncodedBase64(authData), |
|
clientDataJSON: encodeURLEncodedBase64(clientDataJSON), |
|
signature: encodeURLEncodedBase64(sig), |
|
userHandle: encodeURLEncodedBase64(userHandle), |
|
}, |
|
}), |
|
}); |
|
if (res.status === 500) { |
|
webAuthnError('unknown'); |
|
return; |
|
} else if (res.status !== 200) { |
|
webAuthnError('unable-to-process'); |
|
return; |
|
} |
|
const reply = await res.json(); |
|
|
|
window.location.href = reply?.redirect ?? `${appSubUrl}/`; |
|
} |
|
|
|
async function webauthnRegistered(newCredential) { |
|
const attestationObject = new Uint8Array(newCredential.response.attestationObject); |
|
const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON); |
|
const rawId = new Uint8Array(newCredential.rawId); |
|
|
|
const res = await fetch(`${appSubUrl}/user/settings/security/webauthn/register`, { |
|
method: 'POST', |
|
headers: { |
|
'X-Csrf-Token': csrfToken, |
|
'Content-Type': 'application/json; charset=utf-8', |
|
}, |
|
body: JSON.stringify({ |
|
id: newCredential.id, |
|
rawId: encodeURLEncodedBase64(rawId), |
|
type: newCredential.type, |
|
response: { |
|
attestationObject: encodeURLEncodedBase64(attestationObject), |
|
clientDataJSON: encodeURLEncodedBase64(clientDataJSON), |
|
}, |
|
}), |
|
}); |
|
|
|
if (res.status === 409) { |
|
webAuthnError('duplicated'); |
|
return; |
|
} else if (res.status !== 201) { |
|
webAuthnError('unknown'); |
|
return; |
|
} |
|
|
|
window.location.reload(); |
|
} |
|
|
|
function webAuthnError(errorType, message) { |
|
const elErrorMsg = document.getElementById(`webauthn-error-msg`); |
|
|
|
if (errorType === 'general') { |
|
elErrorMsg.textContent = message || 'unknown error'; |
|
} else { |
|
const elTypedError = document.querySelector(`#webauthn-error [data-webauthn-error-msg=${errorType}]`); |
|
if (elTypedError) { |
|
elErrorMsg.textContent = `${elTypedError.textContent}${message ? ` ${message}` : ''}`; |
|
} else { |
|
elErrorMsg.textContent = `unknown error type: ${errorType}${message ? ` ${message}` : ''}`; |
|
} |
|
} |
|
|
|
showElem('#webauthn-error'); |
|
} |
|
|
|
function detectWebAuthnSupport() { |
|
if (!window.isSecureContext) { |
|
document.getElementById('register-button').disabled = true; |
|
document.getElementById('login-button').disabled = true; |
|
webAuthnError('insecure'); |
|
return false; |
|
} |
|
|
|
if (typeof window.PublicKeyCredential !== 'function') { |
|
document.getElementById('register-button').disabled = true; |
|
document.getElementById('login-button').disabled = true; |
|
webAuthnError('browser'); |
|
return false; |
|
} |
|
|
|
return true; |
|
} |
|
|
|
export function initUserAuthWebAuthnRegister() { |
|
const elRegister = document.getElementById('register-webauthn'); |
|
if (!elRegister) { |
|
return; |
|
} |
|
|
|
hideElem('#webauthn-error'); |
|
|
|
elRegister.addEventListener('click', (e) => { |
|
e.preventDefault(); |
|
if (!detectWebAuthnSupport()) { |
|
return; |
|
} |
|
webAuthnRegisterRequest(); |
|
}); |
|
} |
|
|
|
async function webAuthnRegisterRequest() { |
|
const elNickname = document.getElementById('nickname'); |
|
|
|
const body = new FormData(); |
|
body.append('name', elNickname.value); |
|
|
|
const res = await fetch(`${appSubUrl}/user/settings/security/webauthn/request_register`, { |
|
method: 'POST', |
|
headers: { |
|
'X-Csrf-Token': csrfToken, |
|
}, |
|
body, |
|
}); |
|
|
|
if (res.status === 409) { |
|
webAuthnError('duplicated'); |
|
return; |
|
} else if (res.status !== 200) { |
|
webAuthnError('unknown'); |
|
return; |
|
} |
|
|
|
const options = await res.json(); |
|
elNickname.closest('div.field').classList.remove('error'); |
|
|
|
options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge); |
|
options.publicKey.user.id = decodeURLEncodedBase64(options.publicKey.user.id); |
|
if (options.publicKey.excludeCredentials) { |
|
for (const cred of options.publicKey.excludeCredentials) { |
|
cred.id = decodeURLEncodedBase64(cred.id); |
|
} |
|
} |
|
|
|
let credential; |
|
try { |
|
credential = await navigator.credentials.create({ |
|
publicKey: options.publicKey |
|
}); |
|
} catch (err) { |
|
webAuthnError('unknown', err); |
|
return; |
|
} |
|
|
|
webauthnRegistered(credential); |
|
}
|
|
|