69 lines
3 KiB
Go
69 lines
3 KiB
Go
package auth
|
|
|
|
import (
|
|
"encoding/json"
|
|
|
|
"git.mstar.dev/mstar/goutils/sliceutils"
|
|
"github.com/go-webauthn/webauthn/webauthn"
|
|
"github.com/rs/zerolog/log"
|
|
|
|
"git.mstar.dev/mstar/linstrom/storage-new/models"
|
|
)
|
|
|
|
// A fake user struct for implementing the webauthn.User interface
|
|
// on top of the storage system
|
|
type fakeUser struct {
|
|
actualUser *models.User
|
|
}
|
|
|
|
// Ensure that fakeUser always implements webauthn.User
|
|
var _ webauthn.User = &fakeUser{}
|
|
|
|
// WebAuthnID provides the user handle of the user account. A user handle is an opaque byte sequence with a maximum
|
|
// size of 64 bytes, and is not meant to be displayed to the user.
|
|
//
|
|
// To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this id
|
|
// member, not the displayName nor name members. See Section 6.1 of [RFC8266].
|
|
//
|
|
// It's recommended this value is completely random and uses the entire 64 bytes.
|
|
//
|
|
// Specification: §5.4.3. User Account Parameters for Credential Generation (https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id)
|
|
func (fakeuser *fakeUser) WebAuthnID() []byte {
|
|
return fakeuser.actualUser.PasskeyId
|
|
}
|
|
|
|
// WebAuthnName provides the name attribute of the user account during registration and is a human-palatable name for the user
|
|
// account, intended only for display. For example, "Alex Müller" or "田中倫". The Relying Party SHOULD let the user
|
|
// choose this, and SHOULD NOT restrict the choice more than necessary.
|
|
//
|
|
// Specification: §5.4.3. User Account Parameters for Credential Generation (https://w3c.github.io/webauthn/#dictdef-publickeycredentialuserentity)
|
|
func (fakeuser *fakeUser) WebAuthnName() string {
|
|
return fakeuser.actualUser.DisplayName
|
|
}
|
|
|
|
// WebAuthnDisplayName provides the name attribute of the user account during registration and is a human-palatable
|
|
// name for the user account, intended only for display. For example, "Alex Müller" or "田中倫". The Relying Party
|
|
// SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.
|
|
//
|
|
// Specification: §5.4.3. User Account Parameters for Credential Generation (https://www.w3.org/TR/webauthn/#dom-publickeycredentialuserentity-displayname)
|
|
func (fakeuser *fakeUser) WebAuthnDisplayName() string {
|
|
return fakeuser.actualUser.DisplayName
|
|
}
|
|
|
|
// WebAuthnCredentials provides the list of Credential objects owned by the user.
|
|
func (fakeuser *fakeUser) WebAuthnCredentials() []webauthn.Credential {
|
|
// Basically just convert the relevant entries from the user to a credential
|
|
return sliceutils.Map(sliceutils.Filter(
|
|
fakeuser.actualUser.AuthMethods,
|
|
func(t models.UserAuthMethod) bool {
|
|
return t.AuthMethod == models.AuthMethodPasskey ||
|
|
t.AuthMethod == models.AuthMethodPasskey2fa
|
|
}), func(t models.UserAuthMethod) webauthn.Credential {
|
|
var c webauthn.Credential
|
|
if err := json.Unmarshal(t.Token, &c); err != nil {
|
|
// TODO: Is there any better way to handle the error here?
|
|
log.Error().Err(err).Msg("Failed to unmarshal webauthn credential")
|
|
}
|
|
return c
|
|
})
|
|
}
|