Merge pull request #49 from sebadob/webauthn-cred-id-migration

Webauthn cred id migration

Cargo.toml

@@ -9,7 +9,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.15.0-20230907"
+version = "0.15.0-20230908"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "AGPLv3"

docs/config/config.html

@@ -561,6 +561,14 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # The value is in hours (default: 2160)
 #WEBAUTHN_RENEW_EXP=2160
 
+# This feature can be set to 'true' to force User verification during the Webauthn ceremony.
+# UV will be true, if the user does not only need to verify its presence by touching the key, but by also providing
+# proof that he knows (or is) some secret via a PIN or biometric key for instance.
+# With UV, we have a true MFA scenario where UV == false (user presence only) would be a 2FA scenario (with password).
+# Be careful with this option, since Android and some special combinations of OS + browser to not support UV yet.
+# (default: false)
+#WEBAUTHN_FORCE_UV=false
+
 </code></pre>
 
                     </main>

docs/print.html

@@ -1658,6 +1658,14 @@ <h4 id="config-adjustements---rest-api"><a class="header" href="#config-adjustem
 # The value is in hours (default: 2160)
 #WEBAUTHN_RENEW_EXP=2160
 
+# This feature can be set to 'true' to force User verification during the Webauthn ceremony.
+# UV will be true, if the user does not only need to verify its presence by touching the key, but by also providing
+# proof that he knows (or is) some secret via a PIN or biometric key for instance.
+# With UV, we have a true MFA scenario where UV == false (user presence only) would be a 2FA scenario (with password).
+# Be careful with this option, since Android and some special combinations of OS + browser to not support UV yet.
+# (default: false)
+#WEBAUTHN_FORCE_UV=false
+
 </code></pre>
 
                     </main>

frontend/src/components/account/AccInfo.svelte

@@ -44,7 +44,7 @@
 
     <div class="row">
         <div class={classLabel}><b>{t.mfaActivated}:</b></div>
-        <CheckIcon check={user.webauthn_enabled}/>
+        <CheckIcon check={!!user.webauthn_user_id}/>
     </div>
 
     <div class="row">

frontend/src/components/account/AccMFA.svelte

@@ -2,12 +2,11 @@
     import {
         arrBufToBase64UrlSafe,
         base64UrlSafeToArrBuf,
-        extractFormErrors, formatDateFromTs,
-        redirectToLogin
+        extractFormErrors,
+        formatDateFromTs
     } from "../../utils/helpers.js";
     import Button from "$lib/Button.svelte";
     import {
-        getUser,
         getUserPasskeys,
         webauthnAuthFinish,
         webauthnAuthStart,
@@ -31,7 +30,7 @@
 
     let passkeys = [];
 
-    let formValues = { passkeyName: '' };
+    let formValues = {passkeyName: ''};
     let formErrors = {};
     const schema = yup.object().shape({
         passkeyName: yup.string()
@@ -74,7 +73,7 @@
             return;
         }
 
-        let res = await webauthnRegStart(user.id, { passkey_name: passkeyName });
+        let res = await webauthnRegStart(user.id, {passkey_name: passkeyName});
         if (res.status === 200) {
             let challenge = await res.json();
 
@@ -213,6 +212,8 @@
                 autocomplete="off"
                 placeholder={t.mfa.passkeyName}
                 on:input={validateForm}
+                autofocus
+                on:enter={handleRegStart}
         >
             {t.mfa.passkeyName}
         </Input>

frontend/src/components/admin/users/UserInfo.svelte

@@ -231,7 +231,7 @@
             MFA ACTIVE
         </div>
         <div class="value">
-            <CheckIcon check={user.webauthn_enabled}/>
+            <CheckIcon check={!!user.webauthn_user_id}/>
         </div>
     </div>
 

frontend/src/lib/inputs/Input.svelte

@@ -15,8 +15,13 @@
 
     function handleKeyPress(event) {
         dispatch('keypress', event);
+        if (event.code === 'Enter') {
+            dispatch('enter', event);
+        }
     }
 
+    dispatch('blur', true);
+
     function handleOnBlur() {
         dispatch('blur', true);
     }

frontend/src/lib/itemTiles/ItemTiles.svelte

@@ -5,8 +5,6 @@
 
     export let items = [];
     export let options = [];
-    export let offset = -55;
-    export let offsetSearch = -100;
     export let searchThreshold = 4;
 
     let missing = [];

migrations/postgres/7_passkey_features.sql

@@ -1,16 +1,31 @@
 alter table users
-    add webauthn_enabled bool default false not null;
+    add webauthn_user_id varchar;
+
+alter table users
+    add constraint users_pk2
+        unique (webauthn_user_id);
+
+-- This index was a duplicate -> there is one anyway from the 2nd PK on email
+drop index users_email_uindex;
 
 create table passkeys
 (
-    user_id    varchar not null
+    user_id         varchar not null
         constraint passkeys_users_id_fk
             references users
             on update cascade on delete cascade,
-    name       varchar not null,
-    passkey    varchar not null,
-    registered bigint  not null,
-    last_used  bigint  not null,
+    name            varchar not null,
+    passkey_user_id varchar    not null
+        constraint passkeys_users_webauthn_user_id_fk
+            references users (webauthn_user_id)
+            on update cascade on delete cascade,
+    passkey         varchar not null,
+    credential_id   bytea   not null,
+    registered      bigint  not null,
+    last_used       bigint  not null,
     constraint passkeys_pk
         primary key (user_id, name)
 );
+
+create index passkeys_credential_id_index
+    on passkeys (credential_id);