summaryrefslogtreecommitdiff
path: root/app/services/webauthn/authenticate_service.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/services/webauthn/authenticate_service.rb')
-rw-r--r--app/services/webauthn/authenticate_service.rb61
1 files changed, 61 insertions, 0 deletions
diff --git a/app/services/webauthn/authenticate_service.rb b/app/services/webauthn/authenticate_service.rb
new file mode 100644
index 00000000000..a4513c62c2d
--- /dev/null
+++ b/app/services/webauthn/authenticate_service.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Webauthn
+ class AuthenticateService < BaseService
+ def initialize(user, device_response, challenge)
+ @user = user
+ @device_response = device_response
+ @challenge = challenge
+ end
+
+ def execute
+ parsed_device_response = Gitlab::Json.parse(@device_response)
+
+ # appid is set for legacy U2F devices, will be used in a future iteration
+ # rp_id = @app_id
+ # unless parsed_device_response['clientExtensionResults'] && parsed_device_response['clientExtensionResults']['appid']
+ # rp_id = URI(@app_id).host
+ # end
+
+ webauthn_credential = WebAuthn::Credential.from_get(parsed_device_response)
+ encoded_raw_id = Base64.strict_encode64(webauthn_credential.raw_id)
+ stored_webauthn_credential = @user.webauthn_registrations.find_by_credential_xid(encoded_raw_id)
+
+ encoder = WebAuthn.configuration.encoder
+
+ if stored_webauthn_credential &&
+ validate_webauthn_credential(webauthn_credential) &&
+ verify_webauthn_credential(webauthn_credential, stored_webauthn_credential, @challenge, encoder)
+
+ stored_webauthn_credential.update!(counter: webauthn_credential.sign_count)
+ return true
+ end
+
+ false
+ rescue JSON::ParserError, WebAuthn::SignCountVerificationError, WebAuthn::Error
+ false
+ end
+
+ ##
+ # Validates that webauthn_credential is syntactically valid
+ #
+ # duplicated from WebAuthn::PublicKeyCredential#verify
+ # which can't be used here as we need to call WebAuthn::AuthenticatorAssertionResponse#verify instead
+ # (which is done in #verify_webauthn_credential)
+ def validate_webauthn_credential(webauthn_credential)
+ webauthn_credential.type == WebAuthn::TYPE_PUBLIC_KEY &&
+ webauthn_credential.raw_id && webauthn_credential.id &&
+ webauthn_credential.raw_id == WebAuthn.standard_encoder.decode(webauthn_credential.id)
+ end
+
+ ##
+ # Verifies that webauthn_credential matches stored_credential with the given challenge
+ #
+ def verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder)
+ webauthn_credential.response.verify(
+ encoder.decode(challenge),
+ public_key: encoder.decode(stored_credential.public_key),
+ sign_count: stored_credential.counter)
+ end
+ end
+end
View Lorry Controller Status