
WebAuthn Support #153

Open
willbarkoff opened this issue Sep 7, 2020 · 4 comments
Labels
enhancement Feature requests and other enhancements needs api server Needs API server changes

Comments

@willbarkoff
Member

It would be amazing if we could support hardware tokens with U2F 🔒.

@willbarkoff
Member Author

Ok, so looking into this it really doesn't seem too hard. The two main Go libraries to do this are duo-labs/webauthn and koesie10/webauthn. JS implements it really nicely (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).

The only issue is actually debugging this. You need a secure context, and the way that we currently do local development, it isn't considered a secure context. (This was actually the main thing stopping me from doing #87).

Looking into this a bit more, it's actually not too hard. You need to generate a local certificate and have your computer trust it. Instructions are here, and I'll probably add them to the README at some point.

@thatoddmailbox
Member

Alternatively, if you're using Chrome, you can go to chrome://flags and add "http://app.myhomework.invalid" to the list of "Insecure origins treated as secure". There's also probably a Firefox alternative with about:config.

@willbarkoff
Member Author

Turns out it wasn't too hard at all :)

I'll add instructions to the README

@willbarkoff willbarkoff added enhancement Feature requests and other enhancements needs api server Needs API server changes labels Sep 9, 2020
willbarkoff added a commit to MyHomeworkSpace/api-server that referenced this issue May 11, 2021
This commit adds the dependency github.com/duo-labs/webauthn
Related: MyHomeworkSpace/client#153
willbarkoff added a commit to MyHomeworkSpace/api-server that referenced this issue May 11, 2021
This enables a secure context in Firefox (and I think chromium) browsers, enabling work on issues such as MyHomeworkSpace/client#153 and MyHomeworkSpace/client#87 without worrying about certificates
@willbarkoff willbarkoff changed the title U2F Support WebAuthn Support May 11, 2021
willbarkoff added a commit that referenced this issue May 11, 2021
willbarkoff added a commit to MyHomeworkSpace/api-server that referenced this issue May 11, 2021
@willbarkoff
Member Author

I've implemented like half of this so far. The current plan is that a user must have TOTP set up to set up WebAuthn. A user may have both TOTP and WebAuthn set up. A user cannot have WebAuthn set up without TOTP.

Here's what's been done so far, and what needs to be done:

  • Understand how WebAuthn, U2F, and FIDO2 work
  • Implement storage models for authenticators, keys, and other stuff
  • Add logic, UI for registering keys
  • Determine how best to implement signing in with a key
    • Right now, for TOTP 2fa we use one endpoint, auth/login. While TOTP can be reasonably achieved in one request (send the username, password, and OTP all together), WebAuthn cannot. This is because TOTP is nondeterministic with respect to the server; however, WebAuthn is deterministic with respect to the server. We need to somehow send the client the data to sign, and the client needs to send back the signed data.
    • I was thinking that this could be implemented using Redis. auth/login can return some sort of "pending 2fa" response, with the data to sign, then we simply add a key to the redis store with the pending login data, and the client authenticates with WebAuthn, and makes a request to auth/2fa/login/webauthn or something. The TOTP code could also be refactored to follow this layout. This would allow further flexibility for 2fa in the future.
    • The one potential issue I see is concurrent logins. Presumably, each MyHomeworkSpace account has one "person" associated with it; however, if someone tried to log in on two computers at once, there could be issues. Let's say computer A sends a request to auth/login, and gets the WebAuthn data. Now computer B sends a request to auth/login and the server generates new WebAuthn data. This overwrites the previous WebAuthn data stored in redis. Now computer A sends a request to auth/2fa/login/webauthn with the correct data that was sent to it. It is marked as incorrect because Computer B's request overwrote it. This could be fixed by assigning each call to auth/login a unique ID; but that seems like it might be overkill. @thatoddmailbox, do you have any thoughts on this?
  • Add support for removing keys
    • This should be pretty easy. We just delete rows from the webauthn and 2fa tables.

Since these features aren't finished yet, I've pushed them to MyHomeworkSpace/client@webauthn and MyHomeworkSpace/api-server@webauthn
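One way to sidestep the overwrite described in the concurrent-login bullet, as an added example in Go that is not code from the MyHomeworkSpace api-server: key the pending-login state by a random per-attempt ID that auth/login returns alongside the challenge, and have the WebAuthn endpoint consume that entry exactly once. The mutex-guarded map stands in for the Redis store, and the endpoint names in the comments are the ones proposed above.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
)

// pendingLogin is the state stashed between auth/login and the second-factor
// endpoint. The issue proposes Redis for it; an in-memory map stands in here.
type pendingLogin struct {
	UserID    int
	Challenge []byte
}

// PendingStore is keyed by a random per-attempt ID rather than by user ID, so a
// second login from another computer gets its own entry instead of overwriting
// the first computer's challenge (the race described in the comment above).
type PendingStore struct {
	mu    sync.Mutex
	items map[string]pendingLogin
}

func NewPendingStore() *PendingStore {
	return &PendingStore{items: map[string]pendingLogin{}}
}

// Begin is what auth/login would do after the password check: mint a fresh
// challenge plus an attempt ID, store them, and return both to the client.
func (s *PendingStore) Begin(userID int) (attemptID string, challenge []byte, err error) {
	buf := make([]byte, 48) // 16 bytes of attempt ID, 32 bytes of challenge
	if _, err = rand.Read(buf); err != nil {
		return "", nil, err
	}
	attemptID, challenge = hex.EncodeToString(buf[:16]), buf[16:]
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[attemptID] = pendingLogin{UserID: userID, Challenge: challenge}
	return attemptID, challenge, nil
}

// Complete is the lookup auth/2fa/login/webauthn would do before verifying the
// assertion: fetch the entry for this attempt and delete it so it is single use.
func (s *PendingStore) Complete(attemptID string) (p pendingLogin, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok = s.items[attemptID]
	delete(s.items, attemptID)
	return p, ok
}
```

With Redis in place of the map, the SET for each attempt would also carry a short TTL so abandoned attempts expire on their own.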
