added passkey support (closes #6)
All checks were successful
test-and-lint / test-and-lint (pull_request) Successful in 2m50s
All checks were successful
test-and-lint / test-and-lint (pull_request) Successful in 2m50s
This commit is contained in:
262
storage/passkeys.go
Normal file
262
storage/passkeys.go
Normal file
@@ -0,0 +1,262 @@
|
||||
package storage
|
||||
|
||||
import (
|
||||
"MiauInv/models"
|
||||
utils "MiauInv/util"
|
||||
"database/sql"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"github.com/go-webauthn/webauthn/webauthn"
|
||||
)
|
||||
|
||||
const (
|
||||
PasskeyCeremonyRegister = "register"
|
||||
PasskeyCeremonyLogin = "login"
|
||||
)
|
||||
|
||||
func AddPasskeyCredential(userID, name string, credential *webauthn.Credential) (models.PasskeyCredential, error) {
|
||||
if DB == nil {
|
||||
return models.PasskeyCredential{}, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
credentialJSON, err := json.Marshal(credential)
|
||||
if err != nil {
|
||||
return models.PasskeyCredential{}, err
|
||||
}
|
||||
|
||||
row := models.PasskeyCredential{
|
||||
ID: utils.GenerateUUID(),
|
||||
UserID: userID,
|
||||
CredentialID: utils.EncodeBase64URL(credential.ID),
|
||||
Name: name,
|
||||
CredentialData: string(credentialJSON),
|
||||
CreatedAt: time.Now().Unix(),
|
||||
}
|
||||
if row.Name == "" {
|
||||
row.Name = "Passkey"
|
||||
}
|
||||
|
||||
_, err = DB.Exec(`
|
||||
INSERT INTO passkey_credentials(id, user_id, credential_id, name, credential_data, created_at, last_used_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, NULL)
|
||||
`, row.ID, row.UserID, row.CredentialID, row.Name, row.CredentialData, row.CreatedAt)
|
||||
if err != nil {
|
||||
return models.PasskeyCredential{}, err
|
||||
}
|
||||
|
||||
return row, nil
|
||||
}
|
||||
|
||||
func ListPasskeyCredentials(userID string) ([]models.PasskeyCredential, error) {
|
||||
if DB == nil {
|
||||
return nil, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
rows, err := DB.Query(`
|
||||
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
|
||||
FROM passkey_credentials
|
||||
WHERE user_id = ?
|
||||
ORDER BY created_at DESC
|
||||
`, userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
credentials := make([]models.PasskeyCredential, 0)
|
||||
for rows.Next() {
|
||||
var credential models.PasskeyCredential
|
||||
if err := rows.Scan(&credential.ID, &credential.UserID, &credential.CredentialID, &credential.Name, &credential.CredentialData, &credential.CreatedAt, &credential.LastUsedAt); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
credentials = append(credentials, credential)
|
||||
}
|
||||
return credentials, rows.Err()
|
||||
}
|
||||
|
||||
func CountPasskeyCredentials(userID string) (int, error) {
|
||||
if DB == nil {
|
||||
return 0, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
var count int
|
||||
err := DB.QueryRow("SELECT COUNT(*) FROM passkey_credentials WHERE user_id = ?", userID).Scan(&count)
|
||||
return count, err
|
||||
}
|
||||
|
||||
func GetPasskeyCredentialByCredentialID(credentialID string) (models.PasskeyCredential, error) {
|
||||
if DB == nil {
|
||||
return models.PasskeyCredential{}, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
row := DB.QueryRow(`
|
||||
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
|
||||
FROM passkey_credentials
|
||||
WHERE credential_id = ?
|
||||
`, credentialID)
|
||||
return scanPasskeyCredential(row)
|
||||
}
|
||||
|
||||
func GetPasskeyCredentialByID(userID, id string) (models.PasskeyCredential, error) {
|
||||
if DB == nil {
|
||||
return models.PasskeyCredential{}, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
row := DB.QueryRow(`
|
||||
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
|
||||
FROM passkey_credentials
|
||||
WHERE user_id = ? AND id = ?
|
||||
`, userID, id)
|
||||
return scanPasskeyCredential(row)
|
||||
}
|
||||
|
||||
func scanPasskeyCredential(row *sql.Row) (models.PasskeyCredential, error) {
|
||||
var credential models.PasskeyCredential
|
||||
err := row.Scan(&credential.ID, &credential.UserID, &credential.CredentialID, &credential.Name, &credential.CredentialData, &credential.CreatedAt, &credential.LastUsedAt)
|
||||
return credential, err
|
||||
}
|
||||
|
||||
func DecodeWebAuthnCredential(row models.PasskeyCredential) (webauthn.Credential, error) {
|
||||
var credential webauthn.Credential
|
||||
err := json.Unmarshal([]byte(row.CredentialData), &credential)
|
||||
return credential, err
|
||||
}
|
||||
|
||||
func DecodeWebAuthnCredentials(rows []models.PasskeyCredential) ([]webauthn.Credential, error) {
|
||||
credentials := make([]webauthn.Credential, 0, len(rows))
|
||||
for _, row := range rows {
|
||||
credential, err := DecodeWebAuthnCredential(row)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
credentials = append(credentials, credential)
|
||||
}
|
||||
return credentials, nil
|
||||
}
|
||||
|
||||
func UpdatePasskeyCredentialAfterLogin(userID string, credential *webauthn.Credential) error {
|
||||
if DB == nil {
|
||||
return errors.New("db not initialized")
|
||||
}
|
||||
|
||||
credentialID := utils.EncodeBase64URL(credential.ID)
|
||||
credentialJSON, err := json.Marshal(credential)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
res, err := DB.Exec(`
|
||||
UPDATE passkey_credentials
|
||||
SET credential_data = ?, last_used_at = ?
|
||||
WHERE user_id = ? AND credential_id = ?
|
||||
`, string(credentialJSON), time.Now().Unix(), userID, credentialID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if n == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func DeletePasskeyCredential(userID, id string) error {
|
||||
if DB == nil {
|
||||
return errors.New("db not initialized")
|
||||
}
|
||||
|
||||
res, err := DB.Exec("DELETE FROM passkey_credentials WHERE user_id = ? AND id = ?", userID, id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
n, err := res.RowsAffected()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if n == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func DeleteAllPasskeyCredentials(userID string) error {
|
||||
if DB == nil {
|
||||
return errors.New("db not initialized")
|
||||
}
|
||||
|
||||
_, err := DB.Exec("DELETE FROM passkey_credentials WHERE user_id = ?", userID)
|
||||
return err
|
||||
}
|
||||
|
||||
func SavePasskeyChallenge(token, userID, ceremony string, sessionData webauthn.SessionData, ttl time.Duration) error {
|
||||
if DB == nil {
|
||||
return errors.New("db not initialized")
|
||||
}
|
||||
|
||||
encodedSession, err := json.Marshal(sessionData)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = DB.Exec(`
|
||||
INSERT INTO passkey_challenges(token, user_id, ceremony, session_data, expires_at)
|
||||
VALUES (?, ?, ?, ?, ?)
|
||||
`, token, userID, ceremony, string(encodedSession), time.Now().Add(ttl).Unix())
|
||||
return err
|
||||
}
|
||||
|
||||
func ConsumePasskeyChallenge(token, ceremony string) (models.PasskeyChallenge, webauthn.SessionData, error) {
|
||||
if DB == nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, errors.New("db not initialized")
|
||||
}
|
||||
|
||||
tx, err := DB.Begin()
|
||||
if err != nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
|
||||
}
|
||||
defer tx.Rollback()
|
||||
|
||||
row := tx.QueryRow(`
|
||||
SELECT token, user_id, ceremony, session_data, expires_at
|
||||
FROM passkey_challenges
|
||||
WHERE token = ? AND ceremony = ?
|
||||
`, token, ceremony)
|
||||
|
||||
var challenge models.PasskeyChallenge
|
||||
if err := row.Scan(&challenge.Token, &challenge.UserID, &challenge.Ceremony, &challenge.SessionData, &challenge.ExpiresAt); err != nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
|
||||
}
|
||||
|
||||
if _, err := tx.Exec("DELETE FROM passkey_challenges WHERE token = ?", token); err != nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
|
||||
}
|
||||
|
||||
if challenge.ExpiresAt < time.Now().Unix() {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, errors.New("passkey challenge expired")
|
||||
}
|
||||
|
||||
var sessionData webauthn.SessionData
|
||||
if err := json.Unmarshal([]byte(challenge.SessionData), &sessionData); err != nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
|
||||
}
|
||||
|
||||
if err := tx.Commit(); err != nil {
|
||||
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
|
||||
}
|
||||
|
||||
return challenge, sessionData, nil
|
||||
}
|
||||
|
||||
func CleanupExpiredPasskeyChallenges() error {
|
||||
if DB == nil {
|
||||
return errors.New("db not initialized")
|
||||
}
|
||||
|
||||
_, err := DB.Exec("DELETE FROM passkey_challenges WHERE expires_at < ?", time.Now().Unix())
|
||||
return err
|
||||
}
|
||||
@@ -55,6 +55,25 @@ func InitDB(filepath string) error {
|
||||
UNIQUE(user_id, code_hash)
|
||||
);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS passkey_credentials (
|
||||
id TEXT PRIMARY KEY,
|
||||
user_id TEXT NOT NULL,
|
||||
credential_id TEXT NOT NULL UNIQUE,
|
||||
name TEXT NOT NULL,
|
||||
credential_data TEXT NOT NULL,
|
||||
created_at INTEGER NOT NULL,
|
||||
last_used_at INTEGER DEFAULT NULL,
|
||||
FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
|
||||
);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS passkey_challenges (
|
||||
token TEXT PRIMARY KEY,
|
||||
user_id TEXT NOT NULL DEFAULT '',
|
||||
ceremony TEXT NOT NULL,
|
||||
session_data TEXT NOT NULL,
|
||||
expires_at INTEGER NOT NULL
|
||||
);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS items (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
name TEXT NOT NULL,
|
||||
|
||||
Reference in New Issue
Block a user