-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauthenticate_verify.go
105 lines (88 loc) · 3.67 KB
/
authenticate_verify.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
package webauthn
import (
"context"
"github.com/spiretechnology/go-webauthn/internal/errutil"
"github.com/spiretechnology/go-webauthn/pkg/challenge"
"github.com/spiretechnology/go-webauthn/pkg/errs"
"github.com/spiretechnology/go-webauthn/pkg/pubkey"
"github.com/spiretechnology/go-webauthn/pkg/spec"
)
// AuthenticationResponse is the response sent back by the client after an authentication ceremony.
type AuthenticationResponse struct {
Token string `json:"token"`
Challenge string `json:"challenge"`
CredentialID string `json:"credentialId"`
Response AuthenticatorAssertionResponse `json:"response"`
}
// AuthenticationResult contains the results of verifying the authentication response.
type AuthenticationResult struct {
Credential Credential
}
func (w *webauthn) VerifyAuthentication(ctx context.Context, user User, res *AuthenticationResponse) (*AuthenticationResult, error) {
// Decode the challenge from the response
challengeBytesSlice, err := w.options.Codec.DecodeString(res.Challenge)
if err != nil {
return nil, errutil.Wrapf(err, "decoding challenge")
}
if len(challengeBytesSlice) != challenge.ChallengeSize {
return nil, errutil.Wrap(errs.ErrInvalidChallenge)
}
challengeBytes := challenge.Challenge(challengeBytesSlice)
// Verify the challenge token
if err := w.options.Tokener.VerifyToken(res.Token, challengeBytes, user); err != nil {
return nil, errutil.Wrapf(err, "verifying token")
}
// Decode the received credential ID
credentialID, err := w.options.Codec.DecodeString(res.CredentialID)
if err != nil {
return nil, errutil.Wrapf(err, "decoding credential ID")
}
// Get the credential with the user and ID
credential, err := w.options.Credentials.GetCredential(ctx, user, credentialID)
if err != nil {
return nil, errutil.Wrapf(err, "getting credential")
}
if credential == nil {
return nil, errutil.Wrap(errs.ErrCredentialNotFound)
}
// Decode the public key from the credential store
publicKey, err := pubkey.Decode(credential.PublicKey)
if err != nil {
return nil, errutil.Wrapf(err, "parsing public key")
}
// Decode the assertion response response to spec types
assertionResponse, err := res.Response.Decode(w.options.Codec)
if err != nil {
return nil, errutil.Wrapf(err, "decoding attestation response")
}
//================================================================================
// Validate the client data
//================================================================================
// Decode the clientDataJSON
clientData, err := assertionResponse.ClientData()
if err != nil {
return nil, errutil.Wrapf(err, "decoding client data")
}
// Verify that the decoded clientDataJSON.type is "webauthn.get"
if clientData.Type != spec.ClientDataTypeGet {
return nil, errutil.Wrapf(err, "invalid client data type %q", clientData.Type)
}
// Verify that this challenge was issued to the client
clientDataChallengeBytes, err := clientData.DecodeChallenge()
if err != nil {
return nil, errutil.Wrapf(err, "decoding challenge")
}
if clientDataChallengeBytes != challengeBytes {
return nil, errutil.Wrapf(err, "invalid challenge")
}
//================================================================================
// Verify the returned signature
//================================================================================
// Verify the signature using the signature algorithm for the stored credential
if err := assertionResponse.Verify(publicKey, pubkey.KeyType(credential.PublicKeyAlg)); err != nil {
return nil, errutil.Wrapf(err, "verifying signature")
}
return &AuthenticationResult{
Credential: *credential,
}, nil
}