Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-25 18:28:31 +08:00
Code Packages Activity Actions
discourse/lib/discourse_webauthn.rb
Rafael dos Santos Silva 99ce75a01c
FEATURE: Allow passkeys to satisfy 2FA on /session/2fa (#39674) 
Previously, the 2FA confirmation page accepted only TOTP, backup codes,
or physical security keys, so users who logged in with a passkey had no
way to use that same credential for sensitive-action confirmation.

Behind the new `allow_passkeys_for_2fa` site setting, this change lets a
passkey satisfy a 2FA challenge and auto-triggers the WebAuthn prompt on
page load so a single OS dialog confirms the action.
2026-05-06 14:47:01 -03:00

134 lines
3.3 KiB
Ruby
Vendored
Raw Permalink Blame History

# frozen_string_literal: true
module DiscourseWebauthn
ACCEPTABLE_REGISTRATION_TYPE = "webauthn.create"
ACCEPTABLE_AUTHENTICATION_TYPE = "webauthn.get"
SUPPORTED_ALGORITHMS = [
-7, # ES256
-8, # EdDSA
-35, # ES384
-36, # ES512
-37, # PS256
-38, # PS384
-39, # PS512
-257, # RS256 (via freedom patch)
].freeze
VALID_ATTESTATION_FORMATS = %w[none packed fido-u2f].freeze
CHALLENGE_EXPIRY = 5.minutes
class SecurityKeyError < StandardError
end
class InvalidOriginError < SecurityKeyError
end
class InvalidRelyingPartyIdError < SecurityKeyError
end
class UserVerificationError < SecurityKeyError
end
class UserPresenceError < SecurityKeyError
end
class ChallengeMismatchError < SecurityKeyError
end
class InvalidTypeError < SecurityKeyError
end
class UnsupportedPublicKeyAlgorithmError < SecurityKeyError
end
class UnsupportedAttestationFormatError < SecurityKeyError
end
class CredentialIdInUseError < SecurityKeyError
end
class MalformedAttestationError < SecurityKeyError
end
class KeyNotFoundError < SecurityKeyError
end
class MalformedPublicKeyCredentialError < SecurityKeyError
end
class OwnershipError < SecurityKeyError
end
class PublicKeyError < SecurityKeyError
end
class UnknownCOSEAlgorithmError < SecurityKeyError
end
##
# Usage:
#
# These methods should be used in controllers where we
# are challenging the user that has a security key, and
# they must respond with a valid webauthn response and
# credentials.
#
# @param user [User] the user to stage the challenge for
# @param server_session [ServerSession] the session to store the challenge in
def self.stage_challenge(user, server_session)
::DiscourseWebauthn::ChallengeGenerator.generate.commit_to_session(
server_session,
user,
expires: CHALLENGE_EXPIRY,
)
end
##
# Clears the challenge from the user's server session.
#
# @param user [User] the user to clear the challenge for
# @param server_session [ServerSession] the session to clear the challenge from
def self.clear_challenge(user, server_session)
server_session.delete(session_challenge_key(user))
end
def self.allowed_credentials(user, server_session, include_passkeys: false)
has_security_keys = user.security_keys_enabled?
has_passkeys = include_passkeys && user.passkeys_for_2fa_enabled?
return {} if !has_security_keys && !has_passkeys
credential_ids = []
credential_ids.concat(user.second_factor_security_key_credential_ids) if has_security_keys
credential_ids.concat(user.passkey_credential_ids) if has_passkeys
{ allowed_credential_ids: credential_ids, challenge: challenge(user, server_session) }
end
def self.challenge(user, server_session)
server_session[session_challenge_key(user)]
end
def self.rp_id
Rails.env.production? ? Discourse.current_hostname : "localhost"
end
def self.origin
case Rails.env
when "development"
# defaults to the Ember CLI local port
# you might need to change this and the rp_id above
# if you are using a non-default port/hostname locally
"http://localhost:4200"
else
Discourse.base_url_no_prefix
end
end
def self.rp_name
SiteSetting.title
end
def self.session_challenge_key(user)
"staged-webauthn-challenge-#{user&.id}"
end
end
View git blame Copy permalink