author | vnugent <public@vaughnnugent.com> | 2024-05-19 12:10:16 -0400 |
committer | vnugent <public@vaughnnugent.com> | 2024-05-19 12:10:16 -0400 |
commit | 356574e2e9edc874605aaed6902f9f5df4a783ae (patch) | |
tree | 7207978850fdfb5c005445c3e66deeb55d087c72 /plugins/VNLib.Plugins.Essentials.Accounts/src | |
parent | dfbb88e7ad4e25215e70b2a457bcccad2834a1bf (diff) |
Squashed commit of the following:
commit 1e8b4296d3a2093dbddcfd8479f162d077606f71
Author: vnugent <public@vaughnnugent.com>
Date: Sun May 19 11:43:27 2024 -0400
refactor: Preparing for WebAuthn and core updates
commit 34ca3d09a96fb615d00e14abb4a70fe787fe1965
Author: vnugent <public@vaughnnugent.com>
Date: Thu May 2 15:40:59 2024 -0400
feat: Allow config to toggle strict user-agent checking
commit f4b1086b4a406c759f5a0c44ade63ee9bb79c60d
Merge: 3df7bdb dfbb88e
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 18:43:14 2024 -0400
Merge branch 'master' into develop
commit 3df7bdbaa9371f552c71162022c6ccc618be8bac
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 18:42:26 2024 -0400
chore: fix missing !, cleanup project files
commit 6ec4156fb5c996d00a027f767fee7e6314e91582
Merge: 377c8a5 a74cd04
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 17:40:30 2024 -0400
Merge branch 'master' into develop
commit 377c8a5f8bb272eff5089094f5b764eb043b728f
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 27 17:28:25 2024 -0400
fix: Missing cookie set on cred regen
commit a12873dceecc72c9af3966002bfca9faefc5aac7
Merge: 2963bf6 8d57b05
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 20 12:07:42 2024 -0400
Merge branch 'master' into develop
commit 2963bf62919b3bfac4aa5055d57fe91f93ca8a0b
Author: vnugent <public@vaughnnugent.com>
Date: Sat Apr 20 11:59:45 2024 -0400
chore: Package updates
commit 9539717a751baae762498a2cadfe94ef8fda5830
Merge: 44803e0 a7cf7c8
Author: vnugent <public@vaughnnugent.com>
Date: Mon Apr 8 22:04:26 2024 -0400
Merge branch 'master' into develop
commit 44803e06d1aa45496c04127930aa8897272d42f6
Author: vnugent <public@vaughnnugent.com>
Date: Mon Apr 8 21:41:38 2024 -0400
fix: dangling/expired session security check and cookie cleanup
commit 1082bd146549a1aff47877bcd28e6be1ce0ef5e9
Author: vnugent <public@vaughnnugent.com>
Date: Sat Mar 30 22:20:29 2024 -0400
feat(app): Add AppData client plugin and browser library updated
commit ec9b42f4cacbeae8a0b4d96e48bd9e522b3a9145
Merge: 2a11454 27b487b
Author: vnugent <public@vaughnnugent.com>
Date: Sun Mar 24 21:16:05 2024 -0400
Merge branch 'master' into develop
commit 2a114541a3bfddae887adaa98c1ed326b125d511
Author: vnugent <public@vaughnnugent.com>
Date: Sun Mar 24 20:53:38 2024 -0400
refactor: pull apart session authorization for future dev
commit f8aea6453ddb2d56c1ce2ecb6a9e67d1af523c2e
Author: vnugent <public@vaughnnugent.com>
Date: Thu Mar 21 14:33:21 2024 -0400
feat: Add optional svg base64 icons for social OAuth2 connections
commit cc29bed99dc9e151315cce75e50d55dca306b532
Author: vnugent <public@vaughnnugent.com>
Date: Sun Mar 10 21:58:27 2024 -0400
source tree project location updated
Diffstat (limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src')
9 files changed, 164 insertions, 23 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
index 6db41af..301113c 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
 *
 * Library: VNLib
 * Package: VNLib.Plugins.Essentials.Accounts
@@ -24,14 +24,16 @@
 using System.Text.Json.Serialization;
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
 {
- class FidoAuthenticatorSelection
+ internal sealed class FidoAuthenticatorSelection
 {
 [JsonPropertyName("requireResidentKey")]
 public bool RequireResidentKey { get; set; } = false;
+
 [JsonPropertyName("authenticatorAttachment")]
 public string? AuthenticatorAttachment { get; set; } = "cross-platform";
+
 [JsonPropertyName("userVerification")]
 public string? UserVerification { get; set; } = "required";
 }
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
new file mode 100644
index 0000000..0bdd563
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoPubkeyAlgorithm.cs
+*
+* FidoPubkeyAlgorithm.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoPubkeyAlgorithm
+ {
+ [JsonPropertyName("alg")]
+ public int AlgId { get; set; }
+
+ [JsonPropertyName("type")]
+ public string Type { get; set; } = "public-key";
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
index 1ef7d59..3ad17f3 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
 *
 * Library: VNLib
 * Package: VNLib.Plugins.Essentials.Accounts
@@ -24,16 +24,16 @@
 using System.Text.Json.Serialization;
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
 {
- internal class FidoRegClientData
+ internal sealed class FidoRegClientData
 {
 [JsonPropertyName("challenge")]
 public string? Challenge { get; set; }
+
 [JsonPropertyName("origin")]
 public string? Origin { get; set; }
+
 [JsonPropertyName("type")]
 public string? Type { get; set; }
 }
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
index e8fbcc4..4dfa036 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
 *
 * Library: VNLib
 * Package: VNLib.Plugins.Essentials.Accounts
@@ -24,29 +24,33 @@
 using System.Text.Json.Serialization;
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
 {
 /// <summary>
 /// Represents a fido device registration message to be sent
 /// to a currently signed in user
 /// </summary>
- class FidoRegistrationMessage
+ sealed class FidoRegistrationMessage
 {
- [JsonPropertyName("id")]
- public string? GuidUserId { get; set; }
 [JsonPropertyName("challenge")]
 public string? Base64Challenge { get; set; } = null;
+
 [JsonPropertyName("timeout")]
 public int Timeout { get; set; } = 60000;
- [JsonPropertyName("cose_alg")]
- public int CoseAlgNumber { get; set; }
- [JsonPropertyName("rp_name")]
- public string? SiteName { get; set; }
+
+ [JsonPropertyName("rp")]
+ public FidoRelyingParty RelyingParty { get; set; } = new();
+
 [JsonPropertyName("attestation")]
- public string? AttestationType { get; set; } = "none";
+ public string AttestationType { get; set; } = "none";
+
+ [JsonPropertyName("user")]
+ public FidoUserData User { get; set; } = new();
+
+ [JsonPropertyName("pubKeyCredParams")]
+ public FidoPubkeyAlgorithm[]? PubKeyCredParams { get; set; }
+
 [JsonPropertyName("authenticatorSelection")]
- public FidoAuthenticatorSelection? AuthSelection { get; set; } = new();
+ public FidoAuthenticatorSelection AuthSelection { get; set; } = new();
 }
 }
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
new file mode 100644
index 0000000..d259ac6
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
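Review bot: `sealed class FidoRegistrationMessage` carries no access modifier, while every other Fido type in this commit is declared `internal sealed`; the implicit default is the same, but the explicit form `internal sealed class FidoRegistrationMessage` matches the siblings and avoids a reader wondering whether the omission was intended. `PubKeyCredParams` is also the only new member with no default (`RelyingParty`, `User` and `AuthSelection` all initialize to `new()`), so a message built without setting it serializes `pubKeyCredParams` as null; if the caller is expected to always populate it, a `/// Must be set by the caller before serialization` comment would make that contract visible. `Timeout` would benefit from `/// Timeout in milliseconds forwarded to the client`, since WebAuthn's timeout field is expressed in milliseconds and the bare `60000` does not say so. The FidoRelyingParty.cs file that follows on this line is a plain data type and needs no separate note.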
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoRelyingParty.cs
+*
+* FidoRelyingParty.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoRelyingParty
+ {
+ [JsonPropertyName("id")]
+ public string? Id { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? Name { get; set; }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
new file mode 100644
index 0000000..aadef29
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
@@ -0,0 +1,54 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoUserData.cs
+*
+* FidoUserData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Buffers.Binary;
+using System.Formats.Cbor;
+using System.Text.Json.Serialization;
+
+using VNLib.Hashing.IdentityUtility;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoAuthenticatorResponse
+ {
+ [JsonPropertyName("client_data")]
+ public string? Base64ClientDataJson { get; set; }
+
+ [JsonPropertyName("attestation_object")]
+ public string? Base64AttestationObject { get; set; }
+ }
+
+ internal sealed class FidoUserData
+ {
+ [JsonPropertyName("id")]
+ public string? UserId { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? UserName { get; set; }
+
+ [JsonPropertyName("displayName")]
+ public string? DisplayName { get; set; }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
index bb86a3f..9dfd183 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
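Review bot: FidoUserData.cs imports `System`, `System.Buffers.Binary`, `System.Formats.Cbor` and `VNLib.Hashing.IdentityUtility`, yet neither class in the file references anything from them; they read as leftovers from attestation-parsing code that did not land in this commit and should be dropped until the code that needs them exists. The file also declares two types, `FidoAuthenticatorResponse` and `FidoUserData`, where the other new Fido files keep one type per file; moving `FidoAuthenticatorResponse` into its own file keeps the layout consistent and the file name truthful. The JSON names on `FidoAuthenticatorResponse` (`client_data`, `attestation_object`) are snake_case while every other Fido type uses camelCase, which is presumably deliberate for the client-to-server direction but deserves a one-line comment so it is not "fixed" later.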
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
@@ -29,9 +29,10 @@ using FluentValidation;
 using VNLib.Hashing;
 using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Essentials.Accounts.MFA.Fido;
 namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
+{
 [ConfigurationName("mfa")]
 internal class MFAConfig : IOnConfigValidation
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
index 180e30e..4c80eac 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
@@ -184,6 +184,12 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
 [JsonPropertyName("strict_path")]
 public bool VerifyPath { get; set; } = true;
+ /// <summary>
+ /// Enforce strict user-agent strings for authorized users
+ /// </summary>
+ [JsonPropertyName("strict_user_agent")]
+ public bool StrictUserAgent { get; set; } = true;
+
 void IOnConfigValidation.Validate()
 {
 //Validate the current instance
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
index e20ec9f..d800e3e 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
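Review bot: The summary on the new `StrictUserAgent` option in AccountSecConfig.cs says what the flag enforces but not what an operator gives up by turning it off, and since its only consumer (AccountSecProvider.cs, later on this page) skips the user-agent comparison entirely when it is `false`, that is the detail a deployer needs. I would expand it to `/// When true, an elevated session is denied if the connection's user-agent differs from the one stored at sign-in. Setting this to false disables that check, so only relax it for clients whose user-agent legitimately changes between requests.` `Validate()` begins in this hunk and continues outside it; the boolean needs no range check, so leaving it untouched is fine. The `-{`/`+{` pair in the MFAConfig.cs hunk earlier on this line appears to be a whitespace-only change on the brace and could be reverted to keep the diff focused.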
@@ -120,7 +120,7 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
 else if (ClientWebAuthManager.IsSessionElevated(in session))
 {
 //If the session stored a user-agent, make sure it matches the connection
- if (!string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
+ if (_config.StrictUserAgent && !string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
 {
 _logger.Debug("Denied authorized connection from {ip} because user-agent changed", entity.TrustedRemoteIp);
 return ValueTask.FromResult(FileProcessArgs.Deny); |
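Review bot: With `StrictUserAgent` set to false, the new `&&` short-circuits before the comparison, so an elevated session whose user-agent no longer matches the connection is accepted with no log entry at all; the deny branch still logs, which means the mismatch signal disappears exactly when operators have relaxed the check. Evaluating the comparison once and emitting a Debug entry when it fails but enforcement is disabled keeps that detection signal in both modes, and the comment above the `if` should mention the toggle since it now reads as an unconditional check. The enclosing method and the rest of the `if` block lie outside the hunk, so the rewrite below leaves the deny block open.
```csharp
//If the session stored a user-agent, make sure it matches the connection (enforced only when strict_user_agent is enabled)
bool userAgentChanged = !string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal);
if (userAgentChanged && !_config.StrictUserAgent)
{
    _logger.Debug("User-agent changed for elevated session from {ip}, allowed because strict user-agent checking is disabled", entity.TrustedRemoteIp);
}
if (_config.StrictUserAgent && userAgentChanged)
{
    // … unchanged: deny log and FileProcessArgs.Deny …
```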