1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
|
/*
* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: VNLib.Plugins.Essentials.Accounts
* File: LoginEndpoint.cs
*
* LoginEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
* VNLib collection of libraries and utilities.
*
* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see https://www.gnu.org/licenses/.
*/
using System;
using System.Net;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json.Serialization;
using FluentValidation;
using VNLib.Utils;
using VNLib.Utils.Logging;
using VNLib.Utils.Extensions;
using VNLib.Plugins.Essentials.Users;
using VNLib.Plugins.Essentials.Endpoints;
using VNLib.Plugins.Essentials.Extensions;
using VNLib.Plugins.Extensions.Validation;
using VNLib.Plugins.Essentials.Accounts.MFA;
using VNLib.Plugins.Essentials.Accounts.Validators;
using VNLib.Plugins.Extensions.Loading;
using VNLib.Plugins.Extensions.Loading.Users;
using VNLib.Plugins.Extensions.Loading.Routing;
using static VNLib.Plugins.Essentials.Statics;
using VNLib.Plugins.Essentials.Accounts.MFA.Totp;
using VNLib.Plugins.Essentials.Accounts.MFA.Fido;
/*
* Password only log-ins should be immune to repeat attacks on the same backend, because sessions are
* guarunteed to be mutally exclusive on the same system, therefor a successful login cannot be repeated
* without a logout with the proper authorization.
*
* Since MFA upgrades are indempodent upgrades can be regenerated continually as long as the session
* is not authorized, however login authorizations should be immune to repeats because session locking
*
* Session id's are also regenerated per request, the only possible vector could be stale session cache
* that has a valid MFA key and an old, but valid session id.
*/
namespace VNLib.Plugins.Essentials.Accounts.Endpoints
{
/// <summary>
/// Provides an authentication endpoint for user-accounts
/// </summary>
[EndpointPath("{{path}}")]
[EndpointLogName("LOGIN")]
[ConfigurationName("login_endpoint")]
internal sealed class LoginEndpoint(PluginBase pbase, IConfigScope config) : UnprotectedWebEndpoint
{
public const string INVALID_MESSAGE = "Please check your email or password. You may get locked out.";
public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later";
public const string MFA_ERROR_MESSAGE = "Invalid or expired request.";
private static readonly LoginMessageValidation LmValidator = new();
private readonly MfaAuthManager MultiFactor = pbase.GetOrCreateSingleton<MfaAuthManager>();
private readonly IUserManager Users = pbase.GetOrCreateSingleton<UserManager>();
private readonly FailedLoginLockout _lockout = new(
maxCounts: config.GetRequiredProperty<uint>("max_login_attempts"),
maxTimeout: config.GetRequiredProperty("failed_attempt_timeout_sec", p => p.GetTimeSpan(TimeParseType.Seconds))
);
protected override ERRNO PreProccess(HttpEntity entity)
{
//Cannot have new sessions
return base.PreProccess(entity) && !entity.Session.IsNew;
}
protected async override ValueTask<VfReturnType> PostAsync(HttpEntity entity)
{
//Conflict if user is logged in
if (entity.IsClientAuthorized(AuthorzationCheckLevel.Any))
{
return VirtualClose(entity, HttpStatusCode.Conflict);
}
/*
* To continue an mfa upgrade, the client must send
* an mfa query argument to continue the upgrade process
*/
if (MultiFactor.Armed)
{
if (entity.QueryArgs.ContainsKey("mfa"))
{
return await ProcessMfaAsync(entity);
}
}
return await ProccesLoginAsync(entity);
}
private async ValueTask<VfReturnType> ProccesLoginAsync(HttpEntity entity)
{
MfaUpgradeWebm webm = new();
try
{
//Make sure the id is regenerated (or upgraded if successful login)
entity.Session.RegenID();
using LoginMessage? loginMessage = await entity.GetJsonFromFileAsync<LoginMessage>(SR_OPTIONS);
if (webm.Assert(loginMessage != null, "Invalid request data"))
{
return VirtualClose(entity, webm, HttpStatusCode.BadRequest);
}
//validate the message
if (!LmValidator.Validate(loginMessage, webm))
{
return VirtualClose(entity, webm, HttpStatusCode.UnprocessableEntity);
}
using IUser? user = await Users.GetUserFromUsernameAsync(loginMessage.UserName);
//Make sure account exists
if (webm.Assert(user != null, INVALID_MESSAGE))
{
return VirtualOk(entity, webm);
}
bool locked = _lockout.CheckOrClear(user, entity.RequestedTimeUtc);
//Make sure the account has not been locked out
if (webm.Assert(locked == false, LOCKED_ACCOUNT_MESSAGE))
{
goto Cleanup;
}
//Only allow local accounts
if (!user.IsLocalAccount())
{
goto Failed;
}
//Validate password
if (await ValidatePasswordAsync(user, loginMessage, entity.EventCancellation) == false)
{
goto Failed;
}
//If login return true, the response has been set and we should return
if (LoginOrMfaConnection(entity, loginMessage, user, webm))
{
goto Cleanup;
}
Failed:
//Inc failed login count
_lockout.Increment(user, entity.RequestedTimeUtc);
webm.Result = INVALID_MESSAGE;
Cleanup:
await user.ReleaseAsync();
return VirtualOk(entity ,webm);
}
catch (UserUpdateException uue)
{
Log.Warn(uue);
return VfReturnType.Error;
}
}
private async Task<bool> ValidatePasswordAsync(IUser user, LoginMessage login, CancellationToken cancellation)
{
//Validate password against store
ERRNO valResult = await Users.ValidatePasswordAsync(user, login.Password!, PassValidateFlags.None, cancellation);
return valResult == UserPassValResult.Success;
}
private bool LoginOrMfaConnection(HttpEntity entity, LoginMessage loginMessage, IUser user, MfaUpgradeWebm webm)
{
//Only allow active users
if (user.Status != UserStatus.Active)
{
//This is an unhandled case, and should never happen, but just incase write a warning to the log
Log.Warn("Account {uid} has invalid status key and a login was attempted from {ip}", user.UserID, entity.TrustedRemoteIp);
return false;
}
//Reset flc for account, either the user will be authorized, or the mfa will be triggered, but the flc should be reset
user.ClearFailedLoginCount();
try
{
/*
* Determine if the user uses MFA to guard their account. If so
* force an MFA upgrade before allowing the user to login
*/
if (MultiFactor.HasMfaEnabled(user))
{
//the upgrade message
webm.Result = MultiFactor.GetChallengeMessage(entity, user, loginMessage);
webm.MultiFactorUpgrade = true;
}
else
{
/* SUCCESSFULL LOGIN! */
//Elevate the login status of the session to reflect the user's status
entity.GenerateAuthorization(loginMessage, user, webm);
//Send the Username (since they already have it)
webm.Result = new AccountData()
{
EmailAddress = user.EmailAddress,
};
//Write to log
Log.Verbose("Successful login for user {uid}...", user.UserID[..8]);
}
webm.Success = true;
return true;
}
/*
* Account auhorization may throw excetpions if the configuration does not
* match the client, or the client sent invalid or malicous data and
* it could not grant authorization
*/
catch (OutOfMemoryException)
{
webm.Result = "Your browser sent malformatted security information";
}
catch (CryptographicException ce)
{
webm.Result = "Your browser sent malformatted security information";
Log.Debug(ce);
}
return false;
}
private async ValueTask<VfReturnType> ProcessMfaAsync(HttpEntity entity)
{
MfaUpgradeWebm webm = new();
//Recover request message
using JsonDocument? request = await entity.GetJsonFromFileAsync();
if (webm.Assert(request != null, "Invalid request data"))
{
return VirtualClose(entity, webm, HttpStatusCode.BadRequest);
}
MfaChallenge? upgrade = MultiFactor.GetChallengeData(entity, request);
/*
* Upgrade may be null if it is not valid, not correctly formatted,
* expired, and so on. We cannot leak information about the upgrade
* request to the client, so return a generic error message
*/
if (webm.Assert(upgrade != null, MFA_ERROR_MESSAGE))
{
return VirtualOk(entity, webm);
}
using IUser? user = await Users.GetUserFromUsernameAsync(upgrade.UserName!);
if (webm.Assert(user != null, MFA_ERROR_MESSAGE))
{
return VirtualOk(entity, webm);
}
bool locked = _lockout.CheckOrClear(user, entity.RequestedTimeUtc);
if (webm.Assert(locked == false, LOCKED_ACCOUNT_MESSAGE))
{
//Locked, so clear stored signature
MultiFactor.InvalidateUpgrade(entity);
}
else if (MultiFactor.VerifyResponse(entity, upgrade, user, request))
{
/*
* ###################################################
*
* AUTHORIZATION ZONE
*
* Connection will be elevated to authorized
* this is a successful login!
*
* ####################################################
*/
MultiFactor.InvalidateUpgrade(entity);
/*
* Time to authorize the user now. This will cause state changs
* to the client session, and user account. The user
* is now authorized to use the session.
*/
entity.GenerateAuthorization(upgrade, user, webm);
webm.Result = new AccountData()
{
EmailAddress = user.EmailAddress,
};
webm.Success = true;
Log.Verbose("Successful login for user {uid}...", user.UserID[..8]);
}
else
{
webm.Result = "Please check your input and try again.";
}
//Flush any changes to the user store
await user.ReleaseAsync();
//Close rseponse
return VirtualOk(entity, webm);
}
private sealed class MfaUpgradeWebm : ValErrWebMessage
{
[JsonPropertyName("mfa")]
public bool? MultiFactorUpgrade { get; set; } = null;
}
}
}
|
