1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
|
/*
* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: VNLib.Plugins.Essentials.Accounts
* File: LoginEndpoint.cs
*
* LoginEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
* VNLib collection of libraries and utilities.
*
* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see https://www.gnu.org/licenses/.
*/
using System;
using System.Net;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using System.Security.Cryptography;
using System.Text.Json.Serialization;
using FluentValidation;
using VNLib.Utils;
using VNLib.Utils.Logging;
using VNLib.Utils.Extensions;
using VNLib.Plugins.Essentials.Users;
using VNLib.Plugins.Essentials.Endpoints;
using VNLib.Plugins.Essentials.Extensions;
using VNLib.Plugins.Extensions.Validation;
using VNLib.Plugins.Essentials.Accounts.MFA;
using VNLib.Plugins.Essentials.Accounts.Validators;
using VNLib.Plugins.Extensions.Loading;
using VNLib.Plugins.Extensions.Loading.Users;
using static VNLib.Plugins.Essentials.Statics;
/*
* Password only log-ins should be immune to repeat attacks on the same backend, because sessions are
* guarunteed to be mutally exclusive on the same system, therefor a successful login cannot be repeated
* without a logout with the proper authorization.
*
* Since MFA upgrades are indempodent upgrades can be regenerated continually as long as the session
* is not authorized, however login authorizations should be immune to repeats because session locking
*
* Session id's are also regenerated per request, the only possible vector could be stale session cache
* that has a valid MFA key and an old, but valid session id.
*/
namespace VNLib.Plugins.Essentials.Accounts.Endpoints
{
/// <summary>
/// Provides an authentication endpoint for user-accounts
/// </summary>
[ConfigurationName("login_endpoint")]
internal sealed class LoginEndpoint : UnprotectedWebEndpoint
{
public const string INVALID_MESSAGE = "Please check your email or password. You may get locked out.";
public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later";
public const string MFA_ERROR_MESSAGE = "Invalid or expired request.";
private static readonly LoginMessageValidation LmValidator = new();
private readonly MFAConfig MultiFactor;
private readonly IUserManager Users;
private readonly FailedLoginLockout _lockout;
public LoginEndpoint(PluginBase pbase, IConfigScope config)
{
string path = config.GetRequiredProperty("path", p => p.GetString()!);
TimeSpan duration = config["failed_attempt_timeout_sec"].GetTimeSpan(TimeParseType.Seconds);
uint maxLogins = config["max_login_attempts"].GetUInt32();
InitPathAndLog(path, pbase.Log);
Users = pbase.GetOrCreateSingleton<UserManager>();
MultiFactor = pbase.GetConfigElement<MFAConfig>();
_lockout = new(maxLogins, duration);
}
protected override ERRNO PreProccess(HttpEntity entity)
{
//Cannot have new sessions
return base.PreProccess(entity) && !entity.Session.IsNew;
}
protected async override ValueTask<VfReturnType> PostAsync(HttpEntity entity)
{
//Conflict if user is logged in
if (entity.IsClientAuthorized(AuthorzationCheckLevel.Any))
{
return VirtualClose(entity, HttpStatusCode.Conflict);
}
//If mfa is enabled, allow processing via mfa
if (MultiFactor.FIDOEnabled || MultiFactor.TOTPEnabled)
{
if (entity.QueryArgs.ContainsKey("mfa"))
{
return await ProcessMfaAsync(entity);
}
}
return await ProccesLoginAsync(entity);
}
private async ValueTask<VfReturnType> ProccesLoginAsync(HttpEntity entity)
{
MfaUpgradeWebm webm = new();
try
{
//Make sure the id is regenerated (or upgraded if successful login)
entity.Session.RegenID();
using LoginMessage? loginMessage = await entity.GetJsonFromFileAsync<LoginMessage>(SR_OPTIONS);
if (webm.Assert(loginMessage != null, "Invalid request data"))
{
return VirtualClose(entity, webm, HttpStatusCode.BadRequest);
}
//validate the message
if (!LmValidator.Validate(loginMessage, webm))
{
return VirtualClose(entity, webm, HttpStatusCode.UnprocessableEntity);
}
using IUser? user = await Users.GetUserFromUsernameAsync(loginMessage.UserName);
//Make sure account exists
if (webm.Assert(user != null, INVALID_MESSAGE))
{
return VirtualOk(entity, webm);
}
bool locked = _lockout.CheckOrClear(user, entity.RequestedTimeUtc);
//Make sure the account has not been locked out
if (webm.Assert(locked == false, LOCKED_ACCOUNT_MESSAGE))
{
goto Cleanup;
}
//Only allow local accounts
if (!user.IsLocalAccount())
{
goto Failed;
}
//Validate password
if (await ValidatePasswordAsync(user, loginMessage, entity.EventCancellation) == false)
{
goto Failed;
}
//If login return true, the response has been set and we should return
if (LoginUser(entity, loginMessage, user, webm))
{
goto Cleanup;
}
Failed:
//Inc failed login count
_lockout.Increment(user, entity.RequestedTimeUtc);
webm.Result = INVALID_MESSAGE;
Cleanup:
await user.ReleaseAsync();
return VirtualOk(entity ,webm);
}
catch (UserUpdateException uue)
{
Log.Warn(uue);
return VfReturnType.Error;
}
}
private async Task<bool> ValidatePasswordAsync(IUser user, LoginMessage login, CancellationToken cancellation)
{
//Validate password against store
ERRNO valResult = await Users.ValidatePasswordAsync(user, login.Password!, PassValidateFlags.None, cancellation);
//Valid results are greater than 0;
return valResult > 0;
}
private bool LoginUser(HttpEntity entity, LoginMessage loginMessage, IUser user, MfaUpgradeWebm webm)
{
//Only allow active users
if (user.Status != UserStatus.Active)
{
//This is an unhandled case, and should never happen, but just incase write a warning to the log
Log.Warn("Account {uid} has invalid status key and a login was attempted from {ip}", user.UserID, entity.TrustedRemoteIp);
return false;
}
//Reset flc for account, either the user will be authorized, or the mfa will be triggered, but the flc should be reset
user.ClearFailedLoginCount();
try
{
//get the new upgrade jwt string
MfaUpgradeMessage? message = user.MFAGetUpgradeIfEnabled(MultiFactor, loginMessage);
/*
* Mfa is essentially indempodent, the session stores the last upgrade key, so
* if this method is continually called, new mfa tokens will be generated.
*/
//if message is null, mfa was not enabled or could not be prepared
if (message.HasValue)
{
//Store the base64 signature
entity.Session.MfaUpgradeSecret(message.Value.SessionKey);
//send challenge message to client
webm.Result = message.Value.ClientJwt;
webm.MultiFactorUpgrade = true;
}
else
{
/* SUCCESSFULL LOGIN! */
//Elevate the login status of the session to reflect the user's status
entity.GenerateAuthorization(loginMessage, user, webm);
//Send the Username (since they already have it)
webm.Result = new AccountData()
{
EmailAddress = user.EmailAddress,
};
//Write to log
Log.Verbose("Successful login for user {uid}...", user.UserID[..8]);
}
webm.Success = true;
return true;
}
/*
* Account auhorization may throw excetpions if the configuration does not
* match the client, or the client sent invalid or malicous data and
* it could not grant authorization
*/
catch (OutOfMemoryException)
{
webm.Result = "Your browser sent malformatted security information";
}
catch (CryptographicException ce)
{
webm.Result = "Your browser sent malformatted security information";
Log.Debug(ce);
}
return false;
}
private async ValueTask<VfReturnType> ProcessMfaAsync(HttpEntity entity)
{
MfaUpgradeWebm webm = new();
//Recover request message
using JsonDocument? request = await entity.GetJsonFromFileAsync();
if (webm.Assert(request != null, "Invalid request data"))
{
return VirtualClose(entity, webm, HttpStatusCode.BadRequest);
}
//Recover upgrade jwt
string? upgradeJwt = request.RootElement.GetPropString("upgrade");
if (webm.Assert(upgradeJwt != null, "Missing required upgrade data"))
{
return VirtualClose(entity, webm, HttpStatusCode.UnprocessableEntity);
}
//Recover stored signature
string? storedSig = entity.Session.MfaUpgradeSecret();
if(webm.Assert(!string.IsNullOrWhiteSpace(storedSig), MFA_ERROR_MESSAGE))
{
return VirtualOk(entity, webm);
}
//Recover upgrade data from upgrade message
MFAUpgrade? upgrade = MultiFactor!.RecoverUpgrade(upgradeJwt, storedSig);
if (webm.Assert(upgrade != null, MFA_ERROR_MESSAGE))
{
return VirtualOk(entity, webm);
}
//recover user account
using IUser? user = await Users.GetUserFromUsernameAsync(upgrade.UserName!);
if (webm.Assert(user != null, MFA_ERROR_MESSAGE))
{
return VirtualOk(entity, webm);
}
bool locked = _lockout.CheckOrClear(user, entity.RequestedTimeUtc);
//Make sure the account has not been locked out
if (webm.Assert(locked == false, LOCKED_ACCOUNT_MESSAGE))
{
//Locked, so clear stored signature
entity.Session.MfaUpgradeSecret(null);
}
else
{
//process mfa login
LoginMfa(entity, user, request, upgrade, webm);
}
//Update user on clean process
await user.ReleaseAsync();
//Close rseponse
return VirtualOk(entity, webm);
}
private void LoginMfa(HttpEntity entity, IUser user, JsonDocument request, MFAUpgrade upgrade, MfaUpgradeWebm webm)
{
//Recover the user's local time
if(!request.RootElement.TryGetProperty("localtime", out JsonElement ltEl)
&& ltEl.TryGetDateTimeOffset(out DateTimeOffset localTime))
{
webm.Result = MFA_ERROR_MESSAGE;
return;
}
//Check mode
switch (upgrade.Type)
{
case MFAType.TOTP:
{
//get totp code from request
uint code = request.RootElement.GetProperty("code").GetUInt32();
//Verify totp code
if (!MultiFactor.VerifyTOTP(user, code))
{
webm.Result = "Please check your code.";
//Increment flc and update the user in the store
_lockout.Increment(user, entity.RequestedTimeUtc);
return;
}
//Valid, complete
}
break;
default:
webm.Result = MFA_ERROR_MESSAGE;
return;
}
//SUCCESSFUL LOGIN
//Wipe session signature
entity.Session.MfaUpgradeSecret(null);
//Elevate the login status of the session to reflect the user's status
entity.GenerateAuthorization(upgrade, user, webm);
//Send the Username (since they already have it)
webm.Result = new AccountData()
{
EmailAddress = user.EmailAddress,
};
webm.Success = true;
//Write to log
Log.Verbose("Successful login for user {uid}...", user.UserID[..8]);
}
private sealed class MfaUpgradeWebm : ValErrWebMessage
{
[JsonPropertyName("mfa")]
public bool? MultiFactorUpgrade { get; set; } = null;
}
}
}
|
