Class: Webauthn::AuthenticateService

Inherits:

BaseService

• Object
• BaseService
• Webauthn::AuthenticateService

Defined in:

app/services/webauthn/authenticate_service.rb

Instance Attribute Summary

Attributes inherited from BaseService

#current_user, #params, #project

Instance Method Summary

• #execute ⇒ Object
• #initialize(user, device_response, challenge) ⇒ AuthenticateService constructor

  A new instance of AuthenticateService.

• #validate_webauthn_credential(webauthn_credential) ⇒ Object

  Validates that webauthn_credential is syntactically valid.

• #verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder) ⇒ Object

  Verifies that webauthn_credential matches stored_credential with the given challenge.

Methods included from BaseServiceUtility

#deny_visibility_level, #event_service, #log_error, #log_info, #notification_service, #system_hook_service, #todo_service, #visibility_level

Methods included from Gitlab::Allowable

#can?

Constructor Details

#initialize(user, device_response, challenge) ⇒ AuthenticateService

Returns a new instance of AuthenticateService.

# File 'app/services/webauthn/authenticate_service.rb', line 5

def initialize(user, device_response, challenge)
  @user = user
  @device_response = device_response
  @challenge = challenge
end

Instance Method Details

#execute ⇒ Object

# File 'app/services/webauthn/authenticate_service.rb', line 11

def execute
  parsed_device_response = Gitlab::Json.parse(@device_response)

  webauthn_credential = WebAuthn::Credential.from_get(parsed_device_response)
  encoded_raw_id = Base64.strict_encode64(webauthn_credential.raw_id)
  stored_webauthn_credential = @user.webauthn_registrations.find_by_credential_xid(encoded_raw_id)

  encoder = WebAuthn.configuration.encoder

  if stored_webauthn_credential &&
      validate_webauthn_credential(webauthn_credential) &&
      verify_webauthn_credential(webauthn_credential, stored_webauthn_credential, @challenge, encoder)

    stored_webauthn_credential.update!(counter: webauthn_credential.sign_count)
    return true
  end

  false
rescue JSON::ParserError, WebAuthn::SignCountVerificationError, WebAuthn::Error
  false
end

#validate_webauthn_credential(webauthn_credential) ⇒ Object

Validates that webauthn_credential is syntactically valid

duplicated from WebAuthn::PublicKeyCredential#verify which can't be used here as we need to call WebAuthn::AuthenticatorAssertionResponse#verify instead (which is done in #verify_webauthn_credential)

# File 'app/services/webauthn/authenticate_service.rb', line 39

def validate_webauthn_credential(webauthn_credential)
  webauthn_credential.type == WebAuthn::TYPE_PUBLIC_KEY &&
      webauthn_credential.raw_id && webauthn_credential.id &&
      webauthn_credential.raw_id == WebAuthn.standard_encoder.decode(webauthn_credential.id)
end

#verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder) ⇒ Object

Verifies that webauthn_credential matches stored_credential with the given challenge

# File 'app/services/webauthn/authenticate_service.rb', line 48

def verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder)
  # We need to adjust the relaying party id (RP id) we verify against if the registration in question
  # is a migrated U2F registration. This is beacuse the appid of U2F and the rp id of WebAuthn differ.
  rp_id = webauthn_credential.client_extension_outputs['appid'] ? WebAuthn.configuration.origin : URI(WebAuthn.configuration.origin).host
  webauthn_credential.response.verify(
    encoder.decode(challenge),
      public_key: encoder.decode(stored_credential.public_key),
      sign_count: stored_credential.counter,
      rp_id: rp_id)
end