GraphQL API changes

Author: tonkku107

Cargo.lock

@@ -12,7 +12,7 @@ use mas_context::LogContext;
 use mas_data_model::SiteConfig;
 use mas_handlers::{
     ActivityTracker, BoundActivityTracker, CookieManager, ErrorWrapper, GraphQLSchema, Limiter,
-    MetadataCache, RequesterFingerprint, passwords::PasswordManager,
+    MetadataCache, RequesterFingerprint, passwords::PasswordManager, webauthn::Webauthn,
 };
 use mas_i18n::Translator;
 use mas_keystore::{Encrypter, Keystore};
@@ -49,6 +49,7 @@ pub struct AppState {
     pub activity_tracker: ActivityTracker,
     pub trusted_proxies: Vec<IpNetwork>,
     pub limiter: Limiter,
+    pub webauthn: Webauthn,
 }
 
 impl AppState {
@@ -216,6 +217,12 @@ impl FromRef<AppState> for Arc<dyn HomeserverConnection> {
     }
 }
 
+impl FromRef<AppState> for Webauthn {
+    fn from_ref(input: &AppState) -> Self {
+        input.webauthn.clone()
+    }
+}
+
 impl FromRequestParts<AppState> for BoxClock {
     type Rejection = Infallible;
 

crates/cli/src/app_state.rs

@@ -29,7 +29,7 @@ use crate::{
         database_pool_from_config, homeserver_connection_from_config,
         load_policy_factory_dynamic_data_continuously, mailer_from_config,
         password_manager_from_config, policy_factory_from_config, site_config_from_config,
-        templates_from_config, test_mailer_in_background,
+        templates_from_config, test_mailer_in_background, webauthn_from_config,
     },
 };
 
@@ -187,6 +187,8 @@ impl Options {
 
         let password_manager = password_manager_from_config(&config.passwords).await?;
 
+        let webauthn = webauthn_from_config(&config.http, &config.experimental)?;
+
         // The upstream OIDC metadata cache
         let metadata_cache = MetadataCache::new();
 
@@ -222,6 +224,7 @@ impl Options {
             password_manager.clone(),
             url_builder.clone(),
             limiter.clone(),
+            webauthn.clone(),
         );
 
         let state = {
@@ -242,6 +245,7 @@ impl Options {
                 activity_tracker,
                 trusted_proxies,
                 limiter,
+                webauthn,
             };
             s.init_metrics();
             s.init_metadata_cache();

crates/cli/src/commands/server.rs

@@ -9,13 +9,13 @@ use std::{sync::Arc, time::Duration};
 use anyhow::Context;
 use mas_config::{
     AccountConfig, BrandingConfig, CaptchaConfig, DatabaseConfig, EmailConfig, EmailSmtpMode,
-    EmailTransportKind, ExperimentalConfig, HomeserverKind, MatrixConfig, PasswordsConfig,
-    PolicyConfig, TemplatesConfig,
+    EmailTransportKind, ExperimentalConfig, HomeserverKind, HttpConfig, MatrixConfig,
+    PasswordsConfig, PolicyConfig, TemplatesConfig,
 };
 use mas_context::LogContext;
 use mas_data_model::{SessionExpirationConfig, SiteConfig};
 use mas_email::{MailTransport, Mailer};
-use mas_handlers::passwords::PasswordManager;
+use mas_handlers::{passwords::PasswordManager, webauthn::Webauthn};
 use mas_matrix::{HomeserverConnection, ReadOnlyHomeserverConnection};
 use mas_matrix_synapse::SynapseConnection;
 use mas_policy::PolicyFactory;
@@ -490,6 +490,16 @@ pub fn homeserver_connection_from_config(
     }
 }
 
+pub fn webauthn_from_config(
+    http_config: &HttpConfig,
+    experimental_config: &ExperimentalConfig,
+) -> Result<Webauthn, anyhow::Error> {
+    Webauthn::new(
+        &http_config.public_base,
+        experimental_config.passkeys.as_ref(),
+    )
+}
+
 #[cfg(test)]
 mod tests {
     use rand::SeedableRng;

crates/cli/src/util.rs

@@ -52,6 +52,14 @@ pub struct PasskeysConfig {
     /// Whether passkeys are enabled or not
     #[serde(default)]
     pub enabled: bool,
+    /// Relying Party Identifier to use
+    ///
+    /// If not set, the host from `public_base` is used
+    #[serde(default)]
+    pub rpid: Option<String>,
+    /// Additional allowed origins. `rpid` and `public_base` are already allowed
+    #[serde(default)]
+    pub allowed_origins: Option<Vec<String>>,
 }
 
 /// Configuration sections for experimental options

crates/config/src/sections/experimental.rs

@@ -32,7 +32,7 @@ pub use self::{
     clients::{ClientAuthMethodConfig, ClientConfig, ClientsConfig},
     database::{DatabaseConfig, PgSslMode},
     email::{EmailConfig, EmailSmtpMode, EmailTransportKind},
-    experimental::ExperimentalConfig,
+    experimental::{ExperimentalConfig, PasskeysConfig},
     http::{
         BindConfig as HttpBindConfig, HttpConfig, ListenerConfig as HttpListenerConfig,
         Resource as HttpResource, TlsConfig as HttpTlsConfig, UnixOrTcp,

crates/config/src/sections/mod.rs

@@ -88,6 +88,7 @@ rand.workspace = true
 rand_chacha.workspace = true
 headers.workspace = true
 ulid.workspace = true
+webauthn_rp.workspace = true
 
 mas-axum-utils.workspace = true
 mas-config.workspace = true

crates/handlers/Cargo.toml

@@ -55,7 +55,7 @@ use self::{
 };
 use crate::{
     BoundActivityTracker, Limiter, RequesterFingerprint, impl_from_error_for_route,
-    passwords::PasswordManager,
+    passwords::PasswordManager, webauthn::Webauthn,
 };
 
 #[cfg(test)]
@@ -76,6 +76,7 @@ struct GraphQLState {
     password_manager: PasswordManager,
     url_builder: UrlBuilder,
     limiter: Limiter,
+    webauthn: Webauthn,
 }
 
 #[async_trait::async_trait]
@@ -108,6 +109,10 @@ impl state::State for GraphQLState {
         &self.limiter
     }
 
+    fn webauthn(&self) -> &Webauthn {
+        &self.webauthn
+    }
+
     fn clock(&self) -> BoxClock {
         let clock = SystemClock::default();
         Box::new(clock)
@@ -131,6 +136,7 @@ pub fn schema(
     password_manager: PasswordManager,
     url_builder: UrlBuilder,
     limiter: Limiter,
+    webauthn: Webauthn,
 ) -> Schema {
     let state = GraphQLState {
         repository_factory,
@@ -140,6 +146,7 @@ pub fn schema(
         password_manager,
         url_builder,
         limiter,
+        webauthn,
     };
     let state: BoxState = Box::new(state);
 
@@ -519,6 +526,12 @@ impl OwnerId for mas_data_model::UpstreamOAuthLink {
     }
 }
 
+impl OwnerId for mas_data_model::UserPasskey {
+    fn owner_id(&self) -> Option<Ulid> {
+        Some(self.user_id)
+    }
+}
+
 /// A dumb wrapper around a `Ulid` to implement `OwnerId` for it.
 pub struct UserId(Ulid);
 

crates/handlers/src/graphql/mod.rs

@@ -26,7 +26,9 @@ pub use self::{
     oauth::{OAuth2Client, OAuth2Session},
     site_config::{SITE_CONFIG_ID, SiteConfig},
     upstream_oauth::{UpstreamOAuth2Link, UpstreamOAuth2Provider},
-    users::{AppSession, User, UserEmail, UserEmailAuthentication, UserRecoveryTicket},
+    users::{
+        AppSession, User, UserEmail, UserEmailAuthentication, UserPasskey, UserRecoveryTicket,
+    },
     viewer::{Anonymous, Viewer, ViewerSession},
 };
 

crates/handlers/src/graphql/model/mod.rs

@@ -29,6 +29,8 @@ pub enum NodeType {
     UserEmail,
     UserEmailAuthentication,
     UserRecoveryTicket,
+    UserPasskey,
+    UserPasskeyChallenge,
 }
 
 #[derive(Debug, Error)]
@@ -55,6 +57,8 @@ impl NodeType {
             NodeType::UserEmail => "user_email",
             NodeType::UserEmailAuthentication => "user_email_authentication",
             NodeType::UserRecoveryTicket => "user_recovery_ticket",
+            NodeType::UserPasskey => "user_passkey",
+            NodeType::UserPasskeyChallenge => "user_passkey_challenge",
         }
     }
 
@@ -72,6 +76,8 @@ impl NodeType {
             "user_email" => Some(NodeType::UserEmail),
             "user_email_authentication" => Some(NodeType::UserEmailAuthentication),
             "user_recovery_ticket" => Some(NodeType::UserRecoveryTicket),
+            "user_passkey" => Some(NodeType::UserPasskey),
+            "user_passkey_challenge" => Some(NodeType::UserPasskeyChallenge),
             _ => None,
         }
     }