Use WebAuthn credentials as second factor for login

Author: MrSerth

app/controllers/application_controller.rb

@@ -7,17 +7,18 @@ class ApplicationController < ActionController::Base
   include ApplicationHelper
   include I18nHelper
   include Pundit::Authorization
+  include Webauthn::Authentication
 
   MEMBER_ACTIONS = %i[destroy edit show update].freeze
   RENDER_HOST = CodeOcean::Config.new(:code_ocean).read[:render_host]
   LEGAL_SETTINGS = CodeOcean::Config.new(:code_ocean).read[:legal] || {}
   MONITORING_USER_AGENT = /updown\.io/
 
-  before_action :require_fully_authenticated_user!
   before_action :deny_access_from_render_host, prepend: true
   after_action :verify_authorized, except: %i[welcome]
   around_action :mnemosyne_trace, prepend: true
   around_action :switch_locale, prepend: true
+  before_action :check_current_user, prepend: true
   before_action :set_sentry_context, :load_embed_options, :set_document_policy
   skip_before_action :require_fully_authenticated_user!, only: %i[welcome]
   protect_from_forgery(with: :exception, prepend: true)
@@ -46,12 +47,18 @@ def current_contributor
   def welcome
     # Show root page
     redirect_to ping_index_path if MONITORING_USER_AGENT.match?(request.user_agent)
+    _require_webauthn_credential_authentication if current_user&.webauthn_configured?
   end
 
   private
 
-  def require_fully_authenticated_user!
-    raise Pundit::NotAuthorizedError unless current_user
+  def check_current_user
+    # Simply accessing the current_user will trigger the authentication process:
+    # If the user is not authenticated but a remember_me cookie is present,
+    # the user might be redirected to the WebAuthn Credential Authentication page.
+    # Therefore, we use `prepend: true` to ensure that this method is called before
+    # the `require_fully_authenticated_user!` method.
+    current_user
   end
 
   def deny_access_from_render_host
@@ -97,19 +104,6 @@ def login_from_authentication_token
     end
   end
 
-  def authenticate(user)
-    if user.is_a? InternalUser
-      # Sorcery Login only works for InternalUsers
-      auto_login(user)
-    else
-      # All external users are logged in "manually"
-      session[:external_user_id] = user.id
-    end
-
-    flash = {notice: session.delete(:return_to_url_notice), alert: session.delete(:return_to_url_alert)}.compact_blank
-    sorcery_redirect_back_or_to(:root, flash) unless session[:return_to_url] == request.fullpath
-  end
-
   def set_sentry_context
     return if current_user.blank?
 

app/controllers/concerns/webauthn/authentication.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+module Webauthn
+  module Authentication
+    def self.included(base)
+      base.send(:include, InstanceMethods)
+      base.before_action :require_fully_authenticated_user!
+
+      Sorcery::Controller::Config.after_login << :require_webauthn_credential_verification
+      Sorcery::Controller::Config.after_remember_me << :require_webauthn_credential_verification
+      Sorcery::Controller::Config.after_logout << :destroy_webauthn_cookie
+    end
+
+    module InstanceMethods
+      # Verify user presence and ensure the sign-in process finished.
+      # If configured previously, the user must have completed the WebAuthn authentication.
+      # This method is intended to be used as a before_action.
+      def require_fully_authenticated_user!
+        require_partially_authenticated_user!
+        if current_user.webauthn_configured?
+          _require_webauthn_credential_authentication
+          refresh_webauthn_cookie
+        else
+          current_user.store_authentication_result(true)
+        end
+      end
+
+      # Verify that a user is signed in (and that we have a current_user).
+      # This method does not check for the completion of the WebAuthn authentication.
+      # This method is intended to be used as a before_action.
+      def require_partially_authenticated_user!
+        raise Pundit::NotAuthorizedError unless current_user
+      end
+
+      # This method is called after the first login step when *not using a password*.
+      # For example, it could be called when signing in using LTI or an authentication token.
+      # Password-based logins are handled by Sorcery, and will call `require_webauthn_credential_verification`.
+      def authenticate(user)
+        _sign_in_as(user)
+        return _finalize_login(user) if user.fully_authenticated?
+
+        redirect_to new_webauthn_credential_authentication_path
+        user
+      end
+
+      # This method is called after the WebAuthn authentication is completed.
+      # It is intended to be used in the WebAuthnCredentialAuthentication controller.
+      def authenticate_webauthn_for(webauthn_credential)
+        _store_in_webauthn_cookie(webauthn_credential)
+        _finalize_login(webauthn_credential.user)
+      end
+
+      # This method can be used to redirect users who are already fully authenticated.
+      # It is intended to be used as a before_action in the WebAuthnCredentialAuthentication controller.
+      def redirect_fully_authenticated_users
+        if session[:return_to_url].blank? && session[:return_to_url_notice].blank? && request.referer.blank?
+          session[:return_to_url_alert] = t('application.not_authorized')
+        end
+        _finalize_login(current_user) if _webauthn_credential_authentication_completed?(current_user)
+      end
+
+      private
+
+      ######################################################
+      # Sorcery Hooks
+      ######################################################
+
+      # If the user has configured WebAuthn, require the WebAuthn authentication after login.
+      def require_webauthn_credential_verification(user, _credential = nil)
+        return unless user.webauthn_configured?
+
+        _require_webauthn_credential_authentication user
+      end
+
+      # Refresh the WebAuthn cookie on each request if the user has completed the WebAuthn authentication.
+      def refresh_webauthn_cookie
+        return unless current_user
+        return unless _webauthn_credential_authentication_completed?(current_user)
+
+        Webauthn::Cookie.new(request).refresh
+      end
+
+      # Remove the WebAuthn cookie after the user logs out.
+      def destroy_webauthn_cookie(_user = nil)
+        webauthn_cookie = Webauthn::Cookie.new(request)
+        webauthn_cookie.clear
+      end
+
+      ######################################################
+      # Internal Methods, use with caution!
+      ######################################################
+
+      # Redirect to the WebAuthn authentication page if the user has not completed the WebAuthn authentication.
+      def _require_webauthn_credential_authentication(user = current_user)
+        redirect_to new_webauthn_credential_authentication_path unless _webauthn_credential_authentication_completed?(user)
+      end
+
+      # Finish the login process and redirect the user to the return_to_url.
+      # This method is called after the second login step, i.e., after verifying the WebAuthn credential.
+      # If no WebAuthn credential is required, the method might be called directly after the first login step.
+      def _finalize_login(user)
+        flash = {notice: session.delete(:return_to_url_notice), alert: session.delete(:return_to_url_alert)}.compact_blank
+        sorcery_redirect_back_or_to(:root, flash) unless session[:return_to_url] == request.fullpath
+        user.store_authentication_result(true)
+      end
+
+      # Sign in the user (by setting the session) and store the authentication result.
+      def _sign_in_as(user)
+        if user.is_a? InternalUser
+          # Sorcery Login only works for InternalUsers
+          auto_login(user)
+        else
+          # All external users are logged in "manually"
+          session[:external_user_id] = user.id
+        end
+
+        if user.webauthn_configured?
+          # The user is fully authenticated if the WebAuthn authentication completed
+          user.store_authentication_result(_webauthn_credential_authentication_completed?(user))
+        else
+          # No additional authentication required
+          user.store_authentication_result(true)
+        end
+      end
+
+      # Store the WebAuthn credential and user in a dedicated cookie to indicate full authentication.
+      # A dedicated cookie is beneficial for LTI-based logins; otherwise, a user would need to reauthenticate for each LTI launch.
+      def _store_in_webauthn_cookie(webauthn_credential)
+        webauthn_cookie = Webauthn::Cookie.new(request)
+        webauthn_cookie.store(:webauthn_user, webauthn_credential.user.id_with_type)
+        webauthn_cookie.store(:webauthn_credential, webauthn_credential.id)
+      end
+
+      # Check if the user has successfully completed the WebAuthn authentication.
+      # Furthermore, memorize the result for the given user.
+      def _webauthn_credential_authentication_completed?(user)
+        return false unless user.webauthn_configured?
+        return true if user.fully_authenticated? # Simple memorization for the current request
+
+        webauthn_cookie = Webauthn::Cookie.new(request)
+        return false unless webauthn_cookie.key?(:webauthn_user)
+        return false unless webauthn_cookie.key?(:webauthn_credential)
+
+        webauthn_credential = WebauthnCredential.find_by(id: webauthn_cookie.content[:webauthn_credential])
+        return false unless webauthn_credential
+        return false unless user == webauthn_credential.user
+        return false unless user.id_with_type == webauthn_cookie.content[:webauthn_user]
+
+        user.store_authentication_result(true)
+        true
+      end
+    end
+  end
+end

app/controllers/concerns/webauthn/cookie.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Webauthn
+  class Cookie
+    NAME = 'CodeOcean-WebAuthn'
+    PREFIXED_NAME = AuthenticatedUrlHelper.cookie_name_for(NAME)
+
+    attr_reader :request
+
+    delegate :key?, to: :content
+
+    def initialize(request)
+      @request = request
+    end
+
+    def content
+      @content ||= JSON.parse(cookies.encrypted[PREFIXED_NAME]).deep_symbolize_keys
+    rescue JSON::ParserError, TypeError
+      {}
+    end
+
+    def content=(value)
+      @content = value
+      if value.present?
+        cookies.encrypted[PREFIXED_NAME] = {
+          value: JSON.generate(value),
+          expires: 1.month.from_now,
+          secure: Rails.env.production? || Rails.env.staging?,
+          httponly: true,
+          path: Rails.application.config.relative_url_root,
+          same_site: :lax, # Similar to the session cookie, we cannot use :strict here (due to LTI support).
+        }
+      else
+        clear
+      end
+    end
+
+    def store(key, value)
+      self.content = content.merge({key => value})
+    end
+
+    def clear
+      cookies.delete PREFIXED_NAME
+    end
+
+    def refresh
+      return if content.blank?
+
+      self.content = content
+    end
+
+    private
+
+    def cookies
+      request.cookie_jar
+    end
+  end
+end

app/controllers/sessions_controller.rb

@@ -10,7 +10,8 @@ class SessionsController < ApplicationController
   end
 
   skip_before_action :verify_authenticity_token, only: :create_through_lti
-  skip_before_action :require_fully_authenticated_user!, only: %i[new create_through_lti create]
+  skip_before_action :require_fully_authenticated_user!, only: %i[new create_through_lti create destroy]
+  before_action :require_partially_authenticated_user!, only: %i[destroy]
   skip_after_action :verify_authorized
   after_action :set_sentry_context, only: %i[create_through_lti create]
 
@@ -46,6 +47,8 @@ def create
       # We set the user's default study group to the "internal" group (no external id) for the given consumer.
       session[:study_group_id] = current_user.study_groups.find_by(external_id: nil)&.id
       session[:return_to_url_notice] = t('.success')
+      # Since _finalize_login requires the session information, we cannot integrate it with Sorcery directly.
+      _finalize_login(current_user) unless current_user.webauthn_configured?
     else
       flash.now[:danger] = t('.failure')
       render(:new)
@@ -68,16 +71,19 @@ def destroy
       session.delete(:embed_options)
       session.delete(:pg_id)
       session.delete(:pair_programming)
+      destroy_webauthn_cookie
 
-      # In case we have another session as an internal user, we set the study group for this one
+      # In case we have another session as an internal user, we set the study group for this one.
+      # A second factor authentication is still required and *might cause a redirect*.
       internal_user = find_or_login_current_user
       if internal_user.present?
         session[:study_group_id] = internal_user.study_groups.find_by(external_id: nil)&.id
       end
     else
       logout
     end
-    redirect_to(:root, notice: t('.success'))
+    flash[:notice] = t('.success')
+    redirect_to(:root) unless performed?
   end
 
   private
@@ -119,6 +125,7 @@ def redirect_to_survey
     uri = Addressable::URI.parse 'https://survey.openhpi.de/survey/index.php'
     uri.query_values = query_params
 
+    # This redirect skips the WebAuthn requirement
     redirect_to uri.to_s, allow_other_host: true
   end
 end

app/controllers/webauthn_credential_authentication_controller.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+class WebauthnCredentialAuthenticationController < ApplicationController
+  skip_before_action :require_fully_authenticated_user!
+  before_action :require_partially_authenticated_user!
+  before_action :deny_access_for_users_without_webauthn_credentials
+  before_action :redirect_fully_authenticated_users
+  before_action :authorize!
+
+  def new
+    @webauthn_get_options = personalized_options
+    session[:current_challenge] = @webauthn_get_options.challenge
+  end
+
+  def create
+    raise WebAuthn::Error.new(t('.missing_challenge')) unless session[:current_challenge]
+    raise WebAuthn::Error.new(t('.invalid_param')) unless credential_param.is_a?(Hash) && credential_param.key?('rawId')
+
+    webauthn_credential = WebAuthn::Credential.from_get(credential_param)
+    credential = current_user.webauthn_credentials.find_by(external_id: webauthn_credential.id)
+    raise WebAuthn::Error.new(t('.credential_not_found')) unless credential
+
+    webauthn_credential.verify(
+      session.delete(:current_challenge),
+      public_key: credential.public_key,
+      sign_count: credential.sign_count,
+      user_presence: true,
+      user_verification: true
+    )
+
+    credential.assign_attributes(
+      sign_count: webauthn_credential.sign_count,
+      last_used_at: Time.zone.now
+    )
+    credential.save(touch: false)
+
+    authenticate_webauthn_for(credential)
+  rescue WebAuthn::Error => e
+    redirect_to new_webauthn_credential_authentication_path, danger: t('.failed', error: e.message)
+  end
+
+  private
+
+  def personalized_options
+    WebAuthn::Credential.options_for_get(
+      allow_credentials:,
+      user_verification: :required
+    )
+  end
+
+  def allow_credentials
+    current_user.webauthn_credentials.map do |cred|
+      {id: cred.external_id, type: WebAuthn::TYPE_PUBLIC_KEY, transports: cred.transports}
+    end
+  end
+
+  def authorize!
+    authorize current_user, policy_class: WebauthnCredentialAuthenticationPolicy
+  end
+
+  def deny_access_for_users_without_webauthn_credentials
+    raise Pundit::NotAuthorizedError unless current_user.webauthn_configured?
+  end
+
+  def credential_param
+    return @credential_param if defined? @credential_param
+
+    credential_param = params.require(:webauthn_credential).permit(:credential)[:credential]
+    @credential_param = JSON.parse(credential_param.to_s)
+  rescue JSON::ParserError
+    @credential_param = {}
+  end
+end