Merge remote-tracking branch 'origin/master' into fm/auth-1111-passkeys-captcha-on-auth

Author: fadymak

internal/api/api.go

@@ -313,7 +313,9 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			r.Use(api.requirePasskeyEnabled)
 
 			r.Route("/authentication", func(r *router) {
-				r.With(api.verifyCaptcha).Post("/options", api.PasskeyAuthenticationOptions)
+				r.With(api.limitHandler(api.limiterOpts.PasskeyAuthentication)).
+					With(api.verifyCaptcha).
+					Post("/options", api.PasskeyAuthenticationOptions)
 				r.Post("/verify", api.PasskeyAuthenticationVerify)
 			})
 

internal/api/external_oauth.go

@@ -118,7 +118,7 @@ func (a *API) oAuthCallback(ctx context.Context, r *http.Request, providerType s
 	}
 	token, err := oauthProvider.GetOAuthToken(ctx, oauthCode, tokenOpts...)
 	if err != nil {
-		return nil, apierrors.NewInternalServerError("Unable to exchange external code: %s", oauthCode).WithInternalError(err)
+		return nil, apierrors.NewInternalServerError("Unable to exchange external code: %s", oauthCode[:min(4, len(oauthCode))]).WithInternalError(err)
 	}
 
 	userData, err := oauthProvider.GetUserData(ctx, token)

internal/api/options.go

@@ -42,21 +42,22 @@ type LimiterOptions struct {
 	Email ratelimit.Limiter
 	Phone ratelimit.Limiter
 
-	Signups             *limiter.Limiter
-	AnonymousSignIns    *limiter.Limiter
-	Recover             *limiter.Limiter
-	Resend              *limiter.Limiter
-	MagicLink           *limiter.Limiter
-	Otp                 *limiter.Limiter
-	Token               *limiter.Limiter
-	Verify              *limiter.Limiter
-	User                *limiter.Limiter
-	FactorVerify        *limiter.Limiter
-	FactorChallenge     *limiter.Limiter
-	SSO                 *limiter.Limiter
-	SAMLAssertion       *limiter.Limiter
-	Web3                *limiter.Limiter
-	OAuthClientRegister *limiter.Limiter
+	Signups               *limiter.Limiter
+	AnonymousSignIns      *limiter.Limiter
+	Recover               *limiter.Limiter
+	Resend                *limiter.Limiter
+	MagicLink             *limiter.Limiter
+	Otp                   *limiter.Limiter
+	Token                 *limiter.Limiter
+	Verify                *limiter.Limiter
+	User                  *limiter.Limiter
+	FactorVerify          *limiter.Limiter
+	FactorChallenge       *limiter.Limiter
+	SSO                   *limiter.Limiter
+	SAMLAssertion         *limiter.Limiter
+	Web3                  *limiter.Limiter
+	OAuthClientRegister   *limiter.Limiter
+	PasskeyAuthentication *limiter.Limiter
 }
 
 func (lo *LimiterOptions) apply(a *API) { a.limiterOpts = lo }
@@ -115,6 +116,7 @@ func NewLimiterOptions(gc *conf.GlobalConfiguration) *LimiterOptions {
 	o.User = newLimiterPer5mOver1h(gc.RateLimitOtp)
 	o.Signups = newLimiterPer5mOver1h(gc.RateLimitOtp)
 	o.OAuthClientRegister = newLimiterPer5mOver1h(gc.RateLimitOAuthDynamicClientRegister)
+	o.PasskeyAuthentication = newLimiterPer5mOver1h(gc.RateLimitPasskey)
 
 	return o
 }

internal/api/passkey_authentication_test.go

@@ -274,6 +274,20 @@ func (ts *PasskeyTestSuite) TestAuthenticationOptionsCaptchaDisabled() {
 	ts.NotEmpty(optionsResp.ChallengeID)
 }
 
+// TestAuthenticationOptionsRateLimited tests that the passkey authentication options endpoint is rate limited.
+func (ts *PasskeyTestSuite) TestAuthenticationOptionsRateLimited() {
+	// The passkey authentication limiter has a burst of 30 (from newLimiterPer5mOver1h).
+	// Send 30 requests that consume the burst, then verify the 31st is rejected.
+	for i := 0; i < 30; i++ {
+		w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", nil, withHeader(ts.Config.RateLimitHeader, "1.2.3.4"))
+		require.Equal(ts.T(), http.StatusOK, w.Code)
+	}
+
+	// 31st request should be rate limited
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", nil, withHeader(ts.Config.RateLimitHeader, "1.2.3.4"))
+	require.Equal(ts.T(), http.StatusTooManyRequests, w.Code)
+}
+
 // registerPasskey is a test helper that registers a passkey for the test user
 // and returns the authenticator (with stored credential) for later assertion.
 func (ts *PasskeyTestSuite) registerPasskey() (*virtualAuthenticator, *PasskeyMetadataResponse) {
@@ -283,7 +297,7 @@ func (ts *PasskeyTestSuite) registerPasskey() (*virtualAuthenticator, *PasskeyMe
 		origin: ts.Config.WebAuthn.RPOrigins[0],
 	}
 
-	w := ts.makeAuthenticatedRequest(http.MethodPost, "http://localhost/passkeys/registration/options", token, nil)
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/registration/options", nil, withBearerToken(token))
 	ts.Require().Equal(http.StatusOK, w.Code)
 
 	var optionsResp PasskeyRegistrationOptionsResponse
@@ -292,10 +306,10 @@ func (ts *PasskeyTestSuite) registerPasskey() (*virtualAuthenticator, *PasskeyMe
 	credResp, err := authenticator.createCredential(optionsResp.Options)
 	require.NoError(ts.T(), err)
 
-	w = ts.makeAuthenticatedRequest(http.MethodPost, "http://localhost/passkeys/registration/verify", token, map[string]any{
+	w = ts.makeRequest(http.MethodPost, "http://localhost/passkeys/registration/verify", map[string]any{
 		"challenge_id":        optionsResp.ChallengeID,
 		"credential_response": json.RawMessage(credResp.JSON),
-	})
+	}, withBearerToken(token))
 	ts.Require().Equal(http.StatusOK, w.Code)
 
 	var passkeyResp PasskeyMetadataResponse

internal/api/passkey_manage_test.go

@@ -31,7 +31,7 @@ func (ts *PasskeyTestSuite) createTestPasskey(userID uuid.UUID, friendlyName str
 
 func (ts *PasskeyTestSuite) TestPasskeyListEmpty() {
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodGet, "http://localhost/passkeys", token, nil)
+	w := ts.makeRequest(http.MethodGet, "http://localhost/passkeys", nil, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -45,7 +45,7 @@ func (ts *PasskeyTestSuite) TestPasskeyListWithPasskeys() {
 	pk2 := ts.createTestPasskey(ts.TestUser.ID, "My MacBook")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodGet, "http://localhost/passkeys", token, nil)
+	w := ts.makeRequest(http.MethodGet, "http://localhost/passkeys", nil, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -74,7 +74,7 @@ func (ts *PasskeyTestSuite) TestPasskeyListDoesNotReturnOtherUsersPasskeys() {
 	ts.createTestPasskey(otherUser.ID, "Other User Passkey")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodGet, "http://localhost/passkeys", token, nil)
+	w := ts.makeRequest(http.MethodGet, "http://localhost/passkeys", nil, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -93,9 +93,9 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateFriendlyName() {
 	cred := ts.createTestPasskey(ts.TestUser.ID, "Old Name")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), map[string]any{
 		"friendly_name": "New Name",
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -113,7 +113,7 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateMissingFriendlyName() {
 	cred := ts.createTestPasskey(ts.TestUser.ID, "Name")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), token, map[string]any{})
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), map[string]any{}, withBearerToken(token))
 
 	ts.Equal(http.StatusBadRequest, w.Code)
 }
@@ -122,9 +122,9 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateFriendlyNameTooLong() {
 	cred := ts.createTestPasskey(ts.TestUser.ID, "Name")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), map[string]any{
 		"friendly_name": strings.Repeat("a", 121),
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusBadRequest, w.Code)
 
@@ -139,9 +139,9 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateFriendlyNameAtMaxLength() {
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
 	longName := strings.Repeat("a", 120)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), map[string]any{
 		"friendly_name": longName,
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -157,9 +157,9 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateOtherUsersPasskey() {
 	otherCred := ts.createTestPasskey(otherUser.ID, "Other Passkey")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", otherCred.ID), token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", otherCred.ID), map[string]any{
 		"friendly_name": "Stolen Passkey",
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusNotFound, w.Code)
 
@@ -171,18 +171,18 @@ func (ts *PasskeyTestSuite) TestPasskeyUpdateOtherUsersPasskey() {
 
 func (ts *PasskeyTestSuite) TestPasskeyUpdateNonExistent() {
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), map[string]any{
 		"friendly_name": "New Name",
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusNotFound, w.Code)
 }
 
 func (ts *PasskeyTestSuite) TestPasskeyUpdateInvalidID() {
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodPatch, "http://localhost/passkeys/not-a-uuid", token, map[string]any{
+	w := ts.makeRequest(http.MethodPatch, "http://localhost/passkeys/not-a-uuid", map[string]any{
 		"friendly_name": "New Name",
-	})
+	}, withBearerToken(token))
 
 	ts.Equal(http.StatusNotFound, w.Code)
 }
@@ -199,7 +199,7 @@ func (ts *PasskeyTestSuite) TestPasskeyDelete() {
 	cred := ts.createTestPasskey(ts.TestUser.ID, "To Delete")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), token, nil)
+	w := ts.makeRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", cred.ID), nil, withBearerToken(token))
 
 	ts.Equal(http.StatusOK, w.Code)
 
@@ -219,7 +219,7 @@ func (ts *PasskeyTestSuite) TestPasskeyDeleteOtherUsersPasskey() {
 	otherCred := ts.createTestPasskey(otherUser.ID, "Other Passkey")
 
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", otherCred.ID), token, nil)
+	w := ts.makeRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", otherCred.ID), nil, withBearerToken(token))
 
 	ts.Equal(http.StatusNotFound, w.Code)
 
@@ -230,7 +230,7 @@ func (ts *PasskeyTestSuite) TestPasskeyDeleteOtherUsersPasskey() {
 
 func (ts *PasskeyTestSuite) TestPasskeyDeleteNonExistent() {
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
-	w := ts.makeAuthenticatedRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), token, nil)
+	w := ts.makeRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), nil, withBearerToken(token))
 
 	ts.Equal(http.StatusNotFound, w.Code)
 }
@@ -246,16 +246,16 @@ func (ts *PasskeyTestSuite) TestPasskeyManageDisabled() {
 	token := ts.generateToken(ts.TestUser, &ts.TestSession.ID)
 
 	// List
-	w := ts.makeAuthenticatedRequest(http.MethodGet, "http://localhost/passkeys/", token, nil)
+	w := ts.makeRequest(http.MethodGet, "http://localhost/passkeys/", nil, withBearerToken(token))
 	ts.Equal(http.StatusNotFound, w.Code)
 
 	// Update
-	w = ts.makeAuthenticatedRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), token, map[string]any{
+	w = ts.makeRequest(http.MethodPatch, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), map[string]any{
 		"friendly_name": "Name",
-	})
+	}, withBearerToken(token))
 	ts.Equal(http.StatusNotFound, w.Code)
 
 	// Delete
-	w = ts.makeAuthenticatedRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), token, nil)
+	w = ts.makeRequest(http.MethodDelete, fmt.Sprintf("http://localhost/passkeys/%s", uuid.Must(uuid.NewV4())), nil, withBearerToken(token))
 	ts.Equal(http.StatusNotFound, w.Code)
 }

internal/api/passkey_registration.go

@@ -177,8 +177,8 @@ func (a *API) PasskeyRegistrationVerify(w http.ResponseWriter, r *http.Request)
 		return apierrors.NewBadRequestError(apierrors.ErrorCodeWebAuthnVerificationFailed, "Credential verification failed").WithInternalError(err)
 	}
 
-	// TODO(fm): fallback to AAGUID -> UA -> "Passkey" for friendly name
-	passkeyCredential := models.NewWebAuthnCredential(user.ID, credential, "")
+	friendlyName := utilities.PasskeyFriendlyName(credential.Authenticator.AAGUID)
+	passkeyCredential := models.NewWebAuthnCredential(user.ID, credential, friendlyName)
 
 	err = db.Transaction(func(tx *storage.Connection) error {
 		count, terr := models.CountWebAuthnCredentialsByUserID(tx, user.ID)