cedros-login-server 0.0.43

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256

//! WebAuthn authentication ceremony methods (email-first + discoverable flows)

use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
use chrono::{Duration, Utc};
use std::sync::Arc;
use uuid::Uuid;
use webauthn_rs::prelude::{DiscoverableAuthentication, Passkey, PasskeyAuthentication};

use crate::errors::AppError;
use crate::repositories::{WebAuthnChallenge, WebAuthnCredential, WebAuthnRepository};

use super::{AuthenticationOptionsResponse, VerifyAuthenticationRequest, WebAuthnService};

impl WebAuthnService {
    /// Start passkey authentication ceremony (email-first flow)
    pub async fn start_authentication(
        &self,
        user_id: Option<Uuid>,
        credentials: &[WebAuthnCredential],
        repo: &Arc<dyn WebAuthnRepository>,
    ) -> Result<AuthenticationOptionsResponse, AppError> {
        let webauthn = self.get_webauthn().await?;
        let policy = self.user_verification_policy();

        // Convert stored credentials to Passkey objects
        let passkeys: Vec<Passkey> = credentials
            .iter()
            .filter_map(|c| serde_json::from_str(&c.public_key).ok())
            .collect();

        if passkeys.is_empty() {
            return Err(AppError::NotFound("No passkeys registered for user".into()));
        }

        let (mut rcr, auth_state) =
            webauthn
                .start_passkey_authentication(&passkeys)
                .map_err(|e| {
                    AppError::Internal(anyhow::anyhow!(
                        "WebAuthn authentication start failed: {:?}",
                        e
                    ))
                })?;

        self.apply_authentication_options(&mut rcr, policy);

        let state_json = self.serialize_authentication_state(&auth_state, policy)?;

        let challenge_id = Uuid::new_v4();
        let challenge = WebAuthnChallenge {
            challenge_id,
            user_id,
            state: state_json,
            challenge_type: "authenticate".to_string(),
            created_at: Utc::now(),
            expires_at: Utc::now() + Duration::seconds(self.config.challenge_ttl_seconds as i64),
        };

        repo.store_challenge(challenge).await?;

        Ok(AuthenticationOptionsResponse {
            challenge_id,
            options: rcr,
        })
    }

    /// S-16: Start discoverable (username-less) passkey authentication ceremony
    ///
    /// This allows users to authenticate without providing their username first.
    /// The authenticator will prompt the user to select a passkey, which contains
    /// the user's identity.
    pub async fn start_discoverable_authentication(
        &self,
        repo: &Arc<dyn WebAuthnRepository>,
    ) -> Result<AuthenticationOptionsResponse, AppError> {
        let webauthn = self.get_webauthn().await?;
        let policy = self.user_verification_policy();

        // Start discoverable authentication (no allowCredentials list)
        let (mut rcr, auth_state) = webauthn.start_discoverable_authentication().map_err(|e| {
            AppError::Internal(anyhow::anyhow!(
                "WebAuthn discoverable auth start failed: {:?}",
                e
            ))
        })?;

        self.apply_authentication_options(&mut rcr, policy);

        let state_json = self.serialize_authentication_state(&auth_state, policy)?;

        let challenge_id = Uuid::new_v4();
        let challenge = WebAuthnChallenge {
            challenge_id,
            user_id: None, // No user known yet - will be determined from credential
            state: state_json,
            challenge_type: "discoverable".to_string(),
            created_at: Utc::now(),
            expires_at: Utc::now() + Duration::seconds(self.config.challenge_ttl_seconds as i64),
        };

        repo.store_challenge(challenge).await?;

        Ok(AuthenticationOptionsResponse {
            challenge_id,
            options: rcr,
        })
    }

    /// S-16: Complete discoverable (username-less) passkey authentication ceremony
    ///
    /// Returns the user ID and credential after successful authentication.
    pub async fn finish_discoverable_authentication(
        &self,
        request: VerifyAuthenticationRequest,
        repo: &Arc<dyn WebAuthnRepository>,
    ) -> Result<(Uuid, WebAuthnCredential), AppError> {
        let webauthn = self.get_webauthn().await?;

        let challenge = repo
            .consume_challenge(request.challenge_id)
            .await?
            .ok_or_else(|| AppError::Validation("Challenge expired or not found".into()))?;

        if challenge.challenge_type != "discoverable" {
            return Err(AppError::Validation(
                "Invalid challenge type for discoverable auth".into(),
            ));
        }

        // Deserialize the authentication state
        let auth_state: DiscoverableAuthentication =
            serde_json::from_str(&challenge.state).map_err(|e| AppError::Internal(e.into()))?;

        // Get the credential ID from the response to look up the user.
        // Use get_credential_id() which returns raw_id bytes, NOT .id which is
        // already base64url-encoded (encoding that would double-encode).
        let cred_id_bytes: &[u8] = request.credential.get_credential_id();
        let cred_id = URL_SAFE_NO_PAD.encode(cred_id_bytes);

        tracing::info!(
            cred_id_lookup = %cred_id,
            cred_id_from_id_field = %request.credential.id,
            raw_id_len = cred_id_bytes.len(),
            "Discoverable auth: looking up credential"
        );

        // Find the credential and user
        let stored_credential = repo.find_by_credential_id(&cred_id).await?;

        if stored_credential.is_none() {
            tracing::warn!(
                cred_id_lookup = %cred_id,
                cred_id_from_id_field = %request.credential.id,
                "Discoverable auth: credential NOT found in DB"
            );
            return Err(AppError::InvalidCredentials);
        }
        let stored_credential = stored_credential.unwrap();

        // Deserialize the stored passkey
        let passkey: Passkey = serde_json::from_str(&stored_credential.public_key)
            .map_err(|e| AppError::Internal(e.into()))?;

        // Verify the authentication response with discoverable flow
        let auth_result = webauthn
            .finish_discoverable_authentication(&request.credential, auth_state, &[passkey.into()])
            .map_err(|_| AppError::InvalidCredentials)?;

        // M-02: Validate sign count increased (detects cloned authenticators)
        let new_counter = auth_result.counter();
        let old_counter = stored_credential.sign_count;
        if new_counter <= old_counter && old_counter > 0 {
            tracing::warn!(
                credential_id = %stored_credential.credential_id,
                user_id = %stored_credential.user_id,
                old_counter = old_counter,
                new_counter = new_counter,
                "M-02: WebAuthn sign count did not increase - possible cloned authenticator"
            );
            if self.config.reject_cloned_credentials {
                return Err(AppError::Validation(
                    "Authentication rejected: possible cloned authenticator detected".into(),
                ));
            }
        }

        // SEC-05: Atomically update sign count and last_used_at
        repo.record_successful_auth(stored_credential.id, new_counter)
            .await?;

        Ok((stored_credential.user_id, stored_credential))
    }

    /// Complete passkey authentication ceremony
    pub async fn finish_authentication(
        &self,
        request: VerifyAuthenticationRequest,
        credentials: &[WebAuthnCredential],
        repo: &Arc<dyn WebAuthnRepository>,
    ) -> Result<(Uuid, WebAuthnCredential), AppError> {
        let webauthn = self.get_webauthn().await?;

        let challenge = repo
            .consume_challenge(request.challenge_id)
            .await?
            .ok_or_else(|| AppError::Validation("Challenge expired or not found".into()))?;

        if challenge.challenge_type != "authenticate" {
            return Err(AppError::Validation("Invalid challenge type".into()));
        }

        // Deserialize the authentication state
        let auth_state: PasskeyAuthentication =
            serde_json::from_str(&challenge.state).map_err(|e| AppError::Internal(e.into()))?;

        // Verify the authentication response
        let auth_result = webauthn
            .finish_passkey_authentication(&request.credential, &auth_state)
            .map_err(|_| AppError::InvalidCredentials)?;

        // Find the matching credential by credential ID
        let used_cred_id = URL_SAFE_NO_PAD.encode(auth_result.cred_id());
        let credential = credentials
            .iter()
            .find(|c| c.credential_id == used_cred_id)
            .ok_or_else(|| {
                AppError::Internal(anyhow::anyhow!(
                    "Credential not found after successful auth"
                ))
            })?;

        // M-02: Validate sign count increased (detects cloned authenticators)
        let new_counter = auth_result.counter();
        let old_counter = credential.sign_count;
        if new_counter <= old_counter && old_counter > 0 {
            tracing::warn!(
                credential_id = %credential.credential_id,
                user_id = %credential.user_id,
                old_counter = old_counter,
                new_counter = new_counter,
                "M-02: WebAuthn sign count did not increase - possible cloned authenticator"
            );
            if self.config.reject_cloned_credentials {
                return Err(AppError::Validation(
                    "Authentication rejected: possible cloned authenticator detected".into(),
                ));
            }
        }

        // SEC-05: Atomically update sign count and last_used_at
        repo.record_successful_auth(credential.id, new_counter)
            .await?;

        Ok((credential.user_id, credential.clone()))
    }
}