Implement Webauthn

MIGRATIONS.unreleased.md

@@ -11,5 +11,7 @@ User-facing changes are documented in the [changelog](CHANGELOG.released.md).
  - New FossilDB version `0.1.37` (`master__525:` on dockerhub) is required. [#8460](https://github.com/scalableminds/webknossos/pull/8460)
 
 ### Postgres Evolutions:
+
 - [129-credit-transactions.sql](conf/evolutions/129-credit-transactions.sql)
 - [130-replace-text-types.sql](conf/evolutions/130-replace-text-types.sql)
+- [131-add-webauthn-credentials.sql](./conf/evolutions/131-add-webauthn-credentials.sql)

app/models/user/MultiUser.scala

@@ -136,6 +136,13 @@ class MultiUserDAO @Inject()(sqlClient: SqlClient)(implicit ec: ExecutionContext
                      (SELECT _id FROM webknossos.users WHERE _organization = $organizationId)""".asUpdate)
     } yield ()
 
+  def findOneById(id: ObjectId)(implicit ctx: DBAccessContext): Fox[MultiUser] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(q"SELECT $columns FROM $existingCollectionName WHERE _id = $id AND $accessQuery".as[MultiusersRow])
+      parsed <- parseFirst(r, id)
+    } yield parsed
+
   def findOneByEmail(email: String)(implicit ctx: DBAccessContext): Fox[MultiUser] =
     for {
       accessQuery <- readAccessQuery

app/models/user/WebAuthnCredentials.scala

@@ -0,0 +1,139 @@
+package models.user
+
+import com.fasterxml.jackson.core.`type`.TypeReference
+import com.fasterxml.jackson.annotation.{JsonCreator, JsonProperty, JsonTypeInfo}
+import com.scalableminds.util.accesscontext.DBAccessContext
+import com.scalableminds.util.objectid.ObjectId
+import com.scalableminds.util.tools.Fox
+import com.scalableminds.webknossos.schema.Tables._
+import com.webauthn4j.converter.AttestedCredentialDataConverter
+import com.webauthn4j.converter.util.ObjectConverter
+import com.webauthn4j.credential.CredentialRecordImpl
+import com.webauthn4j.data.attestation.statement.AttestationStatement
+import com.webauthn4j.data.extension.authenticator.{AuthenticationExtensionsAuthenticatorOutputs, RegistrationExtensionAuthenticatorOutput}
+import net.liftweb.common.Box.tryo
+import slick.lifted.Rep
+import utils.sql.{SQLDAO, SqlClient}
+
+import javax.inject.Inject
+import scala.concurrent.ExecutionContext
+
+
+case class WebAuthnCredential(
+    _id: ObjectId,
+    _multiUser: ObjectId,
+    name: String,
+    credentialRecord: CredentialRecordImpl,
+    isDeleted: Boolean,
+) {
+  def serializeAttestationStatement(converter: ObjectConverter): Array[Byte] = {
+    AttestationStatementEnvelope(credentialRecord.getAttestationStatement).serialize(converter)
+  }
+
+  def serializeAttestedCredential(objectConverter: ObjectConverter): Array[Byte] = {
+    val converter = new AttestedCredentialDataConverter(objectConverter);
+    converter.convert(credentialRecord.getAttestedCredentialData)
+  }
+
+  def serializedExtensions(converter: ObjectConverter): Array[Byte] = {
+    converter.getCborConverter.writeValueAsBytes(credentialRecord.getAuthenticatorExtensions)
+  }
+}
+
+// Define the AttestationStatementEnvelope class
+case class AttestationStatementEnvelope(@JsonProperty("attStmt") attestationStatement: AttestationStatement) {
+  // The JSON type information annotation for polymorphism
+  @JsonTypeInfo(
+    use = JsonTypeInfo.Id.NAME,
+    include = JsonTypeInfo.As.EXTERNAL_PROPERTY,
+    property = "fmt"
+  )
+  private val attStmt: AttestationStatement = attestationStatement
+
+  // Getter for the 'fmt' property
+  @JsonProperty("fmt")
+  def getFormat: String = attestationStatement.getFormat
+
+  // Getter for the AttestationStatement instance
+  def getAttestationStatement: AttestationStatement = attestationStatement
+
+  def serialize(converter: ObjectConverter): Array[Byte] =
+    converter.getJsonConverter.writeValueAsBytes(this)
+}
+
+class WebAuthnCredentialDAO @Inject()(sqlClient: SqlClient)(implicit ec: ExecutionContext)
+    extends SQLDAO[WebAuthnCredential, WebauthncredentialsRow, Webauthncredentials](sqlClient) {
+  protected val collection = Webauthncredentials
+
+  override protected def idColumn(x: Webauthncredentials): Rep[String] = x._Id
+
+  override protected def isDeletedColumn(x: Webauthncredentials): Rep[Boolean] = x.isdeleted
+
+  protected def parse(r: WebauthncredentialsRow): Fox[WebAuthnCredential] = {
+    val objectConverter = new ObjectConverter()
+    val converter = objectConverter.getCborConverter
+    val attestedCredentialDataConverter = new AttestedCredentialDataConverter(objectConverter)
+    for {
+      envelope <- tryo(converter.readValue(r.serializedattestationstatement, new TypeReference[AttestationStatementEnvelope] {}))
+      attestationStatement = envelope.attestationStatement
+      attestedCredential <- tryo(attestedCredentialDataConverter.convert(r.serializedattestedcredential))
+      authenticatorExtensions <- tryo(converter.readValue(r.serializedextensions, new TypeReference[AuthenticationExtensionsAuthenticatorOutputs[RegistrationExtensionAuthenticatorOutput]] {}))
+      record = new CredentialRecordImpl(
+        attestationStatement,
+        null,
+        null,
+        null,
+        r.signaturecount.toLong,
+        attestedCredential,
+        authenticatorExtensions,
+        null,
+        null,
+        null
+      )
+    } yield WebAuthnCredential(ObjectId(r._Id), ObjectId(r._Multiuser), r.name, record, r.isdeleted)
+  }
+
+  def findAllForUser(multiUserId: ObjectId)(implicit ctx: DBAccessContext): Fox[List[WebAuthnCredential]] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(
+        q"SELECT $columns FROM webknossos.webauthncredentials WHERE _multiUser = $multiUserId AND $accessQuery"
+          .as[WebauthncredentialsRow])
+      parsed <- parseAll(r)
+    } yield parsed
+
+  def findByCredentialId(multiUserId: ObjectId, credentialId: Array[Byte])(implicit ctx: DBAccessContext): Fox[WebAuthnCredential] =
+    for {
+      accessQuery <- readAccessQuery
+      r <- run(q"SELECT $columns FROM webknossos.webauthncredentials WHERE _multiUser = $multiUserId AND credentialId = $credentialId AND $accessQuery"
+          .as[WebauthncredentialsRow])
+      parsed <- parseFirst(r, multiUserId)
+    } yield parsed
+
+  def insertOne(c: WebAuthnCredential): Fox[Unit] = {
+    val converter = new ObjectConverter()
+    val serializedAttestationStatement = c.serializeAttestationStatement(converter)
+    val serializedAttestedCredential = c.serializeAttestedCredential(converter)
+    val serializedAuthenticatorExtensions = c.serializedExtensions(converter)
+    val credentialId = c.credentialRecord.getAttestedCredentialData.getCredentialId
+    for {
+      _ <- run(
+        q"""INSERT INTO webknossos.webauthncredentials(_id, _multiUser, credentialId, name, serializedAttestationStatement, serializedAttestedCredential, serializedExtensions, signatureCount)
+                       VALUES(${c._id}, ${c._multiUser}, ${credentialId}, ${c.name}, ${serializedAttestationStatement}, ${serializedAttestedCredential},
+                              ${serializedAuthenticatorExtensions}, ${c.credentialRecord.getCounter.toInt})""".asUpdate)
+    } yield ()
+  }
+
+  def updateSignCount(c: WebAuthnCredential): Fox[Unit] = {
+    val signatureCount = c.credentialRecord.getCounter
+    for {
+      _ <- run(q"""UPDATE webknossos.webauthncredentials SET signatureCount = $signatureCount WHERE _id = ${c._id}""".asUpdate)
+    } yield ()
+  }
+
+  def removeById(id: ObjectId, multiUser: ObjectId): Fox[Unit] =
+    for {
+      _ <- run(q"""DELETE FROM webknossos.webauthncredentials WHERE _id = ${id} AND _multiUser=${multiUser}""".asUpdate)
+    } yield ()
+
+}

conf/application.conf

@@ -61,6 +61,9 @@ play {
     timeout.idle = 2 hours
     timeout.connection = 2 hours
   }
+  context {
+    blocking = "pekko.actor.default-dispatcher"
+  }
 }
 
 pekko.actor.default-dispatcher {

conf/evolutions/131-add-webauthn-credentials.sql

@@ -0,0 +1,23 @@
+START TRANSACTION;
+
+do $$ begin ASSERT (select schemaVersion from webknossos.releaseInformation) = 130, 'Previous schema version mismatch'; end; $$ LANGUAGE plpgsql;
+
+CREATE TABLE webknossos.webauthnCredentials(
+  _id TEXT PRIMARY KEY,
+  _multiUser CHAR(24) NOT NULL,
+  credentialId BYTEA NOT NULL,
+  name TEXT NOT NULL,
+  serializedAttestationStatement BYTEA NOT NULL,
+  serializedAttestedCredential BYTEA NOT NULL,
+  serializedExtensions BYTEA NOT NULL,
+  signatureCount INTEGER NOT NULL,
+  isDeleted BOOLEAN NOT NULL DEFAULT false,
+  UNIQUE (_id, credentialId)
+);
+
+ALTER TABLE webknossos.webauthnCredentials
+  ADD FOREIGN KEY (_multiUser) REFERENCES webknossos.multiUsers(_id) ON DELETE CASCADE ON UPDATE CASCADE DEFERRABLE;
+
+UPDATE webknossos.releaseInformation SET schemaVersion = 131;
+
+COMMIT TRANSACTION;

conf/evolutions/reversions/131-add-webauthn-credentials.sql

@@ -0,0 +1,10 @@
+START TRANSACTION;
+
+-- This reversion might take a while because it needs to search in all annotation layer names for '$' and replace it with ''
+do $$ begin ASSERT (select schemaVersion from webknossos.releaseInformation) = 131, 'Previous schema version mismatch'; end; $$ LANGUAGE plpgsql;
+
+DROP TABLE webknossos.webauthnCredentials;
+
+UPDATE webknossos.releaseInformation SET schemaVersion = 130;
+
+COMMIT TRANSACTION;

conf/webknossos.latest.routes

@@ -37,6 +37,15 @@ POST          /auth/resetPassword
 GET           /auth/logout                                                                      controllers.AuthenticationController.logout()
 GET           /auth/sso                                                                         controllers.AuthenticationController.singleSignOn(sso: String, sig: String)
 GET           /auth/oidc/login                                                                  controllers.AuthenticationController.loginViaOpenIdConnect()
+
+# Routes for WebAuthn
+POST          /auth/webauthn/auth/start                                                         controllers.AuthenticationController.webauthnAuthStart()
+POST          /auth/webauthn/auth/finalize                                                      controllers.AuthenticationController.webauthnAuthFinalize()
+POST          /auth/webauthn/register/start                                                     controllers.AuthenticationController.webauthnRegisterStart()
+POST          /auth/webauthn/register/finalize                                                  controllers.AuthenticationController.webauthnRegisterFinalize()
+GET           /auth/webauthn/keys                                                               controllers.AuthenticationController.webauthnListKeys()
+DELETE        /auth/webauthn/keys                                                               controllers.AuthenticationController.webauthnRemoveKey()
+
 # /auth/oidc/callback route is used literally in code
 GET           /auth/oidc/callback                                                               controllers.AuthenticationController.openIdCallback()
 POST          /auth/createOrganizationWithAdmin                                                 controllers.AuthenticationController.createOrganizationWithAdmin()

frontend/javascripts/admin/admin_rest_api.ts

@@ -1,3 +1,4 @@
+import * as webauthn from "@github/webauthn-json";
 import dayjs from "dayjs";
 import { V3 } from "libs/mjs";
 import type { RequestOptions } from "libs/request";
@@ -90,6 +91,7 @@ import {
   type VoxelyticsLogLine,
   type VoxelyticsWorkflowListing,
   type VoxelyticsWorkflowReport,
+  type WebAuthnKeyDescriptor,
   type ZarrPrivateLink,
 } from "types/api_flow_types";
 import type { ArbitraryObject } from "types/globals";
@@ -147,6 +149,46 @@ export async function loginUser(formValues: {
   return [activeUser, organization];
 }
 
+export async function doWebAuthnLogin(): Promise<[APIUser, APIOrganization]> {
+  const webAuthnAuthAssertion = await Request.receiveJSON("/api/auth/webauthn/auth/start", {
+    method: "POST",
+  });
+  const response = JSON.stringify(await webauthn.get(webAuthnAuthAssertion));
+  await Request.sendJSONReceiveJSON("/api/auth/webauthn/auth/finalize", {
+    method: "POST",
+    data: { key: response },
+  });
+
+  const activeUser = await getActiveUser();
+  const organization = await getOrganization(activeUser.organization);
+  return [activeUser, organization];
+}
+
+export async function doWebAuthnRegistration(name: string): Promise<any> {
+  const webAuthnRegistrationAssertion = await Request.receiveJSON(
+    "/api/auth/webauthn/register/start",
+    {
+      method: "POST",
+    },
+  ).then((body) => JSON.parse(body));
+  const response = JSON.stringify(await webauthn.create(webAuthnRegistrationAssertion));
+  return Request.sendJSONReceiveJSON("/api/auth/webauthn/register/finalize", {
+    data: { name: name, key: response },
+    method: "POST",
+  });
+}
+
+export async function listWebAuthnKeys(): Promise<Array<WebAuthnKeyDescriptor>> {
+  return await Request.receiveJSON("/api/auth/webauthn/keys");
+}
+
+export async function removeWebAuthnKey(key: WebAuthnKeyDescriptor): Promise<any> {
+  return await Request.sendJSONReceiveArraybuffer("/api/auth/webauthn/keys", {
+    method: "DELETE",
+    data: key,
+  });
+}
+
 export async function getUsers(): Promise<Array<APIUser>> {
   const users = await Request.receiveJSON("/api/users");
   assertResponseLimit(users);