core&ui: rollback simplewebauthn

11 months ago · b1e9700983
parent bc19a3ca5a
commit b1e9700983
6 changed files with 21 additions and 10 deletions
--- a/package.json
+++ b/package.json
@ -31,7 +31,7 @@
    "version": "1.0.0",
    "license": "AGPL-3.0-only",
    "devDependencies": {
-        "@simplewebauthn/typescript-types": "^8.0.0",
+        "@simplewebauthn/typescript-types": "7.4.0",
        "@types/autocannon": "^7.12.1",
        "@types/cross-spawn": "^6.0.3",
        "@types/node": "^20.8.6",
--- a/packages/hydrooj/package.json
+++ b/packages/hydrooj/package.json
@ -19,7 +19,7 @@
        "@aws-sdk/s3-request-presigner": "3.429.0",
        "@graphql-tools/schema": "^10.0.0",
        "@hydrooj/utils": "workspace:*",
-        "@simplewebauthn/server": "^8.3.2",
+        "@simplewebauthn/server": "7.4.0",
        "adm-zip": "0.5.5",
        "cac": "^6.7.14",
        "cordis": "2.8.8",
--- a/packages/hydrooj/src/handler/home.ts
+++ b/packages/hydrooj/src/handler/home.ts
@ -280,12 +280,17 @@ class HomeSecurityHandler extends Handler {
        this.back();
    }

+    getAuthnHost() {
+        return system.get('authn.host') && this.request.hostname.includes(system.get('authn.host'))
+            ? system.get('authn.host') : this.request.hostname;
+    }
+
    @requireSudo
    @param('type', Types.Range(['cross-platform', 'platform']))
    async postRegister(domainId: string, type: 'cross-platform' | 'platform') {
-        const options = await generateRegistrationOptions({
+        const options = generateRegistrationOptions({
            rpName: system.get('server.name'),
-            rpID: this.request.hostname,
+            rpID: this.getAuthnHost(),
            userID: this.user._id.toString(),
            userDisplayName: this.user.uname,
            userName: `${this.user.uname}(${this.user.mail})`,
@ -310,7 +315,7 @@ class HomeSecurityHandler extends Handler {
            response: this.args.result,
            expectedChallenge: this.session.webauthnVerify,
            expectedOrigin: this.request.headers.origin,
-            expectedRPID: this.request.hostname,
+            expectedRPID: this.getAuthnHost(),
        }).catch(() => { throw new ValidationError('verify'); });
        if (!verification.verified) throw new ValidationError('verify');
        const info = verification.registrationInfo;
--- a/packages/hydrooj/src/handler/user.ts
+++ b/packages/hydrooj/src/handler/user.ts
@ -165,16 +165,22 @@ class UserSudoHandler extends Handler {
 class UserWebauthnHandler extends Handler {
    noCheckPermView = true;

+    getAuthnHost() {
+        return system.get('authn.host') && this.request.hostname.includes(system.get('authn.host'))
+            ? system.get('authn.host') : this.request.hostname;
+    }
+
    @param('uname', Types.Username, true)
    async get(domainId: string, uname: string) {
        const udoc = this.user._id ? this.user : ((await user.getByEmail(domainId, uname)) || await user.getByUname(domainId, uname));
        if (!udoc._id) throw new UserNotFoundError(uname || 'user');
        if (!udoc.authn) throw new AuthOperationError('authn', 'disabled');
-        const options = await generateAuthenticationOptions({
+        const options = generateAuthenticationOptions({
            allowCredentials: udoc._authenticators.map((authenticator) => ({
                id: authenticator.credentialID.buffer,
                type: 'public-key',
            })),
+            rpID: this.getAuthnHost(),
            userVerification: 'preferred',
        });
        await token.add(token.TYPE_WEBAUTHN, 60, { uid: udoc._id }, options.challenge);
@ -195,7 +201,7 @@ class UserWebauthnHandler extends Handler {
            response: result,
            expectedChallenge: challenge,
            expectedOrigin: this.request.headers.origin,
-            expectedRPID: this.request.hostname,
+            expectedRPID: this.getAuthnHost(),
            authenticator: {
                ...authenticator,
                credentialID: authenticator.credentialID.buffer,
--- a/packages/hydrooj/src/interface.ts
+++ b/packages/hydrooj/src/interface.ts
@ -1,5 +1,5 @@
-import { AttestationFormat } from '@simplewebauthn/server/script/helpers/decodeAttestationObject';
-import { AuthenticationExtensionsAuthenticatorOutputs } from '@simplewebauthn/server/script/helpers/decodeAuthenticatorExtensions';
+import { AttestationFormat } from '@simplewebauthn/server/dist/helpers/decodeAttestationObject';
+import { AuthenticationExtensionsAuthenticatorOutputs } from '@simplewebauthn/server/dist/helpers/decodeAuthenticatorExtensions';
 import { CredentialDeviceType } from '@simplewebauthn/typescript-types';
 import type fs from 'fs';
 import type { Dictionary, NumericDictionary } from 'lodash';
--- a/packages/ui-default/package.json
+++ b/packages/ui-default/package.json
@ -24,7 +24,7 @@
    "@fontsource/source-code-pro": "^5.0.13",
    "@fontsource/ubuntu-mono": "^5.0.15",
    "@hydrooj/utils": "workspace:*",
-    "@simplewebauthn/browser": "^8.3.1",
+    "@simplewebauthn/browser": "7.4.0",
    "@svgr/webpack": "^8.1.0",
    "@types/gulp-if": "^0.0.34",
    "@types/jquery": "^3.5.22",