mirror of
https://github.com/kmc7468/arkvault.git
synced 2025-12-16 06:58:46 +00:00
공개 키 등록시 인증 절차 추가
This commit is contained in:
static
@@ -1,14 +1,14 @@
|
||||
import { and, eq } from "drizzle-orm";
|
||||
import { and, eq, gt, lte } from "drizzle-orm";
|
||||
import db from "./drizzle";
|
||||
import { client, userClient } from "./schema";
|
||||
import { client, userClient, userClientChallenge, UserClientState } from "./schema";
|
||||
|
||||
export const createClient = async (pubKey: string, userId: number) => {
|
||||
await db.transaction(async (tx) => {
|
||||
return await db.transaction(async (tx) => {
|
||||
const insertRes = await tx.insert(client).values({ pubKey }).returning({ id: client.id });
|
||||
await tx.insert(userClient).values({
|
||||
userId,
|
||||
clientId: insertRes[0]!.id,
|
||||
});
|
||||
const { id: clientId } = insertRes[0]!;
|
||||
await tx.insert(userClient).values({ userId, clientId });
|
||||
|
||||
return clientId;
|
||||
});
|
||||
};
|
||||
|
||||
@@ -25,3 +25,58 @@ export const getUserClient = async (userId: number, clientId: number) => {
|
||||
.execute();
|
||||
return userClients[0] ?? null;
|
||||
};
|
||||
|
||||
export const setUserClientStateToPending = async (userId: number, clientId: number) => {
|
||||
await db
|
||||
.update(userClient)
|
||||
.set({ state: UserClientState.Pending })
|
||||
.where(
|
||||
and(
|
||||
eq(userClient.userId, userId),
|
||||
eq(userClient.clientId, clientId),
|
||||
eq(userClient.state, UserClientState.Challenging),
|
||||
),
|
||||
)
|
||||
.execute();
|
||||
};
|
||||
|
||||
export const createUserClientChallenge = async (
|
||||
userId: number,
|
||||
clientId: number,
|
||||
challenge: string,
|
||||
allowedIp: string,
|
||||
expiresAt: number,
|
||||
) => {
|
||||
await db
|
||||
.insert(userClientChallenge)
|
||||
.values({
|
||||
userId,
|
||||
clientId,
|
||||
challenge,
|
||||
allowedIp,
|
||||
expiresAt,
|
||||
})
|
||||
.execute();
|
||||
};
|
||||
|
||||
export const getUserClientChallenge = async (challenge: string, ip: string) => {
|
||||
const challenges = await db
|
||||
.select()
|
||||
.from(userClientChallenge)
|
||||
.where(
|
||||
and(
|
||||
eq(userClientChallenge.challenge, challenge),
|
||||
eq(userClientChallenge.allowedIp, ip),
|
||||
gt(userClientChallenge.expiresAt, Date.now()),
|
||||
),
|
||||
)
|
||||
.execute();
|
||||
return challenges[0] ?? null;
|
||||
};
|
||||
|
||||
export const cleanupExpiredUserClientChallenges = async () => {
|
||||
await db
|
||||
.delete(userClientChallenge)
|
||||
.where(lte(userClientChallenge.expiresAt, Date.now()))
|
||||
.execute();
|
||||
};
|
||||
|
||||
@@ -2,8 +2,9 @@ import { sqliteTable, text, integer, primaryKey } from "drizzle-orm/sqlite-core"
|
||||
import { user } from "./user";
|
||||
|
||||
export enum UserClientState {
|
||||
PENDING = 0,
|
||||
ACTIVE = 1,
|
||||
Challenging = 0,
|
||||
Pending = 1,
|
||||
Active = 2,
|
||||
}
|
||||
|
||||
export const client = sqliteTable("client", {
|
||||
@@ -20,10 +21,23 @@ export const userClient = sqliteTable(
|
||||
clientId: integer("client_id")
|
||||
.notNull()
|
||||
.references(() => client.id),
|
||||
state: integer("state").notNull().default(0),
|
||||
state: integer("state").notNull().default(UserClientState.Challenging),
|
||||
encKey: text("encrypted_key"),
|
||||
},
|
||||
(t) => ({
|
||||
pk: primaryKey({ columns: [t.userId, t.clientId] }),
|
||||
}),
|
||||
);
|
||||
|
||||
export const userClientChallenge = sqliteTable("user_client_challenge", {
|
||||
id: integer("id").primaryKey(),
|
||||
userId: integer("user_id")
|
||||
.notNull()
|
||||
.references(() => user.id),
|
||||
clientId: integer("client_id")
|
||||
.notNull()
|
||||
.references(() => client.id),
|
||||
challenge: text("challenge").notNull().unique(),
|
||||
allowedIp: text("allowed_ip").notNull(),
|
||||
expiresAt: integer("expires_at").notNull(),
|
||||
});
|
||||
|
||||
@@ -12,4 +12,7 @@ export default {
|
||||
accessExp: env.JWT_ACCESS_TOKEN_EXPIRES || "5m",
|
||||
refreshExp: env.JWT_REFRESH_TOKEN_EXPIRES || "14d",
|
||||
},
|
||||
challenge: {
|
||||
pubKeyExp: env.PUBKEY_CHALLENGE_EXPIRES || "5m",
|
||||
},
|
||||
};
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import argon2 from "argon2";
|
||||
import { v4 as uuidv4 } from "uuid";
|
||||
import { getClientByPubKey } from "$lib/server/db/client";
|
||||
import { getClientByPubKey, getUserClient } from "$lib/server/db/client";
|
||||
import { getUserByEmail } from "$lib/server/db/user";
|
||||
import {
|
||||
getRefreshToken,
|
||||
@@ -9,6 +9,7 @@ import {
|
||||
rotateRefreshToken,
|
||||
revokeRefreshToken,
|
||||
} from "$lib/server/db/token";
|
||||
import { UserClientState } from "$lib/server/db/schema";
|
||||
import { issueToken, verifyToken, TokenError } from "$lib/server/modules/auth";
|
||||
|
||||
const verifyPassword = async (hash: string, password: string) => {
|
||||
@@ -36,8 +37,11 @@ export const login = async (email: string, password: string, pubKey?: string) =>
|
||||
}
|
||||
|
||||
const client = pubKey ? await getClientByPubKey(pubKey) : undefined;
|
||||
const userClient = client ? await getUserClient(user.id, client.id) : undefined;
|
||||
if (client === null) {
|
||||
error(401, "Invalid public key");
|
||||
} else if (client && (!userClient || userClient.state === UserClientState.Challenging)) {
|
||||
error(401, "Unregistered public key");
|
||||
}
|
||||
|
||||
return {
|
||||
|
||||
@@ -1,10 +1,45 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import { createClient, getClientByPubKey } from "$lib/server/db/client";
|
||||
import { randomBytes, publicEncrypt } from "crypto";
|
||||
import ms from "ms";
|
||||
import { promisify } from "util";
|
||||
import {
|
||||
createClient,
|
||||
getClientByPubKey,
|
||||
createUserClientChallenge,
|
||||
getUserClientChallenge,
|
||||
setUserClientStateToPending,
|
||||
} from "$lib/server/db/client";
|
||||
import env from "$lib/server/loadenv";
|
||||
|
||||
export const registerPubKey = async (userId: number, pubKey: string) => {
|
||||
const expiresIn = ms(env.challenge.pubKeyExp);
|
||||
const expiresAt = () => Date.now() + expiresIn;
|
||||
|
||||
const generateChallenge = async (userId: number, ip: string, clientId: number, pubKey: string) => {
|
||||
const challenge = await promisify(randomBytes)(32);
|
||||
const challengeBase64 = challenge.toString("base64");
|
||||
await createUserClientChallenge(userId, clientId, challengeBase64, ip, expiresAt());
|
||||
|
||||
const pubKeyPem = `-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
|
||||
const challengeEncrypted = publicEncrypt({ key: pubKeyPem, oaepHash: "sha256" }, challenge);
|
||||
return challengeEncrypted.toString("base64");
|
||||
};
|
||||
|
||||
export const registerPubKey = async (userId: number, ip: string, pubKey: string) => {
|
||||
if (await getClientByPubKey(pubKey)) {
|
||||
error(409, "Public key already registered");
|
||||
}
|
||||
|
||||
await createClient(pubKey, userId);
|
||||
const clientId = await createClient(pubKey, userId);
|
||||
return await generateChallenge(userId, ip, clientId, pubKey);
|
||||
};
|
||||
|
||||
export const verifyPubKey = async (userId: number, ip: string, answer: string) => {
|
||||
const challenge = await getUserClientChallenge(answer, ip);
|
||||
if (!challenge) {
|
||||
error(401, "Invalid challenge answer");
|
||||
} else if (challenge.userId !== userId) {
|
||||
error(403, "Forbidden");
|
||||
}
|
||||
|
||||
await setUserClientStateToPending(userId, challenge.clientId);
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user