공개 키 등록시 인증 절차 추가

2026-02-04 16:16:55 +00:00 · 2024-12-29 00:32:24 +09:00
parent 928cb799d3
commit 75ab5f5859
11 changed files with 183 additions and 22 deletions
--- a/src/lib/server/services/auth.ts
+++ b/src/lib/server/services/auth.ts
@@ -1,7 +1,7 @@
 import { error } from "@sveltejs/kit";
 import argon2 from "argon2";
 import { v4 as uuidv4 } from "uuid";
-import { getClientByPubKey } from "$lib/server/db/client";
+import { getClientByPubKey, getUserClient } from "$lib/server/db/client";
 import { getUserByEmail } from "$lib/server/db/user";
 import {
  getRefreshToken,
@@ -9,6 +9,7 @@ import {
  rotateRefreshToken,
  revokeRefreshToken,
 } from "$lib/server/db/token";
+import { UserClientState } from "$lib/server/db/schema";
 import { issueToken, verifyToken, TokenError } from "$lib/server/modules/auth";

 const verifyPassword = async (hash: string, password: string) => {
@@ -36,8 +37,11 @@ export const login = async (email: string, password: string, pubKey?: string) =>
  }

  const client = pubKey ? await getClientByPubKey(pubKey) : undefined;
+  const userClient = client ? await getUserClient(user.id, client.id) : undefined;
  if (client === null) {
    error(401, "Invalid public key");
+  } else if (client && (!userClient || userClient.state === UserClientState.Challenging)) {
+    error(401, "Unregistered public key");
  }

  return {
--- a/src/lib/server/services/key.ts
+++ b/src/lib/server/services/key.ts
@@ -1,10 +1,45 @@
 import { error } from "@sveltejs/kit";
-import { createClient, getClientByPubKey } from "$lib/server/db/client";
+import { randomBytes, publicEncrypt } from "crypto";
+import ms from "ms";
+import { promisify } from "util";
+import {
+  createClient,
+  getClientByPubKey,
+  createUserClientChallenge,
+  getUserClientChallenge,
+  setUserClientStateToPending,
+} from "$lib/server/db/client";
+import env from "$lib/server/loadenv";

-export const registerPubKey = async (userId: number, pubKey: string) => {
+const expiresIn = ms(env.challenge.pubKeyExp);
+const expiresAt = () => Date.now() + expiresIn;
+
+const generateChallenge = async (userId: number, ip: string, clientId: number, pubKey: string) => {
+  const challenge = await promisify(randomBytes)(32);
+  const challengeBase64 = challenge.toString("base64");
+  await createUserClientChallenge(userId, clientId, challengeBase64, ip, expiresAt());
+
+  const pubKeyPem = `-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
+  const challengeEncrypted = publicEncrypt({ key: pubKeyPem, oaepHash: "sha256" }, challenge);
+  return challengeEncrypted.toString("base64");
+};
+
+export const registerPubKey = async (userId: number, ip: string, pubKey: string) => {
  if (await getClientByPubKey(pubKey)) {
    error(409, "Public key already registered");
  }

-  await createClient(pubKey, userId);
+  const clientId = await createClient(pubKey, userId);
+  return await generateChallenge(userId, ip, clientId, pubKey);
+};
+
+export const verifyPubKey = async (userId: number, ip: string, answer: string) => {
+  const challenge = await getUserClientChallenge(answer, ip);
+  if (!challenge) {
+    error(401, "Invalid challenge answer");
+  } else if (challenge.userId !== userId) {
+    error(403, "Forbidden");
+  }
+
+  await setUserClientStateToPending(userId, challenge.clientId);
 };