mirror of
https://github.com/kmc7468/arkvault.git
synced 2025-12-15 22:38:47 +00:00
Token Upgrade시 챌린지를 거치도록 변경
This commit is contained in:
static
@@ -1,16 +1,21 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import argon2 from "argon2";
|
||||
import ms from "ms";
|
||||
import { v4 as uuidv4 } from "uuid";
|
||||
import { getClientByPubKey, getUserClient } from "$lib/server/db/client";
|
||||
import { getClient, getClientByPubKeys, getUserClient } from "$lib/server/db/client";
|
||||
import { getUserByEmail } from "$lib/server/db/user";
|
||||
import env from "$lib/server/loadenv";
|
||||
import {
|
||||
getRefreshToken,
|
||||
registerRefreshToken,
|
||||
rotateRefreshToken,
|
||||
upgradeRefreshToken,
|
||||
revokeRefreshToken,
|
||||
registerTokenUpgradeChallenge,
|
||||
getTokenUpgradeChallenge,
|
||||
} from "$lib/server/db/token";
|
||||
import { issueToken, verifyToken, TokenError } from "$lib/server/modules/auth";
|
||||
import { verifySignature, generateChallenge } from "$lib/server/modules/crypto";
|
||||
|
||||
const verifyPassword = async (hash: string, password: string) => {
|
||||
return await argon2.verify(hash, password);
|
||||
@@ -30,23 +35,15 @@ const issueRefreshToken = async (userId: number, clientId?: number) => {
|
||||
return token;
|
||||
};
|
||||
|
||||
export const login = async (email: string, password: string, pubKey?: string) => {
|
||||
export const login = async (email: string, password: string) => {
|
||||
const user = await getUserByEmail(email);
|
||||
if (!user || !(await verifyPassword(user.password, password))) {
|
||||
error(401, "Invalid email or password");
|
||||
}
|
||||
|
||||
const client = pubKey ? await getClientByPubKey(pubKey) : undefined;
|
||||
const userClient = client ? await getUserClient(user.id, client.id) : undefined;
|
||||
if (client === null) {
|
||||
error(401, "Invalid public key");
|
||||
} else if (client && (!userClient || userClient.state === "challenging")) {
|
||||
error(401, "Unregistered public key");
|
||||
}
|
||||
|
||||
return {
|
||||
accessToken: issueAccessToken(user.id, client?.id),
|
||||
refreshToken: await issueRefreshToken(user.id, client?.id),
|
||||
accessToken: issueAccessToken(user.id),
|
||||
refreshToken: await issueRefreshToken(user.id),
|
||||
};
|
||||
};
|
||||
|
||||
@@ -75,7 +72,7 @@ export const logout = async (refreshToken: string) => {
|
||||
await revokeRefreshToken(jti);
|
||||
};
|
||||
|
||||
export const refreshTokens = async (refreshToken: string) => {
|
||||
export const refreshToken = async (refreshToken: string) => {
|
||||
const { jti: oldJti, userId, clientId } = await verifyRefreshToken(refreshToken);
|
||||
const newJti = uuidv4();
|
||||
|
||||
@@ -88,20 +85,75 @@ export const refreshTokens = async (refreshToken: string) => {
|
||||
};
|
||||
};
|
||||
|
||||
export const upgradeTokens = async (refreshToken: string, pubKey: string) => {
|
||||
const expiresIn = ms(env.challenge.tokenUpgradeExp);
|
||||
const expiresAt = () => new Date(Date.now() + expiresIn);
|
||||
|
||||
const createChallenge = async (
|
||||
ip: string,
|
||||
tokenId: string,
|
||||
clientId: number,
|
||||
encPubKey: string,
|
||||
) => {
|
||||
const { answer, challenge } = await generateChallenge(32, encPubKey);
|
||||
await registerTokenUpgradeChallenge(
|
||||
tokenId,
|
||||
clientId,
|
||||
answer.toString("base64"),
|
||||
ip,
|
||||
expiresAt(),
|
||||
);
|
||||
return challenge.toString("base64");
|
||||
};
|
||||
|
||||
export const createTokenUpgradeChallenge = async (
|
||||
refreshToken: string,
|
||||
ip: string,
|
||||
encPubKey: string,
|
||||
sigPubKey: string,
|
||||
) => {
|
||||
const { jti, userId, clientId } = await verifyRefreshToken(refreshToken);
|
||||
if (clientId) {
|
||||
error(403, "Forbidden");
|
||||
}
|
||||
|
||||
const client = await getClientByPubKeys(encPubKey, sigPubKey);
|
||||
const userClient = client ? await getUserClient(userId, client.id) : undefined;
|
||||
if (!client) {
|
||||
error(401, "Invalid public key(s)");
|
||||
} else if (!userClient || userClient.state === "challenging") {
|
||||
error(401, "Unregistered client");
|
||||
}
|
||||
|
||||
return { challenge: await createChallenge(ip, jti, client.id, encPubKey) };
|
||||
};
|
||||
|
||||
export const upgradeToken = async (
|
||||
refreshToken: string,
|
||||
ip: string,
|
||||
answer: string,
|
||||
sigAnswer: string,
|
||||
) => {
|
||||
const { jti: oldJti, userId, clientId } = await verifyRefreshToken(refreshToken);
|
||||
if (clientId) {
|
||||
error(403, "Forbidden");
|
||||
}
|
||||
|
||||
const client = await getClientByPubKey(pubKey);
|
||||
const userClient = client ? await getUserClient(userId, client.id) : undefined;
|
||||
if (!client) {
|
||||
error(401, "Invalid public key");
|
||||
} else if (client && (!userClient || userClient.state === "challenging")) {
|
||||
error(401, "Unregistered public key");
|
||||
const challenge = await getTokenUpgradeChallenge(answer, ip);
|
||||
if (!challenge) {
|
||||
error(401, "Invalid challenge answer");
|
||||
} else if (challenge.refreshTokenId !== oldJti) {
|
||||
error(403, "Forbidden");
|
||||
}
|
||||
|
||||
const client = await getClient(challenge.clientId);
|
||||
if (!client) {
|
||||
error(500, "Invalid challenge answer");
|
||||
} else if (!verifySignature(answer, sigAnswer, client.sigPubKey)) {
|
||||
error(401, "Invalid challenge answer signature");
|
||||
}
|
||||
|
||||
// TODO: Replay attack prevention
|
||||
|
||||
const newJti = uuidv4();
|
||||
if (!(await upgradeRefreshToken(oldJti, newJti, client.id))) {
|
||||
error(500, "Refresh token not found");
|
||||
|
||||
Reference in New Issue
Block a user