app/assets/javascripts/authenticateSecurityKey.js

(function (window) {
  "use strict";

  window.GOVUK.Modules.AuthenticateSecurityKey = function () {
    this.start = function (component) {
      $(component)
        .on('click', function (event) {
          event.preventDefault();

          fetch('/webauthn/authenticate')
            .then(response => {
              if (!response.ok) {
                throw Error(response.statusText);
              }

              return response.arrayBuffer();
            })
            .then(data => {
              var options = window.CBOR.decode(data);
              // triggers browser dialogue to login with authenticator
              return window.navigator.credentials.get(options);
            })
            .then(credential => {
              return fetch('/webauthn/authenticate', {
                method: 'POST',
                headers: { 'X-CSRFToken': component.data('csrfToken') },
                body: window.CBOR.encode({
                  credentialId: new Uint8Array(credential.rawId),
                  authenticatorData: new Uint8Array(credential.response.authenticatorData),
                  signature: new Uint8Array(credential.response.signature),
                  clientDataJSON: new Uint8Array(credential.response.clientDataJSON),
                })
              });
            })
            .then(response => {
              if (response.status === 403){
                // flask will have `flash`ed an error message up
                window.location.reload();
                return;
              }

              if (!response.ok) {
                // probably an internal server error
                throw Error(response.statusText);
              }

              // fetch will already have done the login redirect dance and will at this point be
              // referring to the final 200 - hopefully to the `/accounts` url or similar. Set the location
              // to trigger a browser navigate to that URL.
              window.location.href = response.url;
            })
            .catch(error => {
              console.error(error);
              // some browsers will show an error dialogue for some
              // errors; to be safe we always pop up an alert
              var message = error.message || error;
              alert('Error during authentication.\n\n' + message);
            });
        });
    };
  };
}) (window);
create webauthn 2fa page if user has `webauthn_auth` as their auth type, then redirect them to an interstitial that prompts them to click on a button which right now just logs to the JS console, but in a future commit will open up the webauthn browser prompt content is unsurprisingly not final. 2021-05-14 11:20:56 +01:00			`(function (window) {`
allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`"use strict";`
create webauthn 2fa page if user has `webauthn_auth` as their auth type, then redirect them to an interstitial that prompts them to click on a button which right now just logs to the JS console, but in a future commit will open up the webauthn browser prompt content is unsurprisingly not final. 2021-05-14 11:20:56 +01:00
allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`window.GOVUK.Modules.AuthenticateSecurityKey = function () {`
			`this.start = function (component) {`
			`$(component)`
			`.on('click', function (event) {`
			`event.preventDefault();`

			`fetch('/webauthn/authenticate')`
			`.then(response => {`
			`if (!response.ok) {`
			`throw Error(response.statusText);`
			`}`

			`return response.arrayBuffer();`
			`})`
			`.then(data => {`
			`var options = window.CBOR.decode(data);`
			`// triggers browser dialogue to login with authenticator`
			`return window.navigator.credentials.get(options);`
			`})`
			`.then(credential => {`
			`return fetch('/webauthn/authenticate', {`
			`method: 'POST',`
			`headers: { 'X-CSRFToken': component.data('csrfToken') },`
			`body: window.CBOR.encode({`
			`credentialId: new Uint8Array(credential.rawId),`
			`authenticatorData: new Uint8Array(credential.response.authenticatorData),`
			`signature: new Uint8Array(credential.response.signature),`
			`clientDataJSON: new Uint8Array(credential.response.clientDataJSON),`
			`})`
			`});`
			`})`
			`.then(response => {`
redirect on login; flash errors on failure the js `fetch` function will follow redirects blindly and return you the final 200 response. when there's an error, we don't want to go anywhere, and we want to use the flask `flash` functionality to pop up an error page (the likely reason for seeing this is using a yubikey that isn't associated with your user). using `flash` and then `window.location.reload()` handles this fine. However, when the user does log in succesfully we need to properly log them in - this includes: * checking their account isn't over the max login count * resetting failed login count to 0 if not * setting a new session id in the database (so other browser windows are logged out) * checking if they need to revalidate their email access (every 90 days) * clearing old user out of the cache This code all happens in the ajax function rather than being in a separate redirect, so that you can't just navigate to the login flow. I wasn't able to unit test that function due how it uses the session and other flask globals, so moved the auth into its own function so it's easy to stub out all that CBOR nonsense. TODO: We still need to pass any `next` URLs through the chain from login page all the way through the javascript AJAX calls and redirects to the log_in_user function 2021-05-17 15:56:15 +01:00			`if (response.status === 403){`
			// flask will have `flash`ed an error message up
			`window.location.reload();`
			`return;`
			`}`

allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`if (!response.ok) {`
redirect on login; flash errors on failure the js `fetch` function will follow redirects blindly and return you the final 200 response. when there's an error, we don't want to go anywhere, and we want to use the flask `flash` functionality to pop up an error page (the likely reason for seeing this is using a yubikey that isn't associated with your user). using `flash` and then `window.location.reload()` handles this fine. However, when the user does log in succesfully we need to properly log them in - this includes: * checking their account isn't over the max login count * resetting failed login count to 0 if not * setting a new session id in the database (so other browser windows are logged out) * checking if they need to revalidate their email access (every 90 days) * clearing old user out of the cache This code all happens in the ajax function rather than being in a separate redirect, so that you can't just navigate to the login flow. I wasn't able to unit test that function due how it uses the session and other flask globals, so moved the auth into its own function so it's easy to stub out all that CBOR nonsense. TODO: We still need to pass any `next` URLs through the chain from login page all the way through the javascript AJAX calls and redirects to the log_in_user function 2021-05-17 15:56:15 +01:00			`// probably an internal server error`
allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`throw Error(response.statusText);`
			`}`
redirect on login; flash errors on failure the js `fetch` function will follow redirects blindly and return you the final 200 response. when there's an error, we don't want to go anywhere, and we want to use the flask `flash` functionality to pop up an error page (the likely reason for seeing this is using a yubikey that isn't associated with your user). using `flash` and then `window.location.reload()` handles this fine. However, when the user does log in succesfully we need to properly log them in - this includes: * checking their account isn't over the max login count * resetting failed login count to 0 if not * setting a new session id in the database (so other browser windows are logged out) * checking if they need to revalidate their email access (every 90 days) * clearing old user out of the cache This code all happens in the ajax function rather than being in a separate redirect, so that you can't just navigate to the login flow. I wasn't able to unit test that function due how it uses the session and other flask globals, so moved the auth into its own function so it's easy to stub out all that CBOR nonsense. TODO: We still need to pass any `next` URLs through the chain from login page all the way through the javascript AJAX calls and redirects to the log_in_user function 2021-05-17 15:56:15 +01:00
			`// fetch will already have done the login redirect dance and will at this point be`
			// referring to the final 200 - hopefully to the `/accounts` url or similar. Set the location
			`// to trigger a browser navigate to that URL.`
			`window.location.href = response.url;`
allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`})`
			`.catch(error => {`
			`console.error(error);`
			`// some browsers will show an error dialogue for some`
			`// errors; to be safe we always pop up an alert`
			`var message = error.message \|\| error;`
			`alert('Error during authentication.\n\n' + message);`
			`});`
			`});`
create webauthn 2fa page if user has `webauthn_auth` as their auth type, then redirect them to an interstitial that prompts them to click on a button which right now just logs to the JS console, but in a future commit will open up the webauthn browser prompt content is unsurprisingly not final. 2021-05-14 11:20:56 +01:00			`};`
allow sign in via webauthn credentials The flow of the code is roughly as follows: user clicks button on webauthn page js sends GET request python reads GET request, sets up login challenge python returns login challenge in response js reads GET response, passes login challenge to browser browser asks user to touch yubikey browser returns yubikey challenge response data to js js sends POST request with yubikey challenge response data python reads yubikey challenge and compares with users creds from db if its a match, python signs user in The login challenge is a PublicKeyCredentialRequestOptions: [1] The browser function we call is navigator.credentials.get(): [2] The response to the challenge from the browser is a PublicKeyCredential: [3] The python server does all the work setting those up and tearing them back down again (and checking them against the values we have stored in the database), but we need to do work to convert them to-and-from CBOR. [1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions [2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get [3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential 2021-05-14 17:37:57 +01:00			`};`
			`}) (window);`