add endpoint for verifying webauthn login

with sms and email auth the api handles verifying logins in the `/<user_id>/verify/code` endpoint, when it checks the code is valid etc. The admin app has already done this for webauthn logins, but we still need an API endpoint so that we can set up the user's db entry to have a new logged in timestamp, a new session id (this is important for logging out other browser sessions), etc. Also, we need to be able to make sure that the user's max login count isn't exceeded. If it's exceeded, we shouldn't let them log in even with a valid webauthn check. This endpoint is a POST where the admin passes in a json dict with key "succesful" being True or False. True sets up the db stuff as mentioned. False just increments the failed login count.
2026-02-03 01:41:05 -05:00 · 2021-05-17 20:32:01 +01:00
parent 3702d4eae8
commit 00b0227007
3 changed files with 107 additions and 3 deletions
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -63,6 +63,7 @@ from app.user.users_schema import (
    post_send_user_sms_code_schema,
    post_set_permissions_schema,
    post_verify_code_schema,
+    post_verify_webauthn_schema,
 )
 from app.utils import url_with_token

@@ -226,6 +227,32 @@ def verify_user_code(user_id):
    return jsonify({}), 204


+@user_blueprint.route('/<uuid:user_id>/verify/webauthn-login', methods=['POST'])
+def verify_webauthn_login_for_user(user_id):
+    """
+    webauthn logins are already verified on the admin app but we still need to
+    check the max login count and set up a session id etc here.
+    """
+    data = request.get_json()
+    validate(data, post_verify_webauthn_schema)
+
+    user = get_user_by_id(user_id=user_id)
+    successful = data['successful']
+
+    if user.failed_login_count >= current_app.config.get('MAX_VERIFY_CODE_COUNT'):
+        raise InvalidRequest("Maximum login count exceeded", status_code=403)
+
+    if successful:
+        user.current_session_id = str(uuid.uuid4())
+        user.logged_in_at = datetime.utcnow()
+        user.failed_login_count = 0
+        save_model_user(user)
+    else:
+        increment_failed_login_count(user)
+
+    return jsonify({}), 204
+
+
@user_blueprint.route('/<uuid:user_id>/<code_type>-code', methods=['POST'])
 def send_user_2fa_code(user_id, code_type):
    user_to_send_to = get_user_by_id(user_id=user_id)
--- a/app/user/users_schema.py
+++ b/app/user/users_schema.py
@@ -11,6 +11,18 @@ post_verify_code_schema = {
 }


+post_verify_webauthn_schema = {
+    '$schema': 'http://json-schema.org/draft-04/schema#',
+    'description': 'POST schema for verifying a webauthn login attempt',
+    'type': 'object',
+    'properties': {
+        'successful': {'type': 'boolean'}
+    },
+    'required': ['successful'],
+    'additionalProperties': False
+}
+
+
 post_send_user_email_code_schema = {
    '$schema': 'http://json-schema.org/draft-04/schema#',
    'description': (