Webauthn nits (#18284)

This contains some additional fixes and small nits related to #17957 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-07-22 18:28:37 +00:00 · 2022-01-15 16:52:56 +00:00
parent e239d354c9
commit d7c2a2951c
10 changed files with 87 additions and 40 deletions
--- a/models/auth/webauthn.go
+++ b/models/auth/webauthn.go
@@ -6,7 +6,7 @@ package auth

 import (
 	"context"
-	"encoding/base64"
+	"encoding/base32"
 	"fmt"
 	"strings"

@@ -94,7 +94,7 @@ type WebAuthnCredentialList []*WebAuthnCredential
 func (list WebAuthnCredentialList) ToCredentials() []webauthn.Credential {
 	creds := make([]webauthn.Credential, 0, len(list))
 	for _, cred := range list {
-		credID, _ := base64.RawStdEncoding.DecodeString(cred.CredentialID)
+		credID, _ := base32.HexEncoding.DecodeString(cred.CredentialID)
 		creds = append(creds, webauthn.Credential{
 			ID:              credID,
 			PublicKey:       cred.PublicKey,
@@ -164,13 +164,13 @@ func HasWebAuthnRegistrationsByUID(uid int64) (bool, error) {
 }

 // GetWebAuthnCredentialByCredID returns WebAuthn credential by credential ID
-func GetWebAuthnCredentialByCredID(credID string) (*WebAuthnCredential, error) {
-	return getWebAuthnCredentialByCredID(db.DefaultContext, credID)
+func GetWebAuthnCredentialByCredID(userID int64, credID string) (*WebAuthnCredential, error) {
+	return getWebAuthnCredentialByCredID(db.DefaultContext, userID, credID)
 }

-func getWebAuthnCredentialByCredID(ctx context.Context, credID string) (*WebAuthnCredential, error) {
+func getWebAuthnCredentialByCredID(ctx context.Context, userID int64, credID string) (*WebAuthnCredential, error) {
 	cred := new(WebAuthnCredential)
-	if found, err := db.GetEngine(ctx).Where("credential_id = ?", credID).Get(cred); err != nil {
+	if found, err := db.GetEngine(ctx).Where("user_id = ? AND credential_id = ?", userID, credID).Get(cred); err != nil {
 		return nil, err
 	} else if !found {
 		return nil, ErrWebAuthnCredentialNotExist{CredentialID: credID}
@@ -187,7 +187,7 @@ func createCredential(ctx context.Context, userID int64, name string, cred *weba
 	c := &WebAuthnCredential{
 		UserID:          userID,
 		Name:            name,
-		CredentialID:    base64.RawStdEncoding.EncodeToString(cred.ID),
+		CredentialID:    base32.HexEncoding.EncodeToString(cred.ID),
 		PublicKey:       cred.PublicKey,
 		AttestationType: cred.AttestationType,
 		AAGUID:          cred.Authenticator.AAGUID,
--- a/models/auth/webauthn_test.go
+++ b/models/auth/webauthn_test.go
@@ -5,7 +5,7 @@
 package auth

 import (
-	"encoding/base64"
+	"encoding/base32"
 	"testing"

 	"code.gitea.io/gitea/models/unittest"
@@ -61,7 +61,7 @@ func TestCreateCredential(t *testing.T) {
 	res, err := CreateCredential(1, "WebAuthn Created Credential", &webauthn.Credential{ID: []byte("Test")})
 	assert.NoError(t, err)
 	assert.Equal(t, "WebAuthn Created Credential", res.Name)
-	bs, err := base64.RawStdEncoding.DecodeString(res.CredentialID)
+	bs, err := base32.HexEncoding.DecodeString(res.CredentialID)
 	assert.NoError(t, err)
 	assert.Equal(t, []byte("Test"), bs)

--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -368,6 +368,8 @@ var migrations = []Migration{
 	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 	// v207 -> v208
 	NewMigration("Add webauthn table and migrate u2f data to webauthn", addWebAuthnCred),
+	// v208 -> v209
+	NewMigration("Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive", useBase32HexForCredIDInWebAuthnCredential),
 }

 // GetCurrentDBVersion returns the current db version
--- a/models/migrations/v208.go
+++ b/models/migrations/v208.go
@@ -0,0 +1,51 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"encoding/base32"
+	"encoding/base64"
+
+	"xorm.io/xorm"
+)
+
+func useBase32HexForCredIDInWebAuthnCredential(x *xorm.Engine) error {
+
+	// Create webauthnCredential table
+	type webauthnCredential struct {
+		ID           int64  `xorm:"pk autoincr"`
+		CredentialID string `xorm:"INDEX"`
+	}
+	if err := x.Sync2(&webauthnCredential{}); err != nil {
+		return err
+	}
+
+	var start int
+	regs := make([]*webauthnCredential, 0, 50)
+	for {
+		err := x.OrderBy("id").Limit(50, start).Find(&regs)
+		if err != nil {
+			return err
+		}
+
+		for _, reg := range regs {
+			credID, _ := base64.RawStdEncoding.DecodeString(reg.CredentialID)
+			reg.CredentialID = base32.HexEncoding.EncodeToString(credID)
+
+			_, err := x.Update(reg)
+			if err != nil {
+				return err
+			}
+		}
+
+		if len(regs) < 50 {
+			break
+		}
+		start += 50
+		regs = regs[:0]
+	}
+
+	return nil
+}