Split out HTTP handlers

koesie10 · koesie10 · commit e2615f42f753 · 2018-09-28T10:25:03.000+02:00
This can be useful when nesting the assertion or attestaion responses
inside another object which can contain other data, such as the name
of the authenticator.
diff --git a/webauthn/login.go b/webauthn/login.go
@@ -11,17 +11,15 @@ import (
 	"github.com/koesie10/webauthn/protocol"
 )
 
-// StartLogin is a HTTP request handler which writes the options to be passed to navigator.credentials.get()
-// to the http.ResponseWriter. The user argument is optional and can be nil, in which case the allowCredentials
-// option will not be set and AuthenticatorStore.GetAuthenticators will not be called.
-func (w *WebAuthn) StartLogin(r *http.Request, rw http.ResponseWriter, user User, session Session) {
+// GetLoginOptions will return the options that need to be passed to navigator.credentials.get(). This should
+// be returned to the user via e.g. JSON over HTTP. For convenience, use StartLogin.
+func (w *WebAuthn) GetLoginOptions(user User, session Session) (*protocol.CredentialRequestOptions, error) {
 	chal, err := protocol.NewChallenge()
 	if err != nil {
-		w.writeError(r, rw, err)
-		return
+		return nil, err
 	}
 
-	options := protocol.CredentialRequestOptions{
+	options := &protocol.CredentialRequestOptions{
 		PublicKey: protocol.PublicKeyCredentialRequestOptions{
 			Challenge: chal,
 			Timeout:   w.Config.Timeout,
@@ -31,8 +29,7 @@ func (w *WebAuthn) StartLogin(r *http.Request, rw http.ResponseWriter, user User
 	if user != nil {
 		authenticators, err := w.Config.AuthenticatorStore.GetAuthenticators(user)
 		if err != nil {
-			w.writeError(r, rw, err)
-			return
+			return nil, err
 		}
 
 		allowCredentials := make([]protocol.PublicKeyCredentialDescriptor, len(authenticators))
@@ -48,56 +45,53 @@ func (w *WebAuthn) StartLogin(r *http.Request, rw http.ResponseWriter, user User
 	}
 
 	if err := session.Set(w.Config.SessionKeyPrefixChallenge+".login", []byte(chal)); err != nil {
+		return nil, err
+	}
+
+	return options, nil
+}
+
+// StartLogin is a HTTP request handler which writes the options to be passed to navigator.credentials.get()
+// to the http.ResponseWriter. The user argument is optional and can be nil, in which case the allowCredentials
+// option will not be set and AuthenticatorStore.GetAuthenticators will not be called.
+func (w *WebAuthn) StartLogin(r *http.Request, rw http.ResponseWriter, user User, session Session) {
+	options, err := w.GetLoginOptions(user, session)
+	if err != nil {
 		w.writeError(r, rw, err)
 		return
 	}
 
 	w.write(r, rw, options)
 }
 
-// FinishLogin is a HTTP request handler which should receive the response of navigator.credentials.get(). If
+// ParseAndFinishLogin should receive the response of navigator.credentials.get(). If
 // user is non-nil, it will be checked that the authenticator is owned by that user. If the request is valid,
-// the authenticator will be returned and nothing will have been written to http.ResponseWriter. If authenticator is
-// nil, an error has been written to http.ResponseWriter and should be returned as-is.
-func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user User, session Session) Authenticator {
+// the authenticator will be returned. For convenience, use FinishLogin.
+func (w *WebAuthn) ParseAndFinishLogin(assertionResponse protocol.AssertionResponse, user User, session Session) (Authenticator, error) {
 	rawChal, err := session.Get(w.Config.SessionKeyPrefixChallenge + ".login")
 	if err != nil {
-		w.writeErrorCode(r, rw, http.StatusBadRequest, err)
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("missing challenge in session")
 	}
 	chal, ok := rawChal.([]byte)
 	if !ok {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("invalid challenge session value"))
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("invalid challenge session value")
 	}
 
 	if err := session.Delete(w.Config.SessionKeyPrefixChallenge + ".login"); err != nil {
-		w.writeError(r, rw, err)
-		return nil
-	}
-
-	var assertionResponse protocol.AssertionResponse
-
-	d := json.NewDecoder(r.Body)
-	d.DisallowUnknownFields()
-	if err := d.Decode(&assertionResponse); err != nil {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug(err.Error()))
-		return nil
+		return nil, err
 	}
 
 	p, err := protocol.ParseAssertionResponse(assertionResponse)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	// 1. If the allowCredentials option was given when this authentication ceremony was initiated, verify that
 	// credential.id identifies one of the public key credentials that were listed in allowCredentials.
 	if user != nil {
 		authenticators, err := w.Config.AuthenticatorStore.GetAuthenticators(user)
 		if err != nil {
-			w.writeError(r, rw, err)
-			return nil
+			return nil, err
 		}
 
 		var authrFound bool
@@ -109,7 +103,7 @@ func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user Use
 		}
 
 		if !authrFound {
-			w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("authenticator is not owned by user"))
+			return nil, protocol.ErrInvalidRequest.WithDebug("authenticator is not owned by user")
 		}
 	}
 
@@ -118,14 +112,12 @@ func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user Use
 	if p.Response.UserHandle != nil && len(p.Response.UserHandle) > 0 {
 		if user != nil {
 			if !bytes.Equal(p.Response.UserHandle, user.WebAuthID()) {
-				w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("authenticator's user handle does not equal user ID"))
-				return nil
+				return nil, protocol.ErrInvalidRequest.WithDebug("authenticator's user handle does not equal user ID")
 			}
 		} else {
 			authenticators, err := w.Config.AuthenticatorStore.GetAuthenticators(&defaultUser{id: p.Response.UserHandle})
 			if err != nil {
-				w.writeError(r, rw, err)
-				return nil
+				return nil, err
 			}
 
 			var authrFound bool
@@ -137,8 +129,7 @@ func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user Use
 			}
 
 			if !authrFound {
-				w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("authenticator is not owned by user"))
-				return nil
+				return nil, protocol.ErrInvalidRequest.WithDebug("authenticator is not owned by user")
 			}
 		}
 	}
@@ -147,32 +138,50 @@ func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user Use
 	// case), look up the corresponding credential public key.
 	authr, err := w.Config.AuthenticatorStore.GetAuthenticator(p.RawID)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	block, _ := pem.Decode(authr.WebAuthPublicKey())
 	if block == nil {
-		w.writeError(r, rw, fmt.Errorf("invalid stored public key, unable to decode"))
-		return nil
+		return nil, fmt.Errorf("invalid stored public key, unable to decode")
 	}
 
 	cert, err := x509.ParsePKIXPublicKey(block.Bytes)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	valid, err := protocol.IsValidAssertion(p, chal, w.Config.RelyingPartyID, w.Config.RelyingPartyOrigin, &x509.Certificate{
 		PublicKey: cert,
 	})
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	if !valid {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("invalid login"))
+		return nil, protocol.ErrInvalidRequest.WithDebug("invalid login")
+	}
+
+	return authr, nil
+}
+
+// FinishLogin is a HTTP request handler which should receive the response of navigator.credentials.get(). If
+// user is non-nil, it will be checked that the authenticator is owned by that user. If the request is valid,
+// the authenticator will be returned and nothing will have been written to http.ResponseWriter. If authenticator is
+// nil, an error has been written to http.ResponseWriter and should be returned as-is.
+func (w *WebAuthn) FinishLogin(r *http.Request, rw http.ResponseWriter, user User, session Session) Authenticator {
+	var assertionResponse protocol.AssertionResponse
+
+	d := json.NewDecoder(r.Body)
+	d.DisallowUnknownFields()
+	if err := d.Decode(&assertionResponse); err != nil {
+		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug(err.Error()))
+		return nil
+	}
+
+	authr, err := w.ParseAndFinishLogin(assertionResponse, user, session)
+	if err != nil {
+		w.writeError(r, rw, err)
 		return nil
 	}
 
diff --git a/webauthn/registration.go b/webauthn/registration.go
@@ -10,13 +10,12 @@ import (
 	"github.com/koesie10/webauthn/protocol"
 )
 
-// StartRegistration is a HTTP request handler which writes the options to be passed to navigator.credentials.create()
-// to the http.ResponseWriter.
-func (w *WebAuthn) StartRegistration(r *http.Request, rw http.ResponseWriter, user User, session Session) {
+// GetRegistrationOptions will return the options that need to be passed to navigator.credentials.create(). This should
+// be returned to the user via e.g. JSON over HTTP. For convenience, use StartRegistration.
+func (w *WebAuthn) GetRegistrationOptions(user User, session Session) (*protocol.CredentialCreationOptions, error) {
 	chal, err := protocol.NewChallenge()
 	if err != nil {
-		w.writeError(r, rw, err)
-		return
+		return nil, err
 	}
 
 	u := protocol.PublicKeyCredentialUserEntity{
@@ -27,7 +26,7 @@ func (w *WebAuthn) StartRegistration(r *http.Request, rw http.ResponseWriter, us
 		DisplayName: user.WebAuthDisplayName(),
 	}
 
-	options := protocol.CredentialCreationOptions{
+	options := &protocol.CredentialCreationOptions{
 		PublicKey: protocol.PublicKeyCredentialCreationOptions{
 			Challenge: chal,
 			RP: protocol.PublicKeyCredentialRpEntity{
@@ -50,8 +49,7 @@ func (w *WebAuthn) StartRegistration(r *http.Request, rw http.ResponseWriter, us
 
 	authenticators, err := w.Config.AuthenticatorStore.GetAuthenticators(user)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return
+		return nil, err
 	}
 
 	excludeCredentials := make([]protocol.PublicKeyCredentialDescriptor, len(authenticators))
@@ -66,86 +64,76 @@ func (w *WebAuthn) StartRegistration(r *http.Request, rw http.ResponseWriter, us
 	options.PublicKey.ExcludeCredentials = excludeCredentials
 
 	if err := session.Set(w.Config.SessionKeyPrefixChallenge+".register", []byte(chal)); err != nil {
-		w.writeError(r, rw, err)
-		return
+		return nil, err
 	}
 	if err := session.Set(w.Config.SessionKeyPrefixUserID+".register", u.ID); err != nil {
+		return nil, err
+	}
+
+	return options, nil
+}
+
+// StartRegistration is a HTTP request handler which writes the options to be passed to navigator.credentials.create()
+// to the http.ResponseWriter.
+func (w *WebAuthn) StartRegistration(r *http.Request, rw http.ResponseWriter, user User, session Session) {
+	options, err := w.GetRegistrationOptions(user, session)
+	if err != nil {
 		w.writeError(r, rw, err)
 		return
 	}
 
 	w.write(r, rw, options)
 }
 
-// FinishRegistration is a HTTP request handler which should receive the response of navigator.credentials.create(). If
-// the request is valid, AuthenticatorStore.AddAuthenticator will be called and an empty response with HTTP status code
-// 201 (Created) will be written to the http.ResponseWriter. If authenticator is  nil, an error has been written to
-// http.ResponseWriter and should be returned as-is.
-func (w *WebAuthn) FinishRegistration(r *http.Request, rw http.ResponseWriter, user User, session Session) Authenticator {
+// ParseAndFinishRegistration should receive the response of navigator.credentials.create(). If
+// the request is valid, AuthenticatorStore.AddAuthenticator will be called and the authenticator that was registered
+// will be returned. For convenience, use FinishRegistration.
+func (w *WebAuthn) ParseAndFinishRegistration(attestationResponse protocol.AttestationResponse, user User, session Session) (Authenticator, error) {
 	rawChal, err := session.Get(w.Config.SessionKeyPrefixChallenge + ".register")
 	if err != nil {
-		w.writeErrorCode(r, rw, http.StatusBadRequest, err)
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("missing challenge in session")
 	}
 	chal, ok := rawChal.([]byte)
 	if !ok {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("invalid challenge session value"))
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("invalid challenge session value")
 	}
 	if err := session.Delete(w.Config.SessionKeyPrefixChallenge + ".register"); err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	rawUserID, err := session.Get(w.Config.SessionKeyPrefixUserID + ".register")
 	if err != nil {
-		w.writeErrorCode(r, rw, http.StatusBadRequest, err)
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("missing user ID in session")
 	}
 	userID, ok := rawUserID.([]byte)
 	if !ok {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("invalid user ID session value"))
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("invalid user ID session value")
 	}
 	if err := session.Delete(w.Config.SessionKeyPrefixUserID + ".register"); err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	if !bytes.Equal(user.WebAuthID(), userID) {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("user has changed since start of registration"))
-		return nil
-	}
-
-	var attestationResponse protocol.AttestationResponse
-	d := json.NewDecoder(r.Body)
-	d.DisallowUnknownFields()
-	if err := d.Decode(&attestationResponse); err != nil {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug(err.Error()))
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("user has changed since start of registration")
 	}
 
 	p, err := protocol.ParseAttestationResponse(attestationResponse)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	valid, err := protocol.IsValidAttestation(p, chal, w.Config.RelyingPartyID, w.Config.RelyingPartyOrigin)
 	if err != nil {
-		w.writeError(r, rw, err)
-		return nil
+		return nil, err
 	}
 
 	if !valid {
-		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug("invalid registration"))
-		return nil
+		return nil, protocol.ErrInvalidRequest.WithDebug("invalid registration")
 	}
 
 	data, err := x509.MarshalPKIXPublicKey(p.Response.Attestation.AuthData.AttestedCredentialData.COSEKey)
 	if err != nil {
-		w.writeErrorCode(r, rw, http.StatusBadRequest, err)
-		return nil
+		return nil, err
 	}
 
 	authr := &defaultAuthenticator{
@@ -160,6 +148,27 @@ func (w *WebAuthn) FinishRegistration(r *http.Request, rw http.ResponseWriter, u
 	}
 
 	if err := w.Config.AuthenticatorStore.AddAuthenticator(user, authr); err != nil {
+		return nil, err
+	}
+
+	return authr, nil
+}
+
+// FinishRegistration is a HTTP request handler which should receive the response of navigator.credentials.create(). If
+// the request is valid, AuthenticatorStore.AddAuthenticator will be called and an empty response with HTTP status code
+// 201 (Created) will be written to the http.ResponseWriter. If authenticator is  nil, an error has been written to
+// http.ResponseWriter and should be returned as-is.
+func (w *WebAuthn) FinishRegistration(r *http.Request, rw http.ResponseWriter, user User, session Session) Authenticator {
+	var attestationResponse protocol.AttestationResponse
+	d := json.NewDecoder(r.Body)
+	d.DisallowUnknownFields()
+	if err := d.Decode(&attestationResponse); err != nil {
+		w.writeError(r, rw, protocol.ErrInvalidRequest.WithDebug(err.Error()))
+		return nil
+	}
+
+	authr, err := w.ParseAndFinishRegistration(attestationResponse, user, session)
+	if err != nil {
 		w.writeError(r, rw, err)
 		return nil
 	}
