DEV: Add routes and controller actions for passkeys (2/3) (#23587)

This is part 2 (of 3) for passkeys support. This adds a hidden site setting plus routes and controller actions. 1. registering passkeys Passkeys are registered in a two-step process. First, `create_passkey` returns details for the browser to create a passkey. This includes - a challenge - the relying party ID and Origin - the user's secure identifier - the supported algorithms - the user's existing passkeys (if any) Then the browser creates a key with this information, and submits it to the server via `register_passkey`. 2. authenticating passkeys A similar process happens here as well. First, a challenge is created and sent to the browser. Then the browser makes a public key credential and submits it to the server via `passkey_auth_perform`. 3. renaming/deleting passkeys These routes allow changing the name of a key and deleting it. 4. checking if session is trusted for sensitive actions Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2025-05-30 07:11:34 +08:00 · 2023-10-11 14:36:54 -04:00
parent 90be6f304f
commit e3e73a3091
9 changed files with 592 additions and 19 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -1,7 +1,8 @@
 # frozen_string_literal: true

 class SessionController < ApplicationController
-  before_action :check_local_login_allowed, only: %i[create forgot_password]
+  before_action :check_local_login_allowed,
+                only: %i[create forgot_password passkey_challenge passkey_login]
  before_action :rate_limit_login, only: %i[create email_login]
  skip_before_action :redirect_to_login_if_required
  skip_before_action :preload_json,
@ -332,6 +333,34 @@ class SessionController < ApplicationController
    end
  end

+  def passkey_challenge
+    render json: DiscourseWebauthn.stage_challenge(current_user, secure_session)
+  end
+
+  def passkey_login
+    raise Discourse::NotFound unless SiteSetting.experimental_passkeys
+
+    params.require(:publicKeyCredential)
+
+    security_key =
+      ::DiscourseWebauthn::AuthenticationService.new(
+        nil,
+        params[:publicKeyCredential],
+        session: secure_session,
+        factor_type: UserSecurityKey.factor_types[:first_factor],
+      ).authenticate_security_key
+
+    user = User.where(id: security_key.user_id, active: true).first
+
+    if user.email_confirmed?
+      login(user, false)
+    else
+      not_activated(user)
+    end
+  rescue ::DiscourseWebauthn::SecurityKeyError => err
+    render_json_error(err.message, status: 401)
+  end
+
  def email_login_info
    token = params[:token]
    matched_token = EmailToken.confirmable(token, scope: EmailToken.scopes[:email_login])