WebAuthN auth

2023-11-05 01:12:02 +00:00
parent 45e4e9f5da
commit 092930a24f
33 changed files with 1123 additions and 463 deletions
--- a/lib/sso_bsn/accounts/user.ex
+++ b/lib/sso_bsn/accounts/user.ex
@@ -0,0 +1,60 @@
+defmodule SsoBsn.Accounts.User do
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  alias SsoBsn.Accounts.UserKey
+
+  schema "users" do
+    field :username, :string
+    field :confirmed_at, :naive_datetime
+
+    has_many :keys, UserKey
+
+    timestamps(type: :utc_datetime)
+  end
+
+  @doc """
+  A user changeset for registration.
+  """
+  def registration_changeset(user, attrs, _opts \\ []) do
+    user
+    |> cast(attrs, [:username])
+    |> validate_username()
+  end
+
+  def validate_username(changeset) do
+    changeset
+    |> validate_format(:username, ~r/^[a-zA-Z_0-9.-]+$/)
+    |> validate_length(:username, min: 3, max: 128)
+    |> unique_constraint(:username)
+  end
+
+  @doc """
+  A user changeset for changing the username.
+
+  It requires the username to change otherwise an error is added.
+  """
+  def username_changeset(user, attrs, _opts \\ []) do
+    user
+    |> cast(attrs, [:username])
+    |> validate_username()
+    |> case do
+      %{changes: %{username: _}} = changeset -> changeset
+      %{} = changeset -> add_error(changeset, :username, "did not change")
+    end
+  end
+
+  @doc """
+  Confirms the account by setting `confirmed_at`.
+  """
+  def confirm_changeset(user) do
+    now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
+    change(user, confirmed_at: now)
+  end
+
+
+  def add_key_changeset(user) do
+    user
+    |> Ecto.build_assoc(:keys)
+  end
+end
--- a/lib/sso_bsn/accounts/user_key.ex
+++ b/lib/sso_bsn/accounts/user_key.ex
@@ -0,0 +1,30 @@
+defmodule SsoBsn.Accounts.UserKey do
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  alias SsoBsn.Accounts.User
+
+  defmodule BinaryTerm do
+    use Ecto.Type
+    def type, do: :binary
+
+    def cast(term), do: {:ok, term}
+    def load(data) when is_binary(data), do: {:ok, :erlang.binary_to_term(data)}
+    def dump(term), do: {:ok, :erlang.term_to_binary(term)} |> dbg()
+  end
+  alias SsoBsn.Accounts.UserKey.BinaryTerm
+
+  schema "users_keys" do
+    field :key_id, :string
+    field :cose_key, BinaryTerm
+
+    belongs_to :user, User
+  end
+
+  def new(key, attrs) do
+    key
+    |> cast(attrs, [:key_id, :cose_key])
+  end
+
+end
+
--- a/lib/sso_bsn/accounts/user_token.ex
+++ b/lib/sso_bsn/accounts/user_token.ex
@@ -0,0 +1,83 @@
+defmodule SsoBsn.Accounts.UserToken do
+  use Ecto.Schema
+  import Ecto.Query
+  alias SsoBsn.Accounts.UserToken
+
+  @rand_size 32
+
+  @session_validity_in_days 60
+
+  schema "users_tokens" do
+    field :token, :binary
+    field :context, :string
+    field :sent_to, :string
+    belongs_to :user, SsoBsn.Accounts.User
+
+    timestamps(updated_at: false)
+  end
+
+  @doc """
+  Generates a token that will be stored in a signed place,
+  such as session or cookie. As they are signed, those
+  tokens do not need to be hashed.
+
+  The reason why we store session tokens in the database, even
+  though Phoenix already provides a session cookie, is because
+  Phoenix' default session cookies are not persisted, they are
+  simply signed and potentially encrypted. This means they are
+  valid indefinitely, unless you change the signing/encryption
+  salt.
+
+  Therefore, storing them allows individual user
+  sessions to be expired. The token system can also be extended
+  to store additional data, such as the device used for logging in.
+  You could then use this information to display all valid sessions
+  and devices in the UI and allow users to explicitly expire any
+  session they deem invalid.
+  """
+  def build_session_token(user) do
+    token = :crypto.strong_rand_bytes(@rand_size)
+     {token, %UserToken{token: token, context: "session", user_id: user.id}}
+  end
+
+  def build_login_token(user) do
+    token = Base.encode64(:crypto.strong_rand_bytes(@rand_size))
+    {token, %UserToken{token: token, context: "login", user_id: user.id}}
+  end
+
+  @doc """
+  Checks if the token is valid and returns its underlying lookup query.
+
+  The query returns the user found by the token, if any.
+
+  The token is valid if it matches the value in the database and it has
+  not expired (after @session_validity_in_days).
+  """
+  def verify_session_token_query(token) do
+    query =
+      from token in token_and_context_query(token, "session"),
+        join: user in assoc(token, :user),
+        where: token.inserted_at > ago(@session_validity_in_days, "day"),
+        select: user
+
+    {:ok, query}
+  end
+
+  @doc """
+  Returns the token struct for the given token value and context.
+  """
+  def token_and_context_query(token, context) do
+    from UserToken, where: [token: ^token, context: ^context]
+  end
+
+  @doc """
+  Gets all tokens for the given user for the given contexts.
+  """
+  def user_and_contexts_query(user, :all) do
+    from t in UserToken, where: t.user_id == ^user.id
+  end
+
+  def user_and_contexts_query(user, [_ | _] = contexts) do
+    from t in UserToken, where: t.user_id == ^user.id and t.context in ^contexts
+  end
+end