Add WebAuthn login support

Author: DJAndries

controllers/accounts.go

@@ -35,8 +35,8 @@ type AccountsController struct {
 type PasswordFinalizeResponse struct {
 	// Authentication token (only present if resetting/changing password)
 	AuthToken *string `json:"authToken"`
-	// Indicates to the client whether 2FA verification will be required before password setup is complete
-	RequiresTwoFA bool `json:"requiresTwoFA"`
+	// Two-factor authentication options available for this account
+	TwoFAOptions *services.TwoFAOptions `json:"twoFAOptions"`
 	// Indicates to the client whether email verification will be required before password setup is complete
 	RequiresEmailVerification bool `json:"requiresEmailVerification"`
 	// Indicates to the client that sessions were invalidated (only applicable when changing password)
@@ -507,13 +507,23 @@ func (ac *AccountsController) SetupPasswordFinalize(w http.ResponseWriter, r *ht
 		}
 	}
 
-	render.Status(r, http.StatusOK)
-	render.JSON(w, r, &PasswordFinalizeResponse{
+	response := &PasswordFinalizeResponse{
 		AuthToken:                 authToken,
-		RequiresTwoFA:             registrationState.IsTwoFAEnabled(),
 		RequiresEmailVerification: verification.Intent == datastore.RegistrationIntent,
 		SessionsInvalidated:       sessionsInvalidated,
-	})
+	}
+
+	if registrationState.IsTwoFAEnabled() {
+		twoFAOptions, err := ac.twoFAService.PrepareChallenge(registrationState)
+		if err != nil {
+			util.RenderErrorResponse(w, r, http.StatusInternalServerError, err)
+			return
+		}
+		response.TwoFAOptions = twoFAOptions
+	}
+
+	render.Status(r, http.StatusOK)
+	render.JSON(w, r, response)
 }
 
 // @Summary Finalize password setup with 2FA
@@ -556,7 +566,10 @@ func (ac *AccountsController) SetupPasswordFinalize2FA(w http.ResponseWriter, r
 	}
 
 	if err := ac.twoFAService.ProcessChallenge(registrationState, &requestData); err != nil {
-		if errors.Is(err, util.ErrBadTOTPCode) || errors.Is(err, util.ErrBadRecoveryKey) {
+		if errors.Is(err, util.ErrBadTOTPCode) ||
+			errors.Is(err, util.ErrBadRecoveryKey) ||
+			errors.Is(err, util.ErrTOTPCodeAlreadyUsed) ||
+			errors.Is(err, util.ErrBadWebAuthnResponse) {
 			util.RenderErrorResponse(w, r, http.StatusUnauthorized, err)
 			return
 		}

controllers/accounts_test.go

@@ -339,7 +339,7 @@ func (suite *AccountsTestSuite) TestRegistration() {
 	util.DecodeJSONTestResponse(suite.T(), resp.Body, &parsedFinalizeResp)
 	suite.Nil(parsedFinalizeResp.AuthToken) // No auth token until email is verified
 	suite.True(parsedFinalizeResp.RequiresEmailVerification)
-	suite.False(parsedFinalizeResp.RequiresTwoFA)
+	suite.Nil(parsedFinalizeResp.TwoFAOptions)
 	suite.False(parsedFinalizeResp.SessionsInvalidated)
 
 	// Verify account was created but not verified
@@ -490,7 +490,7 @@ func (suite *AccountsTestSuite) TestChangePassword() {
 
 		var changeFinalizeResp controllers.PasswordFinalizeResponse
 		util.DecodeJSONTestResponse(suite.T(), resp.Body, &changeFinalizeResp)
-		suite.False(changeFinalizeResp.RequiresTwoFA)
+		suite.Nil(changeFinalizeResp.TwoFAOptions)
 		suite.False(changeFinalizeResp.RequiresEmailVerification)
 		suite.Equal(sessionInvalidation, changeFinalizeResp.SessionsInvalidated)
 

controllers/auth.go

@@ -69,8 +69,8 @@ type LoginFinalizeRequest struct {
 type LoginFinalizeResponse struct {
 	// Authentication token for future requests
 	AuthToken *string `json:"authToken"`
-	// Indicates if 2FA verification is required before authentication is complete
-	RequiresTwoFA bool `json:"requiresTwoFA"`
+	// Two-factor authentication options available for this account
+	TwoFAOptions *services.TwoFAOptions `json:"twoFAOptions"`
 }
 
 // @Description	Response containing validated token details
@@ -398,10 +398,16 @@ func (ac *AuthController) LoginFinalize(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	response := LoginFinalizeResponse{
-		RequiresTwoFA: loginState.IsTwoFAEnabled(),
-	}
-	if !loginState.IsTwoFAEnabled() {
+	response := LoginFinalizeResponse{}
+
+	if loginState.IsTwoFAEnabled() {
+		twoFAOptions, err := ac.twoFAService.PrepareChallenge(loginState)
+		if err != nil {
+			util.RenderErrorResponse(w, r, http.StatusInternalServerError, err)
+			return
+		}
+		response.TwoFAOptions = twoFAOptions
+	} else {
 		// Create a session and return an auth token
 		authToken, err := ac.createSessionAndToken(*loginState.AccountID, r.UserAgent())
 		if err != nil {
@@ -463,7 +469,10 @@ func (ac *AuthController) LoginFinalize2FA(w http.ResponseWriter, r *http.Reques
 
 	// Process the 2FA authentication request
 	if err := ac.twoFAService.ProcessChallenge(loginState, &requestData); err != nil {
-		if errors.Is(err, util.ErrBadTOTPCode) || errors.Is(err, util.ErrBadRecoveryKey) || errors.Is(err, util.ErrTOTPCodeAlreadyUsed) {
+		if errors.Is(err, util.ErrBadTOTPCode) ||
+			errors.Is(err, util.ErrBadRecoveryKey) ||
+			errors.Is(err, util.ErrTOTPCodeAlreadyUsed) ||
+			errors.Is(err, util.ErrBadWebAuthnResponse) {
 			util.RenderErrorResponse(w, r, http.StatusUnauthorized, err)
 			return
 		}

controllers/auth_test.go

@@ -2,6 +2,7 @@ package controllers_test
 
 import (
 	"encoding/hex"
+	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -13,7 +14,9 @@ import (
 	"github.com/brave/accounts/services"
 	"github.com/brave/accounts/util"
 	"github.com/bytemare/opaque"
+	"github.com/descope/virtualwebauthn"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/pquerna/otp"
@@ -27,6 +30,7 @@ type AuthTestSuite struct {
 	ds            *datastore.Datastore
 	keyServiceDs  *datastore.Datastore
 	jwtService    *services.JWTService
+	twoFAService  *services.TwoFAService
 	account       *datastore.Account
 	controller    *controllers.AuthController
 	router        *chi.Mux
@@ -65,8 +69,8 @@ func (suite *AuthTestSuite) SetupTest() {
 	suite.Require().NoError(err)
 	opaqueService, err := services.NewOpaqueService(suite.ds, false)
 	suite.Require().NoError(err)
-	twoFAService := services.NewTwoFAService(suite.ds, false)
-	suite.controller = controllers.NewAuthController(opaqueService, suite.jwtService, twoFAService, suite.ds, &MockSESService{})
+	suite.twoFAService = services.NewTwoFAService(suite.ds, false)
+	suite.controller = controllers.NewAuthController(opaqueService, suite.jwtService, suite.twoFAService, suite.ds, &MockSESService{})
 
 	suite.account, err = suite.ds.GetOrCreateAccount("test@example.com")
 	suite.Require().NoError(err)
@@ -245,7 +249,7 @@ func (suite *AuthTestSuite) performLoginSteps() (*controllers.LoginFinalizeRespo
 func (suite *AuthTestSuite) TestAuthLogin() {
 	finalizeResp, _ := suite.performLoginSteps()
 	suite.NotEmpty(finalizeResp.AuthToken)
-	suite.False(finalizeResp.RequiresTwoFA)
+	suite.Nil(finalizeResp.TwoFAOptions)
 
 	req := httptest.NewRequest("GET", "/v2/auth/validate", nil)
 	req.Header.Add("Authorization", "Bearer "+*finalizeResp.AuthToken)
@@ -484,7 +488,9 @@ func (suite *AuthTestSuite) TestAuth2FAWithTOTPCode() {
 	finalizeResp, loginToken := suite.performLoginSteps()
 
 	// Verify we need 2FA
-	suite.True(finalizeResp.RequiresTwoFA)
+	suite.Require().NotNil(finalizeResp.TwoFAOptions)
+	suite.True(finalizeResp.TwoFAOptions.TOTPEnabled)
+	suite.Nil(finalizeResp.TwoFAOptions.WebAuthnRequest)
 	suite.Nil(finalizeResp.AuthToken)
 
 	// Try using invalid TOTP code first
@@ -520,7 +526,9 @@ func (suite *AuthTestSuite) TestAuth2FAWithTOTPCode() {
 
 	// Perform login steps again to get a new login state
 	finalizeResp, loginToken = suite.performLoginSteps()
-	suite.True(finalizeResp.RequiresTwoFA)
+	suite.Require().NotNil(finalizeResp.TwoFAOptions)
+	suite.True(finalizeResp.TwoFAOptions.TOTPEnabled)
+	suite.Nil(finalizeResp.TwoFAOptions.WebAuthnRequest)
 	suite.Nil(finalizeResp.AuthToken)
 
 	// Try to reuse the same code with the new login state
@@ -541,6 +549,7 @@ func (suite *AuthTestSuite) TestAuth2FAWithTOTPCode() {
 	account, err := suite.ds.GetOrCreateAccount(suite.account.Email)
 	suite.Require().NoError(err)
 	suite.True(account.TOTPEnabled)
+	suite.False(account.WebAuthnEnabled)
 	suite.NotNil(account.RecoveryKeyHash)
 }
 
@@ -568,7 +577,9 @@ func (suite *AuthTestSuite) TestAuth2FAWithRecoveryKey() {
 	finalizeResp, loginToken := suite.performLoginSteps()
 
 	// Verify we need 2FA
-	suite.True(finalizeResp.RequiresTwoFA)
+	suite.Require().NotNil(finalizeResp.TwoFAOptions)
+	suite.True(finalizeResp.TwoFAOptions.TOTPEnabled)
+	suite.Nil(finalizeResp.TwoFAOptions.WebAuthnRequest)
 	suite.Nil(finalizeResp.AuthToken)
 
 	// Test 2FA with bad recovery key
@@ -606,10 +617,11 @@ func (suite *AuthTestSuite) TestAuth2FAWithRecoveryKey() {
 	account, err := suite.ds.GetOrCreateAccount(suite.account.Email)
 	suite.Require().NoError(err)
 	suite.False(account.TOTPEnabled)
+	suite.False(account.WebAuthnEnabled)
 	suite.Nil(account.RecoveryKeyHash)
 
 	finalizeResp, _ = suite.performLoginSteps()
-	suite.False(finalizeResp.RequiresTwoFA)
+	suite.Nil(finalizeResp.TwoFAOptions)
 	suite.NotNil(finalizeResp.AuthToken)
 
 	validateReq = httptest.NewRequest("GET", "/v2/auth/validate", nil)
@@ -618,6 +630,78 @@ func (suite *AuthTestSuite) TestAuth2FAWithRecoveryKey() {
 	suite.Equal(http.StatusOK, validateResp.Code)
 }
 
+func (suite *AuthTestSuite) TestAuth2FAWithWebAuthn() {
+	// Add a WebAuthn credential for the account
+	authenticator := virtualwebauthn.NewAuthenticator()
+	registeredCredential := addWebAuthnCredential(suite.T(), suite.twoFAService, suite.ds, authenticator, suite.account, "YubiKey 5C")
+
+	// Create an unregistered credential for testing failure case
+	unregisteredCredential := virtualwebauthn.NewCredential(virtualwebauthn.KeyTypeEC2)
+
+	// Perform login initialization and finalization
+	finalizeResp, loginToken := suite.performLoginSteps()
+
+	// Verify we need 2FA
+	suite.Require().NotNil(finalizeResp.TwoFAOptions)
+	suite.Require().NotNil(finalizeResp.TwoFAOptions.WebAuthnRequest)
+	suite.Nil(finalizeResp.AuthToken)
+
+	// Try with unregistered credential first
+	rp := createWebAuthnRelyingParty()
+
+	assertionOptionsJSON, err := json.Marshal(finalizeResp.TwoFAOptions.WebAuthnRequest)
+	suite.Require().NoError(err)
+
+	parsedAssertionOptions, err := virtualwebauthn.ParseAssertionOptions(string(assertionOptionsJSON))
+	suite.Require().NoError(err)
+
+	// Use unregistered credential - should fail
+	unregisteredAssertionResponse := virtualwebauthn.CreateAssertionResponse(rp, authenticator, unregisteredCredential, *parsedAssertionOptions)
+
+	var unregisteredWebAuthnResponse protocol.CredentialAssertionResponse
+	err = json.Unmarshal([]byte(unregisteredAssertionResponse), &unregisteredWebAuthnResponse)
+	suite.Require().NoError(err)
+
+	invalidRequest := services.TwoFAAuthRequest{
+		WebAuthnResponse: &unregisteredWebAuthnResponse,
+	}
+	req := util.CreateJSONTestRequest("/v2/auth/login/finalize_2fa", invalidRequest)
+	req.Header.Set("Authorization", "Bearer "+loginToken)
+	resp := util.ExecuteTestRequest(req, suite.router)
+
+	// Should get unauthorized with unregistered credential
+	suite.Equal(http.StatusUnauthorized, resp.Code)
+	util.AssertErrorResponseCode(suite.T(), resp, util.ErrBadWebAuthnResponse.Code)
+
+	// Now use the registered credential - should succeed
+	registeredAssertionResponse := virtualwebauthn.CreateAssertionResponse(rp, authenticator, registeredCredential, *parsedAssertionOptions)
+
+	var registeredWebAuthnResponse protocol.CredentialAssertionResponse
+	err = json.Unmarshal([]byte(registeredAssertionResponse), &registeredWebAuthnResponse)
+	suite.Require().NoError(err)
+
+	validRequest := services.TwoFAAuthRequest{
+		WebAuthnResponse: &registeredWebAuthnResponse,
+	}
+	req = util.CreateJSONTestRequest("/v2/auth/login/finalize_2fa", validRequest)
+	req.Header.Set("Authorization", "Bearer "+loginToken)
+	resp = util.ExecuteTestRequest(req, suite.router)
+
+	// Should succeed with registered credential
+	suite.Equal(http.StatusOK, resp.Code)
+
+	var parsedTwoFAResp controllers.LoginFinalize2FAResponse
+	util.DecodeJSONTestResponse(suite.T(), resp.Body, &parsedTwoFAResp)
+	suite.NotEmpty(parsedTwoFAResp.AuthToken)
+	suite.False(parsedTwoFAResp.TwoFADisabled)
+
+	// Verify the auth token works
+	validateReq := httptest.NewRequest("GET", "/v2/auth/validate", nil)
+	validateReq.Header.Add("Authorization", "Bearer "+parsedTwoFAResp.AuthToken)
+	validateResp := util.ExecuteTestRequest(validateReq, suite.router)
+	suite.Equal(http.StatusOK, validateResp.Code)
+}
+
 func TestAuthTestSuite(t *testing.T) {
 	t.Run("NoKeyService", func(t *testing.T) {
 		suite.Run(t, NewAuthTestSuite(false))