remove Webauthn client creation from authentication middleware

briskt · briskt · commit 270f825f3e1b · 2025-04-14T16:53:46.000+08:00
diff --git a/fixtures_test.go b/fixtures_test.go
@@ -60,14 +60,13 @@ func getTestWebauthnUsers(ms *MfaSuite, config baseTestConfig) []WebauthnUser {
 	apiKey2.Secret = "E286600E-3DBF-4C23-A0DA-9C55D448"
 
 	testUser0 := WebauthnUser{
-		ID:             apiKey0.Secret,
-		Name:           "Nancy_NoCredential",
-		DisplayName:    "Nancy NoCredential",
-		Store:          config.Storage,
-		WebAuthnClient: config.WebAuthnClient,
-		ApiKey:         apiKey0,
-		ApiKeyValue:    apiKey0.Key,
-		Credentials:    []webauthn.Credential{},
+		ID:          apiKey0.Secret,
+		Name:        "Nancy_NoCredential",
+		DisplayName: "Nancy NoCredential",
+		Store:       config.Storage,
+		ApiKey:      apiKey0,
+		ApiKeyValue: apiKey0.Key,
+		Credentials: []webauthn.Credential{},
 	}
 
 	testUser1 := testUser0
diff --git a/user.go b/user.go
@@ -53,23 +53,21 @@ type WebauthnUser struct {
 	Credentials          []webauthn.Credential `dynamodbav:"-" json:"-"`
 	EncryptedCredentials []byte                `dynamodbav:"EncryptedCredentials" json:"EncryptedCredentials,omitempty"`
 
-	WebAuthnClient *webauthn.WebAuthn `dynamodbav:"-" json:"-"`
-	Name           string             `dynamodbav:"-" json:"-"`
-	DisplayName    string             `dynamodbav:"-" json:"-"`
-	Icon           string             `dynamodbav:"-" json:"-"`
+	Name        string `dynamodbav:"-" json:"-"`
+	DisplayName string `dynamodbav:"-" json:"-"`
+	Icon        string `dynamodbav:"-" json:"-"`
 }
 
 // NewWebauthnUser creates a new WebauthnUser from API input data, a storage client and a Webauthn client.
-func NewWebauthnUser(apiConfig ApiMeta, storage *Storage, apiKey ApiKey, webAuthnClient *webauthn.WebAuthn) WebauthnUser {
+func NewWebauthnUser(apiConfig ApiMeta, storage *Storage, apiKey ApiKey) WebauthnUser {
 	u := WebauthnUser{
-		ID:             apiConfig.UserUUID,
-		Name:           apiConfig.Username,
-		DisplayName:    apiConfig.UserDisplayName,
-		Icon:           apiConfig.UserIcon,
-		Store:          storage,
-		WebAuthnClient: webAuthnClient,
-		ApiKey:         apiKey,
-		ApiKeyValue:    apiKey.Key,
+		ID:          apiConfig.UserUUID,
+		Name:        apiConfig.Username,
+		DisplayName: apiConfig.UserDisplayName,
+		Icon:        apiConfig.UserIcon,
+		Store:       storage,
+		ApiKey:      apiKey,
+		ApiKeyValue: apiKey.Key,
 	}
 
 	if u.ID == "" {
@@ -268,18 +266,14 @@ func (u *WebauthnUser) Delete() error {
 
 // BeginRegistration processes the first half of the Webauthn Registration flow for the user and returns the
 // CredentialCreation data to pass back to the client. User session data is saved in the database.
-func (u *WebauthnUser) BeginRegistration() (*protocol.CredentialCreation, error) {
-	if u.WebAuthnClient == nil {
-		return nil, fmt.Errorf("webauthnUser, %s, missing WebAuthClient in BeginRegistration", u.Name)
-	}
-
+func (u *WebauthnUser) BeginRegistration(client *webauthn.WebAuthn) (*protocol.CredentialCreation, error) {
 	rrk := false
 	authSelection := protocol.AuthenticatorSelection{
 		RequireResidentKey: &rrk,
 		UserVerification:   protocol.VerificationDiscouraged,
 	}
 
-	options, sessionData, err := u.WebAuthnClient.BeginRegistration(u, webauthn.WithAuthenticatorSelection(authSelection))
+	options, sessionData, err := client.BeginRegistration(u, webauthn.WithAuthenticatorSelection(authSelection))
 	if err != nil {
 		return &protocol.CredentialCreation{}, fmt.Errorf("failed to begin registration: %w", err)
 	}
@@ -295,7 +289,7 @@ func (u *WebauthnUser) BeginRegistration() (*protocol.CredentialCreation, error)
 // FinishRegistration processes the last half of the Webauthn Registration flow for the user and returns the
 // key_handle_hash to pass back to the client. The client should store this value for later use. User session data is
 // cleared from the database.
-func (u *WebauthnUser) FinishRegistration(r *http.Request) (string, error) {
+func (u *WebauthnUser) FinishRegistration(r *http.Request, client *webauthn.WebAuthn) (string, error) {
 	if r.Body == nil {
 		return "", fmt.Errorf("request Body may not be nil in FinishRegistration")
 	}
@@ -312,7 +306,7 @@ func (u *WebauthnUser) FinishRegistration(r *http.Request) (string, error) {
 		return "", fmt.Errorf("unable to parse credential creation response body: %w", err)
 	}
 
-	credential, err := u.WebAuthnClient.CreateCredential(u, u.SessionData, parsedResponse)
+	credential, err := client.CreateCredential(u, u.SessionData, parsedResponse)
 	if err != nil {
 		logProtocolError("unable to create credential", err)
 		return "", fmt.Errorf("unable to create credential: %w", err)
@@ -330,7 +324,7 @@ func (u *WebauthnUser) FinishRegistration(r *http.Request) (string, error) {
 
 // BeginLogin processes the first half of the Webauthn Authentication flow for the user and returns the
 // CredentialAssertion data to pass back to the client. User session data is saved in the database.
-func (u *WebauthnUser) BeginLogin() (*protocol.CredentialAssertion, error) {
+func (u *WebauthnUser) BeginLogin(client *webauthn.WebAuthn) (*protocol.CredentialAssertion, error) {
 	extensions := protocol.AuthenticationExtensions{}
 	if u.EncryptedAppId != "" {
 		appid, err := u.ApiKey.DecryptLegacy([]byte(u.EncryptedAppId))
@@ -340,7 +334,7 @@ func (u *WebauthnUser) BeginLogin() (*protocol.CredentialAssertion, error) {
 		extensions["appid"] = string(appid)
 	}
 
-	options, sessionData, err := u.WebAuthnClient.BeginLogin(u, webauthn.WithAssertionExtensions(extensions), webauthn.WithUserVerification(protocol.VerificationDiscouraged))
+	options, sessionData, err := client.BeginLogin(u, webauthn.WithAssertionExtensions(extensions), webauthn.WithUserVerification(protocol.VerificationDiscouraged))
 	if err != nil {
 		return &protocol.CredentialAssertion{}, err
 	}
@@ -356,7 +350,7 @@ func (u *WebauthnUser) BeginLogin() (*protocol.CredentialAssertion, error) {
 
 // FinishLogin processes the last half of the Webauthn Authentication flow for the user and returns the
 // Credential data to pass back to the client. User session data is untouched by this function.
-func (u *WebauthnUser) FinishLogin(r *http.Request) (*webauthn.Credential, error) {
+func (u *WebauthnUser) FinishLogin(r *http.Request, client *webauthn.WebAuthn) (*webauthn.Credential, error) {
 	if r.Body == nil {
 		return nil, fmt.Errorf("request Body may not be nil in FinishLogin")
 	}
@@ -383,14 +377,14 @@ func (u *WebauthnUser) FinishLogin(r *http.Request) (*webauthn.Credential, error
 		}
 
 		appIdHash := sha256.Sum256(appid)
-		rpIdHash := sha256.Sum256([]byte(u.WebAuthnClient.Config.RPID))
+		rpIdHash := sha256.Sum256([]byte(client.Config.RPID))
 
 		if fmt.Sprintf("%x", parsedResponse.Response.AuthenticatorData.RPIDHash) == fmt.Sprintf("%x", appIdHash) {
 			parsedResponse.Response.AuthenticatorData.RPIDHash = rpIdHash[:]
 		}
 	}
 
-	credential, err := u.WebAuthnClient.ValidateLogin(u, u.SessionData, parsedResponse)
+	credential, err := client.ValidateLogin(u, u.SessionData, parsedResponse)
 	if err != nil {
 		logProtocolError("failed to validate login", err)
 		return &webauthn.Credential{}, fmt.Errorf("failed to validate login: %w", err)
diff --git a/webauthn.go b/webauthn.go
@@ -62,7 +62,13 @@ func BeginRegistration(w http.ResponseWriter, r *http.Request) {
 		user.ID = uuid.NewV4().String()
 	}
 
-	options, err := user.BeginRegistration()
+	client, err := getWebauthnClient(r)
+	if err != nil {
+		jsonResponse(w, err, http.StatusInternalServerError)
+		return
+	}
+
+	options, err := user.BeginRegistration(client)
 	if err != nil {
 		jsonResponse(w, fmt.Sprintf("failed to begin registration: %s", err), http.StatusBadRequest)
 		return
@@ -85,7 +91,12 @@ func FinishRegistration(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	keyHandleHash, err := user.FinishRegistration(r)
+	client, err := getWebauthnClient(r)
+	if err != nil {
+		jsonResponse(w, err, http.StatusInternalServerError)
+	}
+
+	keyHandleHash, err := user.FinishRegistration(r, client)
 	if err != nil {
 		jsonResponse(w, err, http.StatusBadRequest)
 		return
@@ -108,7 +119,12 @@ func BeginLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	options, err := user.BeginLogin()
+	client, err := getWebauthnClient(r)
+	if err != nil {
+		jsonResponse(w, err, http.StatusInternalServerError)
+		return
+	}
+	options, err := user.BeginLogin(client)
 	if err != nil {
 		jsonResponse(w, err, http.StatusBadRequest)
 		log.Printf("error beginning user login: %s\n", err)
@@ -128,7 +144,12 @@ func FinishLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	credential, err := user.FinishLogin(r)
+	client, err := getWebauthnClient(r)
+	if err != nil {
+		jsonResponse(w, err, http.StatusInternalServerError)
+	}
+
+	credential, err := user.FinishLogin(r, client)
 	if err != nil {
 		jsonResponse(w, err, http.StatusBadRequest)
 		log.Printf("error finishing user login	: %s\n", err)
@@ -245,8 +266,23 @@ func fixEncoding(content []byte) io.Reader {
 	return bytes.NewReader([]byte(fixStringEncoding(allStr)))
 }
 
-// getWebAuthnFromApiMeta creates a new WebAuthn object from the metadata provided in a web request. Typically used in
-// the API authentication phase, early in the handler or in a middleware.
+// getWebauthnClient creates a new webauthn client from the request metadata
+func getWebauthnClient(r *http.Request) (*webauthn.WebAuthn, error) {
+	// apiMeta includes info about the user and webauthn config
+	apiMeta, err := getApiMetaFromRequest(r)
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve API meta information from request: %w", err)
+	}
+
+	webAuthnClient, err := getWebAuthnFromApiMeta(apiMeta)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create webauthn client from api meta config: %w", err)
+	}
+
+	return webAuthnClient, nil
+}
+
+// getWebAuthnFromApiMeta creates a new WebAuthn object from the metadata provided in a web request.
 func getWebAuthnFromApiMeta(meta ApiMeta) (*webauthn.WebAuthn, error) {
 	web, err := webauthn.New(&webauthn.Config{
 		RPDisplayName: meta.RPDisplayName,      // Display Name for your site
@@ -261,8 +297,7 @@ func getWebAuthnFromApiMeta(meta ApiMeta) (*webauthn.WebAuthn, error) {
 	return web, nil
 }
 
-// getApiMetaFromRequest creates an ApiMeta object from request headers, including basic validation checks. Used during
-// API authentication.
+// getApiMetaFromRequest creates an ApiMeta object from request headers, including basic validation checks.
 func getApiMetaFromRequest(r *http.Request) (ApiMeta, error) {
 	meta := ApiMeta{
 		RPDisplayName:   r.Header.Get("x-mfa-RPDisplayName"),
@@ -356,12 +391,7 @@ func AuthenticateRequest(r *http.Request) (*WebauthnUser, error) {
 		return nil, fmt.Errorf("unable to retrieve API meta information from request: %w", err)
 	}
 
-	webAuthnClient, err := getWebAuthnFromApiMeta(apiMeta)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create webauthn client from api meta config: %w", err)
-	}
-
-	user := NewWebauthnUser(apiMeta, localStorage, apiKey, webAuthnClient)
+	user := NewWebauthnUser(apiMeta, localStorage, apiKey)
 
 	// If this user exists (api key value is not empty), make sure the calling API Key owns the user and is allowed to operate on it
 	if user.ApiKeyValue != "" && user.ApiKeyValue != apiKey.Key {
diff --git a/webauthn_test.go b/webauthn_test.go
