feat: パスキーに対応
u1-liquid committed Aug 19, 2023
1 parent 755d841 commit 76d86c2
Showing 42 changed files with 801 additions and 1,052 deletions.
1 change: 0 additions & 1 deletion locales/de-DE.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "Dein Browser unterstützt keine Security-Tokens."
registerTOTPBeforeKey: "Um einen Security-Token oder einen Passkey zu registrieren, musst du zuerst eine Authentifizierungs-App registrieren."
securityKeyInfo: "Du kannst neben Fingerabdruck- oder PIN-Authentifizierung auf deinem Gerät auch Anmeldung mit Hilfe eines FIDO2-kompatiblen Hardware-Sicherheitsschlüssels einrichten."
chromePasskeyNotSupported: "Chrome-Passkeys werden zur Zeit nicht unterstützt."
registerSecurityKey: "Security-Token oder Passkey registrieren"
securityKeyName: "Schlüsselname eingeben"
tapSecurityKey: "Bitten folge den Anweisungen deines Browsers zur Registrierung"
2 changes: 1 addition & 1 deletion locales/en-US.yml
@@ -413,6 +413,7 @@ token: "Token"
2fa: "Two-factor authentication"
totp: "Authenticator App"
totpDescription: "Use an authenticator app to enter one-time passwords"
useSecurityKey: "Please use the security key or passkey according to the browser or device instructions."
moderator: "Moderator"
moderation: "Moderation"
nUsersMentioned: "Mentioned by {n} users"
@@ -1693,7 +1694,6 @@ _2fa:
securityKeyNotSupported: "Your browser does not support security keys."
registerTOTPBeforeKey: "Please set up an authenticator app to register a security or pass key."
securityKeyInfo: "Besides fingerprint or PIN authentication, you can also setup authentication via hardware security keys that support FIDO2 to further secure your account."
chromePasskeyNotSupported: "Chrome passkeys are currently not supported."
registerSecurityKey: "Register a security or pass key"
securityKeyName: "Enter a key name"
tapSecurityKey: "Please follow your browser to register the security or pass key"
1 change: 0 additions & 1 deletion locales/es-ES.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "Tu navegador no soporta claves de autenticación."
registerTOTPBeforeKey: "Please set up an authenticator app to register a security or pass key.\npor favor. configura una aplicación de autenticación para registrar una llave de seguridad."
securityKeyInfo: "Se puede configurar el inicio de sesión usando una clave de seguridad de hardware que soporte FIDO2 o con un certificado de huella digital o con un PIN"
chromePasskeyNotSupported: "Las llaves de seguridad de Chrome no son soportadas por el momento."
registerSecurityKey: "Registrar una llave de seguridad"
securityKeyName: "Ingresa un nombre para la clave"
tapSecurityKey: "Por favor, sigue tu navegador para registrar una llave de seguridad"
1 change: 0 additions & 1 deletion locales/id-ID.yml
@@ -1660,7 +1660,6 @@ _2fa:
securityKeyNotSupported: "Peramban kamu tidak mendukung security key."
registerTOTPBeforeKey: "Mohon atur aplikasi autentikator untuk mendaftarkan security key atau passkey."
securityKeyInfo: "Kamu dapat memasang otentikasi WebAuthN untuk mengamankan proses login lebih lanjut dengan tidak hanya perangkat keras kunci keamanan yang mendukung FIDO2, namun juga sidik jari atau otentikasi PIN pada perangkatmu."
chromePasskeyNotSupported: "Passkey Chrome saat ini tidak didukung."
registerSecurityKey: "Daftarkan security key atau passkey."
securityKeyName: "Masukkan nama key."
tapSecurityKey: "Mohon ikuti peramban kamu untuk mendaftarkan security key atau passkey"
2 changes: 1 addition & 1 deletion locales/index.d.ts
@@ -416,6 +416,7 @@ export interface Locale {
"2fa": string;
"totp": string;
"totpDescription": string;
"useSecurityKey": string;
"moderator": string;
"moderation": string;
"nUsersMentioned": string;
@@ -1824,7 +1825,6 @@ export interface Locale {
"securityKeyNotSupported": string;
"registerTOTPBeforeKey": string;
"securityKeyInfo": string;
"chromePasskeyNotSupported": string;
"registerSecurityKey": string;
"securityKeyName": string;
"tapSecurityKey": string;
1 change: 0 additions & 1 deletion locales/it-IT.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "Il tuo browser non supporta le chiavi di sicurezza."
registerTOTPBeforeKey: "Ti occorre un'app di autenticazione con OTP, prima di registrare la chiave di sicurezza."
securityKeyInfo: "È possibile impostare il dispositivo per accedere utilizzando una chiave di sicurezza hardware che supporta FIDO2 o un'impronta digitale o un PIN sul dispositivo."
chromePasskeyNotSupported: "Le passkey di Chrome non sono attualmente supportate."
registerSecurityKey: "Registra la chiave di sicurezza"
securityKeyName: "Inserisci il nome della chiave"
tapSecurityKey: "Segui le istruzioni del browser e registra la chiave di sicurezza."
2 changes: 1 addition & 1 deletion locales/ja-JP.yml
@@ -413,6 +413,7 @@ token: "確認コード"
2fa: "二要素認証"
totp: "認証アプリ"
totpDescription: "認証アプリを使ってワンタイムパスワードを入力"
useSecurityKey: "ブラウザまたはデバイスの指示に従って、セキュリティキーまたはパスキーを使用してください。"
moderator: "モデレーター"
moderation: "モデレーション"
nUsersMentioned: "{n}人が投稿"
@@ -1742,7 +1743,6 @@ _2fa:
securityKeyNotSupported: "お使いのブラウザはセキュリティキーに対応していません。"
registerTOTPBeforeKey: "セキュリティキー・パスキーを登録するには、まず認証アプリの設定を行なってください。"
securityKeyInfo: "FIDO2をサポートするハードウェアセキュリティキー、端末の生体認証やPINロック、パスキーといった、WebAuthn由来の鍵を登録します。"
chromePasskeyNotSupported: "Chromeのパスキーは現在サポートしていません。"
registerSecurityKey: "セキュリティキー・パスキーを登録する"
securityKeyName: "キーの名前を入力"
tapSecurityKey: "ブラウザの指示に従い、セキュリティキーやパスキーを登録してください"
1 change: 0 additions & 1 deletion locales/ja-KS.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "今使とるブラウザはセキュリティキーに対応してへんのやってさ。"
registerTOTPBeforeKey: "セキュリティキー・パスキーを登録するんやったら、まず認証アプリを設定してーな。"
securityKeyInfo: "FIDO2をサポートするハードウェアセキュリティキーか端末の指紋認証やPINを使ってログインするように設定できるで。"
chromePasskeyNotSupported: "Chromeのパスキーは今んとこ対応してないねん。"
registerSecurityKey: "セキュリティキー・パスキーを登録するわ"
securityKeyName: "キーの名前を入れてーや"
tapSecurityKey: "ブラウザが言うこと聞いて、セキュリティキーとかパスキー登録しといでや"
2 changes: 1 addition & 1 deletion locales/ko-KR.yml
@@ -412,6 +412,7 @@ token: "토큰"
2fa: "2단계 인증"
totp: "인증 앱"
totpDescription: "인증 앱을 사용하여 일회성 비밀번호 입력"
useSecurityKey: "브라우저 또는 장치의 안내에 따라 보안 키 또는 패스키를 사용해 주세요."
moderator: "모더레이터"
moderation: "모더레이션"
nUsersMentioned: "{n}명이 언급함"
@@ -1685,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "이 브라우저는 보안 키를 지원하지 않습니다."
registerTOTPBeforeKey: "보안 키 또는 패스키를 등록하려면 인증 앱을 등록하십시오."
securityKeyInfo: "FIDO2를 지원하는 하드웨어 보안 키 혹은 디바이스의 지문인식이나 화면잠금 PIN을 이용해서 로그인하도록 설정할 수 있습니다."
chromePasskeyNotSupported: "현재 Chrome의 패스키는 지원되지 않습니다."
registerSecurityKey: "보안 키 또는 패스키 등록"
securityKeyName: "키 이름 입력"
tapSecurityKey: "브라우저의 지시에 따라 보안 키 또는 패스키를 등록하여 주십시오"
1 change: 0 additions & 1 deletion locales/ru-RU.yml
@@ -1576,7 +1576,6 @@ _2fa:
securityKeyNotSupported: "Ваш браузер не поддерживает ключи безопасности."
registerTOTPBeforeKey: "Чтобы зарегистрировать ключ безопасности и пароль, сначала настройте приложение аутентификации."
securityKeyInfo: "Вы можете настроить вход с помощью аппаратного ключа безопасности, поддерживающего FIDO2, или отпечатка пальца или PIN-кода на устройстве."
chromePasskeyNotSupported: "В настоящее время Chrome не поддерживает пароль-ключи."
registerSecurityKey: "Зарегистрируйте ключ безопасности ・Passkey"
securityKeyName: "Введите имя для ключа"
tapSecurityKey: "Пожалуйста, следуйте инструкциям в вашем браузере, чтобы зарегистрировать свой ключ безопасности или пароль"
1 change: 0 additions & 1 deletion locales/th-TH.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "เบราว์เซอร์ของคุณไม่รองรับคีย์ความปลอดภัยนะ"
registerTOTPBeforeKey: "กรุณาตั้งค่าแอปยืนยันตัวตนเพื่อลงทะเบียนรหัสความปลอดภัยหรือรหัสผ่าน"
securityKeyInfo: "นอกจากนี้การตรวจสอบความถูกต้องด้วยลายนิ้วมือหรือ PIN แล้ว คุณยังสามารถตั้งค่าการตรวจสอบสิทธิ์ผ่านคีย์ความปลอดภัยของฮาร์ดแวร์ที่รองรับ FIDO2 เพื่อเพิ่มความปลอดภัยให้กับบัญชีของคุณ"
chromePasskeyNotSupported: "ขณะนี้ยังไม่รองรับรหัสผ่านของ Chrome"
registerSecurityKey: "ลงทะเบียนรหัสความปลอดภัยหรือรหัสผ่าน"
securityKeyName: "ป้อนชื่อคีย์"
tapSecurityKey: "กรุณาทำตามเบราว์เซอร์ของคุณเพื่อลงทะเบียนรหัสความปลอดภัยหรือรหัสผ่าน"
1 change: 0 additions & 1 deletion locales/zh-CN.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "您的浏览器不支持安全密钥。"
registerTOTPBeforeKey: "要注册安全密钥或 Passkey,请先设置验证器应用程序。"
securityKeyInfo: "注册兼容 WebAuthn 的密钥,例如支持 FIDO2 的硬件安全密钥、设备上的生物识别功能、PIN 码以及 Passkey 等。"
chromePasskeyNotSupported: "目前不支持 Chrome 的 Passkey。"
registerSecurityKey: "注册安全密钥或 Passkey"
securityKeyName: "输入密钥名称"
tapSecurityKey: "请按照浏览器说明操作来注册安全密钥或 Passkey。"
1 change: 0 additions & 1 deletion locales/zh-TW.yml
@@ -1686,7 +1686,6 @@ _2fa:
securityKeyNotSupported: "您的瀏覽器不支援安全金鑰。"
registerTOTPBeforeKey: "如要註冊安全金鑰或 Passkey,請先設定驗證應用程式。"
securityKeyInfo: "您可以設定使用支援 FIDO2 的硬體安全鎖、終端設備的指紋認證,或者 PIN 碼來登入。"
chromePasskeyNotSupported: "目前不支援 Chrome 的 Passkey。"
registerSecurityKey: "註冊安全金鑰或 Passkey"
securityKeyName: "輸入金鑰名稱"
tapSecurityKey: "按照瀏覽器的說明註冊安全金鑰或 Passkey。"
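--- a/packages/backend/migration/1691959191872-passkey-support.js
+++ b/packages/backend/migration/1691959191872-passkey-support.js
@@ -0,0 +1,49 @@
+/*
+* SPDX-FileCopyrightText: syuilo and other misskey contributors
+* SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+export class PasskeySupport1691959191872 {
+name = 'PasskeySupport1691959191872'
+
+async up(queryRunner) {
+await queryRunner.query(`ALTER TABLE "user_security_key" ADD "counter" bigint NOT NULL DEFAULT '0'`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."counter" IS 'The number of times the UserSecurityKey was validated.'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" ADD "credentialDeviceType" character varying(32)`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."credentialDeviceType" IS 'The type of Backup Eligibility in authenticator data'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" ADD "credentialBackedUp" boolean`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."credentialBackedUp" IS 'Whether or not the credential has been backed up'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" ADD "transports" character varying(32) array`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."transports" IS 'The type of the credential returned by the browser'`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."publicKey" IS 'The public key of the UserSecurityKey, hex-encoded.'`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."lastUsed" IS 'Timestamp of the last time the UserSecurityKey was used.'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" ALTER COLUMN "lastUsed" SET DEFAULT now()`);
+await queryRunner.query(`UPDATE "user_security_key" SET "id" = REPLACE(REPLACE(REPLACE(REPLACE(ENCODE(DECODE("id", 'hex'), 'base64'), E'\\n', ''), '+', '-'), '/', '_'), '=', ''), "publicKey" = REPLACE(REPLACE(REPLACE(REPLACE(ENCODE(DECODE("publicKey", 'hex'), 'base64'), E'\\n', ''), '+', '-'), '/', '_'), '=', '')`);
+await queryRunner.query(`ALTER TABLE "attestation_challenge" DROP CONSTRAINT "FK_f1a461a618fa1755692d0e0d592"`);
+await queryRunner.query(`DROP INDEX "IDX_47efb914aed1f72dd39a306c7b"`);
+await queryRunner.query(`DROP INDEX "IDX_f1a461a618fa1755692d0e0d59"`);
+await queryRunner.query(`DROP TABLE "attestation_challenge"`);
+}
+
+async down(queryRunner) {
+await queryRunner.query(`CREATE TABLE "attestation_challenge" ("id" character varying(32) NOT NULL, "userId" character varying(32) NOT NULL, "challenge" character varying(64) NOT NULL, "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL, "registrationChallenge" boolean NOT NULL DEFAULT false, CONSTRAINT "PK_d0ba6786e093f1bcb497572a6b5" PRIMARY KEY ("id", "userId"))`);
+await queryRunner.query(`CREATE INDEX "IDX_f1a461a618fa1755692d0e0d59" ON "attestation_challenge" ("userId") `);
+await queryRunner.query(`CREATE INDEX "IDX_47efb914aed1f72dd39a306c7b" ON "attestation_challenge" ("challenge") `);
+await queryRunner.query(`ALTER TABLE "attestation_challenge" ADD CONSTRAINT "FK_f1a461a618fa1755692d0e0d592" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE CASCADE ON UPDATE NO ACTION`);
+await queryRunner.query(`COMMENT ON COLUMN "attestation_challenge"."challenge" IS 'Hex-encoded sha256 hash of the challenge.'`);
+await queryRunner.query(`COMMENT ON COLUMN "attestation_challenge"."createdAt" IS 'The date challenge was created for expiry purposes.'`);
+await queryRunner.query(`COMMENT ON COLUMN "attestation_challenge"."registrationChallenge" IS 'Indicates that the challenge is only for registration purposes if true to prevent the challenge for being used as authentication.'`);
+await queryRunner.query(`UPDATE "user_security_key" SET "id" = ENCODE(DECODE(REPLACE(REPLACE("id" || CASE WHEN LENGTH("id") % 4 = 2 THEN '==' WHEN LENGTH("id") % 4 = 3 THEN '=' ELSE '' END, '-', '+'), '_', '/'), 'base64'), 'hex'), "publicKey" = ENCODE(DECODE(REPLACE(REPLACE("publicKey" || CASE WHEN LENGTH("publicKey") % 4 = 2 THEN '==' WHEN LENGTH("publicKey") % 4 = 3 THEN '=' ELSE '' END, '-', '+'), '_', '/'), 'base64'), 'hex')`);
+await queryRunner.query(`ALTER TABLE "user_security_key" ALTER COLUMN "lastUsed" DROP DEFAULT`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."lastUsed" IS 'The date of the last time the UserSecurityKey was successfully validated.'`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."publicKey" IS 'Variable-length public key used to verify attestations (hex-encoded).'`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."transports" IS 'The type of the credential returned by the browser'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" DROP COLUMN "transports"`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."credentialBackedUp" IS 'Whether or not the credential has been backed up'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" DROP COLUMN "credentialBackedUp"`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."credentialDeviceType" IS 'The type of Backup Eligibility in authenticator data'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" DROP COLUMN "credentialDeviceType"`);
+await queryRunner.query(`COMMENT ON COLUMN "user_security_key"."counter" IS 'The number of times the UserSecurityKey was validated.'`);
+await queryRunner.query(`ALTER TABLE "user_security_key" DROP COLUMN "counter"`);
+}
+}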
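Review bot: The column comment that `up()` sets on `publicKey` still says hex-encoded, but the `UPDATE` a few statements later rewrites both `id` and `publicKey` from hex to unpadded base64url, so the schema documentation is wrong once the migration finishes; it should read `'The public key of the UserSecurityKey, base64url-encoded.'`. The `counter` comment ("The number of times the UserSecurityKey was validated.") also looks inaccurate if this column stores the authenticator's WebAuthn signature counter used for clone detection (presumably so, worth confirming against the entity). In that case every existing row starts at the default `0`, so the first login after the upgrade sets the baseline instead of being checked against one, which deserves a line in the release notes. The `transports` comment ("The type of the credential returned by the browser") does not describe a transport list and should be reworded. In `down()`, the `COMMENT ON COLUMN` statements directly before each `DROP COLUMN` have no lasting effect and can be removed.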
2 changes: 2 additions & 0 deletions packages/backend/package.json
@@ -74,6 +74,7 @@
"@nestjs/core": "10.1.0",
"@nestjs/testing": "10.1.0",
"@peertube/http-signature": "1.7.0",
"@simplewebauthn/server": "^7.4.0",
"@sinonjs/fake-timers": "10.3.0",
"@swc/cli": "0.1.62",
"@swc/core": "1.3.70",
@@ -163,6 +164,7 @@
},
"devDependencies": {
"@jest/globals": "29.6.1",
"@simplewebauthn/typescript-types": "^7.4.0",
"@swc/jest": "0.2.26",
"@types/accepts": "1.3.5",
"@types/archiver": "5.3.2",
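Review bot: The two `@simplewebauthn` entries (apparently the two added lines, going by the section's addition count) use caret ranges, `^7.4.0`, while every neighbouring dependency visible in both hunks is pinned to an exact version. This package verifies WebAuthn registration and authentication responses, so a floating range means a regenerated or missing lockfile can pull in a newer minor release of authentication-critical code without review. Pin both to match the file's convention, `"@simplewebauthn/server": "7.4.0"` and `"@simplewebauthn/typescript-types": "7.4.0"`, and keep the two versions in step when upgrading.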
2 changes: 0 additions & 2 deletions packages/backend/src/boot/common.ts
@@ -8,7 +8,6 @@ import { ChartManagementService } from '@/core/chart/ChartManagementService.js';
import { QueueProcessorService } from '@/queue/QueueProcessorService.js';
import { NestLogger } from '@/NestLogger.js';
import { QueueProcessorModule } from '@/queue/QueueProcessorModule.js';
import { JanitorService } from '@/daemons/JanitorService.js';
import { QueueStatsService } from '@/daemons/QueueStatsService.js';
import { ServerStatsService } from '@/daemons/ServerStatsService.js';
import { ServerService } from '@/server/ServerService.js';
@@ -25,7 +24,6 @@ export async function server() {

if (process.env.NODE_ENV !== 'test') {
app.get(ChartManagementService).start();
app.get(JanitorService).start();
app.get(QueueStatsService).start();
app.get(ServerStatsService).start();
}