teamhanko · bjoern-m · Aug 26, 2024 · Aug 26, 2024 · Aug 26, 2024 · Aug 26, 2024
diff --git a/backend/config/config.go b/backend/config/config.go
@@ -32,6 +32,8 @@ type Config struct {
 	Emails Emails `yaml:"emails" json:"emails,omitempty" koanf:"emails" jsonschema:"title=emails"`
 	// `log` configures application logging.
 	Log LoggerConfig `yaml:"log" json:"log,omitempty" koanf:"log" jsonschema:"title=log"`
+	// `mfa` configures how multi-factor-authentication behaves.
+	MFA MFA `yaml:"mfa" json:"mfa,omitempty" koanf:"mfa" jsonschema:"title=mfa"`
 	// Deprecated. See child properties for suggested replacements.
 	Passcode Passcode `yaml:"passcode" json:"passcode,omitempty" koanf:"passcode" jsonschema:"title=passcode"`
 	// `passkey` configures how passkeys  are acquired and used.

diff --git a/backend/config/config.yaml b/backend/config/config.yaml
@@ -29,6 +29,19 @@ email_delivery:
     port: "2500"
 log:
   log_health_and_metrics: true
+mfa:
+  acquire_on_login: false
+  acquire_on_registration: true
+  enabled: true
+  optional: true
+  security_keys:
+    attestation_preference: direct
+    authenticator_attachment: cross-platform
+    enabled: true
+    limit: 10
+    user_verification: discouraged
+  totp:
+    enabled: true
 passkey:
   enabled: true
   optional: true

diff --git a/backend/config/config_default.go b/backend/config/config_default.go
@@ -94,6 +94,10 @@ func DefaultConfig() *Config {
 		RateLimiter: RateLimiter{
 			Enabled: true,
 			Store:   RATE_LIMITER_STORE_IN_MEMORY,
+			OTPLimits: RateLimits{
+				Tokens:   3,
+				Interval: 1 * time.Minute,
+			},
 			PasswordLimits: RateLimits{
 				Tokens:   5,
 				Interval: 1 * time.Minute,
@@ -161,6 +165,22 @@ func DefaultConfig() *Config {
 			MinLength:             3,
 			MaxLength:             32,
 		},
+		MFA: MFA{
+			AcquireOnLogin:        false,
+			AcquireOnRegistration: true,
+			Enabled:               true,
+			Optional:              true,
+			SecurityKeys: SecurityKeys{
+				AttestationPreference:   "direct",
+				AuthenticatorAttachment: "cross-platform",
+				Enabled:                 true,
+				Limit:                   10,
+				UserVerification:        "discouraged",
+			},
+			TOTP: TOTP{
+				Enabled: true,
+			},
+		},
 		Debug: false,
 	}
 }
diff --git a/backend/config/config_mfa.go b/backend/config/config_mfa.go
@@ -0,0 +1,36 @@
+package config
+
+type SecurityKeys struct {
+	// `attestation_preference` is used to specify the preference regarding attestation conveyance during
+	// credential generation.
+	AttestationPreference string `yaml:"attestation_preference" json:"attestation_preference,omitempty" koanf:"attestation_preference" split_words:"true" jsonschema:"default=direct,enum=direct,enum=indirect,enum=none"`
+	// `authenticator_attachment`  is used to specify the preference regarding authenticator attachment during credential registration.
+	AuthenticatorAttachment string `yaml:"authenticator_attachment" json:"authenticator_attachment,omitempty" koanf:"authenticator_attachment" split_words:"true" jsonschema:"default=cross-platform,enum=platform,enum=cross-platform,enum=no_preference"`
+	// `enabled` determines whether security keys are eligible for multi-factor-authentication.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+	// 'limit' determines the maximum number of security keys a user can register.
+	Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
+	// The setting applies to both WebAuthn registration and authentication ceremonies.
+	UserVerification string `yaml:"user_verification" json:"user_verification,omitempty" koanf:"user_verification" split_words:"true" jsonschema:"default=discouraged,enum=required,enum=preferred,enum=discouraged"`
+}
+
+type TOTP struct {
+	// `enabled` determines whether TOTP is eligible for multi-factor-authentication.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+}
+
+type MFA struct {
+	// `acquire_on_login` configures if users are prompted creating an MFA credential on login.
+	AcquireOnLogin bool `yaml:"acquire_on_login" json:"acquire_on_login" koanf:"acquire_on_login" jsonschema:"default=false"`
+	// `acquire_on_registration` configures if users are prompted creating an MFA credential on registration.
+	AcquireOnRegistration bool `yaml:"acquire_on_registration" json:"acquire_on_registration" koanf:"acquire_on_registration" jsonschema:"default=true"`
+	// `enabled` determines whether multi-factor-authentication is enabled.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+	// `optional` determines whether users must create an MFA credential when prompted. The MFA credential cannot be
+	// deleted if multi-factor-authentication is required (`optional: false`).
+	Optional bool `yaml:"optional" json:"optional" koanf:"optional" jsonschema:"default=true"`
+	// `security_keys` configures security key settings for multi-factor-authentication
+	SecurityKeys SecurityKeys `yaml:"security_keys" json:"security_keys,omitempty" koanf:"security_keys" jsonschema:"title=security_keys"`
+	// `totp` configures the TOTP (Time-Based One-Time-Password) method for multi-factor-authentication.
+	TOTP TOTP `yaml:"totp" json:"totp,omitempty" koanf:"totp" jsonschema:"title=totp"`
+}
diff --git a/backend/config/config_rate_limiter.go b/backend/config/config_rate_limiter.go
@@ -16,6 +16,8 @@ type RateLimiter struct {
 	Redis *RedisConfig `yaml:"redis_config" json:"redis_config,omitempty" koanf:"redis_config"`
 	// `passcode_limits` controls rate limits for passcode operations.
 	PasscodeLimits RateLimits `yaml:"passcode_limits" json:"passcode_limits,omitempty" koanf:"passcode_limits" split_words:"true"`
+	// `otp_limits` controls rate limits for OTP login attempts.
+	OTPLimits RateLimits `yaml:"otp_limits" json:"otp_limits,omitempty" koanf:"otp_limits" split_words:"true"`
 	// `password_limits` controls rate limits for password login operations.
 	PasswordLimits RateLimits `yaml:"password_limits" json:"password_limits,omitempty" koanf:"password_limits" split_words:"true"`
 	// `token_limits` controls rate limits for token exchange operations.

diff --git a/backend/dto/intern/WebauthnCredential.go b/backend/dto/intern/WebauthnCredential.go
@@ -10,7 +10,7 @@ import (
 	"time"
 )
 
-func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID, backupEligible bool, backupState bool, authenticatorMetadata mapper.AuthenticatorMetadata) *models.WebauthnCredential {
+func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID, backupEligible, backupState, mfaOnly bool, authenticatorMetadata mapper.AuthenticatorMetadata) *models.WebauthnCredential {
 	now := time.Now().UTC()
 	aaguid, _ := uuid.FromBytes(credential.Authenticator.AAGUID)
 	credentialID := base64.RawURLEncoding.EncodeToString(credential.ID)
@@ -28,6 +28,7 @@ func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID
 		UpdatedAt:       now,
 		BackupEligible:  backupEligible,
 		BackupState:     backupState,
+		MFAOnly:         mfaOnly,
 	}
 
 	for _, name := range credential.Transport {

diff --git a/backend/dto/profile.go b/backend/dto/profile.go
@@ -2,24 +2,37 @@ package dto
 
 import (
 	"github.com/gofrs/uuid"
+	"github.com/teamhanko/hanko/backend/config"
 	"github.com/teamhanko/hanko/backend/persistence/models"
 	"time"
 )
 
+type MFAConfig struct {
+	AuthAppSetUp        bool `json:"auth_app_set_up"`
+	TOTPEnabled         bool `json:"totp_enabled"`
+	SecurityKeysEnabled bool `json:"security_keys_enabled"`
+}
+
 type ProfileData struct {
-	UserID              uuid.UUID                    `json:"user_id"`
-	WebauthnCredentials []WebauthnCredentialResponse `json:"passkeys,omitempty"`
-	Emails              []EmailResponse              `json:"emails,omitempty"`
-	Username            *Username                    `json:"username,omitempty"`
-	CreatedAt           time.Time                    `json:"created_at"`
-	UpdatedAt           time.Time                    `json:"updated_at"`
+	UserID       uuid.UUID                    `json:"user_id"`
+	Passkeys     []WebauthnCredentialResponse `json:"passkeys,omitempty"`
+	SecurityKeys []WebauthnCredentialResponse `json:"security_keys,omitempty"`
+	MFAConfig    MFAConfig                    `json:"mfa_config"`
+	Emails       []EmailResponse              `json:"emails,omitempty"`
+	Username     *Username                    `json:"username,omitempty"`
+	CreatedAt    time.Time                    `json:"created_at"`
+	UpdatedAt    time.Time                    `json:"updated_at"`
 }
 
-func ProfileDataFromUserModel(user *models.User) *ProfileData {
-	var webauthnCredentials []WebauthnCredentialResponse
+func ProfileDataFromUserModel(user *models.User, cfg *config.Config) *ProfileData {
+	var webauthnCredentials, securityKeys []WebauthnCredentialResponse
 	for _, webauthnCredentialModel := range user.WebauthnCredentials {
 		webauthnCredential := FromWebauthnCredentialModel(&webauthnCredentialModel)
-		webauthnCredentials = append(webauthnCredentials, *webauthnCredential)
+		if cfg.MFA.SecurityKeys.Enabled && webauthnCredentialModel.MFAOnly {
+			securityKeys = append(securityKeys, *webauthnCredential)
+		} else if cfg.Passkey.Enabled {
+			webauthnCredentials = append(webauthnCredentials, *webauthnCredential)
+		}
 	}
 
 	var emails []EmailResponse
@@ -29,11 +42,17 @@ func ProfileDataFromUserModel(user *models.User) *ProfileData {
 	}
 
 	return &ProfileData{
-		UserID:              user.ID,
-		WebauthnCredentials: webauthnCredentials,
-		Emails:              emails,
-		Username:            FromUsernameModel(user.Username),
-		CreatedAt:           user.CreatedAt,
-		UpdatedAt:           user.UpdatedAt,
+		UserID:       user.ID,
+		Passkeys:     webauthnCredentials,
+		SecurityKeys: securityKeys,
+		MFAConfig: MFAConfig{
+			AuthAppSetUp:        user.OTPSecret != nil,
+			TOTPEnabled:         cfg.MFA.Enabled && cfg.MFA.TOTP.Enabled,
+			SecurityKeysEnabled: cfg.MFA.Enabled && cfg.MFA.SecurityKeys.Enabled,
+		},
+		Emails:    emails,
+		Username:  FromUsernameModel(user.Username),
+		CreatedAt: user.CreatedAt,
+		UpdatedAt: user.UpdatedAt,
 	}
 }
diff --git a/backend/flow_api/flow/capabilities/action_send_capabilities.go b/backend/flow_api/flow/capabilities/action_send_capabilities.go
@@ -19,16 +19,18 @@ func (a RegisterClientCapabilities) GetDescription() string {
 
 func (a RegisterClientCapabilities) Initialize(c flowpilot.InitializationContext) {
 	c.AddInputs(flowpilot.BooleanInput("webauthn_conditional_mediation_available").Hidden(true))
+	c.AddInputs(flowpilot.BooleanInput("webauthn_platform_authenticator_available").Hidden(true))
 	c.AddInputs(flowpilot.BooleanInput("webauthn_available").Required(true).Hidden(true))
 }
 
 func (a RegisterClientCapabilities) Execute(c flowpilot.ExecutionContext) error {
+	deps := a.GetDeps(c)
+
 	if valid := c.ValidateInputData(); !valid {
 		return c.Error(flowpilot.ErrorFormDataInvalid)
 	}
 
 	webauthnAvailable := c.Input().Get("webauthn_available").Bool()
-
 	err := c.Stash().Set(shared.StashPathWebauthnAvailable, webauthnAvailable)
 	if err != nil {
 		return err
@@ -40,5 +42,18 @@ func (a RegisterClientCapabilities) Execute(c flowpilot.ExecutionContext) error
 		return err
 	}
 
+	platformAuthenticatorAvailable := c.Input().Get("webauthn_platform_authenticator_available").Bool()
+	err = c.Stash().Set(shared.StashPathWebauthnPlatformAuthenticatorAvailable, platformAuthenticatorAvailable)
+	if err != nil {
+		return err
+	}
+
+	attachmentSupported := platformAuthenticatorAvailable ||
+		deps.Cfg.MFA.SecurityKeys.AuthenticatorAttachment != "platform"
+	err = c.Stash().Set(shared.StashPathSecurityKeyAttachmentSupported, attachmentSupported)
+	if err != nil {
+		return err
+	}
+
 	return c.Continue()
 }
diff --git a/backend/flow_api/flow/credential_onboarding/action_register_password.go b/backend/flow_api/flow/credential_onboarding/action_register_password.go
@@ -67,5 +67,9 @@ func (a RegisterPassword) Execute(c flowpilot.ExecutionContext) error {
 
 	c.PreventRevert()
 
+	if err = c.ExecuteHook(shared.ScheduleMFACreationStates{}); err != nil {
+		return err
+	}
+
 	return c.Continue()
 }
diff --git a/backend/flow_api/flow/credential_onboarding/action_skip_method_chooser.go b/backend/flow_api/flow/credential_onboarding/action_skip_method_chooser.go
@@ -34,5 +34,9 @@ func (a SkipCredentialOnboardingMethodChooser) Initialize(c flowpilot.Initializa
 func (a SkipCredentialOnboardingMethodChooser) Execute(c flowpilot.ExecutionContext) error {
 	c.PreventRevert()
 
+	if err := c.ExecuteHook(shared.ScheduleMFACreationStates{}); err != nil {
+		return err
+	}
+
 	return c.Continue()
 }
diff --git a/backend/flow_api/flow/credential_onboarding/action_skip_passkey.go b/backend/flow_api/flow/credential_onboarding/action_skip_passkey.go
@@ -52,6 +52,10 @@ func (a SkipPasskey) Execute(c flowpilot.ExecutionContext) error {
 		return c.Continue(shared.StatePasswordCreation)
 	}
 
+	if err := c.ExecuteHook(shared.ScheduleMFACreationStates{}); err != nil {
+		return err
+	}
+
 	return c.Continue()
 }
 

diff --git a/backend/flow_api/flow/credential_onboarding/action_skip_password.go b/backend/flow_api/flow/credential_onboarding/action_skip_password.go
@@ -53,6 +53,10 @@ func (a SkipPassword) Execute(c flowpilot.ExecutionContext) error {
 		return c.Continue(shared.StateOnboardingCreatePasskey)
 	}
 
+	if err := c.ExecuteHook(shared.ScheduleMFACreationStates{}); err != nil {
+		return err
+	}
+
 	return c.Continue()
 }
 

diff --git a/backend/flow_api/flow/credential_onboarding/action_webauthn_generate_creation_options.go b/backend/flow_api/flow/credential_onboarding/action_webauthn_generate_creation_options.go
@@ -57,7 +57,7 @@ func (a WebauthnGenerateCreationOptions) Execute(c flowpilot.ExecutionContext) e
 		Username: &username,
 	}
 
-	sessionDataModel, creationOptions, err := deps.WebauthnService.GenerateCreationOptions(params)
+	sessionDataModel, creationOptions, err := deps.WebauthnService.GenerateCreationOptionsPasskey(params)
 	if err != nil {
 		return fmt.Errorf("failed to generate webauthn creation options: %w", err)
 	}
@@ -67,6 +67,11 @@ func (a WebauthnGenerateCreationOptions) Execute(c flowpilot.ExecutionContext) e
 		return err
 	}
 
+	err = c.Stash().Set(shared.StashPathCreateMFAOnlyCredential, false)
+	if err != nil {
+		return err
+	}
+
 	err = c.Payload().Set("creation_options", creationOptions)
 	if err != nil {
 		return err

diff --git a/backend/flow_api/flow/credential_onboarding/action_webauthn_verify_attestation_response.go b/backend/flow_api/flow/credential_onboarding/action_webauthn_verify_attestation_response.go
@@ -1,11 +1,7 @@
 package credential_onboarding
 
 import (
-	"errors"
-	"fmt"
-	"github.com/gofrs/uuid"
 	"github.com/teamhanko/hanko/backend/flow_api/flow/shared"
-	"github.com/teamhanko/hanko/backend/flow_api/services"
 	"github.com/teamhanko/hanko/backend/flowpilot"
 )
 
@@ -30,58 +26,19 @@ func (a WebauthnVerifyAttestationResponse) Initialize(c flowpilot.Initialization
 }
 
 func (a WebauthnVerifyAttestationResponse) Execute(c flowpilot.ExecutionContext) error {
-	deps := a.GetDeps(c)
-
 	if valid := c.ValidateInputData(); !valid {
 		return c.Error(flowpilot.ErrorFormDataInvalid)
 	}
 
-	if !c.Stash().Get(shared.StashPathWebauthnSessionDataID).Exists() {
-		return errors.New("webauthn_session_data_id does not exist in the stash")
-	}
-
-	sessionDataID, err := uuid.FromString(c.Stash().Get(shared.StashPathWebauthnSessionDataID).String())
-	if err != nil {
-		return fmt.Errorf("failed to parse webauthn_session_data_id: %w", err)
-	}
-
-	userID, err := uuid.FromString(c.Stash().Get(shared.StashPathUserID).String())
-	if err != nil {
-		return fmt.Errorf("failed to parse user_id into a uuid: %w", err)
-	}
-
-	username := c.Stash().Get(shared.StashPathUsername).String()
-	email := c.Stash().Get(shared.StashPathEmail).String()
-
-	params := services.VerifyAttestationResponseParams{
-		Tx:            deps.Tx,
-		SessionDataID: sessionDataID,
-		PublicKey:     c.Input().Get("public_key").String(),
-		UserID:        userID,
-		Email:         &email,
-		Username:      &username,
+	if err := c.ExecuteHook(shared.VerifyAttestationResponse{}); err != nil {
+		return err
 	}
 
-	credential, err := deps.WebauthnService.VerifyAttestationResponse(params)
-	if err != nil {
-		if errors.Is(err, services.ErrInvalidWebauthnCredential) {
-			return c.Error(shared.ErrorPasskeyInvalid.Wrap(err))
-		}
-
-		return fmt.Errorf("failed to verify attestation response: %w", err)
-	}
-
-	err = c.Stash().Set(shared.StashPathWebauthnCredential, credential)
-	if err != nil {
-		return fmt.Errorf("failed to set webauthn_credential to the stash: %w", err)
-	}
+	c.PreventRevert()
 
-	err = c.Stash().Set(shared.StashPathUserHasWebauthnCredential, true)
-	if err != nil {
-		return fmt.Errorf("failed to set user_has_webauthn_credential to the stash: %w", err)
+	if err := c.ExecuteHook(shared.ScheduleMFACreationStates{}); err != nil {
+		return err
 	}
 
-	c.PreventRevert()
-
 	return c.Continue()
 }
diff --git a/backend/flow_api/flow/credential_usage/action_continue_to_passcode_confirmation_recovery.go b/backend/flow_api/flow/credential_usage/action_continue_to_passcode_confirmation_recovery.go
@@ -27,6 +27,10 @@ func (a ContinueToPasscodeConfirmationRecovery) Initialize(c flowpilot.Initializ
 }
 
 func (a ContinueToPasscodeConfirmationRecovery) Execute(c flowpilot.ExecutionContext) error {
+	if err := c.Stash().Set(shared.StashPathLoginMethod, "password"); err != nil {
+		return fmt.Errorf("failed to set login_method to stash: %w", err)
+	}
+
 	if len(c.Stash().Get(shared.StashPathUserID).String()) > 0 {
 		if err := c.Stash().Set(shared.StashPathPasscodeTemplate, "recovery"); err != nil {
 			return fmt.Errorf("failed to set passcode_template to the stash: %w", err)
@@ -37,5 +41,7 @@ func (a ContinueToPasscodeConfirmationRecovery) Execute(c flowpilot.ExecutionCon
 		}
 	}
 
-	return c.Continue(shared.StatePasscodeConfirmation, shared.StateLoginPasswordRecovery)
+	_ = c.Stash().Set(shared.StashPathPasswordRecoveryPending, true)
+
+	return c.Continue(shared.StatePasscodeConfirmation)
 }