| package model |
|
|
| import ( |
| "encoding/base64" |
| "encoding/json" |
| "errors" |
| "fmt" |
| "strings" |
| "time" |
|
|
| "github.com/QuantumNous/new-api/common" |
|
|
| "github.com/go-webauthn/webauthn/protocol" |
| "github.com/go-webauthn/webauthn/webauthn" |
| "gorm.io/gorm" |
| ) |
|
|
| var ( |
| ErrPasskeyNotFound = errors.New("passkey credential not found") |
| ErrFriendlyPasskeyNotFound = errors.New("Passkey 验证失败,请重试或联系管理员") |
| ) |
|
|
| type PasskeyCredential struct { |
| ID int `json:"id" gorm:"primaryKey"` |
| UserID int `json:"user_id" gorm:"uniqueIndex;not null"` |
| CredentialID string `json:"credential_id" gorm:"type:varchar(512);uniqueIndex;not null"` |
| PublicKey string `json:"public_key" gorm:"type:text;not null"` |
| AttestationType string `json:"attestation_type" gorm:"type:varchar(255)"` |
| AAGUID string `json:"aaguid" gorm:"type:varchar(512)"` |
| SignCount uint32 `json:"sign_count" gorm:"default:0"` |
| CloneWarning bool `json:"clone_warning"` |
| UserPresent bool `json:"user_present"` |
| UserVerified bool `json:"user_verified"` |
| BackupEligible bool `json:"backup_eligible"` |
| BackupState bool `json:"backup_state"` |
| Transports string `json:"transports" gorm:"type:text"` |
| Attachment string `json:"attachment" gorm:"type:varchar(32)"` |
| LastUsedAt *time.Time `json:"last_used_at"` |
| CreatedAt time.Time `json:"created_at"` |
| UpdatedAt time.Time `json:"updated_at"` |
| DeletedAt gorm.DeletedAt `json:"-" gorm:"index"` |
| } |
|
|
| func (p *PasskeyCredential) TransportList() []protocol.AuthenticatorTransport { |
| if p == nil || strings.TrimSpace(p.Transports) == "" { |
| return nil |
| } |
| var transports []string |
| if err := json.Unmarshal([]byte(p.Transports), &transports); err != nil { |
| return nil |
| } |
| result := make([]protocol.AuthenticatorTransport, 0, len(transports)) |
| for _, transport := range transports { |
| result = append(result, protocol.AuthenticatorTransport(transport)) |
| } |
| return result |
| } |
|
|
| func (p *PasskeyCredential) SetTransports(list []protocol.AuthenticatorTransport) { |
| if len(list) == 0 { |
| p.Transports = "" |
| return |
| } |
| stringList := make([]string, len(list)) |
| for i, transport := range list { |
| stringList[i] = string(transport) |
| } |
| encoded, err := json.Marshal(stringList) |
| if err != nil { |
| return |
| } |
| p.Transports = string(encoded) |
| } |
|
|
| func (p *PasskeyCredential) ToWebAuthnCredential() webauthn.Credential { |
| flags := webauthn.CredentialFlags{ |
| UserPresent: p.UserPresent, |
| UserVerified: p.UserVerified, |
| BackupEligible: p.BackupEligible, |
| BackupState: p.BackupState, |
| } |
|
|
| credID, _ := base64.StdEncoding.DecodeString(p.CredentialID) |
| pubKey, _ := base64.StdEncoding.DecodeString(p.PublicKey) |
| aaguid, _ := base64.StdEncoding.DecodeString(p.AAGUID) |
|
|
| return webauthn.Credential{ |
| ID: credID, |
| PublicKey: pubKey, |
| AttestationType: p.AttestationType, |
| Transport: p.TransportList(), |
| Flags: flags, |
| Authenticator: webauthn.Authenticator{ |
| AAGUID: aaguid, |
| SignCount: p.SignCount, |
| CloneWarning: p.CloneWarning, |
| Attachment: protocol.AuthenticatorAttachment(p.Attachment), |
| }, |
| } |
| } |
|
|
| func NewPasskeyCredentialFromWebAuthn(userID int, credential *webauthn.Credential) *PasskeyCredential { |
| if credential == nil { |
| return nil |
| } |
| passkey := &PasskeyCredential{ |
| UserID: userID, |
| CredentialID: base64.StdEncoding.EncodeToString(credential.ID), |
| PublicKey: base64.StdEncoding.EncodeToString(credential.PublicKey), |
| AttestationType: credential.AttestationType, |
| AAGUID: base64.StdEncoding.EncodeToString(credential.Authenticator.AAGUID), |
| SignCount: credential.Authenticator.SignCount, |
| CloneWarning: credential.Authenticator.CloneWarning, |
| UserPresent: credential.Flags.UserPresent, |
| UserVerified: credential.Flags.UserVerified, |
| BackupEligible: credential.Flags.BackupEligible, |
| BackupState: credential.Flags.BackupState, |
| Attachment: string(credential.Authenticator.Attachment), |
| } |
| passkey.SetTransports(credential.Transport) |
| return passkey |
| } |
|
|
| func (p *PasskeyCredential) ApplyValidatedCredential(credential *webauthn.Credential) { |
| if credential == nil || p == nil { |
| return |
| } |
| p.CredentialID = base64.StdEncoding.EncodeToString(credential.ID) |
| p.PublicKey = base64.StdEncoding.EncodeToString(credential.PublicKey) |
| p.AttestationType = credential.AttestationType |
| p.AAGUID = base64.StdEncoding.EncodeToString(credential.Authenticator.AAGUID) |
| p.SignCount = credential.Authenticator.SignCount |
| p.CloneWarning = credential.Authenticator.CloneWarning |
| p.UserPresent = credential.Flags.UserPresent |
| p.UserVerified = credential.Flags.UserVerified |
| p.BackupEligible = credential.Flags.BackupEligible |
| p.BackupState = credential.Flags.BackupState |
| p.Attachment = string(credential.Authenticator.Attachment) |
| p.SetTransports(credential.Transport) |
| } |
|
|
| func GetPasskeyByUserID(userID int) (*PasskeyCredential, error) { |
| if userID == 0 { |
| common.SysLog("GetPasskeyByUserID: empty user ID") |
| return nil, ErrFriendlyPasskeyNotFound |
| } |
| var credential PasskeyCredential |
| if err := DB.Where("user_id = ?", userID).First(&credential).Error; err != nil { |
| if errors.Is(err, gorm.ErrRecordNotFound) { |
| |
| return nil, ErrPasskeyNotFound |
| } |
| |
| common.SysLog(fmt.Sprintf("GetPasskeyByUserID: database error for user %d: %v", userID, err)) |
| return nil, ErrFriendlyPasskeyNotFound |
| } |
| return &credential, nil |
| } |
|
|
| func GetPasskeyByCredentialID(credentialID []byte) (*PasskeyCredential, error) { |
| if len(credentialID) == 0 { |
| common.SysLog("GetPasskeyByCredentialID: empty credential ID") |
| return nil, ErrFriendlyPasskeyNotFound |
| } |
|
|
| credIDStr := base64.StdEncoding.EncodeToString(credentialID) |
| var credential PasskeyCredential |
| if err := DB.Where("credential_id = ?", credIDStr).First(&credential).Error; err != nil { |
| if errors.Is(err, gorm.ErrRecordNotFound) { |
| common.SysLog(fmt.Sprintf("GetPasskeyByCredentialID: passkey not found for credential ID length %d", len(credentialID))) |
| return nil, ErrFriendlyPasskeyNotFound |
| } |
| common.SysLog(fmt.Sprintf("GetPasskeyByCredentialID: database error for credential ID: %v", err)) |
| return nil, ErrFriendlyPasskeyNotFound |
| } |
|
|
| return &credential, nil |
| } |
|
|
| func UpsertPasskeyCredential(credential *PasskeyCredential) error { |
| if credential == nil { |
| common.SysLog("UpsertPasskeyCredential: nil credential provided") |
| return fmt.Errorf("Passkey 保存失败,请重试") |
| } |
| return DB.Transaction(func(tx *gorm.DB) error { |
| |
| if err := tx.Unscoped().Where("user_id = ?", credential.UserID).Delete(&PasskeyCredential{}).Error; err != nil { |
| common.SysLog(fmt.Sprintf("UpsertPasskeyCredential: failed to delete existing credential for user %d: %v", credential.UserID, err)) |
| return fmt.Errorf("Passkey 保存失败,请重试") |
| } |
| if err := tx.Create(credential).Error; err != nil { |
| common.SysLog(fmt.Sprintf("UpsertPasskeyCredential: failed to create credential for user %d: %v", credential.UserID, err)) |
| return fmt.Errorf("Passkey 保存失败,请重试") |
| } |
| return nil |
| }) |
| } |
|
|
| func DeletePasskeyByUserID(userID int) error { |
| if userID == 0 { |
| common.SysLog("DeletePasskeyByUserID: empty user ID") |
| return fmt.Errorf("删除失败,请重试") |
| } |
| |
| if err := DB.Unscoped().Where("user_id = ?", userID).Delete(&PasskeyCredential{}).Error; err != nil { |
| common.SysLog(fmt.Sprintf("DeletePasskeyByUserID: failed to delete passkey for user %d: %v", userID, err)) |
| return fmt.Errorf("删除失败,请重试") |
| } |
| return nil |
| } |
|
|
