Tighten passkey credential persistence and enrollment

Re-prompt master password or OTP at POST /webauthn, matching the sibling 2FA WebAuthn activation path. Bind registration and PRF-update ceremonies to random challenge tokens, consume saved challenge rows atomically, and add the authenticated assertion-options/update endpoints for completing PRF unlock setup. Persist complete PRF unlock keysets with a dedicated column-scoped update helper. Mirror password-login 2FA policy handling for passkey login: enforce RequireTwoFactor revocation when no providers exist, and reject accounts whose TwoFactor rows are all disabled or unusable.
3 weeks ago · f728963aaa
5 changed files with 272 additions and 12 deletions
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -17,16 +17,17 @@ pub use sends::purge_sends;

 use reqwest::Method;
 use rocket::{Catcher, Route, http::Status, serde::json::Json, serde::json::Value};
-use webauthn_rs::prelude::{Passkey, PasskeyRegistration};
+use webauthn_rs::prelude::{Passkey, PasskeyAuthentication, PasskeyRegistration};
 use webauthn_rs_proto::UserVerificationPolicy;

 use crate::{
    CONFIG,
    api::{
        ApiResult, EmptyResult, JsonResult, Notify, PasswordOrOtpData, UpdateType,
-        core::two_factor::webauthn::{RegisterPublicKeyCredentialCopy, WEBAUTHN},
+        core::two_factor::webauthn::{PublicKeyCredentialCopy, RegisterPublicKeyCredentialCopy, WEBAUTHN},
    },
    auth::Headers,
+    crypto,
    db::{
        DbConn,
        models::{
@ -37,7 +38,7 @@ use crate::{
    error::Error,
    http_client::make_http_request,
    mail,
-    util::{FeatureFlagFilter, parse_experimental_client_feature_flags},
+    util::{FeatureFlagFilter, get_uuid, parse_experimental_client_feature_flags},
 };

 pub fn routes() -> Vec<Route> {
@ -50,6 +51,8 @@ pub fn routes() -> Vec<Route> {
        config,
        get_api_webauthn,
        post_api_webauthn,
+        put_api_webauthn,
+        post_api_webauthn_assertion_options,
        post_api_webauthn_attestation_options,
        post_api_webauthn_delete
    ];
@ -239,6 +242,42 @@ async fn get_api_webauthn(headers: Headers, conn: DbConn) -> Json<Value> {
    }))
 }

+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct WebAuthnPasskeyRegistrationChallenge {
+    token: String,
+    state: PasskeyRegistration,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct WebAuthnPasskeyAssertionChallenge {
+    token: String,
+    state: PasskeyAuthentication,
+}
+
+fn passkey_registration_challenge_state(data: &str, token: Option<&str>) -> ApiResult<PasskeyRegistration> {
+    if let Ok(saved) = serde_json::from_str::<WebAuthnPasskeyRegistrationChallenge>(data) {
+        if token != Some(saved.token.as_str()) {
+            err!("Invalid registration challenge. Please try again.")
+        }
+        Ok(saved.state)
+    } else {
+        if token.is_some() {
+            err!("Invalid registration challenge. Please try again.")
+        }
+        Ok(serde_json::from_str::<PasskeyRegistration>(data)?)
+    }
+}
+
+fn passkey_assertion_challenge_state(data: &str, token: &str) -> ApiResult<PasskeyAuthentication> {
+    let saved: WebAuthnPasskeyAssertionChallenge = serde_json::from_str(data)?;
+    if token != saved.token.as_str() {
+        err!("Invalid assertion challenge. Please try again.")
+    }
+    Ok(saved.state)
+}
+
 #[post("/webauthn/attestation-options", data = "<data>")]
 async fn post_api_webauthn_attestation_options(
    data: Json<PasswordOrOtpData>,
@ -252,7 +291,7 @@ async fn post_api_webauthn_attestation_options(
        err!("Passkeys cannot be created when SSO sign-in is required")
    }

-    data.validate(&user, false, &conn).await?;
+    data.validate(&user, true, &conn).await?;

    let all_creds = WebAuthnCredential::find_by_user(&user.uuid, &conn).await;
    let existing_cred_ids: Vec<_> = all_creds
@ -289,10 +328,20 @@ async fn post_api_webauthn_attestation_options(
        tf.delete(&conn).await?;
    }

+    let token = get_uuid();
+    let saved_challenge = WebAuthnPasskeyRegistrationChallenge {
+        token: token.clone(),
+        state,
+    };
+
    // Persist the registration state in the database (same pattern as 2FA webauthn)
-    TwoFactor::new(user.uuid, TwoFactorType::WebauthnPasskeyRegisterChallenge, serde_json::to_string(&state)?)
-        .save(&conn)
-        .await?;
+    TwoFactor::new(
+        user.uuid,
+        TwoFactorType::WebauthnPasskeyRegisterChallenge,
+        serde_json::to_string(&saved_challenge)?,
+    )
+    .save(&conn)
+    .await?;

    let mut options = serde_json::to_value(challenge.public_key)?;
    options["status"] = "ok".into();
@ -300,15 +349,78 @@ async fn post_api_webauthn_attestation_options(

    Ok(Json(json!({
        "options": options,
+        "token": token,
        "object": "webauthnCredentialCreateOptions"
    })))
 }

+#[post("/webauthn/assertion-options", data = "<data>")]
+async fn post_api_webauthn_assertion_options(
+    data: Json<PasswordOrOtpData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
+    if !CONFIG.is_webauthn_2fa_supported() {
+        err!("Configured `DOMAIN` is not compatible with Webauthn")
+    }
+
+    crate::ratelimit::check_limit_login(&headers.ip.ip)?;
+
+    let data: PasswordOrOtpData = data.into_inner();
+    let user = headers.user;
+
+    if CONFIG.sso_enabled() && CONFIG.sso_only() {
+        err!("Passkeys cannot be updated when SSO sign-in is required")
+    }
+
+    data.validate(&user, true, &conn).await?;
+
+    let credentials: Vec<Passkey> = WebAuthnCredential::find_by_user(&user.uuid, &conn)
+        .await
+        .into_iter()
+        .filter(|wac| wac.supports_prf)
+        .filter_map(|wac| serde_json::from_str(&wac.credential).ok())
+        .collect();
+
+    if credentials.is_empty() {
+        err!("No PRF-capable passkeys registered")
+    }
+
+    let (response, state) = WEBAUTHN.start_passkey_authentication(&credentials)?;
+
+    if let Some(tf) =
+        TwoFactor::find_by_user_and_type(&user.uuid, TwoFactorType::WebauthnPasskeyAssertionChallenge as i32, &conn)
+            .await
+    {
+        tf.delete(&conn).await?;
+    }
+
+    let token = get_uuid();
+    let saved_challenge = WebAuthnPasskeyAssertionChallenge {
+        token: token.clone(),
+        state,
+    };
+    TwoFactor::new(
+        user.uuid,
+        TwoFactorType::WebauthnPasskeyAssertionChallenge,
+        serde_json::to_string(&saved_challenge)?,
+    )
+    .save(&conn)
+    .await?;
+
+    Ok(Json(json!({
+        "options": response.public_key,
+        "token": token,
+        "object": "webauthnCredentialAssertionOptions"
+    })))
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct WebAuthnLoginCredentialCreateRequest {
    device_response: RegisterPublicKeyCredentialCopy,
    name: String,
+    token: Option<String>,
    supports_prf: bool,
    encrypted_user_key: Option<String>,
    encrypted_public_key: Option<String>,
@ -328,13 +440,15 @@ async fn post_api_webauthn(
        err!("Passkeys cannot be created when SSO sign-in is required")
    }

-    // Retrieve and delete the saved challenge state from the database
+    // Atomically take the saved challenge state (single-use): concurrent
+    // finishes for the same registration row cannot both succeed and create
+    // duplicate `web_authn_credentials` entries — only the caller whose DELETE
+    // removes the row proceeds.
    let type_ = TwoFactorType::WebauthnPasskeyRegisterChallenge as i32;
-    let Some(tf) = TwoFactor::find_by_user_and_type(&user.uuid, type_, &conn).await else {
+    let Some(tf) = TwoFactor::take_by_user_and_type(&user.uuid, type_, &conn).await else {
        err!("No registration challenge found. Please try again.")
    };
-    let state: PasskeyRegistration = serde_json::from_str(&tf.data)?;
-    tf.delete(&conn).await?;
+    let state = passkey_registration_challenge_state(&tf.data, data.token.as_deref())?;
    let credential = WEBAUTHN.finish_passkey_registration(&data.device_response.into(), &state)?;

    WebAuthnCredential::new(
@ -352,6 +466,91 @@ async fn post_api_webauthn(
    Ok(Status::Ok)
 }

+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct WebAuthnLoginCredentialUpdateRequest {
+    device_response: PublicKeyCredentialCopy,
+    token: String,
+    encrypted_user_key: Option<String>,
+    encrypted_public_key: Option<String>,
+    encrypted_private_key: Option<String>,
+}
+
+#[put("/webauthn", data = "<data>")]
+async fn put_api_webauthn(
+    data: Json<WebAuthnLoginCredentialUpdateRequest>,
+    headers: Headers,
+    conn: DbConn,
+) -> ApiResult<Status> {
+    crate::ratelimit::check_limit_login(&headers.ip.ip)?;
+
+    let data: WebAuthnLoginCredentialUpdateRequest = data.into_inner();
+    let user = headers.user;
+
+    if CONFIG.sso_enabled() && CONFIG.sso_only() {
+        err!("Passkeys cannot be updated when SSO sign-in is required")
+    }
+
+    let Some(encrypted_user_key) = data.encrypted_user_key else {
+        err!("Encrypted user key is required")
+    };
+    let Some(encrypted_public_key) = data.encrypted_public_key else {
+        err!("Encrypted public key is required")
+    };
+    let Some(encrypted_private_key) = data.encrypted_private_key else {
+        err!("Encrypted private key is required")
+    };
+
+    // Atomically take the saved challenge state (single-use): concurrent
+    // updates for the same assertion row cannot both succeed and apply
+    // different blob payloads — only the caller whose DELETE removes the row
+    // proceeds.
+    let type_ = TwoFactorType::WebauthnPasskeyAssertionChallenge as i32;
+    let Some(tf) = TwoFactor::take_by_user_and_type(&user.uuid, type_, &conn).await else {
+        err!("No assertion challenge found. Please try again.")
+    };
+    let state = passkey_assertion_challenge_state(&tf.data, &data.token)?;
+
+    let credential_response = data.device_response.into();
+    let mut parsed_credentials: Vec<(WebAuthnCredential, Passkey)> =
+        WebAuthnCredential::find_by_user(&user.uuid, &conn)
+            .await
+            .into_iter()
+            .filter_map(|wac| {
+                let passkey: Passkey = serde_json::from_str(&wac.credential).ok()?;
+                Some((wac, passkey))
+            })
+            .collect();
+
+    if parsed_credentials.is_empty() {
+        err!("No passkeys registered")
+    }
+
+    let authentication_result = WEBAUTHN.finish_passkey_authentication(&credential_response, &state)?;
+    let Some((matched_wac, passkey)) = parsed_credentials
+        .iter_mut()
+        .find(|(_, passkey)| crypto::ct_eq(passkey.cred_id().as_slice(), authentication_result.cred_id().as_slice()))
+    else {
+        err!("Verified credential is not registered")
+    };
+
+    if !matched_wac.supports_prf {
+        err!("Passkey does not support PRF")
+    }
+
+    if passkey.update_credential(&authentication_result) == Some(true) {
+        matched_wac.credential = serde_json::to_string(passkey)?;
+        matched_wac.update_credential(&conn).await?;
+    }
+
+    matched_wac.encrypted_user_key = Some(encrypted_user_key);
+    matched_wac.encrypted_public_key = Some(encrypted_public_key);
+    matched_wac.encrypted_private_key = Some(encrypted_private_key);
+    matched_wac.update_prf_keyset(&conn).await?;
+
+    Ok(Status::Ok)
+}
+
 #[post("/webauthn/<uuid>/delete", data = "<data>")]
 async fn post_api_webauthn_delete(
    data: Json<PasswordOrOtpData>,
@ -362,7 +561,7 @@ async fn post_api_webauthn_delete(
    let data: PasswordOrOtpData = data.into_inner();
    let user = headers.user;

-    data.validate(&user, false, &conn).await?;
+    data.validate(&user, true, &conn).await?;

    WebAuthnCredential::delete_by_uuid_and_user(&WebAuthnCredentialId::from(uuid.to_owned()), &user.uuid, &conn)
        .await?;
--- a/src/api/core/two_factor/mod.rs
+++ b/src/api/core/two_factor/mod.rs
@ -65,6 +65,7 @@ pub fn is_twofactor_provider_usable(provider_type: &TwoFactorType, provider_data
        | TwoFactorType::WebauthnRegisterChallenge
        | TwoFactorType::WebauthnLoginChallenge
        | TwoFactorType::WebauthnPasskeyRegisterChallenge
+        | TwoFactorType::WebauthnPasskeyAssertionChallenge
        | TwoFactorType::ProtectedActions => false,
    }
 }
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -1033,6 +1033,7 @@ async fn json_err_twofactor(
                | TwoFactorType::U2fRegisterChallenge
                | TwoFactorType::Webauthn
                | TwoFactorType::WebauthnLoginChallenge
+                | TwoFactorType::WebauthnPasskeyAssertionChallenge
                | TwoFactorType::WebauthnPasskeyRegisterChallenge
                | TwoFactorType::WebauthnRegisterChallenge,
            ) => { /* Nothing special to do for these providers */ }
@ -1352,6 +1353,22 @@ async fn webauthn_login(data: ConnectData, user_id: &mut Option<UserId>, conn: &

    let mut device = get_device(&data, conn, &user).await?;

+    // Mirror the 2FA-state gate that password login applies (twofactor_auth):
+    // - no providers at all → enforce_2fa_policy (revoke from RequireTwoFactor
+    //   orgs the user no longer satisfies) and let the passkey login proceed.
+    // - rows exist but every provider is disabled or unusable → reject, same
+    //   message the password path returns. The passkey is the auth, so we
+    //   don't ask for a 2FA token when usable providers exist.
+    let twofactors = TwoFactor::find_by_user(&user.uuid, conn).await;
+    if twofactors.is_empty() {
+        enforce_2fa_policy(&user, &user.uuid, device.atype, &ip.ip, conn).await?;
+    } else if !twofactors.iter().any(|tf| {
+        TwoFactorType::from_i32(tf.atype)
+            .is_some_and(|t| tf.enabled && is_twofactor_provider_usable(&t, Some(&tf.data)))
+    }) {
+        err!("No enabled and usable two factor providers are available for this account")
+    }
+
    let auth_tokens = auth::AuthTokens::new(&device, &user, AuthMethod::WebAuthn, data.client_id);

    // Build response using the common authenticated_response helper
--- a/src/db/models/two_factor.rs
+++ b/src/db/models/two_factor.rs
@ -43,6 +43,7 @@ pub enum TwoFactorType {
    WebauthnRegisterChallenge = 1003,
    WebauthnLoginChallenge = 1004,
    WebauthnPasskeyRegisterChallenge = 1005,
+    WebauthnPasskeyAssertionChallenge = 1006,

    // Special type for Protected Actions verification via email
    ProtectedActions = 2000,
@ -149,6 +150,33 @@ impl TwoFactor {
        .await
    }

+    /// Atomically fetch and delete the row for this user+type. Returns Some
+    /// only when the caller's DELETE actually removed a row, so two concurrent
+    /// callers (e.g. a double-clicked enrollment finish) cannot both proceed
+    /// with the same single-use challenge state — the loser sees None. The
+    /// surrounding transaction rolls back the SELECT+DELETE pair atomically
+    /// on a DB error, leaving the row intact rather than silently consuming it.
+    pub async fn take_by_user_and_type(user_uuid: &UserId, atype: i32, conn: &DbConn) -> Option<Self> {
+        let user_uuid = user_uuid.clone();
+        conn.run(move |conn| {
+            conn.transaction::<Option<Self>, diesel::result::Error, _>(|conn| {
+                let tf = twofactor::table
+                    .filter(twofactor::user_uuid.eq(&user_uuid))
+                    .filter(twofactor::atype.eq(atype))
+                    .first::<Self>(conn)
+                    .optional()?;
+                let Some(existing) = &tf else {
+                    return Ok(None);
+                };
+                let deleted =
+                    diesel::delete(twofactor::table.filter(twofactor::uuid.eq(&existing.uuid))).execute(conn)?;
+                Ok(tf.filter(|_| deleted == 1))
+            })
+            .unwrap_or(None)
+        })
+        .await
+    }
+
    pub async fn delete_all_by_user(user_uuid: &UserId, conn: &DbConn) -> EmptyResult {
        conn.run(move |conn| {
            diesel::delete(twofactor::table.filter(twofactor::user_uuid.eq(user_uuid)))
--- a/src/db/models/web_authn_credential.rs
+++ b/src/db/models/web_authn_credential.rs
@ -106,6 +106,21 @@ impl WebAuthnCredential {
        }}
    }

+    /// Persist a complete PRF unlock keyset after a user enables vault
+    /// encryption for an existing passkey-login credential.
+    pub async fn update_prf_keyset(&self, conn: &DbConn) -> EmptyResult {
+        db_run! { conn: {
+            diesel::update(web_authn_credentials::table.filter(web_authn_credentials::uuid.eq(&self.uuid)))
+                .set((
+                    web_authn_credentials::encrypted_user_key.eq(&self.encrypted_user_key),
+                    web_authn_credentials::encrypted_public_key.eq(&self.encrypted_public_key),
+                    web_authn_credentials::encrypted_private_key.eq(&self.encrypted_private_key),
+                ))
+                .execute(conn)
+                .map_res("Error updating web_authn_credential PRF keyset")
+        }}
+    }
+
    pub async fn find_by_user(user_uuid: &UserId, conn: &DbConn) -> Vec<Self> {
        db_run! { conn: {
            web_authn_credentials::table