Fork 0
mirror of https://github.com/dani-garcia/vaultwarden synced 2024-06-16 02:48:27 +02:00

221 lines
7.6 KiB
Raw Normal View History

use serde_json::Value;
use crate::{api::EmptyResult, db::DbConn, error::MapResult};
db_object! {
#[derive(Identifiable, Queryable, Insertable, AsChangeset)]
2022-05-20 23:39:47 +02:00
#[diesel(table_name = twofactor)]
pub struct TwoFactor {
pub uuid: String,
pub user_uuid: String,
pub atype: i32,
pub enabled: bool,
pub data: String,
pub last_used: i64,
pub enum TwoFactorType {
Authenticator = 0,
Email = 1,
Duo = 2,
YubiKey = 3,
U2f = 4,
Remember = 5,
OrganizationDuo = 6,
Webauthn = 7,
// These are implementation details
U2fRegisterChallenge = 1000,
U2fLoginChallenge = 1001,
EmailVerificationChallenge = 1002,
WebauthnRegisterChallenge = 1003,
WebauthnLoginChallenge = 1004,
// Special type for Protected Actions verification via email
ProtectedActions = 2000,
/// Local methods
impl TwoFactor {
2019-05-20 21:12:41 +02:00
pub fn new(user_uuid: String, atype: TwoFactorType, data: String) -> Self {
Self {
uuid: crate::util::get_uuid(),
2019-05-20 21:12:41 +02:00
atype: atype as i32,
enabled: true,
last_used: 0,
pub fn to_json(&self) -> Value {
"Enabled": self.enabled,
"Key": "", // This key and value vary
"Object": "twoFactorAuthenticator" // This value varies
pub fn to_json_provider(&self) -> Value {
"Enabled": self.enabled,
2019-05-20 21:12:41 +02:00
"Type": self.atype,
"Object": "twoFactorProvider"
/// Database methods
impl TwoFactor {
2022-05-20 23:39:47 +02:00
pub async fn save(&self, conn: &mut DbConn) -> EmptyResult {
db_run! { conn:
sqlite, mysql {
match diesel::replace_into(twofactor::table)
Ok(_) => Ok(()),
// Record already exists and causes a Foreign Key Violation because replace_into() wants to delete the record first.
Err(diesel::result::Error::DatabaseError(diesel::result::DatabaseErrorKind::ForeignKeyViolation, _)) => {
.map_res("Error saving twofactor")
Err(e) => Err(e.into()),
}.map_res("Error saving twofactor")
postgresql {
let value = TwoFactorDb::to_db(self);
// We need to make sure we're not going to violate the unique constraint on user_uuid and atype.
// This happens automatically on other DBMS backends due to replace_into(). PostgreSQL does
// not support multiple constraints on ON CONFLICT clauses.
.map_res("Error deleting twofactor for insert")?;
.map_res("Error saving twofactor")
2022-05-20 23:39:47 +02:00
pub async fn delete(self, conn: &mut DbConn) -> EmptyResult {
db_run! { conn: {
.map_res("Error deleting twofactor")
2022-05-20 23:39:47 +02:00
pub async fn find_by_user(user_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
db_run! { conn: {
.filter(twofactor::atype.lt(1000)) // Filter implementation types
.expect("Error loading twofactor")
2022-05-20 23:39:47 +02:00
pub async fn find_by_user_and_type(user_uuid: &str, atype: i32, conn: &mut DbConn) -> Option<Self> {
db_run! { conn: {
2022-05-20 23:39:47 +02:00
pub async fn delete_all_by_user(user_uuid: &str, conn: &mut DbConn) -> EmptyResult {
db_run! { conn: {
.map_res("Error deleting twofactors")
pub async fn migrate_u2f_to_webauthn(conn: &mut DbConn) -> EmptyResult {
let u2f_factors = db_run! { conn: {
.filter(twofactor::atype.eq(TwoFactorType::U2f as i32))
.expect("Error loading twofactor")
use crate::api::core::two_factor::webauthn::U2FRegistration;
use crate::api::core::two_factor::webauthn::{get_webauthn_registrations, WebauthnRegistration};
2024-04-22 21:00:28 +02:00
use webauthn_rs_core::proto::*;
for mut u2f in u2f_factors {
let mut regs: Vec<U2FRegistration> = serde_json::from_str(&u2f.data)?;
// If there are no registrations or they are migrated (we do the migration in batch so we can consider them all migrated when the first one is)
if regs.is_empty() || regs[0].migrated == Some(true) {
let (_, mut webauthn_regs) = get_webauthn_registrations(&u2f.user_uuid, conn).await?;
// If the user already has webauthn registrations saved, don't overwrite them
if !webauthn_regs.is_empty() {
for reg in &mut regs {
let x: [u8; 32] = reg.reg.pub_key[1..33].try_into().unwrap();
let y: [u8; 32] = reg.reg.pub_key[33..65].try_into().unwrap();
let key = COSEKey {
type_: COSEAlgorithm::ES256,
key: COSEKeyType::EC_EC2(COSEEC2Key {
curve: ECDSACurve::SECP256R1,
2024-04-22 21:00:28 +02:00
x: x.to_vec().into(),
y: y.to_vec().into(),
2024-04-22 21:00:28 +02:00
let credential = CredentialV3 {
counter: reg.counter,
verified: false,
cred: key,
cred_id: reg.reg.key_handle.clone(),
registration_policy: UserVerificationPolicy::Preferred,
let new_reg = WebauthnRegistration {
id: reg.id,
migrated: true,
name: reg.name.clone(),
2024-04-22 21:00:28 +02:00
security_key: (Credential::from(credential).into()),
reg.migrated = Some(true);
u2f.data = serde_json::to_string(&regs)?;
TwoFactor::new(u2f.user_uuid.clone(), TwoFactorType::Webauthn, serde_json::to_string(&webauthn_regs)?)