jackmechem/server-dash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security key support

Browse source
This commit is contained in:
Jack Mechem 2026-05-01 14:33:52 -07:00
parent ede90f8c7f
commit c991fe7b6d
6 changed files with 384 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

16
app/api/auth/login/route.ts
View file

@ -1,14 +1,14 @@
import { NextRequest, NextResponse } from "next/server"; import { NextRequest, NextResponse } from "next/server";
export async function POST(req: NextRequest) { export async function POST(req: NextRequest) {
const { username, password, totp } = await req.json(); const { username, password } = await req.json();
const res = await fetch("http://localhost:3001/auth/login", { const res = await fetch("http://localhost:3001/auth/login", {
method: "POST", method: "POST",
headers: { headers: {
Authorization: Authorization:
"Basic " + "Basic " +
Buffer.from(`${username}:${password}${totp}`).toString("base64"), Buffer.from(`${username}:${password}`).toString("base64"),
}, },
}); });
@ -16,14 +16,6 @@ export async function POST(req: NextRequest) {
return NextResponse.json({ error: "Invalid credentials" }, { status: 401 }); return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
} }
const { token } = await res.json(); // Returns { session_id, challenge } — browser completes the WebAuthn step
const response = NextResponse.json({ success: true }); return NextResponse.json(await res.json());
response.cookies.set("token", token, {
httpOnly: true,
secure: true,
sameSite: "strict",
maxAge: 60 * 60 * 8,
path: "/",
});
return response;
} }

17
app/api/auth/register/finish/route.ts Normal file
View file

@ -0,0 +1,17 @@
import { NextRequest, NextResponse } from "next/server";
export async function POST(req: NextRequest) {
const body = await req.json();
const res = await fetch("http://localhost:3001/auth/register/finish", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(body),
});
if (!res.ok) {
return NextResponse.json({ error: "Registration failed" }, { status: 400 });
}
return NextResponse.json(await res.json());
}

20
app/api/auth/register/start/route.ts Normal file
View file

@ -0,0 +1,20 @@
import { NextRequest, NextResponse } from "next/server";
export async function POST(req: NextRequest) {
const { username, password } = await req.json();
const res = await fetch("http://localhost:3001/auth/register/start", {
method: "POST",
headers: {
Authorization:
"Basic " +
Buffer.from(`${username}:${password}`).toString("base64"),
},
});
if (!res.ok) {
return NextResponse.json({ error: "Invalid credentials" }, { status: 401 });
}
return NextResponse.json(await res.json());
}

29
app/api/auth/verify/route.ts Normal file
View file

@ -0,0 +1,29 @@
import { NextRequest, NextResponse } from "next/server";
export async function POST(req: NextRequest) {
const body = await req.json();
const res = await fetch("http://localhost:3001/auth/verify", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(body),
});
if (!res.ok) {
return NextResponse.json(
{ error: "YubiKey verification failed" },
{ status: 401 },
);
}
const { token } = await res.json();
const response = NextResponse.json({ success: true });
response.cookies.set("token", token, {
httpOnly: true,
secure: true,
sameSite: "strict",
maxAge: 60 * 60 * 8,
path: "/",
});
return response;
}

148
app/auth/page.tsx
View file

@ -2,14 +2,30 @@
import { useState, useEffect } from "react"; import { useState, useEffect } from "react";
import { useRouter } from "next/navigation"; import { useRouter } from "next/navigation";
function b64uToBuf(b64u: string): ArrayBuffer {
const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
const bin = atob(b64);
const buf = new Uint8Array(bin.length);
for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
return buf.buffer;
}
function bufToB64u(buf: ArrayBuffer): string {
const bytes = new Uint8Array(buf);
let bin = "";
for (const b of bytes) bin += String.fromCharCode(b);
return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
}
type Status = "idle" | "checking" | "waiting_yubikey" | "verifying";
export default function AuthPage() { export default function AuthPage() {
const router = useRouter(); const router = useRouter();
const [username, setUsername] = useState(""); const [username, setUsername] = useState("");
const [password, setPassword] = useState(""); const [password, setPassword] = useState("");
const [totp, setTotp] = useState("");
const [error, setError] = useState(""); const [error, setError] = useState("");
const [loading, setLoading] = useState(false); const [status, setStatus] = useState<Status>("idle");
const [checking, setChecking] = useState(true); const [initialChecking, setInitialChecking] = useState(true);
useEffect(() => { useEffect(() => {
async function checkAuth() { async function checkAuth() {
@ -22,7 +38,7 @@ export default function AuthPage() {
router.push(callbackUrl); router.push(callbackUrl);
} }
} finally { } finally {
setChecking(false); setInitialChecking(false);
} }
} }
checkAuth(); checkAuth();
@ -30,29 +46,96 @@ export default function AuthPage() {
async function handleLogin(e: React.FormEvent) { async function handleLogin(e: React.FormEvent) {
e.preventDefault(); e.preventDefault();
setLoading(true);
setError(""); setError("");
setStatus("checking");
try { try {
const res = await fetch("/api/auth/login", { // Step 1: verify password → get WebAuthn challenge
const loginRes = await fetch("/api/auth/login", {
method: "POST", method: "POST",
headers: { "Content-Type": "application/json" }, headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username, password, totp }), body: JSON.stringify({ username, password }),
}); });
if (!res.ok) {
setError("Invalid credentials or authenticator code."); if (!loginRes.ok) {
setLoading(false); setError("Invalid credentials.");
setStatus("idle");
return; return;
} }
const { session_id, challenge } = await loginRes.json();
// Step 2: prompt YubiKey tap
setStatus("waiting_yubikey");
const opts = challenge.publicKey;
opts.challenge = b64uToBuf(opts.challenge);
if (opts.allowCredentials) {
opts.allowCredentials = opts.allowCredentials.map(
(c: { id: string; type: string; transports?: string[] }) => ({
...c,
id: b64uToBuf(c.id),
}),
);
}
let cred: PublicKeyCredential;
try {
cred = (await navigator.credentials.get({
publicKey: opts,
})) as PublicKeyCredential;
} catch (err: unknown) {
setError(
"YubiKey error: " +
(err instanceof Error ? err.message : "cancelled"),
);
setStatus("idle");
return;
}
// Step 3: verify assertion → set cookie
setStatus("verifying");
const assertion = cred.response as AuthenticatorAssertionResponse;
const verifyRes = await fetch("/api/auth/verify", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
session_id,
credential: {
id: cred.id,
rawId: bufToB64u(cred.rawId),
type: cred.type,
response: {
authenticatorData: bufToB64u(assertion.authenticatorData),
clientDataJSON: bufToB64u(assertion.clientDataJSON),
signature: bufToB64u(assertion.signature),
userHandle: assertion.userHandle
? bufToB64u(assertion.userHandle)
: null,
},
extensions: {},
},
}),
});
if (!verifyRes.ok) {
setError("YubiKey verification failed.");
setStatus("idle");
return;
}
const callbackUrl = const callbackUrl =
new URLSearchParams(window.location.search).get("callbackUrl") ?? "/"; new URLSearchParams(window.location.search).get("callbackUrl") ?? "/";
router.push(callbackUrl); router.push(callbackUrl);
} catch { } catch {
setError("Something went wrong. Try again."); setError("Something went wrong. Try again.");
setLoading(false); setStatus("idle");
} }
} }
if (checking) return null; if (initialChecking) return null;
const busy = status !== "idle";
return ( return (
<main className="h-full bg-gray-100 flex items-center justify-center"> <main className="h-full bg-gray-100 flex items-center justify-center">
@ -79,13 +162,14 @@ export default function AuthPage() {
value={username} value={username}
onChange={(e) => setUsername(e.target.value)} onChange={(e) => setUsername(e.target.value)}
required required
disabled={busy}
autoComplete="username" autoComplete="username"
className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors" className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
/> />
</div> </div>
{/* Password */} {/* Password */}
<div className="mb-4"> <div className="mb-6">
<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5"> <label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
Password Password
</label> </label>
@ -94,44 +178,38 @@ export default function AuthPage() {
value={password} value={password}
onChange={(e) => setPassword(e.target.value)} onChange={(e) => setPassword(e.target.value)}
required required
disabled={busy}
autoComplete="current-password" autoComplete="current-password"
className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors" className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
/> />
</div> </div>
{/* TOTP */} {/* YubiKey cue */}
<div className="mb-6"> {status === "waiting_yubikey" && (
<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5"> <p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
Authenticator code Touch your YubiKey
</label> </p>
<input )}
type="text"
value={totp}
onChange={(e) =>
setTotp(e.target.value.replace(/\D/g, "").slice(0, 6))
}
required
autoComplete="one-time-code"
inputMode="numeric"
placeholder="000000"
className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors tracking-widest"
/>
</div>
{/* Error */} {/* Error */}
{error && <p className="text-[13px] text-red-400 mb-4">{error}</p>} {error && (
<p className="text-[13px] text-red-400 mb-4">{error}</p>
)}
{/* Submit */} {/* Submit */}
<button <button
type="submit" type="submit"
disabled={loading} disabled={busy}
className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${ className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
loading busy
? "bg-blue-200 cursor-not-allowed" ? "bg-blue-200 cursor-not-allowed"
: "bg-blue-500 hover:bg-blue-400 cursor-pointer" : "bg-blue-500 hover:bg-blue-400 cursor-pointer"
}`} }`}
> >
{loading ? "Signing in..." : "Sign in"} {status === "idle" && "Sign in"}
{status === "checking" && "Checking…"}
{status === "waiting_yubikey" && "Waiting for YubiKey…"}
{status === "verifying" && "Verifying…"}
</button> </button>
</form> </form>
</div> </div>

201
app/enroll/page.tsx Normal file
View file

@ -0,0 +1,201 @@
"use client";
import { useState } from "react";
function b64uToBuf(b64u: string): ArrayBuffer {
const b64 = b64u.replace(/-/g, "+").replace(/_/g, "/");
const bin = atob(b64);
const buf = new Uint8Array(bin.length);
for (let i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
return buf.buffer;
}
function bufToB64u(buf: ArrayBuffer): string {
const bytes = new Uint8Array(buf);
let bin = "";
for (const b of bytes) bin += String.fromCharCode(b);
return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
}
type Status = "idle" | "starting" | "waiting_yubikey" | "saving" | "done" | "error";
export default function EnrollPage() {
const [username, setUsername] = useState("");
const [password, setPassword] = useState("");
const [status, setStatus] = useState<Status>("idle");
const [message, setMessage] = useState("");
async function enroll(e: React.FormEvent) {
e.preventDefault();
setStatus("starting");
setMessage("");
try {
// Step 1: get registration challenge
const startRes = await fetch("/api/auth/register/start", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username, password }),
});
if (!startRes.ok) {
setMessage("Invalid credentials.");
setStatus("error");
return;
}
const { session_id, challenge } = await startRes.json();
// Step 2: create credential with YubiKey
setStatus("waiting_yubikey");
const opts = challenge.publicKey;
opts.challenge = b64uToBuf(opts.challenge);
opts.user.id = b64uToBuf(opts.user.id);
if (opts.excludeCredentials) {
opts.excludeCredentials = opts.excludeCredentials.map(
(c: { id: string; type: string; transports?: string[] }) => ({
...c,
id: b64uToBuf(c.id),
}),
);
}
let cred: PublicKeyCredential;
try {
cred = (await navigator.credentials.create({
publicKey: opts,
})) as PublicKeyCredential;
} catch (err: unknown) {
setMessage(
"YubiKey error: " +
(err instanceof Error ? err.message : "cancelled"),
);
setStatus("error");
return;
}
// Step 3: save credential
setStatus("saving");
const attestation = cred.response as AuthenticatorAttestationResponse;
const finishRes = await fetch("/api/auth/register/finish", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
session_id,
credential: {
id: cred.id,
rawId: bufToB64u(cred.rawId),
type: cred.type,
response: {
attestationObject: bufToB64u(attestation.attestationObject),
clientDataJSON: bufToB64u(attestation.clientDataJSON),
transports: attestation.getTransports
? attestation.getTransports()
: [],
},
extensions: {},
},
}),
});
if (!finishRes.ok) {
setMessage("Registration failed. Check server logs.");
setStatus("error");
return;
}
setStatus("done");
setMessage("YubiKey enrolled! You can now log in.");
} catch {
setMessage("Something went wrong. Try again.");
setStatus("error");
}
}
const canSubmit = status === "idle" || status === "error";
const busy = !canSubmit;
return (
<main className="h-full bg-gray-100 flex items-center justify-center">
<div className="bg-white border border-gray-300 rounded-2xl md:p-12 p-8 w-full m-[10px] md:max-w-md shadow-sm">
{/* Header */}
<div className="mb-8">
<p className="text-[11px] tracking-widest text-blue-500 uppercase mb-2">
dell-xps-nixos-serv
</p>
<h1 className="text-[28px] font-normal text-gray-900 tracking-tight mb-1.5">
Enroll YubiKey
</h1>
<p className="text-sm text-gray-400">One-time security key setup</p>
</div>
{status === "done" ? (
<p className="text-sm text-green-500">{message}</p>
) : (
<form onSubmit={enroll}>
{/* Username */}
<div className="mb-4">
<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
Username
</label>
<input
type="text"
value={username}
onChange={(e) => setUsername(e.target.value)}
required
disabled={busy}
autoComplete="username"
className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
/>
</div>
{/* Password */}
<div className="mb-6">
<label className="block text-[11px] tracking-wider text-gray-400 uppercase mb-1.5">
Password
</label>
<input
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
required
disabled={busy}
autoComplete="current-password"
className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm text-gray-900 bg-gray-50 outline-none focus:border-blue-300 focus:ring-2 focus:ring-blue-50 transition-colors"
/>
</div>
{/* YubiKey cue */}
{status === "waiting_yubikey" && (
<p className="text-sm text-blue-500 mb-4 text-center animate-pulse">
Touch your YubiKey
</p>
)}
{/* Error */}
{status === "error" && message && (
<p className="text-[13px] text-red-400 mb-4">{message}</p>
)}
{/* Submit */}
<button
type="submit"
disabled={busy}
className={`w-full py-2.5 rounded-xl text-md border border-blue-600 shadow-sm text-white font-[600] tracking-wide transition-colors ${
busy
? "bg-blue-200 cursor-not-allowed"
: "bg-blue-500 hover:bg-blue-400 cursor-pointer"
}`}
>
{status === "idle" && "Register YubiKey"}
{status === "error" && "Try again"}
{status === "starting" && "Starting…"}
{status === "waiting_yubikey" && "Touch YubiKey…"}
{status === "saving" && "Saving…"}
</button>
</form>
)}
</div>
</main>
);
}