Implemented U2F, refactored Two Factor authentication, registering U2F device and authentication should work. Works on Chrome on MacOS with a virtual device.

src/api/core/mod.rs

@@ -2,7 +2,7 @@ mod accounts;
 mod ciphers;
 mod folders;
 mod organizations;
-mod two_factor;
+pub(crate) mod two_factor;
 
 use self::accounts::*;
 use self::ciphers::*;
@@ -58,9 +58,11 @@ pub fn routes() -> Vec<Route> {
         get_twofactor,
         get_recover,
         recover,
+        disable_twofactor,
         generate_authenticator,
         activate_authenticator,
-        disable_authenticator,
+        generate_u2f,
+        activate_u2f,
 
         get_organization,
         create_organization,

src/api/core/two_factor.rs

@@ -1,28 +1,24 @@
-use rocket_contrib::{Json, Value};
-
 use data_encoding::BASE32;
+use rocket_contrib::{Json, Value};
+use serde_json;
 
-use db::DbConn;
+use db::{
+    models::{TwoFactor, TwoFactorType, User},
+    DbConn,
+};
 
 use crypto;
 
-use api::{PasswordData, JsonResult, NumberOrString, JsonUpcase};
+use api::{ApiResult, JsonResult, JsonUpcase, NumberOrString, PasswordData};
 use auth::Headers;
 
 #[get("/two-factor")]
-fn get_twofactor(headers: Headers) -> JsonResult {
-    let data = if headers.user.totp_secret.is_none() {
-        Value::Null
-    } else {
-        json!([{
-            "Enabled": true,
-            "Type": 0,
-            "Object": "twoFactorProvider"
-        }])
-    };
+fn get_twofactor(headers: Headers, conn: DbConn) -> JsonResult {
+    let twofactors = TwoFactor::find_by_user(&headers.user.uuid, &conn);
+    let twofactors_json: Vec<Value> = twofactors.iter().map(|c| c.to_json_list()).collect();
 
     Ok(Json(json!({
-        "Data": data,
+        "Data": twofactors_json,
         "Object": "list"
     })))
 }
@@ -58,7 +54,7 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
     // Get the user
     let mut user = match User::find_by_mail(&data.Email, &conn) {
         Some(user) => user,
-        None => err!("Username or password is incorrect. Try again.")
+        None => err!("Username or password is incorrect. Try again."),
     };
 
     // Check password
@@ -71,24 +67,69 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
         err!("Recovery code is incorrect. Try again.")
     }
 
-    user.totp_secret = None;
+    // Remove all twofactors from the user
+    for twofactor in TwoFactor::find_by_user(&user.uuid, &conn) {
+        twofactor.delete(&conn).expect("Error deleting twofactor");
+    }
+
+    // Remove the recovery code, not needed without twofactors
     user.totp_recover = None;
     user.save(&conn);
 
     Ok(Json(json!({})))
 }
 
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct DisableTwoFactorData {
+    MasterPasswordHash: String,
+    Type: NumberOrString,
+}
+
+#[post("/two-factor/disable", data = "<data>")]
+fn disable_twofactor(
+    data: JsonUpcase<DisableTwoFactorData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
+    let data: DisableTwoFactorData = data.into_inner().data;
+    let password_hash = data.MasterPasswordHash;
+
+    if !headers.user.check_valid_password(&password_hash) {
+        err!("Invalid password");
+    }
+
+    let type_ = data.Type.into_i32().expect("Invalid type");
+
+    if let Some(twofactor) = TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn) {
+        twofactor.delete(&conn).expect("Error deleting twofactor");
+    }
+
+    Ok(Json(json!({
+        "Enabled": false,
+        "Type": type_,
+        "Object": "twoFactorProvider"
+    })))
+}
+
 #[post("/two-factor/get-authenticator", data = "<data>")]
-fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers) -> JsonResult {
+fn generate_authenticator(
+    data: JsonUpcase<PasswordData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
     let data: PasswordData = data.into_inner().data;
 
     if !headers.user.check_valid_password(&data.MasterPasswordHash) {
         err!("Invalid password");
     }
 
-    let (enabled, key) = match headers.user.totp_secret {
-        Some(secret) => (true, secret),
-        _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20])))
+    let type_ = TwoFactorType::Authenticator as i32;
+    let twofactor = TwoFactor::find_by_user_and_type(&headers.user.uuid, type_, &conn);
+
+    let (enabled, key) = match twofactor {
+        Some(tf) => (true, tf.data),
+        _ => (false, BASE32.encode(&crypto::get_random(vec![0u8; 20]))),
     };
 
     Ok(Json(json!({
@@ -100,20 +141,24 @@ fn generate_authenticator(data: JsonUpcase<PasswordData>, headers: Headers) -> J
 
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
-struct EnableTwoFactorData {
+struct EnableAuthenticatorData {
     MasterPasswordHash: String,
     Key: String,
     Token: NumberOrString,
 }
 
 #[post("/two-factor/authenticator", data = "<data>")]
-fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
-    let data: EnableTwoFactorData = data.into_inner().data;
+fn activate_authenticator(
+    data: JsonUpcase<EnableAuthenticatorData>,
+    headers: Headers,
+    conn: DbConn,
+) -> JsonResult {
+    let data: EnableAuthenticatorData = data.into_inner().data;
     let password_hash = data.MasterPasswordHash;
     let key = data.Key;
     let token = match data.Token.into_i32() {
         Some(n) => n as u64,
-        None => err!("Malformed token")
+        None => err!("Malformed token"),
     };
 
     if !headers.user.check_valid_password(&password_hash) {
@@ -123,27 +168,24 @@ fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Header
     // Validate key as base32 and 20 bytes length
     let decoded_key: Vec<u8> = match BASE32.decode(key.as_bytes()) {
         Ok(decoded) => decoded,
-        _ => err!("Invalid totp secret")
+        _ => err!("Invalid totp secret"),
     };
 
     if decoded_key.len() != 20 {
         err!("Invalid key length")
     }
 
-    // Set key in user.totp_secret
-    let mut user = headers.user;
-    user.totp_secret = Some(key.to_uppercase());
+    let type_ = TwoFactorType::Authenticator;
+    let twofactor = TwoFactor::new(headers.user.uuid.clone(), type_, key.to_uppercase());
 
     // Validate the token provided with the key
-    if !user.check_totp_code(token) {
+    if !twofactor.check_totp_code(token) {
         err!("Invalid totp code")
     }
 
-    // Generate totp_recover
-    let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
-    user.totp_recover = Some(totp_recover);
-
-    user.save(&conn);
+    let mut user = headers.user;
+    _generate_recover_code(&mut user, &conn);
+    twofactor.save(&conn).expect("Error saving twofactor");
 
     Ok(Json(json!({
         "Enabled": true,
@@ -152,32 +194,228 @@ fn activate_authenticator(data: JsonUpcase<EnableTwoFactorData>, headers: Header
     })))
 }
 
-#[derive(Deserialize)]
-#[allow(non_snake_case)]
-struct DisableTwoFactorData {
-    MasterPasswordHash: String,
-    Type: NumberOrString,
+fn _generate_recover_code(user: &mut User, conn: &DbConn) {
+    if user.totp_recover.is_none() {
+        let totp_recover = BASE32.encode(&crypto::get_random(vec![0u8; 20]));
+        user.totp_recover = Some(totp_recover);
+        user.save(conn);
+    }
 }
 
-#[post("/two-factor/disable", data = "<data>")]
-fn disable_authenticator(data: JsonUpcase<DisableTwoFactorData>, headers: Headers, conn: DbConn) -> JsonResult {
-    let data: DisableTwoFactorData = data.into_inner().data;
-    let password_hash = data.MasterPasswordHash;
-    let _type = data.Type;
+use u2f::messages::{RegisterResponse, SignResponse, U2fSignRequest};
+use u2f::protocol::{Challenge, U2f};
+use u2f::register::Registration;
 
-    if !headers.user.check_valid_password(&password_hash) {
+use CONFIG;
+
+const U2F_VERSION: &str = "U2F_V2";
+
+lazy_static! {
+    static ref APP_ID: String = format!("{}/app-id.json", &CONFIG.domain);
+    static ref U2F: U2f = U2f::new(APP_ID.clone());
+}
+
+#[post("/two-factor/get-u2f", data = "<data>")]
+fn generate_u2f(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: PasswordData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
         err!("Invalid password");
     }
 
-    let mut user = headers.user;
-    user.totp_secret = None;
-    user.totp_recover = None;
+    let user_uuid = &headers.user.uuid;
 
-    user.save(&conn);
+    let u2f_type = TwoFactorType::U2f as i32;
+    let register_type = TwoFactorType::U2fRegisterChallenge;
+    let (enabled, challenge) = match TwoFactor::find_by_user_and_type(user_uuid, u2f_type, &conn) {
+        Some(_) => (true, String::new()),
+        None => {
+            let c = _create_u2f_challenge(user_uuid, register_type, &conn);
+            (false, c.challenge)
+        }
+    };
 
     Ok(Json(json!({
-        "Enabled": false,
-        "Type": 0,
-        "Object": "twoFactorProvider"
+        "Enabled": enabled,
+        "Challenge": {
+            "UserId": headers.user.uuid,
+            "AppId": APP_ID.to_string(),
+            "Challenge": challenge,
+            "Version": U2F_VERSION,
+        },
+        "Object": "twoFactorU2f"
     })))
 }
+
+#[derive(Deserialize, Debug)]
+#[allow(non_snake_case)]
+struct EnableU2FData {
+    MasterPasswordHash: String,
+    DeviceResponse: String,
+}
+
+#[post("/two-factor/u2f", data = "<data>")]
+fn activate_u2f(data: JsonUpcase<EnableU2FData>, headers: Headers, conn: DbConn) -> JsonResult {
+    let data: EnableU2FData = data.into_inner().data;
+
+    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
+        err!("Invalid password");
+    }
+
+    let tf_challenge = TwoFactor::find_by_user_and_type(
+        &headers.user.uuid,
+        TwoFactorType::U2fRegisterChallenge as i32,
+        &conn,
+    );
+
+    if let Some(tf_challenge) = tf_challenge {
+        let challenge: Challenge = serde_json::from_str(&tf_challenge.data).unwrap();
+        tf_challenge
+            .delete(&conn)
+            .expect("Error deleting U2F register challenge");
+
+        let response: RegisterResponse = serde_json::from_str(&data.DeviceResponse).unwrap();
+
+        match U2F.register_response(challenge.clone(), response) {
+            Ok(registration) => {
+                // TODO: Allow more than one U2F device
+                let mut registrations = Vec::new();
+                registrations.push(registration);
+
+                let tf_registration = TwoFactor::new(
+                    headers.user.uuid.clone(),
+                    TwoFactorType::U2f,
+                    serde_json::to_string(&registrations).unwrap(),
+                );
+                tf_registration
+                    .save(&conn)
+                    .expect("Error saving U2F registration");
+
+                let mut user = headers.user;
+                _generate_recover_code(&mut user, &conn);
+
+                Ok(Json(json!({
+                    "Enabled": true,
+                    "Challenge": {
+                        "UserId": user.uuid,
+                        "AppId": APP_ID.to_string(),
+                        "Challenge": challenge,
+                        "Version": U2F_VERSION,
+                    },
+                    "Object": "twoFactorU2f"
+                })))
+            }
+            Err(e) => {
+                println!("Error: {:#?}", e);
+                err!("Error activating u2f")
+            }
+        }
+    } else {
+        err!("Can't recover challenge")
+    }
+}
+
+fn _create_u2f_challenge(user_uuid: &str, type_: TwoFactorType, conn: &DbConn) -> Challenge {
+    let challenge = U2F.generate_challenge().unwrap();
+
+    TwoFactor::new(
+        user_uuid.into(),
+        type_,
+        serde_json::to_string(&challenge).unwrap(),
+    ).save(conn)
+        .expect("Error saving challenge");
+
+    challenge
+}
+
+// This struct is copied from the U2F lib
+// because it doesn't implement Deserialize
+#[derive(Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct RegistrationCopy {
+    pub key_handle: Vec<u8>,
+    pub pub_key: Vec<u8>,
+    pub attestation_cert: Option<Vec<u8>>,
+}
+
+impl Into<Registration> for RegistrationCopy {
+    fn into(self) -> Registration {
+        Registration {
+            key_handle: self.key_handle,
+            pub_key: self.pub_key,
+            attestation_cert: self.attestation_cert,
+        }
+    }
+}
+
+fn _parse_registrations(registations: &str) -> Vec<Registration> {
+    let registrations_copy: Vec<RegistrationCopy> = serde_json::from_str(registations).unwrap();
+
+    registrations_copy.into_iter().map(Into::into).collect()
+}
+
+pub fn generate_u2f_login(user_uuid: &str, conn: &DbConn) -> ApiResult<U2fSignRequest> {
+    let challenge = _create_u2f_challenge(user_uuid, TwoFactorType::U2fLoginChallenge, conn);
+
+    let type_ = TwoFactorType::U2f as i32;
+    let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, type_, conn) {
+        Some(tf) => tf,
+        None => err!("No U2F devices registered"),
+    };
+
+    let registrations = _parse_registrations(&twofactor.data);
+    let signed_request: U2fSignRequest = U2F.sign_request(challenge, registrations);
+
+    Ok(signed_request)
+}
+
+pub fn validate_u2f_login(user_uuid: &str, response: &str, conn: &DbConn) -> ApiResult<()> {
+    let challenge_type = TwoFactorType::U2fLoginChallenge as i32;
+    let u2f_type = TwoFactorType::U2f as i32;
+
+    let tf_challenge = TwoFactor::find_by_user_and_type(user_uuid, challenge_type, &conn);
+
+    let challenge = match tf_challenge {
+        Some(tf_challenge) => {
+            let challenge: Challenge = serde_json::from_str(&tf_challenge.data).unwrap();
+            tf_challenge
+                .delete(&conn)
+                .expect("Error deleting U2F login challenge");
+            challenge
+        }
+        None => err!("Can't recover login challenge"),
+    };
+
+    let twofactor = match TwoFactor::find_by_user_and_type(user_uuid, u2f_type, conn) {
+        Some(tf) => tf,
+        None => err!("No U2F devices registered"),
+    };
+
+    let registrations = _parse_registrations(&twofactor.data);
+
+    println!("response {:#?}", response);
+
+    let response: SignResponse = serde_json::from_str(response).unwrap();
+
+    println!("client_data {:#?}", response.client_data);
+    println!("key_handle {:#?}", response.key_handle);
+    println!("signature_data {:#?}", response.signature_data);
+
+    let mut _counter: u32 = 0;
+    for registration in registrations {
+        let response =
+            U2F.sign_response(challenge.clone(), registration, response.clone(), _counter);
+        match response {
+            Ok(new_counter) => {
+                _counter = new_counter;
+                println!("O {:#}", new_counter);
+                return Ok(());
+            }
+            Err(e) => {
+                println!("E {:#}", e);
+                break;
+            }
+        }
+    }
+    err!("error verifying response")
+}

src/api/identity.rs

@@ -1,19 +1,21 @@
 use std::collections::HashMap;
 
-use rocket::{Route, Outcome};
-use rocket::request::{self, Request, FromRequest, Form, FormItems, FromForm};
+use rocket::request::{self, Form, FormItems, FromForm, FromRequest, Request};
+use rocket::{Outcome, Route};
 
 use rocket_contrib::{Json, Value};
 
-use db::DbConn;
+use num_traits::FromPrimitive;
+
 use db::models::*;
+use db::DbConn;
 
-use util;
+use util::{self, JsonMap};
 
-use api::JsonResult;
+use api::{ApiResult, JsonResult};
 
 pub fn routes() -> Vec<Route> {
-    routes![ login]
+    routes![login]
 }
 
 #[post("/connect/token", data = "<connect_data>")]
@@ -21,8 +23,8 @@ fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn)
     let data = connect_data.get();
 
     match data.grant_type {
-        GrantType::RefreshToken =>_refresh_login(data, device_type, conn),
-        GrantType::Password => _password_login(data, device_type, conn)
+        GrantType::RefreshToken => _refresh_login(data, device_type, conn),
+        GrantType::Password => _password_login(data, device_type, conn),
     }
 }
 
@@ -33,7 +35,7 @@ fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) ->
     // Get device by refresh token
     let mut device = match Device::find_by_refresh_token(token, &conn) {
         Some(device) => device,
-        None => err!("Invalid refresh token")
+        None => err!("Invalid refresh token"),
     };
 
     // COMMON
@@ -64,7 +66,7 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
     let username = data.get("username");
     let user = match User::find_by_mail(username, &conn) {
         Some(user) => user,
-        None => err!("Username or password is incorrect. Try again.")
+        None => err!("Username or password is incorrect. Try again."),
     };
 
     // Check password
@@ -72,7 +74,7 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
     if !user.check_valid_password(password) {
         err!("Username or password is incorrect. Try again.")
     }
-    
+
     // Let's only use the header and ignore the 'devicetype' parameter
     let device_type_num = device_type.0;
 
@@ -102,42 +104,7 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
         }
     };
 
-    let twofactor_token = if user.requires_twofactor() {
-        let twofactor_provider = util::parse_option_string(data.get_opt("twoFactorProvider")).unwrap_or(0);
-        let twofactor_code = match data.get_opt("twoFactorToken") {
-            Some(code) => code,
-            None => err_json!(_json_err_twofactor())
-        };
-
-       match twofactor_provider {
-            0 /* TOTP */ => { 
-                let totp_code: u64 = match twofactor_code.parse() {
-                    Ok(code) => code,
-                    Err(_) => err!("Invalid Totp code")
-                };
-
-                if !user.check_totp_code(totp_code) {
-                    err_json!(_json_err_twofactor())
-                }
-
-                if util::parse_option_string(data.get_opt("twoFactorRemember")).unwrap_or(0) == 1 {
-                    device.refresh_twofactor_remember();
-                    device.twofactor_remember.clone()
-                } else {
-                    device.delete_twofactor_remember();
-                    None
-                }
-            },
-            5 /* Remember */ => {
-                match device.twofactor_remember {
-                    Some(ref remember) if remember == twofactor_code => (),
-                    _ => err_json!(_json_err_twofactor())
-                };
-                None // No twofactor token needed here
-            },
-            _ => err!("Invalid two factor provider"),
-        }
-    } else { None };  // No twofactor token if twofactor is disabled
+    let twofactor_token = twofactor_auth(&user.uuid, &data, &mut device, &conn)?;
 
     // Common
     let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
@@ -163,13 +130,124 @@ fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) ->
     Ok(Json(result))
 }
 
-fn _json_err_twofactor() -> Value {
-    json!({
+fn twofactor_auth(
+    user_uuid: &str,
+    data: &ConnectData,
+    device: &mut Device,
+    conn: &DbConn,
+) -> ApiResult<Option<String>> {
+    let twofactors_raw = TwoFactor::find_by_user(user_uuid, conn);
+    // Remove u2f challenge twofactors (impl detail)
+    let twofactors: Vec<_> = twofactors_raw.iter().filter(|tf| tf.type_ < 1000).collect();
+
+    let providers: Vec<_> = twofactors.iter().map(|tf| tf.type_).collect();
+
+    // No twofactor token if twofactor is disabled
+    if twofactors.len() == 0 {
+        return Ok(None);
+    }
+
+    let provider = match util::parse_option_string(data.get_opt("twoFactorProvider")) {
+        Some(provider) => provider,
+        None => providers[0], // If we aren't given a two factor provider, asume the first one
+    };
+
+    let twofactor_code = match data.get_opt("twoFactorToken") {
+        Some(code) => code,
+        None => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+    };
+
+    let twofactor = twofactors.iter().filter(|tf| tf.type_ == provider).nth(0);
+
+    match TwoFactorType::from_i32(provider) {
+        Some(TwoFactorType::Remember) => {
+            match &device.twofactor_remember {
+                Some(remember) if remember == twofactor_code => return Ok(None), // No twofactor token needed here
+                _ => err_json!(_json_err_twofactor(&providers, user_uuid, conn)?),
+            }
+        }
+
+        Some(TwoFactorType::Authenticator) => {
+            let twofactor = match twofactor {
+                Some(tf) => tf,
+                None => err!("TOTP not enabled"),
+            };
+
+            let totp_code: u64 = match twofactor_code.parse() {
+                Ok(code) => code,
+                _ => err!("Invalid TOTP code"),
+            };
+
+            if !twofactor.check_totp_code(totp_code) {
+                err_json!(_json_err_twofactor(&providers, user_uuid, conn)?)
+            }
+        }
+
+        Some(TwoFactorType::U2f) => {
+            use api::core::two_factor;
+
+            two_factor::validate_u2f_login(user_uuid, twofactor_code, conn)?;
+        }
+
+        _ => err!("Invalid two factor provider"),
+    }
+
+    if util::parse_option_string(data.get_opt("twoFactorRemember")).unwrap_or(0) == 1 {
+        Ok(Some(device.refresh_twofactor_remember()))
+    } else {
+        device.delete_twofactor_remember();
+        Ok(None)
+    }
+}
+
+fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> ApiResult<Value> {
+    use api::core::two_factor;
+
+    let mut result = json!({
         "error" : "invalid_grant",
         "error_description" : "Two factor required.",
-        "TwoFactorProviders" : [ 0 ],
-        "TwoFactorProviders2" : { "0" : null }
-    })
+        "TwoFactorProviders" : providers,
+        "TwoFactorProviders2" : {} // { "0" : null }
+    });
+
+    for provider in providers {
+        result["TwoFactorProviders2"][provider.to_string()] = Value::Null;
+
+        match TwoFactorType::from_i32(*provider) {
+            Some(TwoFactorType::Authenticator) => { /* Nothing to do for TOTP */ }
+
+            Some(TwoFactorType::U2f) => {
+                let request = two_factor::generate_u2f_login(user_uuid, conn)?;
+                let mut challenge_list = Vec::new();
+
+                for key in request.registered_keys {
+                    let mut challenge_map = JsonMap::new();
+
+                    challenge_map.insert("appId".into(), Value::String(request.app_id.clone()));
+                    challenge_map
+                        .insert("challenge".into(), Value::String(request.challenge.clone()));
+                    challenge_map.insert("version".into(), Value::String(key.version));
+                    challenge_map.insert(
+                        "keyHandle".into(),
+                        Value::String(key.key_handle.unwrap_or_default()),
+                    );
+
+                    challenge_list.push(Value::Object(challenge_map));
+                }
+
+                let mut map = JsonMap::new();
+                use serde_json;
+                let challenge_list_str = serde_json::to_string(&challenge_list).unwrap();
+
+                map.insert("Challenges".into(), Value::String(challenge_list_str));
+                result["TwoFactorProviders2"][provider.to_string()] = Value::Object(map);
+            }
+
+            _ => {}
+        }
+    }
+
+    Ok(result)
 }
 
 #[derive(Clone, Copy)]
@@ -187,7 +265,6 @@ impl<'a, 'r> FromRequest<'a, 'r> for DeviceType {
     }
 }
 
-
 #[derive(Debug)]
 struct ConnectData {
     grant_type: GrantType,
@@ -196,7 +273,10 @@ struct ConnectData {
 }
 
 #[derive(Debug, Copy, Clone)]
-enum GrantType { RefreshToken, Password }
+enum GrantType {
+    RefreshToken,
+    Password,
+}
 
 impl ConnectData {
     fn get(&self, key: &str) -> &String {
@@ -227,25 +307,28 @@ impl<'f> FromForm<'f> for ConnectData {
         }
 
         // Validate needed values
-        let (grant_type, is_device) =
-            match data.get("grant_type").map(String::as_ref) {
-                Some("refresh_token") => {
-                    check_values(&data, &VALUES_REFRESH)?;
-                    (GrantType::RefreshToken, false) // Device doesn't matter here
-                }
-                Some("password") => {
-                    check_values(&data, &VALUES_PASSWORD)?;
+        let (grant_type, is_device) = match data.get("grant_type").map(String::as_ref) {
+            Some("refresh_token") => {
+                check_values(&data, &VALUES_REFRESH)?;
+                (GrantType::RefreshToken, false) // Device doesn't matter here
+            }
+            Some("password") => {
+                check_values(&data, &VALUES_PASSWORD)?;
 
-                    let is_device = match data["client_id"].as_ref() {
-                        "browser" | "mobile" => check_values(&data, &VALUES_DEVICE)?,
-                        _ => false
-                    };
-                    (GrantType::Password, is_device)
-                }
-                _ => return Err("Grant type not supported".to_string())
-            };
+                let is_device = match data["client_id"].as_ref() {
+                    "browser" | "mobile" => check_values(&data, &VALUES_DEVICE)?,
+                    _ => false,
+                };
+                (GrantType::Password, is_device)
+            }
+            _ => return Err("Grant type not supported".to_string()),
+        };
 
-        Ok(ConnectData { grant_type, is_device, data })
+        Ok(ConnectData {
+            grant_type,
+            is_device,
+            data,
+        })
     }
 }
 

src/api/mod.rs

@@ -1,4 +1,4 @@
-mod core;
+pub(crate) mod core;
 mod icons;
 mod identity;
 mod web;
@@ -12,8 +12,9 @@ use rocket::response::status::BadRequest;
 use rocket_contrib::Json;
 
 // Type aliases for API methods results
-type JsonResult = Result<Json, BadRequest<Json>>;
-type EmptyResult = Result<(), BadRequest<Json>>;
+type ApiResult<T> = Result<T, BadRequest<Json>>;
+type JsonResult = ApiResult<Json>;
+type EmptyResult = ApiResult<()>;
 
 use util;
 type JsonUpcase<T> = Json<util::UpCase<T>>;

src/api/web.rs

@@ -4,13 +4,13 @@ use std::path::{Path, PathBuf};
 use rocket::request::Request;
 use rocket::response::{self, NamedFile, Responder};
 use rocket::Route;
-use rocket_contrib::Json;
+use rocket_contrib::{Json, Value};
 
 use CONFIG;
 
 pub fn routes() -> Vec<Route> {
     if CONFIG.web_vault_enabled {
-        routes![web_index, web_files, attachments, alive]
+        routes![web_index, app_id, web_files, attachments, alive]
     } else {
         routes![attachments, alive]
     }
@@ -22,6 +22,20 @@ fn web_index() -> WebHeaders<io::Result<NamedFile>> {
     web_files("index.html".into())
 }
 
+#[get("/app-id.json")]
+fn app_id() -> WebHeaders<Json<Value>> {
+    WebHeaders(Json(json!({
+    "trustedFacets": [
+        {
+        "version": { "major": 1, "minor": 0 },
+        "ids": [
+            &CONFIG.domain,
+            "ios:bundle-id:com.8bit.bitwarden",
+            "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" ]
+        }]
+    })))
+}
+
 #[get("/<p..>", rank = 1)] // Only match this if the other routes don't match
 fn web_files(p: PathBuf) -> WebHeaders<io::Result<NamedFile>> {
     WebHeaders(NamedFile::open(Path::new(&CONFIG.web_vault_folder).join(p)))

src/auth.rs

@@ -11,11 +11,11 @@ use serde::ser::Serialize;
 use CONFIG;
 
 const JWT_ALGORITHM: jwt::Algorithm = jwt::Algorithm::RS256;
- // TODO: This isn't used, but we  should make sure it represents the correct address
-pub const JWT_ISSUER: &str = "localhost:8000/identity";
 
 lazy_static! {
     pub static ref DEFAULT_VALIDITY: Duration = Duration::hours(2);
+    pub static ref JWT_ISSUER: String = CONFIG.domain.clone();
+
     static ref JWT_HEADER: jwt::Header = jwt::Header::new(JWT_ALGORITHM);
 
     static ref PRIVATE_RSA_KEY: Vec<u8> = match read_file(&CONFIG.private_rsa_key) {
@@ -43,7 +43,7 @@ pub fn decode_jwt(token: &str) -> Result<JWTClaims, String> {
         validate_iat: true,
         validate_nbf: true,
         aud: None,
-        iss: Some(JWT_ISSUER.into()),
+        iss: Some(JWT_ISSUER.clone()),
         sub: None,
         algorithms: vec![JWT_ALGORITHM],
     };

src/db/models/device.rs

@@ -43,11 +43,14 @@ impl Device {
         }
     }
 
-    pub fn refresh_twofactor_remember(&mut self) {
+    pub fn refresh_twofactor_remember(&mut self) -> String {
         use data_encoding::BASE64;
         use crypto;
 
-        self.twofactor_remember = Some(BASE64.encode(&crypto::get_random(vec![0u8; 180])));
+        let twofactor_remember = BASE64.encode(&crypto::get_random(vec![0u8; 180]));
+        self.twofactor_remember = Some(twofactor_remember.clone());
+
+        twofactor_remember
     }
 
     pub fn delete_twofactor_remember(&mut self) {

src/db/models/mod.rs

@@ -6,6 +6,7 @@ mod user;
 
 mod collection;
 mod organization;
+mod two_factor;
 
 pub use self::attachment::Attachment;
 pub use self::cipher::Cipher;
@@ -15,3 +16,4 @@ pub use self::user::User;
 pub use self::organization::Organization;
 pub use self::organization::{UserOrganization, UserOrgStatus, UserOrgType};
 pub use self::collection::{Collection, CollectionUser, CollectionCipher};
+pub use self::two_factor::{TwoFactor, TwoFactorType};

src/db/models/two_factor.rs

@@ -0,0 +1,112 @@
+use serde_json::Value as JsonValue;
+
+use uuid::Uuid;
+
+use super::User;
+
+#[derive(Debug, Identifiable, Queryable, Insertable, Associations)]
+#[table_name = "twofactor"]
+#[belongs_to(User, foreign_key = "user_uuid")]
+#[primary_key(uuid)]
+pub struct TwoFactor {
+    pub uuid: String,
+    pub user_uuid: String,
+    pub type_: i32,
+    pub enabled: bool,
+    pub data: String,
+}
+
+#[allow(dead_code)]
+#[derive(FromPrimitive, ToPrimitive)]
+pub enum TwoFactorType {
+    Authenticator = 0,
+    Email = 1,
+    Duo = 2,
+    YubiKey = 3,
+    U2f = 4,
+    Remember = 5,
+    OrganizationDuo = 6,
+
+    // These are implementation details
+    U2fRegisterChallenge = 1000,
+    U2fLoginChallenge = 1001,
+}
+
+/// Local methods
+impl TwoFactor {
+    pub fn new(user_uuid: String, type_: TwoFactorType, data: String) -> Self {
+        Self {
+            uuid: Uuid::new_v4().to_string(),
+            user_uuid,
+            type_: type_ as i32,
+            enabled: true,
+            data,
+        }
+    }
+
+    pub fn check_totp_code(&self, totp_code: u64) -> bool {
+        let totp_secret = self.data.as_bytes();
+
+        use data_encoding::BASE32;
+        use oath::{totp_raw_now, HashType};
+
+        let decoded_secret = match BASE32.decode(totp_secret) {
+            Ok(s) => s,
+            Err(_) => return false
+        };
+
+        let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
+        generated == totp_code
+    }
+
+    pub fn to_json(&self) -> JsonValue {
+        json!({
+            "Enabled": self.enabled,
+            "Key": "", // This key and value vary
+            "Object": "twoFactorAuthenticator" // This value varies
+        })
+    }
+
+    pub fn to_json_list(&self) -> JsonValue {
+        json!({
+            "Enabled": self.enabled,
+            "Type": self.type_,
+            "Object": "twoFactorProvider"
+        })
+    }
+}
+
+use diesel;
+use diesel::prelude::*;
+use db::DbConn;
+use db::schema::twofactor;
+
+/// Database methods
+impl TwoFactor {
+    pub fn save(&self, conn: &DbConn) -> QueryResult<usize> {
+        diesel::replace_into(twofactor::table)
+            .values(self)
+            .execute(&**conn)
+    }
+
+    pub fn delete(self, conn: &DbConn) -> QueryResult<usize> {
+        diesel::delete(
+            twofactor::table.filter(
+                twofactor::uuid.eq(self.uuid)
+            )
+        ).execute(&**conn)
+    }
+
+    pub fn find_by_user(user_uuid: &str, conn: &DbConn) -> Vec<Self> {
+        twofactor::table
+            .filter(twofactor::user_uuid.eq(user_uuid))
+            .load::<Self>(&**conn).expect("Error loading twofactor")
+    }
+
+    pub fn find_by_user_and_type(user_uuid: &str, type_: i32, conn: &DbConn) -> Option<Self> {
+        twofactor::table
+            .filter(twofactor::user_uuid.eq(user_uuid))
+            .filter(twofactor::type_.eq(type_))
+            .first::<Self>(&**conn).ok()
+    }
+}

src/db/models/user.rs

@@ -27,7 +27,8 @@ pub struct User {
     pub private_key: Option<String>,
     pub public_key: Option<String>,
     
-    pub totp_secret: Option<String>,
+    #[column_name = "totp_secret"]
+    _totp_secret: Option<String>,
     pub totp_recover: Option<String>,
 
     pub security_stamp: String,
@@ -64,7 +65,7 @@ impl User {
             private_key: None,
             public_key: None,
             
-            totp_secret: None,
+            _totp_secret: None,
             totp_recover: None,
 
             equivalent_domains: "[]".to_string(),
@@ -97,28 +98,6 @@ impl User {
     pub fn reset_security_stamp(&mut self) {
         self.security_stamp = Uuid::new_v4().to_string();
     }
-
-    pub fn requires_twofactor(&self) -> bool {
-        self.totp_secret.is_some()
-    }
-
-    pub fn check_totp_code(&self, totp_code: u64) -> bool {
-        if let Some(ref totp_secret) = self.totp_secret {
-            // Validate totp
-            use data_encoding::BASE32;
-            use oath::{totp_raw_now, HashType};
-
-            let decoded_secret = match BASE32.decode(totp_secret.as_bytes()) {
-                Ok(s) => s,
-                Err(_) => return false
-            };
-
-            let generated = totp_raw_now(&decoded_secret, 6, 0, 30, &HashType::SHA1);
-            generated == totp_code
-        } else {
-            true
-        }
-    }
 }
 
 use diesel;
@@ -130,10 +109,13 @@ use db::schema::users;
 impl User {
     pub fn to_json(&self, conn: &DbConn) -> JsonValue {
         use super::UserOrganization;
+        use super::TwoFactor;
 
         let orgs = UserOrganization::find_by_user(&self.uuid, conn);
         let orgs_json: Vec<JsonValue> = orgs.iter().map(|c| c.to_json(&conn)).collect();
 
+        let twofactor_enabled = TwoFactor::find_by_user(&self.uuid, conn).len() > 0;
+
         json!({
             "Id": self.uuid,
             "Name": self.name,
@@ -142,7 +124,7 @@ impl User {
             "Premium": true,
             "MasterPasswordHint": self.password_hint,
             "Culture": "en-US",
-            "TwoFactorEnabled": self.totp_secret.is_some(),
+            "TwoFactorEnabled": twofactor_enabled,
             "Key": self.key,
             "PrivateKey": self.private_key,
             "SecurityStamp": self.security_stamp,

src/db/schema.rs

@@ -79,6 +79,17 @@ table! {
     }
 }
 
+table! {
+    twofactor (uuid) {
+        uuid -> Text,
+        user_uuid -> Text,
+        #[sql_name = "type"]
+        type_ -> Integer,
+        enabled -> Bool,
+        data -> Text,
+    }
+}
+
 table! {
     users (uuid) {
         uuid -> Text,
@@ -132,6 +143,7 @@ joinable!(devices -> users (user_uuid));
 joinable!(folders -> users (user_uuid));
 joinable!(folders_ciphers -> ciphers (cipher_uuid));
 joinable!(folders_ciphers -> folders (folder_uuid));
+joinable!(twofactor -> users (user_uuid));
 joinable!(users_collections -> collections (collection_uuid));
 joinable!(users_collections -> users (user_uuid));
 joinable!(users_organizations -> organizations (org_uuid));
@@ -146,6 +158,7 @@ allow_tables_to_appear_in_same_query!(
     folders,
     folders_ciphers,
     organizations,
+    twofactor,
     users,
     users_collections,
     users_organizations,

src/main.rs

@@ -19,9 +19,13 @@ extern crate chrono;
 extern crate oath;
 extern crate data_encoding;
 extern crate jsonwebtoken as jwt;
+extern crate u2f;
 extern crate dotenv;
 #[macro_use]
 extern crate lazy_static;
+#[macro_use]
+extern crate num_derive;
+extern crate num_traits;
 
 use std::{env, path::Path, process::{exit, Command}};
 use rocket::Rocket;
@@ -160,6 +164,7 @@ pub struct Config {
     local_icon_extractor: bool,
     signups_allowed: bool,
     password_iterations: i32,
+    domain: String,
 }
 
 impl Config {
@@ -184,6 +189,7 @@ impl Config {
             local_icon_extractor: util::parse_option_string(env::var("LOCAL_ICON_EXTRACTOR").ok()).unwrap_or(false),
             signups_allowed: util::parse_option_string(env::var("SIGNUPS_ALLOWED").ok()).unwrap_or(true),
             password_iterations: util::parse_option_string(env::var("PASSWORD_ITERATIONS").ok()).unwrap_or(100_000),
+            domain: env::var("DOMAIN").unwrap_or("https://localhost".into()),
         }
     }
 }

src/util.rs

@@ -132,7 +132,9 @@ pub fn format_date(date: &NaiveDateTime) -> String {
 use std::fmt;
 
 use serde::de::{self, DeserializeOwned, Deserializer, MapAccess, SeqAccess, Visitor};
-use serde_json::Value;
+use serde_json::{self, Value};
+
+pub type JsonMap = serde_json::Map<String, Value>;
 
 #[derive(PartialEq, Serialize, Deserialize)]
 pub struct UpCase<T: DeserializeOwned> {
@@ -162,8 +164,7 @@ impl<'de> Visitor<'de> for UpCaseVisitor {
     fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error>
         where A: MapAccess<'de>
     {
-        use serde_json::Map;
-        let mut result_map = Map::<String, Value>::new();
+        let mut result_map = JsonMap::new();
 
         while let Some((key, value)) = map.next_entry()? {
             result_map.insert(upcase_first(key), upcase_value(&value));