Support for passkey registration (#2885)

* support for fido2 auth

* stub out registration implementations

* stub out assertion steps and token issuance

* verify token

* webauthn tokenable

* remove duplicate expiration set

* revert sqlproj changes

* update sqlproj target framework

* update new validator signature

* [PM-2014] Passkey registration (#2915)

* [PM-2014] chore: rename `IWebAuthnRespository` to `IWebAuthnCredentialRepository`

* [PM-2014] fix: add missing service registration

* [PM-2014] feat: add user verification when fetching options

* [PM-2014] feat: create migration script for mssql

* [PM-2014] chore: append to todo comment

* [PM-2014] feat: add support for creation token

* [PM-2014] feat: implement credential saving

* [PM-2014] chore: add resident key TODO comment

* [PM-2014] feat: implement passkey listing

* [PM-2014] feat: implement deletion without user verification

* [PM-2014] feat: add user verification to delete

* [PM-2014] feat: implement passkey limit

* [PM-2014] chore: clean up todo comments

* [PM-2014] fix: add missing sql scripts

Missed staging them when commiting

* [PM-2014] feat: include options response model in swagger docs

* [PM-2014] chore: move properties after ctor

* [PM-2014] feat: use `Guid` directly as input paramter

* [PM-2014] feat: use nullable guid in token

* [PM-2014] chore: add new-line

* [PM-2014] feat: add support for feature flag

* [PM-2014] feat: start adding controller tests

* [PM-2014] feat: add user verification test

* [PM-2014] feat: add controller tests for token interaction

* [PM-2014] feat: add tokenable tests

* [PM-2014] chore: clean up commented premium check

* [PM-2014] feat: add user service test for credential limit

* [PM-2014] fix: run `dotnet format`

* [PM-2014] chore: remove trailing comma

* [PM-2014] chore: add `Async` suffix

* [PM-2014] chore: move delay to constant

* [PM-2014] chore: change `default` to `null`

* [PM-2014] chore: remove autogenerated weirdness

* [PM-2014] fix: lint

* Added check for PasswordlessLogin feature flag on new controller and methods. (#3284)

* Added check for PasswordlessLogin feature flag on new controller and methods.

* fix: build error from missing constructor argument

---------

Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>

* [PM-4171] Update DB to support PRF (#3321)

* [PM-4171] feat: update database to support PRF

* [PM-4171] feat: rename `DescriptorId` to `CredentialId`

* [PM-4171] feat: add PRF felds to domain object

* [PM-4171] feat: add `SupportsPrf` column

* [PM-4171] fix: add missing comma

* [PM-4171] fix: add comma

* [PM-3263] fix identity server tests for passkey registration (#3331)

* Added WebAuthnRepo to EF DI

* updated config to match current grant types

* Remove ExtensionGrantValidator (#3363)

* Linting

---------

Co-authored-by: Andreas Coroiu <acoroiu@bitwarden.com>
Co-authored-by: Andreas Coroiu <andreas.coroiu@gmail.com>
Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>
Co-authored-by: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Co-authored-by: Todd Martin <tmartin@bitwarden.com>

src/Core/Auth/Entities/WebAuthnCredential.cs

@@ -0,0 +1,32 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Entities;
+
+public class WebAuthnCredential : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    [MaxLength(50)]
+    public string Name { get; set; }
+    [MaxLength(256)]
+    public string PublicKey { get; set; }
+    [MaxLength(256)]
+    public string CredentialId { get; set; }
+    public int Counter { get; set; }
+    [MaxLength(20)]
+    public string Type { get; set; }
+    public Guid AaGuid { get; set; }
+    public string EncryptedUserKey { get; set; }
+    public string EncryptedPrivateKey { get; set; }
+    public string EncryptedPublicKey { get; set; }
+    public bool SupportsPrf { get; set; }
+    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
+
+    public void SetNewId()
+    {
+        Id = CoreHelpers.GenerateComb();
+    }
+}

src/Core/Auth/Models/Business/Tokenables/WebAuthnCredentialCreateOptionsTokenable.cs

@@ -0,0 +1,44 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+using Fido2NetLib;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnCredentialCreateOptionsTokenable : ExpiringTokenable
+{
+    // 7 minutes = max webauthn timeout (6 minutes) + slack for miscellaneous delays
+    private const double _tokenLifetimeInHours = (double)7 / 60;
+    public const string ClearTextPrefix = "BWWebAuthnCredentialCreateOptions_";
+    public const string DataProtectorPurpose = "WebAuthnCredentialCreateDataProtector";
+    public const string TokenIdentifier = "WebAuthnCredentialCreateOptionsToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid? UserId { get; set; }
+    public CredentialCreateOptions Options { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnCredentialCreateOptionsTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnCredentialCreateOptionsTokenable(User user, CredentialCreateOptions options) : this()
+    {
+        UserId = user?.Id;
+        Options = options;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (!Valid || user == null)
+        {
+            return false;
+        }
+
+        return UserId == user.Id;
+    }
+
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && UserId != null && Options != null;
+}
+

src/Core/Auth/Models/Business/Tokenables/WebAuthnLoginTokenable.cs

@@ -0,0 +1,43 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Entities;
+using Bit.Core.Tokens;
+
+namespace Bit.Core.Auth.Models.Business.Tokenables;
+
+public class WebAuthnLoginTokenable : ExpiringTokenable
+{
+    private const double _tokenLifetimeInHours = (double)1 / 60; // 1 minute
+    public const string ClearTextPrefix = "BWWebAuthnLogin_";
+    public const string DataProtectorPurpose = "WebAuthnLoginDataProtector";
+    public const string TokenIdentifier = "WebAuthnLoginToken";
+
+    public string Identifier { get; set; } = TokenIdentifier;
+    public Guid Id { get; set; }
+    public string Email { get; set; }
+
+    [JsonConstructor]
+    public WebAuthnLoginTokenable()
+    {
+        ExpirationDate = DateTime.UtcNow.AddHours(_tokenLifetimeInHours);
+    }
+
+    public WebAuthnLoginTokenable(User user) : this()
+    {
+        Id = user?.Id ?? default;
+        Email = user?.Email;
+    }
+
+    public bool TokenIsValid(User user)
+    {
+        if (Id == default || Email == default || user == null)
+        {
+            return false;
+        }
+
+        return Id == user.Id &&
+        Email.Equals(user.Email, StringComparison.InvariantCultureIgnoreCase);
+    }
+
+    // Validates deserialized 
+    protected override bool TokenIsValid() => Identifier == TokenIdentifier && Id != default && !string.IsNullOrWhiteSpace(Email);
+}

src/Core/Auth/Repositories/IWebAuthnCredentialRepository.cs

@@ -0,0 +1,10 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.Auth.Repositories;
+
+public interface IWebAuthnCredentialRepository : IRepository<WebAuthnCredential, Guid>
+{
+    Task<WebAuthnCredential> GetByIdAsync(Guid id, Guid userId);
+    Task<ICollection<WebAuthnCredential>> GetManyByUserIdAsync(Guid userId);
+}