Refactor authentication handling in Navigation and registration components to support lazy store access, improving resilience against Pinia initialization issues. Enhance registration logic to include optional password fallback for passkey users, with validation checks for password strength and confirmation. Update server-side registration to handle optional password securely, ensuring consistent user experience across different authentication methods.

2026-01-07 20:16:17 +01:00
parent 4c7ae87c70
commit 3d9b6b57dc
3 changed files with 79 additions and 19 deletions
--- a/server/api/auth/register-passkey.post.js
+++ b/server/api/auth/register-passkey.post.js
@@ -1,17 +1,18 @@
 import { verifyRegistrationResponse } from '@simplewebauthn/server'
 import crypto from 'crypto'
-import bcrypt from 'bcryptjs'
 import nodemailer from 'nodemailer'
-import { readUsers, writeUsers } from '../../utils/auth.js'
+import { hashPassword, readUsers, writeUsers } from '../../utils/auth.js'
 import { getWebAuthnConfig } from '../../utils/webauthn-config.js'
 import { consumePreRegistration } from '../../utils/webauthn-challenges.js'
 import { toBase64Url } from '../../utils/webauthn-encoding.js'
 import { writeAuditLog } from '../../utils/audit-log.js'
+import { assertPasswordNotPwned } from '../../utils/hibp.js'

 export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const registrationId = String(body?.registrationId || '')
  const response = body?.credential
+  const password = body?.password ? String(body.password) : ''

  if (!registrationId || !response) {
    throw createError({ statusCode: 400, statusMessage: 'Ungültige Anfrage' })
@@ -56,9 +57,18 @@ export default defineEventHandler(async (event) => {
  const credentialId = toBase64Url(credentialID)
  const publicKey = toBase64Url(credentialPublicKey)

-  // Dummy password hash (login via password isn't intended)
-  const salt = await bcrypt.genSalt(10)
-  const hashedPassword = await bcrypt.hash(crypto.randomBytes(32).toString('hex'), salt)
+  // Optional: Passwort als Fallback (z.B. Firefox/Linux) erlauben
+  let hashedPassword
+  if (password && password.trim().length > 0) {
+    if (password.length < 8) {
+      throw createError({ statusCode: 400, message: 'Das Passwort muss mindestens 8 Zeichen lang sein' })
+    }
+    await assertPasswordNotPwned(password)
+    hashedPassword = await hashPassword(password)
+  } else {
+    // Kein Passwort gesetzt: random Hash, damit bestehende Code-Pfade (verifyPassword) konsistent bleiben.
+    hashedPassword = await hashPassword(crypto.randomBytes(32).toString('hex'))
+  }

  const newUser = {
    id: String(userId),
@@ -115,7 +125,7 @@ export default defineEventHandler(async (event) => {
            <li><strong>Name:</strong> ${name}</li>
            <li><strong>E-Mail:</strong> ${email}</li>
            <li><strong>Telefon:</strong> ${phone || 'Nicht angegeben'}</li>
-            <li><strong>Login:</strong> Passkey (ohne Passwort)</li>
+            <li><strong>Login:</strong> Passkey${password ? ' + Passwort (Fallback)' : ' (ohne Passwort)'}</li>
          </ul>
          <p>Bitte prüfen Sie die Registrierung im CMS.</p>
        `