Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.
This commit is contained in:
Torsten Schulz (local)
51
server/api/auth/passkeys/registration-options.post.js
Normal file
51
server/api/auth/passkeys/registration-options.post.js
Normal file
@@ -0,0 +1,51 @@
|
||||
import { generateRegistrationOptions } from '@simplewebauthn/server'
|
||||
import { getUserFromToken, hasAnyRole } from '../../../utils/auth.js'
|
||||
import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
|
||||
import { setRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
|
||||
import { writeAuditLog } from '../../../utils/audit-log.js'
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const token = getCookie(event, 'auth_token')
|
||||
const user = token ? await getUserFromToken(token) : null
|
||||
|
||||
if (!user) {
|
||||
throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
|
||||
}
|
||||
|
||||
// Mindestens für Admin/Vorstand anbieten (und auch für Mitglieder ok)
|
||||
if (!hasAnyRole(user, 'admin', 'vorstand', 'mitglied', 'newsletter')) {
|
||||
throw createError({ statusCode: 403, statusMessage: 'Keine Berechtigung' })
|
||||
}
|
||||
|
||||
const { rpId, rpName } = getWebAuthnConfig()
|
||||
|
||||
const existing = Array.isArray(user.passkeys) ? user.passkeys : []
|
||||
const excludeCredentials = existing
|
||||
.filter(pk => pk && pk.credentialId)
|
||||
.map(pk => ({
|
||||
id: pk.credentialId,
|
||||
type: 'public-key',
|
||||
transports: pk.transports || undefined
|
||||
}))
|
||||
|
||||
const options = await generateRegistrationOptions({
|
||||
rpName,
|
||||
rpID: rpId,
|
||||
userID: String(user.id),
|
||||
userName: user.email,
|
||||
// Keine Attestation-Daten speichern
|
||||
attestationType: 'none',
|
||||
authenticatorSelection: {
|
||||
residentKey: 'preferred',
|
||||
userVerification: 'preferred'
|
||||
},
|
||||
excludeCredentials
|
||||
})
|
||||
|
||||
setRegistrationChallenge(user.id, options.challenge)
|
||||
await writeAuditLog('auth.passkey.registration.options', { userId: user.id })
|
||||
|
||||
return { success: true, options }
|
||||
})
|
||||
|
||||
|
||||
Reference in New Issue
Block a user