Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

2026-01-05 11:50:57 +01:00
parent 8bd7ed76cd
commit 673c34ac9d
47 changed files with 1738 additions and 83 deletions
--- a/server/api/auth/passkeys/register.post.js
+++ b/server/api/auth/passkeys/register.post.js
@@ -0,0 +1,93 @@
+import { verifyRegistrationResponse } from '@simplewebauthn/server'
+import { getUserFromToken, readUsers, writeUsers } from '../../../utils/auth.js'
+import { getWebAuthnConfig } from '../../../utils/webauthn-config.js'
+import { clearRegistrationChallenge, getRegistrationChallenge } from '../../../utils/webauthn-challenges.js'
+import { toBase64Url } from '../../../utils/webauthn-encoding.js'
+import { writeAuditLog } from '../../../utils/audit-log.js'
+
+export default defineEventHandler(async (event) => {
+  const token = getCookie(event, 'auth_token')
+  const user = token ? await getUserFromToken(token) : null
+
+  if (!user) {
+    throw createError({ statusCode: 401, statusMessage: 'Nicht authentifiziert' })
+  }
+
+  const body = await readBody(event)
+  const response = body?.credential
+  if (!response) {
+    throw createError({ statusCode: 400, statusMessage: 'Credential fehlt' })
+  }
+
+  const expectedChallenge = getRegistrationChallenge(user.id)
+  if (!expectedChallenge) {
+    throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
+  }
+
+  const { origin, rpId, requireUV } = getWebAuthnConfig()
+
+  let verification
+  try {
+    verification = await verifyRegistrationResponse({
+      response,
+      expectedChallenge,
+      expectedOrigin: origin,
+      expectedRPID: rpId,
+      requireUserVerification: requireUV
+    })
+  } finally {
+    clearRegistrationChallenge(user.id)
+  }
+
+  const { verified, registrationInfo } = verification
+  if (!verified || !registrationInfo) {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
+  }
+
+  const {
+    credentialID,
+    credentialPublicKey,
+    counter,
+    credentialDeviceType,
+    credentialBackedUp
+  } = registrationInfo
+
+  const credentialId = toBase64Url(credentialID)
+  const publicKey = toBase64Url(credentialPublicKey)
+
+  const users = await readUsers()
+  const idx = users.findIndex(u => u.id === user.id)
+  if (idx === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Benutzer nicht gefunden' })
+  }
+
+  const u = users[idx]
+  if (!Array.isArray(u.passkeys)) u.passkeys = []
+
+  // Duplikate verhindern
+  if (u.passkeys.some(pk => pk.credentialId === credentialId)) {
+    return { success: true, message: 'Passkey ist bereits registriert.' }
+  }
+
+  u.passkeys.push({
+    id: `${Date.now()}`,
+    credentialId,
+    publicKey,
+    counter: Number(counter) || 0,
+    transports: Array.isArray(response.transports) ? response.transports : undefined,
+    deviceType: credentialDeviceType,
+    backedUp: !!credentialBackedUp,
+    createdAt: new Date().toISOString(),
+    lastUsedAt: null,
+    name: body?.name ? String(body.name).slice(0, 80) : 'Passkey'
+  })
+
+  users[idx] = u
+  await writeUsers(users)
+
+  await writeAuditLog('auth.passkey.registered', { userId: user.id })
+  return { success: true, message: 'Passkey hinzugefügt.' }
+})
+
+