torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c40780ef892ee72c486392b948f849d64e0d04f6
harheimertc/server/api/auth/register-passkey.post.js
Torsten Schulz (local) c40780ef89
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 48s
Details
Enhance passkey registration process with detailed debug logging and validation checks 
Add comprehensive debug logging throughout the passkey registration flow, including request handling, option generation, and verification steps. Implement validation for incoming requests and responses to ensure required fields are present, improving error handling and clarity. This update aims to facilitate troubleshooting and enhance the overall robustness of the registration process.
2026-01-07 21:36:41 +01:00

212 lines
7.2 KiB
JavaScript
Raw Blame History

import { verifyRegistrationResponse } from '@simplewebauthn/server'
import crypto from 'crypto'
import nodemailer from 'nodemailer'
import { hashPassword, readUsers, writeUsers } from '../../utils/auth.js'
import { getWebAuthnConfig } from '../../utils/webauthn-config.js'
import { consumePreRegistration } from '../../utils/webauthn-challenges.js'
import { toBase64Url } from '../../utils/webauthn-encoding.js'
import { writeAuditLog } from '../../utils/audit-log.js'
import { assertPasswordNotPwned } from '../../utils/hibp.js'
export default defineEventHandler(async (event) => {
const requestStart = Date.now()
const requestOrigin = getHeader(event, 'origin')
console.log('[DEBUG] register-passkey request received', {
origin: requestOrigin,
timestamp: new Date().toISOString()
})
const body = await readBody(event)
const registrationId = String(body?.registrationId || '')
const response = body?.credential
const password = body?.password ? String(body.password) : ''
console.log('[DEBUG] Request body parsed', {
hasRegistrationId: !!registrationId,
registrationId: registrationId.substring(0, 10) + '...',
hasCredential: !!response,
credentialId: response?.id,
hasPassword: !!password
})
if (!registrationId || !response) {
console.error('[DEBUG] Validation failed: missing registrationId or credential')
throw createError({ statusCode: 400, statusMessage: 'Ungültige Anfrage' })
}
const pre = consumePreRegistration(registrationId)
if (!pre) {
console.error('[DEBUG] Pre-registration not found or expired', { registrationId })
throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
}
const { challenge, userId, name, email, phone } = pre
console.log('[DEBUG] Pre-registration found', {
userId,
email: email.substring(0, 10) + '...',
hasChallenge: !!challenge
})
const users = await readUsers()
if (users.some(u => String(u.email || '').toLowerCase() === String(email).toLowerCase())) {
console.error('[DEBUG] User already exists', { email })
throw createError({ statusCode: 409, message: 'Ein Benutzer mit dieser E-Mail-Adresse existiert bereits' })
}
const { origin, rpId, requireUV } = getWebAuthnConfig()
console.log('[DEBUG] WebAuthn config for verification', {
origin,
rpId,
requireUV
})
console.log('[DEBUG] Verifying registration response...')
const verifyStart = Date.now()
const verification = await verifyRegistrationResponse({
response,
expectedChallenge: challenge,
expectedOrigin: origin,
expectedRPID: rpId,
requireUserVerification: requireUV
})
const verifyDuration = Date.now() - verifyStart
const { verified, registrationInfo } = verification
console.log(`[DEBUG] Verification completed (${verifyDuration}ms)`, {
verified,
hasRegistrationInfo: !!registrationInfo,
credentialId: registrationInfo?.credentialID ? 'present' : 'missing',
deviceType: registrationInfo?.credentialDeviceType,
backedUp: registrationInfo?.credentialBackedUp
})
if (!verified || !registrationInfo) {
console.error('[DEBUG] Verification failed', {
verified,
hasRegistrationInfo: !!registrationInfo
})
await writeAuditLog('auth.passkey.prereg.failed', { email })
throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
}
const {
credentialID,
credentialPublicKey,
counter,
credentialDeviceType,
credentialBackedUp
} = registrationInfo
const credentialId = toBase64Url(credentialID)
const publicKey = toBase64Url(credentialPublicKey)
// Optional: Passwort als Fallback (z.B. Firefox/Linux) erlauben
let hashedPassword
if (password && password.trim().length > 0) {
if (password.length < 8) {
throw createError({ statusCode: 400, message: 'Das Passwort muss mindestens 8 Zeichen lang sein' })
}
await assertPasswordNotPwned(password)
hashedPassword = await hashPassword(password)
} else {
// Kein Passwort gesetzt: random Hash, damit bestehende Code-Pfade (verifyPassword) konsistent bleiben.
hashedPassword = await hashPassword(crypto.randomBytes(32).toString('hex'))
}
const newUser = {
id: String(userId),
email: String(email).toLowerCase(),
password: hashedPassword,
name,
phone: phone || '',
role: 'mitglied',
active: false,
created: new Date().toISOString(),
lastLogin: null,
passkeys: [
{
id: `${Date.now()}`,
credentialId,
publicKey,
counter: Number(counter) || 0,
transports: Array.isArray(response.transports) ? response.transports : undefined,
deviceType: credentialDeviceType,
backedUp: !!credentialBackedUp,
createdAt: new Date().toISOString(),
lastUsedAt: null,
name: 'Passkey'
}
]
}
users.push(newUser)
await writeUsers(users)
const totalDuration = Date.now() - requestStart
console.log(`[DEBUG] User created successfully (total: ${totalDuration}ms)`, {
userId: newUser.id,
email: newUser.email.substring(0, 10) + '...',
hasPasskey: newUser.passkeys?.length > 0,
hasPassword: !!newUser.password
})
await writeAuditLog('auth.passkey.prereg.success', { email, userId: newUser.id })
// Send notification emails (same behavior as password registration)
try {
const smtpUser = process.env.SMTP_USER
const smtpPass = process.env.SMTP_PASS
if (smtpUser && smtpPass) {
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST || 'smtp.gmail.com',
port: process.env.SMTP_PORT || 587,
secure: false,
auth: { user: smtpUser, pass: smtpPass }
})
await transporter.sendMail({
from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
to: process.env.SMTP_ADMIN || 'j.dichmann@gmx.de',
subject: 'Neue Registrierung (Passkey) - Harheimer TC',
html: `
<h2>Neue Registrierung (Passkey)</h2>
<p>Ein neuer Benutzer hat sich registriert und wartet auf Freigabe:</p>
<ul>
<li><strong>Name:</strong> ${name}</li>
<li><strong>E-Mail:</strong> ${email}</li>
<li><strong>Telefon:</strong> ${phone || 'Nicht angegeben'}</li>
<li><strong>Login:</strong> Passkey${password ? ' + Passwort (Fallback)' : ' (ohne Passwort)'}</li>
</ul>
<p>Bitte prüfen Sie die Registrierung im CMS.</p>
`
})
await transporter.sendMail({
from: process.env.SMTP_FROM || 'noreply@harheimertc.de',
to: email,
subject: 'Registrierung erhalten - Harheimer TC',
html: `
<h2>Registrierung erhalten</h2>
<p>Hallo ${name},</p>
<p>vielen Dank für Ihre Registrierung beim Harheimer TC!</p>
<p>Ihre Anfrage wird vom Vorstand geprüft. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.</p>
<br>
<p>Mit sportlichen Grüßen,<br>Ihr Harheimer TC</p>
`
})
}
} catch (emailError) {
console.error('E-Mail-Versand fehlgeschlagen:', emailError)
}
return {
success: true,
message: 'Registrierung erfolgreich. Sie erhalten eine E-Mail, sobald Ihr Zugang freigeschaltet wurde.'
}
})
Reference in New Issue View Git Blame Copy Permalink