keepassxc/src/browser/BrowserAction.h
Sami Vänttinen ac2b445db6
Passkeys improvements (#10318)
Refactors the Passkey implementation to include more checks and a structure that is more aligned with the official specification.
Notable changes:
- _BrowserService_ no longer does the checks by itself. A new class _BrowserPasskeysClient_ constructs the relevant objects, acting as a client. _BrowserService_ only acts as a bridge between the client and _BrowserPasskeys_ (authenticator) and calls the relevant popups for user interaction.
- A new helper class _PasskeyUtils_ includes the actual checks and parses the objects.
- _BrowserPasskeys_ is pretty much intact, but some functions have been moved to PasskeyUtils.
- Fixes Ed25519 encoding in _BrowserCBOR_.
- Adds new error messages.
- User confirmation for Passkey retrieval is also asked even if `discouraged` is used. This goes against the specification, but currently there's no other way to verify the user.
- `cross-platform` is also accepted for compatibility. This could be removed if there's a potential issue with it.
- Extension data is now handled correctly during Authentication.
- Allowed and excluded credentials are now handled correctly.
- `KPEX_PASSKEY_GENERATED_USER_ID` is renamed to `KPEX_PASSKEY_CREDENTIAL_ID`
- Adds a new option "Allow localhost with Passkeys" to Browser Integration -> Advanced tab. By default it's not allowed to access HTTP sites, but `http://localhost` can be allowed for debugging and testing purposes for local servers.
- Add tag `Passkey` to a Passkey entry, or an entry with an imported Passkey.

Fixes #10287.
2024-03-06 07:42:01 -05:00

110 lines
3.9 KiB
C++

/*
* Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef KEEPASSXC_BROWSERACTION_H
#define KEEPASSXC_BROWSERACTION_H
#include "BrowserMessageBuilder.h"
#include "BrowserService.h"
#include <QJsonArray>
#include <QJsonObject>
#include <QString>
class QLocalSocket;
struct BrowserRequest
{
QString hash;
QString nonce;
QString incrementedNonce;
QJsonObject decrypted;
inline bool isEmpty() const
{
return decrypted.isEmpty();
}
inline QJsonArray getArray(const QString& param) const
{
return decrypted.value(param).toArray();
}
inline bool getBool(const QString& param) const
{
return decrypted.value(param).toBool();
}
inline QJsonObject getObject(const QString& param) const
{
return decrypted.value(param).toObject();
}
inline QString getString(const QString& param) const
{
return decrypted.value(param).toString();
}
};
class BrowserAction
{
public:
explicit BrowserAction() = default;
~BrowserAction() = default;
QJsonObject processClientMessage(QLocalSocket* socket, const QJsonObject& json);
private:
QJsonObject handleAction(QLocalSocket* socket, const QJsonObject& json);
QJsonObject handleChangePublicKeys(const QJsonObject& json, const QString& action);
QJsonObject handleGetDatabaseHash(const QJsonObject& json, const QString& action);
QJsonObject handleAssociate(const QJsonObject& json, const QString& action);
QJsonObject handleTestAssociate(const QJsonObject& json, const QString& action);
QJsonObject handleGetLogins(const QJsonObject& json, const QString& action);
QJsonObject handleGeneratePassword(QLocalSocket* socket, const QJsonObject& json, const QString& action);
QJsonObject handleSetLogin(const QJsonObject& json, const QString& action);
QJsonObject handleLockDatabase(const QJsonObject& json, const QString& action);
QJsonObject handleGetDatabaseGroups(const QJsonObject& json, const QString& action);
QJsonObject handleGetDatabaseEntries(const QJsonObject& json, const QString& action);
QJsonObject handleCreateNewGroup(const QJsonObject& json, const QString& action);
QJsonObject handleGetTotp(const QJsonObject& json, const QString& action);
QJsonObject handleDeleteEntry(const QJsonObject& json, const QString& action);
QJsonObject handleGlobalAutoType(const QJsonObject& json, const QString& action);
#ifdef WITH_XC_BROWSER_PASSKEYS
QJsonObject handlePasskeysGet(const QJsonObject& json, const QString& action);
QJsonObject handlePasskeysRegister(const QJsonObject& json, const QString& action);
#endif
private:
QJsonObject buildResponse(const QString& action, const QString& nonce, const Parameters& params = {});
QJsonObject getErrorReply(const QString& action, const int errorCode) const;
QJsonObject decryptMessage(const QString& message, const QString& nonce);
BrowserRequest decodeRequest(const QJsonObject& json);
StringPairList getConnectionKeys(const BrowserRequest& browserRequest);
private:
static const int MaxUrlLength;
QString m_clientPublicKey;
QString m_publicKey;
QString m_secretKey;
bool m_associated = false;
friend class TestBrowser;
};
#endif // KEEPASSXC_BROWSERACTION_H