mc/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
25417b24f400e26f43f9c05c2e4a4f021a22ef63
mcias/proto/mcias/v1/auth.proto
Kyle Isom 25417b24f4 Add FIDO2/WebAuthn passkey authentication 
Phase 14: Full WebAuthn support for passwordless passkey login and
hardware security key 2FA.

- go-webauthn/webauthn v0.16.1 dependency
- WebAuthnConfig with RPID/RPOrigin/DisplayName validation
- Migration 000009: webauthn_credentials table
- DB CRUD with ownership checks and admin operations
- internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM
- REST: register begin/finish, login begin/finish, list, delete
- Web UI: profile enrollment, login passkey button, admin management
- gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs
- mciasdb: webauthn list/delete/reset subcommands
- OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema
- Policy: self-service enrollment rule, admin remove via wildcard
- Tests: DB CRUD, adapter round-trip, interface compliance
- Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14

Security: Credential IDs and public keys encrypted at rest with
AES-256-GCM via vault master key. Challenge ceremonies use 128-bit
nonces with 120s TTL in sync.Map. Sign counter validated on each
assertion to detect cloned authenticators. Password re-auth required
for registration (SEC-01 pattern). No credential material in API
responses or logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 16:12:59 -07:00

146 lines
4.8 KiB
Protocol Buffer
Raw Blame History

// AuthService: login, logout, token renewal, and TOTP management.
syntax = "proto3";
package mcias.v1;
option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
import "google/protobuf/timestamp.proto";
// --- Login ---
// LoginRequest carries username/password and an optional TOTP code.
// Security: never logged; password and totp_code must not appear in audit logs.
message LoginRequest {
string username = 1;
string password = 2; // security: never logged or stored
string totp_code = 3; // optional; required if TOTP enrolled
}
// LoginResponse returns the signed JWT and its expiry time.
// Security: token is a bearer credential; the caller must protect it.
message LoginResponse {
string token = 1;
google.protobuf.Timestamp expires_at = 2;
}
// --- Logout ---
// LogoutRequest carries no body; the token is extracted from gRPC metadata.
message LogoutRequest {}
// LogoutResponse confirms the token has been revoked.
message LogoutResponse {}
// --- Token renewal ---
// RenewTokenRequest carries no body; the existing token is in metadata.
message RenewTokenRequest {}
// RenewTokenResponse returns a new JWT with a fresh expiry.
message RenewTokenResponse {
string token = 1;
google.protobuf.Timestamp expires_at = 2;
}
// --- TOTP enrollment ---
// EnrollTOTPRequest carries the current password for re-authentication.
// Security (SEC-01): password is required to prevent a stolen session token
// from being used to enroll attacker-controlled TOTP on the victim's account.
message EnrollTOTPRequest {
string password = 1; // security: current password required; never logged
}
// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display.
// Security: the secret is shown once; it is stored only in encrypted form.
message EnrollTOTPResponse {
string secret = 1; // base32-encoded; display once, then discard
string otpauth_uri = 2;
}
// ConfirmTOTPRequest carries the TOTP code to confirm enrollment.
message ConfirmTOTPRequest {
string code = 1;
}
// ConfirmTOTPResponse confirms TOTP enrollment is complete.
message ConfirmTOTPResponse {}
// RemoveTOTPRequest carries the target account ID (admin only).
message RemoveTOTPRequest {
string account_id = 1; // UUID of the account to remove TOTP from
}
// RemoveTOTPResponse confirms removal.
message RemoveTOTPResponse {}
// --- WebAuthn ---
// ListWebAuthnCredentialsRequest lists metadata for an account's WebAuthn credentials.
message ListWebAuthnCredentialsRequest {
string account_id = 1; // UUID
}
// WebAuthnCredentialInfo holds metadata about a stored WebAuthn credential.
// Credential material (IDs, public keys) is never included.
message WebAuthnCredentialInfo {
int64 id = 1;
string name = 2;
string aaguid = 3;
uint32 sign_count = 4;
bool discoverable = 5;
string transports = 6;
google.protobuf.Timestamp created_at = 7;
google.protobuf.Timestamp last_used_at = 8;
}
// ListWebAuthnCredentialsResponse returns credential metadata.
message ListWebAuthnCredentialsResponse {
repeated WebAuthnCredentialInfo credentials = 1;
}
// RemoveWebAuthnCredentialRequest removes a specific WebAuthn credential (admin).
message RemoveWebAuthnCredentialRequest {
string account_id = 1; // UUID
int64 credential_id = 2;
}
// RemoveWebAuthnCredentialResponse confirms removal.
message RemoveWebAuthnCredentialResponse {}
// AuthService handles all authentication flows.
service AuthService {
// Login authenticates with username+password (+optional TOTP) and returns a JWT.
// Public RPC — no auth required.
rpc Login(LoginRequest) returns (LoginResponse);
// Logout revokes the caller's current token.
// Requires: valid JWT in metadata.
rpc Logout(LogoutRequest) returns (LogoutResponse);
// RenewToken exchanges the caller's token for a fresh one.
// Requires: valid JWT in metadata.
rpc RenewToken(RenewTokenRequest) returns (RenewTokenResponse);
// EnrollTOTP begins TOTP enrollment for the calling account.
// Requires: valid JWT in metadata.
rpc EnrollTOTP(EnrollTOTPRequest) returns (EnrollTOTPResponse);
// ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app.
// Requires: valid JWT in metadata.
rpc ConfirmTOTP(ConfirmTOTPRequest) returns (ConfirmTOTPResponse);
// RemoveTOTP removes TOTP from an account (admin only).
// Requires: admin JWT in metadata.
rpc RemoveTOTP(RemoveTOTPRequest) returns (RemoveTOTPResponse);
// ListWebAuthnCredentials returns metadata for an account's WebAuthn credentials.
// Requires: admin JWT in metadata.
rpc ListWebAuthnCredentials(ListWebAuthnCredentialsRequest) returns (ListWebAuthnCredentialsResponse);
// RemoveWebAuthnCredential removes a specific WebAuthn credential.
// Requires: admin JWT in metadata.
rpc RemoveWebAuthnCredential(RemoveWebAuthnCredentialRequest) returns (RemoveWebAuthnCredentialResponse);
}
Reference in New Issue View Git Blame Copy Permalink