diff --git a/packages/backend/package.json b/packages/backend/package.json
index 110b8e14ef..396cc963dd 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -51,6 +51,7 @@
 "blurhash": "2.0.5",
 "bull": "4.11.3",
 "cacheable-lookup": "TheEssem/cacheable-lookup",
+ "cbor-x": "^1.5.4",
 "chalk": "5.3.0",
 "chalk-template": "0.4.0",
 "chokidar": "^3.5.3",
@@ -91,7 +92,7 @@
 "meilisearch": "0.34.1",
 "mfm-js": "0.23.3",
 "mime-types": "2.1.35",
- "msgpackr": "1.9.7",
+ "msgpackr": "^1.9.9",
 "multer": "1.4.4-lts.1",
 "native-utils": "link:native-utils",
 "nested-property": "4.0.0",
diff --git a/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts b/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
index 32f972d0b6..9ea437b037 100644
--- a/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
+++ b/packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
@@ -1,4 +1,4 @@
-import { decode } from "msgpackr";
+import { decode } from "cbor-x";
 import define from "../../../define.js";
 import {
 UserProfiles,
@@ -62,7 +62,7 @@ export default define(meta, paramDef, async (ps, user) => {
 const clientDataJSONHash = hash(Buffer.from(ps.clientDataJSON, "utf-8"));
- const attestation = decode(Buffer.from(ps.attestationObject, "utf-8"));
+ const attestation = decode(Buffer.from(ps.attestationObject, "hex"));
 const rpIdHash = attestation.authData.slice(0, 32);
 if (!rpIdHashReal.equals(rpIdHash)) {
@@ -79,7 +79,13 @@ export default define(meta, paramDef, async (ps, user) => {
 const credentialIdLength = authData.readUInt16BE(53);
 const credentialId = authData.slice(55, 55 + credentialIdLength);
 const publicKeyData = authData.slice(55 + credentialIdLength);
- const publicKey: Map = decode(publicKeyData);
+ const publicKey: Map = new Map(
+ Object.entries(decode(publicKeyData)).map(([key, value]) => [
+ Number(key),
+ value,
+ ]),
+ );
+
 if (publicKey.get(3) !== -7) {
 throw new Error("alg mismatch");
 }
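Review bot: `"cbor-x": "^1.5.4"` is added as a caret range, and the second hunk loosens `msgpackr` from the exact `1.9.7` to `^1.9.9`, while most neighbouring entries in both hunks are exact pins. cbor-x now parses client-supplied attestation data in the 2FA key registration endpoint and, per the lockfile in this commit, pulls in optional prebuilt native `cbor-extract` packages, so a floating range widens what a lockfile regeneration can bring in. I would pin both exactly, `"cbor-x": "1.5.4"` and `"msgpackr": "1.9.9"`, and let upgrades arrive as reviewed bumps.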
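Review bot: `Buffer.from(ps.attestationObject, "hex")` in the `-62,7` hunk of key-done.ts does not reject malformed input: Node stops decoding at the first non-hex character (or an odd trailing digit) and returns the shorter buffer, so `decode` runs on a truncated or empty value. The next line then calls `attestation.authData.slice(0, 32)` with no check that decoding produced an object with a byte-string `authData`. I would reject non-hex input before decoding, `if (!/^(?:[0-9a-f]{2})+$/i.test(ps.attestationObject)) throw new Error("invalid attestationObject");`, and verify `Buffer.isBuffer(attestation?.authData)` before slicing. Whether `paramDef` already constrains the format is not visible here, and the handler body continues outside the hunk.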
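Review bot: Rebuilding the COSE key through `Object.entries(...)` and `Number(key)` in the `-79,7` hunk coerces every map key to a number, so a CBOR text key such as `"3"` or `" 3"` lands on the integer label 3 and satisfies the `publicKey.get(3) !== -7` check, while any non-numeric key collapses to `NaN`. Decoding with maps preserved keeps integer labels as integers and removes the string round trip: `const publicKey = new Decoder({ mapsAsObjects: false }).decode(publicKeyData);`, with `Decoder` imported from "cbor-x". Only the alg label is checked in the visible lines; the key type and curve labels presumably deserve the same strictness, but the rest of the handler is outside this hunk.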
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 80ec109348..d9318431ea 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -171,6 +171,9 @@ importers: cacheable-lookup: specifier: TheEssem/cacheable-lookup version: github.com/TheEssem/cacheable-lookup/dd2fb616366a3c68dcf321a57a67295967b204bf + cbor-x: + specifier: ^1.5.4 + version: 1.5.4 chalk: specifier: 5.3.0 version: 5.3.0 @@ -292,8 +295,8 @@ importers: specifier: 2.1.35 version: 2.1.35 msgpackr: - specifier: 1.9.7 - version: 1.9.7 + specifier: ^1.9.9 + version: 1.9.9 multer: specifier: 1.4.4-lts.1 version: 1.4.4-lts.1 @@ -906,7 +909,7 @@ importers: devDependencies: '@swc/cli': specifier: ^0.1.62 - version: 0.1.62(@swc/core@1.3.78) + version: 0.1.62(@swc/core@1.3.78)(chokidar@3.3.1) '@swc/core': specifier: 1.3.78 version: 1.3.78 @@ -1140,7 +1143,7 @@ packages: '@babel/traverse': 7.22.10 '@babel/types': 7.22.10 convert-source-map: 1.9.0 - debug: 4.3.4 + debug: 4.3.4(supports-color@8.1.1) gensync: 1.0.0-beta.2 json5: 2.2.3 semver: 6.3.1 @@ -1162,7 +1165,7 @@ packages: '@babel/traverse': 7.23.2 '@babel/types': 7.23.0 convert-source-map: 2.0.0 - debug: 4.3.4 + debug: 4.3.4(supports-color@8.1.1) gensync: 1.0.0-beta.2 json5: 2.2.3 semver: 6.3.1 @@ -1581,7 +1584,7 @@ packages: '@babel/helper-split-export-declaration': 7.22.6 '@babel/parser': 7.22.10 '@babel/types': 7.22.10 - debug: 4.3.4 + debug: 4.3.4(supports-color@8.1.1) globals: 11.12.0 transitivePeerDependencies: - supports-color @@ -1598,7 +1601,7 @@ packages: '@babel/helper-split-export-declaration': 7.22.6 '@babel/parser': 7.23.0 '@babel/types': 7.23.0 - debug: 4.3.4 + debug: 4.3.4(supports-color@8.1.1) globals: 11.12.0 transitivePeerDependencies: - supports-color 
@@ -1804,6 +1807,54 @@ packages: '@bull-board/api': 5.8.0(@bull-board/ui@5.8.0) dev: false + /@cbor-extract/cbor-extract-darwin-arm64@2.1.1: + resolution: {integrity: sha512-blVBy5MXz6m36Vx0DfLd7PChOQKEs8lK2bD1WJn/vVgG4FXZiZmZb2GECHFvVPA5T7OnODd9xZiL3nMCv6QUhA==} + cpu: [arm64] + os: [darwin] + requiresBuild: true + dev: false + optional: true + + /@cbor-extract/cbor-extract-darwin-x64@2.1.1: + resolution: {integrity: sha512-h6KFOzqk8jXTvkOftyRIWGrd7sKQzQv2jVdTL9nKSf3D2drCvQB/LHUxAOpPXo3pv2clDtKs3xnHalpEh3rDsw==} + cpu: [x64] + os: [darwin] + requiresBuild: true + dev: false + optional: true + + /@cbor-extract/cbor-extract-linux-arm64@2.1.1: + resolution: {integrity: sha512-SxAaRcYf8S0QHaMc7gvRSiTSr7nUYMqbUdErBEu+HYA4Q6UNydx1VwFE68hGcp1qvxcy9yT5U7gA+a5XikfwSQ==} + cpu: [arm64] + os: [linux] + requiresBuild: true + dev: false + optional: true + + /@cbor-extract/cbor-extract-linux-arm@2.1.1: + resolution: {integrity: sha512-ds0uikdcIGUjPyraV4oJqyVE5gl/qYBpa/Wnh6l6xLE2lj/hwnjT2XcZCChdXwW/YFZ1LUHs6waoYN8PmK0nKQ==} + cpu: [arm] + os: [linux] + requiresBuild: true + dev: false + optional: true + + /@cbor-extract/cbor-extract-linux-x64@2.1.1: + resolution: {integrity: sha512-GVK+8fNIE9lJQHAlhOROYiI0Yd4bAZ4u++C2ZjlkS3YmO6hi+FUxe6Dqm+OKWTcMpL/l71N6CQAmaRcb4zyJuA==} + cpu: [x64] + os: [linux] + requiresBuild: true + dev: false + optional: true + + /@cbor-extract/cbor-extract-win32-x64@2.1.1: + resolution: {integrity: sha512-2Niq1C41dCRIDeD8LddiH+mxGlO7HJ612Ll3D/E73ZWBmycued+8ghTr/Ho3CMOWPUEr08XtyBMVXAjqF+TcKw==} + cpu: [x64] + os: [win32] + requiresBuild: true + dev: false + optional: true + /@chainsafe/is-ip@2.0.2: resolution: {integrity: sha512-ndGqEMG1W5WkGagaqOZHpPU172AGdxr+LD15sv3WIUvT5oCFUrG1Y0CW/v2Egwj4JXEvSibaIIIqImsm98y1nA==} dev: false 
@@ -3239,33 +3290,13 @@ packages: resolution: {integrity: sha512-Uy0+khmZqUrUGm5dmMqVlnvufZRSK0FbYzVgp0UMstm+F5+W2/jnEEQyc9vo1ZR/E5ZI/B1WjjoTqBqwJL6Krw==} dev: false - /@swc/cli@0.1.62(@swc/core@1.3.78): - resolution: {integrity: sha512-kOFLjKY3XH1DWLfXL1/B5MizeNorHR8wHKEi92S/Zi9Md/AK17KSqR8MgyRJ6C1fhKHvbBCl8wboyKAFXStkYw==} - engines: {node: '>= 12.13'} - hasBin: true - peerDependencies: - '@swc/core': ^1.2.66 - chokidar: ^3.3.1 - peerDependenciesMeta: - chokidar: - optional: true - dependencies: - '@mole-inc/bin-wrapper': 8.0.1 - '@swc/core': 1.3.78 - commander: 7.2.0 - fast-glob: 3.3.1 - semver: 7.5.4 - slash: 3.0.0 - source-map: 0.7.4 - dev: true - /@swc/cli@0.1.62(@swc/core@1.3.78)(chokidar@3.3.1): resolution: {integrity: sha512-kOFLjKY3XH1DWLfXL1/B5MizeNorHR8wHKEi92S/Zi9Md/AK17KSqR8MgyRJ6C1fhKHvbBCl8wboyKAFXStkYw==} engines: {node: '>= 12.13'} hasBin: true peerDependencies: '@swc/core': ^1.2.66 - chokidar: ^3.3.1 + chokidar: ^3.5.1 peerDependenciesMeta: chokidar: optional: true @@ -6229,7 +6260,7 @@ packages: get-port: 5.1.1 ioredis: 5.3.2 lodash: 4.17.21 - msgpackr: 1.9.7 + msgpackr: 1.9.9 semver: 7.5.4 uuid: 8.3.2 transitivePeerDependencies: 
@@ -6401,6 +6432,28 @@ packages: /caseless@0.12.0: resolution: {integrity: sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==} + /cbor-extract@2.1.1: + resolution: {integrity: sha512-1UX977+L+zOJHsp0mWFG13GLwO6ucKgSmSW6JTl8B9GUvACvHeIVpFqhU92299Z6PfD09aTXDell5p+lp1rUFA==} + hasBin: true + requiresBuild: true + dependencies: + node-gyp-build-optional-packages: 5.0.3 + optionalDependencies: + '@cbor-extract/cbor-extract-darwin-arm64': 2.1.1 + '@cbor-extract/cbor-extract-darwin-x64': 2.1.1 + '@cbor-extract/cbor-extract-linux-arm': 2.1.1 + '@cbor-extract/cbor-extract-linux-arm64': 2.1.1 + '@cbor-extract/cbor-extract-linux-x64': 2.1.1 + '@cbor-extract/cbor-extract-win32-x64': 2.1.1 + dev: false + optional: true + + /cbor-x@1.5.4: + resolution: {integrity: sha512-PVKILDn+Rf6MRhhcyzGXi5eizn1i0i3F8Fe6UMMxXBnWkalq9+C5+VTmlIjAYM4iF2IYF2N+zToqAfYOp+3rfw==} + optionalDependencies: + cbor-extract: 2.1.1 + dev: false + /cbor@8.1.0: resolution: {integrity: sha512-DwGjNW9omn6EwP70aXsn7FQJx5kO12tX0bZkaTjzdVFM6/7nhA4t0EENocKGx6D2Bch9PE2KzCUf5SceBdeijg==} engines: {node: '>=12.19'} @@ -7592,17 +7645,6 @@ packages: ms: 2.1.2 dev: false - /debug@4.3.4: - resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==} - engines: {node: '>=6.0'} - peerDependencies: - supports-color: '*' - peerDependenciesMeta: - supports-color: - optional: true - dependencies: - ms: 2.1.2 - /debug@4.3.4(supports-color@8.1.1): resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==} engines: {node: '>=6.0'} @@ -11475,7 +11517,7 @@ packages: resolution: {integrity: sha512-n3s8EwkdFIJCG3BPKBYvskgXGoy88ARzvegkitk60NxRdwltLOTaH7CUiMRXvwYorl0Q712iEjcWB+fK/MrWVw==} engines: {node: '>=10'} dependencies: - debug: 4.3.4 + debug: 4.3.4(supports-color@8.1.1) istanbul-lib-coverage: 3.2.0 source-map: 0.6.1 transitivePeerDependencies: 
@@ -13440,8 +13482,8 @@ packages: dev: false optional: true - /msgpackr@1.9.7: - resolution: {integrity: sha512-baUNaLvKQvVhzfWTNO07njwbZK1Lxjtb0P1JL6/EhXdLTHzR57/mZqqJC39TtQKvOmkJA4pcejS4dbk7BDgLLA==} + /msgpackr@1.9.9: + resolution: {integrity: sha512-sbn6mioS2w0lq1O6PpGtsv6Gy8roWM+o3o4Sqjd6DudrL/nOugY+KyJUimoWzHnf9OkO0T6broHFnYE/R05t9A==} optionalDependencies: msgpackr-extract: 3.0.2 dev: false @@ -13629,6 +13671,12 @@ packages: fetch-blob: 3.2.0 formdata-polyfill: 4.0.10 + /node-gyp-build-optional-packages@5.0.3: + resolution: {integrity: sha512-k75jcVzk5wnnc/FMxsf4udAoTEUv2jY3ycfdSd3yWu6Cnd1oee6/CfZJApyscA4FJOmdoixWwiwOyf16RzD5JA==} + hasBin: true + dev: false + optional: true + /node-gyp-build-optional-packages@5.0.7: resolution: {integrity: sha512-YlCCc6Wffkx0kHkmam79GKvDQ6x+QZkMjFGrIMxgFNILFvGSbCp2fCBC55pGTT9gVaz8Na5CLmxt/urtzRv36w==} hasBin: true