mailcow-dockerized/data/web/js/u2f-api.js

//Copyright 2014-2015 Google Inc. All rights reserved.

//Use of this source code is governed by a BSD-style
//license that can be found in the LICENSE file or at
//https://developers.google.com/open-source/licenses/bsd

// ref: https://github.com/google/u2f-ref-code/blob/master/u2f-gae-demo/war/js/u2f-api.js

/**
 * @fileoverview The U2F api.
 */
'use strict';

/**
 * Modification:
 * Wrap implementation so that we can exit if window.u2f is already supplied by the browser (see below).
 */
(function (root) {
    /**
     * Modification:
     * Only continue load this library if window.u2f is not already supplied by the browser.
     */
    var isFirefox = navigator.userAgent.indexOf('Firefox') !== -1 || navigator.userAgent.indexOf('Gecko/') !== -1;
    var browserImplementsU2f = !!((typeof root.u2f !== 'undefined') && root.u2f.register);

    if (isFirefox && browserImplementsU2f) {
        root.u2f.isSupported = true;
        return;
    }

    /**
     * Namespace for the U2F api.
     * @type {Object}
     */
    var u2f = root.u2f || {};

    /**
     * Modification:
     * Check if browser supports U2F API before this wrapper was added.
     */
    u2f.isSupported = !!(((typeof u2f !== 'undefined') && u2f.register) || ((typeof chrome !== 'undefined') && chrome.runtime));

    /**
     * FIDO U2F Javascript API Version
     * @number
     */
    var js_api_version;

    /**
     * The U2F extension id
     * @const {string}
     */
    // The Chrome packaged app extension ID.
    // Uncomment this if you want to deploy a server instance that uses
    // the package Chrome app and does not require installing the U2F Chrome extension.
    u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
    // The U2F Chrome extension ID.
    // Uncomment this if you want to deploy a server instance that uses
    // the U2F Chrome extension to authenticate.
    // u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';


    /**
     * Message types for messsages to/from the extension
     * @const
     * @enum {string}
     */
    u2f.MessageTypes = {
        'U2F_REGISTER_REQUEST': 'u2f_register_request',
        'U2F_REGISTER_RESPONSE': 'u2f_register_response',
        'U2F_SIGN_REQUEST': 'u2f_sign_request',
        'U2F_SIGN_RESPONSE': 'u2f_sign_response',
        'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
        'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
    };


    /**
     * Response status codes
     * @const
     * @enum {number}
     */
    u2f.ErrorCodes = {
        'OK': 0,
        'OTHER_ERROR': 1,
        'BAD_REQUEST': 2,
        'CONFIGURATION_UNSUPPORTED': 3,
        'DEVICE_INELIGIBLE': 4,
        'TIMEOUT': 5
    };


    /**
     * A message for registration requests
     * @typedef {{
     *   type: u2f.MessageTypes,
     *   appId: ?string,
     *   timeoutSeconds: ?number,
     *   requestId: ?number
     * }}
     */
    u2f.U2fRequest;


    /**
     * A message for registration responses
     * @typedef {{
     *   type: u2f.MessageTypes,
     *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
     *   requestId: ?number
     * }}
     */
    u2f.U2fResponse;


    /**
     * An error object for responses
     * @typedef {{
     *   errorCode: u2f.ErrorCodes,
     *   errorMessage: ?string
     * }}
     */
    u2f.Error;

    /**
     * Data object for a single sign request.
     * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
     */
    u2f.Transport;


    /**
     * Data object for a single sign request.
     * @typedef {Array<u2f.Transport>}
     */
    u2f.Transports;

    /**
     * Data object for a single sign request.
     * @typedef {{
     *   version: string,
     *   challenge: string,
     *   keyHandle: string,
     *   appId: string
     * }}
     */
    u2f.SignRequest;


    /**
     * Data object for a sign response.
     * @typedef {{
     *   keyHandle: string,
     *   signatureData: string,
     *   clientData: string
     * }}
     */
    u2f.SignResponse;


    /**
     * Data object for a registration request.
     * @typedef {{
     *   version: string,
     *   challenge: string
     * }}
     */
    u2f.RegisterRequest;


    /**
     * Data object for a registration response.
     * @typedef {{
     *   version: string,
     *   keyHandle: string,
     *   transports: Transports,
     *   appId: string
     * }}
     */
    u2f.RegisterResponse;


    /**
     * Data object for a registered key.
     * @typedef {{
     *   version: string,
     *   keyHandle: string,
     *   transports: ?Transports,
     *   appId: ?string
     * }}
     */
    u2f.RegisteredKey;


    /**
     * Data object for a get API register response.
     * @typedef {{
     *   js_api_version: number
     * }}
     */
    u2f.GetJsApiVersionResponse;


    //Low level MessagePort API support

    /**
     * Sets up a MessagePort to the U2F extension using the
     * available mechanisms.
     * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
     */
    u2f.getMessagePort = function (callback) {
        if (typeof chrome != 'undefined' && chrome.runtime) {
            // The actual message here does not matter, but we need to get a reply
            // for the callback to run. Thus, send an empty signature request
            // in order to get a failure response.
            var msg = {
                type: u2f.MessageTypes.U2F_SIGN_REQUEST,
                signRequests: []
            };
            chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function () {
                if (!chrome.runtime.lastError) {
                    // We are on a whitelisted origin and can talk directly
                    // with the extension.
                    u2f.getChromeRuntimePort_(callback);
                } else {
                    // chrome.runtime was available, but we couldn't message
                    // the extension directly, use iframe
                    u2f.getIframePort_(callback);
                }
            });
        } else if (u2f.isAndroidChrome_()) {
            u2f.getAuthenticatorPort_(callback);
        } else if (u2f.isIosChrome_()) {
            u2f.getIosPort_(callback);
        } else {
            // chrome.runtime was not available at all, which is normal
            // when this origin doesn't have access to any extensions.
            u2f.getIframePort_(callback);
        }
    };

    /**
     * Detect chrome running on android based on the browser's useragent.
     * @private
     */
    u2f.isAndroidChrome_ = function () {
        var userAgent = navigator.userAgent;
        return userAgent.indexOf('Chrome') != -1 &&
            userAgent.indexOf('Android') != -1;
    };

    /**
     * Detect chrome running on iOS based on the browser's platform.
     * @private
     */
    u2f.isIosChrome_ = function () {
        return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1;
    };

    /**
     * Connects directly to the extension via chrome.runtime.connect.
     * @param {function(u2f.WrappedChromeRuntimePort_)} callback
     * @private
     */
    u2f.getChromeRuntimePort_ = function (callback) {
        var port = chrome.runtime.connect(u2f.EXTENSION_ID,
            { 'includeTlsChannelId': true });
        setTimeout(function () {
            callback(new u2f.WrappedChromeRuntimePort_(port));
        }, 0);
    };

    /**
     * Return a 'port' abstraction to the Authenticator app.
     * @param {function(u2f.WrappedAuthenticatorPort_)} callback
     * @private
     */
    u2f.getAuthenticatorPort_ = function (callback) {
        setTimeout(function () {
            callback(new u2f.WrappedAuthenticatorPort_());
        }, 0);
    };

    /**
     * Return a 'port' abstraction to the iOS client app.
     * @param {function(u2f.WrappedIosPort_)} callback
     * @private
     */
    u2f.getIosPort_ = function (callback) {
        setTimeout(function () {
            callback(new u2f.WrappedIosPort_());
        }, 0);
    };

    /**
     * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
     * @param {Port} port
     * @constructor
     * @private
     */
    u2f.WrappedChromeRuntimePort_ = function (port) {
        this.port_ = port;
    };

    /**
     * Format and return a sign request compliant with the JS API version supported by the extension.
     * @param {Array<u2f.SignRequest>} signRequests
     * @param {number} timeoutSeconds
     * @param {number} reqId
     * @return {Object}
     */
    u2f.formatSignRequest_ =
        function (appId, challenge, registeredKeys, timeoutSeconds, reqId) {
            if (js_api_version === undefined || js_api_version < 1.1) {
                // Adapt request to the 1.0 JS API
                var signRequests = [];
                for (var i = 0; i < registeredKeys.length; i++) {
                    signRequests[i] = {
                        version: registeredKeys[i].version,
                        challenge: challenge,
                        keyHandle: registeredKeys[i].keyHandle,
                        appId: appId
                    };
                }
                return {
                    type: u2f.MessageTypes.U2F_SIGN_REQUEST,
                    signRequests: signRequests,
                    timeoutSeconds: timeoutSeconds,
                    requestId: reqId
                };
            }
            // JS 1.1 API
            return {
                type: u2f.MessageTypes.U2F_SIGN_REQUEST,
                appId: appId,
                challenge: challenge,
                registeredKeys: registeredKeys,
                timeoutSeconds: timeoutSeconds,
                requestId: reqId
            };
        };

    /**
     * Format and return a register request compliant with the JS API version supported by the extension..
     * @param {Array<u2f.SignRequest>} signRequests
     * @param {Array<u2f.RegisterRequest>} signRequests
     * @param {number} timeoutSeconds
     * @param {number} reqId
     * @return {Object}
     */
    u2f.formatRegisterRequest_ =
        function (appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
            if (js_api_version === undefined || js_api_version < 1.1) {
                // Adapt request to the 1.0 JS API
                for (var i = 0; i < registerRequests.length; i++) {
                    registerRequests[i].appId = appId;
                }
                var signRequests = [];
                for (var i = 0; i < registeredKeys.length; i++) {
                    signRequests[i] = {
                        version: registeredKeys[i].version,
                        challenge: registerRequests[0],
                        keyHandle: registeredKeys[i].keyHandle,
                        appId: appId
                    };
                }
                return {
                    type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
                    signRequests: signRequests,
                    registerRequests: registerRequests,
                    timeoutSeconds: timeoutSeconds,
                    requestId: reqId
                };
            }
            // JS 1.1 API
            return {
                type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
                appId: appId,
                registerRequests: registerRequests,
                registeredKeys: registeredKeys,
                timeoutSeconds: timeoutSeconds,
                requestId: reqId
            };
        };


    /**
     * Posts a message on the underlying channel.
     * @param {Object} message
     */
    u2f.WrappedChromeRuntimePort_.prototype.postMessage = function (message) {
        this.port_.postMessage(message);
    };


    /**
     * Emulates the HTML 5 addEventListener interface. Works only for the
     * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
     * @param {string} eventName
     * @param {function({data: Object})} handler
     */
    u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
        function (eventName, handler) {
            var name = eventName.toLowerCase();
            if (name == 'message' || name == 'onmessage') {
                this.port_.onMessage.addListener(function (message) {
                    // Emulate a minimal MessageEvent object
                    handler({ 'data': message });
                });
            } else {
                console.error('WrappedChromeRuntimePort only supports onMessage');
            }
        };

    /**
     * Wrap the Authenticator app with a MessagePort interface.
     * @constructor
     * @private
     */
    u2f.WrappedAuthenticatorPort_ = function () {
        this.requestId_ = -1;
        this.requestObject_ = null;
    }

    /**
     * Launch the Authenticator intent.
     * @param {Object} message
     */
    u2f.WrappedAuthenticatorPort_.prototype.postMessage = function (message) {
        var intentUrl =
            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
            ';S.request=' + encodeURIComponent(JSON.stringify(message)) +
            ';end';
        document.location = intentUrl;
    };

    /**
     * Tells what type of port this is.
     * @return {String} port type
     */
    u2f.WrappedAuthenticatorPort_.prototype.getPortType = function () {
        return "WrappedAuthenticatorPort_";
    };


    /**
     * Emulates the HTML 5 addEventListener interface.
     * @param {string} eventName
     * @param {function({data: Object})} handler
     */
    u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function (eventName, handler) {
        var name = eventName.toLowerCase();
        if (name == 'message') {
            var self = this;
            /* Register a callback to that executes when
             * chrome injects the response. */
            window.addEventListener(
                'message', self.onRequestUpdate_.bind(self, handler), false);
        } else {
            console.error('WrappedAuthenticatorPort only supports message');
        }
    };

    /**
     * Callback invoked  when a response is received from the Authenticator.
     * @param function({data: Object}) callback
     * @param {Object} message message Object
     */
    u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
        function (callback, message) {
            var messageObject = JSON.parse(message.data);
            var intentUrl = messageObject['intentURL'];

            var errorCode = messageObject['errorCode'];
            var responseObject = null;
            if (messageObject.hasOwnProperty('data')) {
                responseObject = /** @type {Object} */ (
                    JSON.parse(messageObject['data']));
            }

            callback({ 'data': responseObject });
        };

    /**
     * Base URL for intents to Authenticator.
     * @const
     * @private
     */
    u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
        'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';

    /**
     * Wrap the iOS client app with a MessagePort interface.
     * @constructor
     * @private
     */
    u2f.WrappedIosPort_ = function () { };

    /**
     * Launch the iOS client app request
     * @param {Object} message
     */
    u2f.WrappedIosPort_.prototype.postMessage = function (message) {
        var str = JSON.stringify(message);
        var url = "u2f://auth?" + encodeURI(str);
        location.replace(url);
    };

    /**
     * Tells what type of port this is.
     * @return {String} port type
     */
    u2f.WrappedIosPort_.prototype.getPortType = function () {
        return "WrappedIosPort_";
    };

    /**
     * Emulates the HTML 5 addEventListener interface.
     * @param {string} eventName
     * @param {function({data: Object})} handler
     */
    u2f.WrappedIosPort_.prototype.addEventListener = function (eventName, handler) {
        var name = eventName.toLowerCase();
        if (name !== 'message') {
            console.error('WrappedIosPort only supports message');
        }
    };

    /**
     * Sets up an embedded trampoline iframe, sourced from the extension.
     * @param {function(MessagePort)} callback
     * @private
     */
    u2f.getIframePort_ = function (callback) {
        // Create the iframe
        var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
        var iframe = document.createElement('iframe');
        iframe.src = iframeOrigin + '/u2f-comms.html';
        iframe.setAttribute('style', 'display:none');
        document.body.appendChild(iframe);

        var channel = new MessageChannel();
        var ready = function (message) {
            if (message.data == 'ready') {
                channel.port1.removeEventListener('message', ready);
                callback(channel.port1);
            } else {
                console.error('First event on iframe port was not "ready"');
            }
        };
        channel.port1.addEventListener('message', ready);
        channel.port1.start();

        iframe.addEventListener('load', function () {
            // Deliver the port to the iframe and initialize
            iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
        });
    };


    //High-level JS API

    /**
     * Default extension response timeout in seconds.
     * @const
     */
    u2f.EXTENSION_TIMEOUT_SEC = 30;

    /**
     * A singleton instance for a MessagePort to the extension.
     * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
     * @private
     */
    u2f.port_ = null;

    /**
     * Callbacks waiting for a port
     * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
     * @private
     */
    u2f.waitingForPort_ = [];

    /**
     * A counter for requestIds.
     * @type {number}
     * @private
     */
    u2f.reqCounter_ = 0;

    /**
     * A map from requestIds to client callbacks
     * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
     *                       |function((u2f.Error|u2f.SignResponse)))>}
     * @private
     */
    u2f.callbackMap_ = {};

    /**
     * Creates or retrieves the MessagePort singleton to use.
     * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
     * @private
     */
    u2f.getPortSingleton_ = function (callback) {
        if (u2f.port_) {
            callback(u2f.port_);
        } else {
            if (u2f.waitingForPort_.length == 0) {
                u2f.getMessagePort(function (port) {
                    u2f.port_ = port;
                    u2f.port_.addEventListener('message',
            /** @type {function(Event)} */(u2f.responseHandler_));

                    // Careful, here be async callbacks. Maybe.
                    while (u2f.waitingForPort_.length)
                        u2f.waitingForPort_.shift()(u2f.port_);
                });
            }
            u2f.waitingForPort_.push(callback);
        }
    };

    /**
     * Handles response messages from the extension.
     * @param {MessageEvent.<u2f.Response>} message
     * @private
     */
    u2f.responseHandler_ = function (message) {
        var response = message.data;
        var reqId = response['requestId'];
        if (!reqId || !u2f.callbackMap_[reqId]) {
            console.error('Unknown or missing requestId in response.');
            return;
        }
        var cb = u2f.callbackMap_[reqId];
        delete u2f.callbackMap_[reqId];
        cb(response['responseData']);
    };

    /**
     * Dispatches an array of sign requests to available U2F tokens.
     * If the JS API version supported by the extension is unknown, it first sends a
     * message to the extension to find out the supported API version and then it sends
     * the sign request.
     * @param {string=} appId
     * @param {string=} challenge
     * @param {Array<u2f.RegisteredKey>} registeredKeys
     * @param {function((u2f.Error|u2f.SignResponse))} callback
     * @param {number=} opt_timeoutSeconds
     */
    u2f.sign = function (appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
        if (js_api_version === undefined) {
            // Send a message to get the extension to JS API version, then send the actual sign request.
            u2f.getApiVersion(
                function (response) {
                    js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
                    console.log("Extension JS API Version: ", js_api_version);
                    u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
                });
        } else {
            // We know the JS API version. Send the actual sign request in the supported API version.
            u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
        }
    };

    /**
     * Dispatches an array of sign requests to available U2F tokens.
     * @param {string=} appId
     * @param {string=} challenge
     * @param {Array<u2f.RegisteredKey>} registeredKeys
     * @param {function((u2f.Error|u2f.SignResponse))} callback
     * @param {number=} opt_timeoutSeconds
     */
    u2f.sendSignRequest = function (appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
        u2f.getPortSingleton_(function (port) {
            var reqId = ++u2f.reqCounter_;
            u2f.callbackMap_[reqId] = callback;
            var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
                opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
            var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
            port.postMessage(req);
        });
    };

    /**
     * Dispatches register requests to available U2F tokens. An array of sign
     * requests identifies already registered tokens.
     * If the JS API version supported by the extension is unknown, it first sends a
     * message to the extension to find out the supported API version and then it sends
     * the register request.
     * @param {string=} appId
     * @param {Array<u2f.RegisterRequest>} registerRequests
     * @param {Array<u2f.RegisteredKey>} registeredKeys
     * @param {function((u2f.Error|u2f.RegisterResponse))} callback
     * @param {number=} opt_timeoutSeconds
     */
    u2f.register = function (appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
        if (js_api_version === undefined) {
            // Send a message to get the extension to JS API version, then send the actual register request.
            u2f.getApiVersion(
                function (response) {
                    js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
                    console.log("Extension JS API Version: ", js_api_version);
                    u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
                        callback, opt_timeoutSeconds);
                });
        } else {
            // We know the JS API version. Send the actual register request in the supported API version.
            u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
                callback, opt_timeoutSeconds);
        }
    };

    /**
     * Dispatches register requests to available U2F tokens. An array of sign
     * requests identifies already registered tokens.
     * @param {string=} appId
     * @param {Array<u2f.RegisterRequest>} registerRequests
     * @param {Array<u2f.RegisteredKey>} registeredKeys
     * @param {function((u2f.Error|u2f.RegisterResponse))} callback
     * @param {number=} opt_timeoutSeconds
     */
    u2f.sendRegisterRequest = function (appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
        u2f.getPortSingleton_(function (port) {
            var reqId = ++u2f.reqCounter_;
            u2f.callbackMap_[reqId] = callback;
            var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
                opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
            var req = u2f.formatRegisterRequest_(
                appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
            port.postMessage(req);
        });
    };


    /**
     * Dispatches a message to the extension to find out the supported
     * JS API version.
     * If the user is on a mobile phone and is thus using Google Authenticator instead
     * of the Chrome extension, don't send the request and simply return 0.
     * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
     * @param {number=} opt_timeoutSeconds
     */
    u2f.getApiVersion = function (callback, opt_timeoutSeconds) {
        u2f.getPortSingleton_(function (port) {
            // If we are using Android Google Authenticator or iOS client app,
            // do not fire an intent to ask which JS API version to use.
            if (port.getPortType) {
                var apiVersion;
                switch (port.getPortType()) {
                    case 'WrappedIosPort_':
                    case 'WrappedAuthenticatorPort_':
                        apiVersion = 1.1;
                        break;

                    default:
                        apiVersion = 0;
                        break;
                }
                callback({ 'js_api_version': apiVersion });
                return;
            }
            var reqId = ++u2f.reqCounter_;
            u2f.callbackMap_[reqId] = callback;
            var req = {
                type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
                timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
                    opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
                requestId: reqId
            };
            port.postMessage(req);
        });
    };

    /**
     * Modification:
     * Assign u2f back to window (root) scope.
     */
    root.u2f = u2f;
}(this));