fix: signin の資格情報が足りないだけの場合はエラーにせず200を返すように (#14700)

* fix: signin の資格情報が足りないだけの場合はエラーにせず200を返すように * run api extractor * fix * fix * fix test * /signin -> /signin-flow * fix * fix lint * rename * fix * fix
2024-10-18 11:31:35 +02:00 · 2024-10-05 12:03:47 +09:00 · 2024-10-05 12:03:47 +09:00 · ae3c155490
commit ae3c155490
parent fa06c59eae
13 changed files with 230 additions and 234 deletions
--- a/cypress/e2e/basic.cy.ts
+++ b/cypress/e2e/basic.cy.ts
@ -120,7 +120,7 @@ describe('After user signup', () => {
 	it('signin', () => {
 		cy.visitHome();

-		cy.intercept('POST', '/api/signin').as('signin');
+		cy.intercept('POST', '/api/signin-flow').as('signin');

 		cy.get('[data-cy-signin]').click();

--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@ -55,7 +55,7 @@ Cypress.Commands.add('registerUser', (username, password, isAdmin = false) => {
 Cypress.Commands.add('login', (username, password) => {
 	cy.visitHome();

-	cy.intercept('POST', '/api/signin').as('signin');
+	cy.intercept('POST', '/api/signin-flow').as('signin');

 	cy.get('[data-cy-signin]').click();
 	cy.get('[data-cy-signin-page-input]').should('be.visible', { timeout: 1000 });
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@ -133,7 +133,7 @@ export class ApiServerService {
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
 			};
-		}>('/signin', (request, reply) => this.signinApiService.signin(request, reply));
+		}>('/signin-flow', (request, reply) => this.signinApiService.signin(request, reply));

 		fastify.post<{
 			Body: {
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@ -5,8 +5,8 @@

 import { Inject, Injectable } from '@nestjs/common';
 import bcrypt from 'bcryptjs';
-import * as OTPAuth from 'otpauth';
 import { IsNull } from 'typeorm';
+import * as Misskey from 'misskey-js';
 import { DI } from '@/di-symbols.js';
 import type {
 	MiMeta,
@ -26,27 +26,9 @@ import { CaptchaService } from '@/core/CaptchaService.js';
 import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
-import type { AuthenticationResponseJSON, PublicKeyCredentialRequestOptionsJSON } from '@simplewebauthn/types';
+import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';

-/**
- * next を指定すると、次にクライアント側で行うべき処理を指定できる。
- *
- * - `captcha`: パスワードと、（有効になっている場合は）CAPTCHAを求める
- * - `password`: パスワードを求める
- * - `totp`: ワンタイムパスワードを求める
- * - `passkey`: WebAuthn認証を求める（WebAuthnに対応していないブラウザの場合はワンタイムパスワード）
- */
-
-type SigninErrorResponse = {
-	id: string;
-	next?: 'captcha' | 'password' | 'totp';
-} | {
-	id: string;
-	next: 'passkey';
-	authRequest: PublicKeyCredentialRequestOptionsJSON;
-};
-
@Injectable()
 export class SigninApiService {
 	constructor(
@ -101,7 +83,7 @@ export class SigninApiService {
 		const password = body['password'];
 		const token = body['token'];

-		function error(status: number, error: SigninErrorResponse) {
+		function error(status: number, error: { id: string }) {
 			reply.code(status);
 			return { error };
 		}
@ -152,21 +134,17 @@ export class SigninApiService {
 		const securityKeysAvailable = await this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1);

 		if (password == null) {
-			reply.code(403);
+			reply.code(200);
 			if (profile.twoFactorEnabled) {
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+					finished: false,
 					next: 'password',
-					},
-				} satisfies { error: SigninErrorResponse };
+				} satisfies Misskey.entities.SigninFlowResponse;
 			} else {
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+					finished: false,
 					next: 'captcha',
-					},
-				} satisfies { error: SigninErrorResponse };
+				} satisfies Misskey.entities.SigninFlowResponse;
 			}
 		}

@ -178,7 +156,7 @@ export class SigninApiService {
 		// Compare password
 		const same = await bcrypt.compare(password, profile.password!);

-		const fail = async (status?: number, failure?: SigninErrorResponse) => {
+		const fail = async (status?: number, failure?: { id: string; }) => {
 			// Append signin history
 			await this.signinsRepository.insert({
 				id: this.idService.gen(),
@ -268,27 +246,23 @@ export class SigninApiService {

 			const authRequest = await this.webAuthnService.initiateAuthentication(user.id);

-			reply.code(403);
+			reply.code(200);
 			return {
-				error: {
-					id: '06e661b9-8146-4ae3-bde5-47138c0ae0c4',
+				finished: false,
 				next: 'passkey',
 				authRequest,
-				},
-			} satisfies { error: SigninErrorResponse };
+			} satisfies Misskey.entities.SigninFlowResponse;
 		} else {
 			if (!same || !profile.twoFactorEnabled) {
 				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
 			} else {
-				reply.code(403);
+				reply.code(200);
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+					finished: false,
 					next: 'totp',
-					},
-				} satisfies { error: SigninErrorResponse };
+				} satisfies Misskey.entities.SigninFlowResponse;
 			}
 		}
 		// never get here
--- a/packages/backend/src/server/api/SigninService.ts
+++ b/packages/backend/src/server/api/SigninService.ts
@ -4,6 +4,7 @@
 */

 import { Inject, Injectable } from '@nestjs/common';
+import * as Misskey from 'misskey-js';
 import { DI } from '@/di-symbols.js';
 import type { SigninsRepository, UserProfilesRepository } from '@/models/_.js';
 import { IdService } from '@/core/IdService.js';
@ -57,9 +58,10 @@ export class SigninService {

 		reply.code(200);
 		return {
+			finished: true,
 			id: user.id,
-			i: user.token,
-		};
+			i: user.token!,
+		} satisfies Misskey.entities.SigninFlowResponse;
 	}
 }

--- a/packages/backend/test/e2e/2fa.ts
+++ b/packages/backend/test/e2e/2fa.ts
@ -136,7 +136,7 @@ describe('2要素認証', () => {
 		keyName: string,
 		credentialId: Buffer,
 		requestOptions: PublicKeyCredentialRequestOptionsJSON,
-	}): misskey.entities.SigninRequest => {
+	}): misskey.entities.SigninFlowRequest => {
 		// AuthenticatorAssertionResponse.authenticatorData
 		// https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/authenticatorData
 		const authenticatorData = Buffer.concat([
@ -196,22 +196,21 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(doneResponse.status, 200);

-		const signinWithoutTokenResponse = await api('signin', {
+		const signinWithoutTokenResponse = await api('signin-flow', {
 			...signinParam(),
 		});
-		assert.strictEqual(signinWithoutTokenResponse.status, 403);
+		assert.strictEqual(signinWithoutTokenResponse.status, 200);
 		assert.deepStrictEqual(signinWithoutTokenResponse.body, {
-			error: {
-				id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+			finished: false,
 			next: 'totp',
-			},
 		});

-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			token: otpToken(registerResponse.body.secret),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);

 		// 後片付け
@ -252,29 +251,23 @@ describe('2要素認証', () => {
 		assert.strictEqual(keyDoneResponse.body.id, credentialId.toString('base64url'));
 		assert.strictEqual(keyDoneResponse.body.name, keyName);

-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 		});
-		const signinResponseBody = signinResponse.body as unknown as {
-			error: {
-				id: string;
-				next: 'passkey';
-				authRequest: PublicKeyCredentialRequestOptionsJSON;
-			};
-		};
-		assert.strictEqual(signinResponse.status, 403);
-		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
-		assert.strictEqual(signinResponseBody.error.next, 'passkey');
-		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
-		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
-		assert.strictEqual(signinResponseBody.error.authRequest.allowCredentials && signinResponseBody.error.authRequest.allowCredentials[0]?.id, credentialId.toString('base64url'));
+		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, false);
+		assert.strictEqual(signinResponse.body.next, 'passkey');
+		assert.notEqual(signinResponse.body.authRequest.challenge, undefined);
+		assert.notEqual(signinResponse.body.authRequest.allowCredentials, undefined);
+		assert.strictEqual(signinResponse.body.authRequest.allowCredentials && signinResponse.body.authRequest.allowCredentials[0]?.id, credentialId.toString('base64url'));

-		const signinResponse2 = await api('signin', signinWithSecurityKeyParam({
+		const signinResponse2 = await api('signin-flow', signinWithSecurityKeyParam({
 			keyName,
 			credentialId,
-			requestOptions: signinResponseBody.error.authRequest,
+			requestOptions: signinResponse.body.authRequest,
 		}));
 		assert.strictEqual(signinResponse2.status, 200);
+		assert.strictEqual(signinResponse2.body.finished, true);
 		assert.notEqual(signinResponse2.body.i, undefined);

 		// 後片付け
@ -320,32 +313,26 @@ describe('2要素認証', () => {
 		assert.strictEqual(iResponse.status, 200);
 		assert.strictEqual(iResponse.body.usePasswordLessLogin, true);

-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			password: '',
 		});
-		const signinResponseBody = signinResponse.body as unknown as {
-			error: {
-				id: string;
-				next: 'passkey';
-				authRequest: PublicKeyCredentialRequestOptionsJSON;
-			};
-		};
-		assert.strictEqual(signinResponse.status, 403);
-		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
-		assert.strictEqual(signinResponseBody.error.next, 'passkey');
-		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
-		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
+		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, false);
+		assert.strictEqual(signinResponse.body.next, 'passkey');
+		assert.notEqual(signinResponse.body.authRequest.challenge, undefined);
+		assert.notEqual(signinResponse.body.authRequest.allowCredentials, undefined);

-		const signinResponse2 = await api('signin', {
+		const signinResponse2 = await api('signin-flow', {
 			...signinWithSecurityKeyParam({
 				keyName,
 				credentialId,
-				requestOptions: signinResponseBody.error.authRequest,
+				requestOptions: signinResponse.body.authRequest,
 			} as any),
 			password: '',
 		});
 		assert.strictEqual(signinResponse2.status, 200);
+		assert.strictEqual(signinResponse2.body.finished, true);
 		assert.notEqual(signinResponse2.body.i, undefined);

 		// 後片付け
@ -450,11 +437,12 @@ describe('2要素認証', () => {
 		assert.strictEqual(afterIResponse.status, 200);
 		assert.strictEqual(afterIResponse.body.securityKeys, false);

-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			token: otpToken(registerResponse.body.secret),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);

 		// 後片付け
@ -485,10 +473,11 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(unregisterResponse.status, 204);

-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);

 		// 後片付け
--- a/packages/backend/test/e2e/endpoints.ts
+++ b/packages/backend/test/e2e/endpoints.ts
@ -66,9 +66,9 @@ describe('Endpoints', () => {
 		});
 	});

-	describe('signin', () => {
+	describe('signin-flow', () => {
 		test('間違ったパスワードでサインインできない', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				password: 'bar',
 			});
@ -77,7 +77,7 @@ describe('Endpoints', () => {
 		});

 		test('クエリをインジェクションできない', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				// @ts-expect-error password must be string
 				password: {
@ -89,7 +89,7 @@ describe('Endpoints', () => {
 		});

 		test('正しい情報でサインインできる', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				password: 'test1',
 			});
--- a/packages/frontend/src/components/MkSignin.vue
+++ b/packages/frontend/src/components/MkSignin.vue
@ -83,7 +83,7 @@ import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/br
 import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';

 const emit = defineEmits<{
-	(ev: 'login', v: Misskey.entities.SigninResponse): void;
+	(ev: 'login', v: Misskey.entities.SigninFlowResponse): void;
 }>();

 const props = withDefaults(defineProps<{
@ -212,41 +212,26 @@ async function onTotpSubmitted(token: string) {
 	}
 }

-async function tryLogin(req: Partial<Misskey.entities.SigninRequest>): Promise<Misskey.entities.SigninResponse> {
+async function tryLogin(req: Partial<Misskey.entities.SigninFlowRequest>): Promise<Misskey.entities.SigninFlowResponse> {
 	const _req = {
 		username: req.username ?? userInfo.value?.username,
 		...req,
 	};

-	function assertIsSigninRequest(x: Partial<Misskey.entities.SigninRequest>): x is Misskey.entities.SigninRequest {
+	function assertIsSigninFlowRequest(x: Partial<Misskey.entities.SigninFlowRequest>): x is Misskey.entities.SigninFlowRequest {
 		return x.username != null;
 	}

-	if (!assertIsSigninRequest(_req)) {
+	if (!assertIsSigninFlowRequest(_req)) {
 		throw new Error('Invalid request');
 	}

-	return await misskeyApi('signin', _req).then(async (res) => {
+	return await misskeyApi('signin-flow', _req).then(async (res) => {
+		if (res.finished) {
 			emit('login', res);
 			await onLoginSucceeded(res);
-		return res;
-	}).catch((err) => {
-		onSigninApiError(err);
-		return Promise.reject(err);
-	});
-}
-
-async function onLoginSucceeded(res: Misskey.entities.SigninResponse) {
-	if (props.autoSet) {
-		await login(res.i);
-	}
-}
-
-function onSigninApiError(err?: any): void {
-	const id = err?.id ?? null;
-
-	if (typeof err === 'object' && 'next' in err) {
-		switch (err.next) {
+		} else {
+			switch (res.next) {
 				case 'captcha': {
 					needCaptcha.value = true;
 					page.value = 'password';
@ -262,9 +247,9 @@ function onSigninApiError(err?: any): void {
 					break;
 				}
 				case 'passkey': {
-				if (webAuthnSupported() && 'authRequest' in err) {
+					if (webAuthnSupported()) {
 						credentialRequest.value = parseRequestOptionsFromJSON({
-						publicKey: err.authRequest,
+							publicKey: res.authRequest,
 						});
 						page.value = 'passkey';
 					} else {
@ -273,7 +258,33 @@ function onSigninApiError(err?: any): void {
 					break;
 				}
 			}
-	} else {
+
+			if (doingPasskeyFromInputPage.value === true) {
+				doingPasskeyFromInputPage.value = false;
+				page.value = 'input';
+				password.value = '';
+			}
+			passwordPageEl.value?.resetCaptcha();
+			nextTick(() => {
+				waiting.value = false;
+			});
+		}
+		return res;
+	}).catch((err) => {
+		onSigninApiError(err);
+		return Promise.reject(err);
+	});
+}
+
+async function onLoginSucceeded(res: Misskey.entities.SigninFlowResponse & { finished: true; }) {
+	if (props.autoSet) {
+		await login(res.i);
+	}
+}
+
+function onSigninApiError(err?: any): void {
+	const id = err?.id ?? null;
+
 	switch (id) {
 		case '6cc579cc-885d-43d8-95c2-b8c7fc963280': {
 			os.alert({
@ -352,7 +363,6 @@ function onSigninApiError(err?: any): void {
 			});
 		}
 	}
-	}

 	if (doingPasskeyFromInputPage.value === true) {
 		doingPasskeyFromInputPage.value = false;
--- a/packages/frontend/src/components/MkSignupDialog.form.vue
+++ b/packages/frontend/src/components/MkSignupDialog.form.vue
@ -98,7 +98,7 @@ const props = withDefaults(defineProps<{
 });

 const emit = defineEmits<{
-	(ev: 'signup', user: Misskey.entities.SigninResponse): void;
+	(ev: 'signup', user: Misskey.entities.SigninFlowResponse): void;
 	(ev: 'signupEmailPending'): void;
 }>();

@ -269,14 +269,19 @@ async function onSubmit(): Promise<void> {
 			});
 			emit('signupEmailPending');
 		} else {
-			const res = await misskeyApi('signin', {
+			const res = await misskeyApi('signin-flow', {
 				username: username.value,
 				password: password.value,
 			});
 			emit('signup', res);

-			if (props.autoSet) {
+			if (props.autoSet && res.finished) {
 				return login(res.i);
+			} else {
+				os.alert({
+					type: 'error',
+					text: i18n.ts.somethingHappened,
+				});
 			}
 		}
 	} catch {
--- a/packages/frontend/src/components/MkSignupDialog.vue
+++ b/packages/frontend/src/components/MkSignupDialog.vue
@ -47,7 +47,7 @@ const props = withDefaults(defineProps<{
 });

 const emit = defineEmits<{
-	(ev: 'done', res: Misskey.entities.SigninResponse): void;
+	(ev: 'done', res: Misskey.entities.SigninFlowResponse): void;
 	(ev: 'closed'): void;
 }>();

@ -55,7 +55,7 @@ const dialog = shallowRef<InstanceType<typeof MkModalWindow>>();

 const isAcceptedServerRule = ref(false);

-function onSignup(res: Misskey.entities.SigninResponse) {
+function onSignup(res: Misskey.entities.SigninFlowResponse) {
 	emit('done', res);
 	dialog.value?.close();
 }
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@ -1158,9 +1158,9 @@ export type Endpoints = Overwrite<Endpoints_2, {
        req: SignupPendingRequest;
        res: SignupPendingResponse;
    };
-    'signin': {
-        req: SigninRequest;
-        res: SigninResponse;
+    'signin-flow': {
+        req: SigninFlowRequest;
+        res: SigninFlowResponse;
    };
    'signin-with-passkey': {
        req: SigninWithPasskeyRequest;
@ -1208,11 +1208,11 @@ declare namespace entities {
        SignupResponse,
        SignupPendingRequest,
        SignupPendingResponse,
-        SigninRequest,
+        SigninFlowRequest,
+        SigninFlowResponse,
        SigninWithPasskeyRequest,
        SigninWithPasskeyInitResponse,
        SigninWithPasskeyResponse,
-        SigninResponse,
        PartialRolePolicyOverride,
        EmptyRequest,
        EmptyResponse,
@ -3038,7 +3038,7 @@ type ServerStatsLog = ServerStats[];
 type Signin = components['schemas']['Signin'];

 // @public (undocumented)
-type SigninRequest = {
+type SigninFlowRequest = {
    username: string;
    password?: string;
    token?: string;
@ -3050,9 +3050,17 @@ type SigninRequest = {
 };

 // @public (undocumented)
-type SigninResponse = {
+type SigninFlowResponse = {
+    finished: true;
    id: User['id'];
    i: string;
+} | {
+    finished: false;
+    next: 'captcha' | 'password' | 'totp';
+} | {
+    finished: false;
+    next: 'passkey';
+    authRequest: PublicKeyCredentialRequestOptionsJSON;
 };

 // @public (undocumented)
@ -3069,7 +3077,7 @@ type SigninWithPasskeyRequest = {

 // @public (undocumented)
 type SigninWithPasskeyResponse = {
-    signinResponse: SigninResponse;
+    signinResponse: SigninFlowResponse;
 };

 // @public (undocumented)
--- a/packages/misskey-js/src/api.types.ts
+++ b/packages/misskey-js/src/api.types.ts
@ -3,8 +3,8 @@ import { UserDetailed } from './autogen/models.js';
 import { AdminRolesCreateRequest, AdminRolesCreateResponse, UsersShowRequest } from './autogen/entities.js';
 import {
 	PartialRolePolicyOverride,
-	SigninRequest,
-	SigninResponse,
+	SigninFlowRequest,
+	SigninFlowResponse,
 	SigninWithPasskeyInitResponse,
 	SigninWithPasskeyRequest,
 	SigninWithPasskeyResponse,
@ -81,9 +81,9 @@ export type Endpoints = Overwrite<
 			res: SignupPendingResponse;
 		},
 		// api.jsonには載せないものなのでここで定義
-		'signin': {
-			req: SigninRequest;
-			res: SigninResponse;
+		'signin-flow': {
+			req: SigninFlowRequest;
+			res: SigninFlowResponse;
 		},
 		'signin-with-passkey': {
 			req: SigninWithPasskeyRequest;
--- a/packages/misskey-js/src/entities.ts
+++ b/packages/misskey-js/src/entities.ts
@ -267,7 +267,7 @@ export type SignupPendingResponse = {
 	i: string,
 };

-export type SigninRequest = {
+export type SigninFlowRequest = {
 	username: string;
 	password?: string;
 	token?: string;
@ -278,6 +278,19 @@ export type SigninRequest = {
 	'm-captcha-response'?: string | null;
 };

+export type SigninFlowResponse = {
+	finished: true;
+	id: User['id'];
+	i: string;
+} | {
+	finished: false;
+	next: 'captcha' | 'password' | 'totp';
+} | {
+	finished: false;
+	next: 'passkey';
+	authRequest: PublicKeyCredentialRequestOptionsJSON;
+};
+
 export type SigninWithPasskeyRequest = {
 	credential?: AuthenticationResponseJSON;
 	context?: string;
@ -289,12 +302,7 @@ export type SigninWithPasskeyInitResponse = {
 };

 export type SigninWithPasskeyResponse = {
-	signinResponse: SigninResponse;
-};
-
-export type SigninResponse = {
-	id: User['id'],
-	i: string,
+	signinResponse: SigninFlowResponse;
 };

 type Values<T extends Record<PropertyKey, unknown>> = T[keyof T];