kanidm · micolous · Oct 6, 2023 · Oct 3, 2023 · Oct 3, 2023 · Oct 6, 2023
@@ -18,14 +18,15 @@ webauthn-rs = { workspace = true, features = ["resident-key-support", "preview-f
 webauthn-rs-device-catalog.workspace = true
 
 tide.workspace = true
-tide-rustls = "0.3"
 async-std.workspace = true
-openssl.workspace = true
 structopt = { version = "0.3", default-features = false }
-rustls = "0.19.0"
 tracing.workspace = true
 tracing-subscriber.workspace = true
 rand.workspace = true
 url = { workspace = true , features = ["serde"] }
 
 serde.workspace = true
+
+[dependencies.tide-openssl]
+git = "https://github.com/victorcwai/tide-openssl.git"
+rev = "7d0e2215f2f1ebfa71aa30d132213ed45dd95cbf"
@@ -1,41 +1,64 @@
-Tide with Webauthn
-===================
+# webauthn-rs-demo
 
-This is an example of using tide as the web server with a webauthn
-integration.
+This is the demo site which powers https://webauthn.firstyear.id.au/
 
-How to run it:
---------------
+## Running it locally
 
 ```
-cargo run --example tide
+cargo run --
 ```
 
-Then navigate to "http://localhost:8080/auth" as the server prints out.
+Then navigate to "http://localhost:8080/" as the server prints out.
 
-What if that fails?
--------------------
+### HTTPS/TLS support
 
-If your system can't find localhost, this could be a failure in name resolution.
-You should check your system's etc/hosts file for this. If you navigate to
-"http://127.0.0.1:8080/auth" this example WILL FAIL as the origin is set to
-localhost, not 127.0.0.1.
+TLS support is [enabled by default][0] with the `tls` feature. You can _disable_
+it with `--no-default-features`.
 
-TODO:
+[0]: https://doc.rust-lang.org/cargo/reference/features.html#the-default-feature
+
+Provide the TLS public and private keys in PEM format, and specify an Origin
+(`--origin`) and relying party ID (`--id`):
+
+```sh
+cargo run -- \
+ --bind 192.0.2.1:443 \
+ --tls-public-key /etc/ssl/certs/demo.example.com.pem \
+ --tls-private-key /etc/ssl/certs/demo.example.com.key \
+ --origin https://demo.example.com \
+ --id demo.example.com
+```
+
+If you're testing locally, you can build a short-lived self-signed certificate
+(which won't be trusted by browsers) with `openssl`:
+
+```sh
+openssl genrsa -out /tmp/demo.key
+openssl req -new -x509 -key /tmp/demo.key -out /tmp/demo.pem -days 5 -subj "/CN=localhost/"
+```
+
+Configuring and managing certificates properly is outside the scope of this
+document. :)
+
+## Troubleshooting
+
+If your system can't find `localhost`, this could be a failure in name
+resolution. You should check your system's `/etc/hosts` file for this.
+
+If you navigate to `http://127.0.0.1:8080/`, this example **WILL FAIL** as the
+Origin is set to `localhost`, not `127.0.0.1`.
+
+## TODO
 
 * Improve the Javascript to use the username field correcly.
 * Make it prettier and sparkly.
 * Add cookie handling example.
 
-Building Yew:
--------------
+## Building Yew:
 
-```
+```sh
 cargo install wasm-pack
 npm install --global rollup
-cd tide_yew
+cd ../webauthn-rs-demo-wasm
 ./build_wasm.sh
 ```
-
-
-
@@ -11,6 +11,9 @@ use structopt::StructOpt;
 
 use rand::prelude::*;
 
+use tide_openssl::TlsListener;
+use tracing_subscriber::filter::LevelFilter;
+use tracing_subscriber::EnvFilter;
 use webauthn_rs::prelude::Uuid;
 use webauthn_rs::prelude::{
  AttestedResidentKey,
@@ -22,7 +25,6 @@ use webauthn_rs_core::proto::{Credential, PublicKeyCredential, RegisterPublicKey
 use webauthn_rs_demo_shared::*;
 
 mod actors;
-mod crypto;
 
 use crate::actors::*;
 
@@ -54,8 +56,12 @@ struct CmdOptions {
  env = "BIND_ADDRESS"
  )]
  bind: String,
- #[structopt(short = "s", long = "tls")]
- enable_tls: bool,
+ /// TLS public key, in PEM format
+ #[structopt(long = "tls-public-key", env = "TLS_PUBLIC_KEY")]
+ tls_public_key: Option<String>,
+ /// TLS private key, in PEM format
+ #[structopt(long = "tls-private-key", env = "TLS_PRIVATE_KEY")]
+ tls_private_key: Option<String>,
 }
 
 async fn index_view(_request: tide::Request<AppState>) -> tide::Result {
@@ -675,8 +681,14 @@ async fn condui_finish_login(mut request: tide::Request<AppState>) -> tide::Resu
 #[async_std::main]
 async fn main() -> tide::Result<()> {
  let opt: CmdOptions = CmdOptions::from_args();
- tracing_subscriber::fmt::init();
- debug!("Started logging ...");
+ tracing_subscriber::fmt()
+ .with_env_filter(
+ EnvFilter::builder()
+ .with_default_directive(LevelFilter::INFO.into())
+ .from_env_lossy(),
+ )
+ .compact()
+ .init();
 
  let domain = opt.rp_id.clone();
 
@@ -737,19 +749,26 @@ async fn main() -> tide::Result<()> {
  app.at("/").get(index_view);
  app.at("/*").get(index_view);
 
- if opt.enable_tls {
- debug!("Starting with TLS ...");
- let server_config = crypto::generate_dyn_ssl_config(opt.rp_id.as_str());
- app.listen(
- tide_rustls::TlsListener::build()
- .addrs(opt.bind.as_str())
- .config(server_config),
- )
- .await?;
- } else {
- debug!("Starting without TLS ...");
- app.listen(opt.bind).await?;
- };
+ match (opt.tls_public_key, opt.tls_private_key) {
+ (Some(tls_cert), Some(tls_key)) => {
+ info!("Starting server with TLS...");
+ app.listen(
+ TlsListener::build()
+ .addrs(opt.bind.as_str())
+ .cert(tls_cert)
+ .key(tls_key),
+ )
+ .await?;
+ }
+
+ (None, None) => {
+ info!("Starting without TLS ...");
+ app.listen(opt.bind).await?;
+ }
 
+ (_, _) => {
+ panic!("Must specify both --tls-public-key and --tls-private-key, or neither");
+ }
+ }
  Ok(())
 }