feat: integrate WebAuthn support for enhanced security in agent authentication

- Added WebAuthn registration and verification endpoints in the AgentsController to support FIDO2 security keys.
- Updated the SecurityPart schema and DTOs to include U2F key credentials, enhancing the security model for agents.
- Implemented methods for handling WebAuthn challenges and responses, ensuring secure registration of security keys.
- Enhanced the profile page to display registered security keys and provide an interface for adding new keys.
- Updated package dependencies to include @simplewebauthn libraries for WebAuthn functionality.

Author: tacxou

apps/api/package.json

@@ -36,6 +36,7 @@
     "@nestjs/terminus": "^11.0.0",
     "@sentry/nestjs": "^10.25.0",
     "@sentry/profiling-node": "^10.25.0",
+    "@simplewebauthn/server": "^13.3.0",
     "@tacxou/nestjs_module_factorydrive": "^1.1.6",
     "@tacxou/nestjs_module_factorydrive-s3": "^1.0.5",
     "ajv": "^8.16.0",

apps/api/src/core/agents/_dto/parts/security.part.dto.ts

@@ -1,5 +1,30 @@
-import { ApiProperty } from '@nestjs/swagger'
-import { IsString, IsArray, IsBoolean, IsOptional } from 'class-validator'
+import { ApiProperty } from '@nestjs/swagger';
+import { IsArray, IsBoolean, IsOptional, IsString } from 'class-validator';
+
+export class U2fKeyCredentialDTO {
+  @IsString()
+  @ApiProperty()
+  public credentialId: string;
+
+  @IsString()
+  @IsOptional()
+  @ApiProperty({ required: false })
+  public name?: string;
+
+  @IsArray()
+  @IsString({ each: true })
+  @IsOptional()
+  @ApiProperty({ type: [String], required: false })
+  public transports?: string[];
+
+  @IsOptional()
+  @ApiProperty({ required: false, type: Number })
+  public signCount?: number;
+
+  @IsOptional()
+  @ApiProperty({ required: false, type: String })
+  public createdAt?: string;
+}
 
 /**
  * DTO pour la partie sécurité d'un agent.
@@ -43,7 +68,7 @@ export class SecurityPartDTO {
    */
   @IsOptional()
   @ApiProperty({ type: [String] })
-  public oldPasswords?: string[]
+  public oldPasswords?: string[];
 
   /**
    * Clé secrète pour l'authentification OTP (One-Time Password).
@@ -56,20 +81,19 @@ export class SecurityPartDTO {
   @IsString()
   @IsOptional()
   @ApiProperty()
-  public otpKey?: string
+  public otpKey?: string;
 
   /**
    * Clés U2F/FIDO enregistrées pour l'authentification matérielle.
    * Tableau des identifiants de clés de sécurité physiques.
    *
-   * @type {string[]}
+   * @type {U2fKeyCredentialDTO[]}
    * @optional
    */
   @IsArray()
-  @IsString({ each: true })
   @IsOptional()
-  @ApiProperty({ type: [String] })
-  public u2fKey?: string[]
+  @ApiProperty({ type: [U2fKeyCredentialDTO] })
+  public u2fKey?: U2fKeyCredentialDTO[];
 
   /**
    * Liste des réseaux/IP autorisés pour cet agent.
@@ -84,7 +108,7 @@ export class SecurityPartDTO {
   @IsString({ each: true })
   @IsOptional()
   @ApiProperty({ type: [String] })
-  public allowedNetworks?: string[]
+  public allowedNetworks?: string[];
 
   /**
    * Indique si l'agent doit changer son mot de passe à la prochaine connexion.
@@ -97,7 +121,7 @@ export class SecurityPartDTO {
   @IsBoolean()
   @IsOptional()
   @ApiProperty()
-  public changePwdAtNextLogin: boolean
+  public changePwdAtNextLogin: boolean;
 
   /**
    * Clé secrète unique de l'agent.
@@ -111,5 +135,5 @@ export class SecurityPartDTO {
   @IsString()
   @IsOptional()
   @ApiProperty()
-  public secretKey?: string
+  public secretKey?: string;
 }

apps/api/src/core/agents/_dto/webauthn.dto.ts

@@ -0,0 +1,20 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsOptional, IsString } from 'class-validator';
+
+export class WebAuthnRegisterBeginDto {
+  @IsOptional()
+  @IsString()
+  @ApiProperty({ required: false, description: 'Nom affiché pour la clé (ex: “YubiKey bureau”)' })
+  public name?: string;
+}
+
+export class WebAuthnRegisterFinishDto {
+  @ApiProperty({ description: 'Réponse WebAuthn retournée par navigator.credentials.create()' })
+  // On évite de lier le DTO aux types internes WebAuthn pour ne pas rendre le build fragile.
+  public response: Record<string, unknown>;
+
+  @IsOptional()
+  @IsString()
+  @ApiProperty({ required: false, description: 'Nom affiché pour la clé (ex: “YubiKey bureau”)' })
+  public name?: string;
+}

apps/api/src/core/agents/_schemas/_parts/security.part.schema.ts

@@ -1,5 +1,34 @@
-import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose'
-import { Document } from 'mongoose'
+import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
+import { Document } from 'mongoose';
+
+@Schema({ _id: false })
+export class U2fKeyCredential {
+  @Prop({ type: String, required: true })
+  public credentialId: string;
+
+  /**
+   * Clé publique associée à la credential (encodée en base64url).
+   */
+  @Prop({ type: String, required: true })
+  public publicKey: string;
+
+  /**
+   * Compteur de signature WebAuthn (anti-rejeu), fourni par l’authenticator.
+   */
+  @Prop({ type: Number, required: true, default: 0 })
+  public signCount: number;
+
+  @Prop({ type: [String], required: false, default: [] })
+  public transports?: string[];
+
+  @Prop({ type: Date, required: true, default: () => new Date() })
+  public createdAt: Date;
+
+  @Prop({ type: String, required: false, default: '' })
+  public name?: string;
+}
+
+export const U2fKeyCredentialSchema = SchemaFactory.createForClass(U2fKeyCredential);
 
 /**
  * Schéma Mongoose pour la partie sécurité des agents.
@@ -50,7 +79,7 @@ export class SecurityPart extends Document {
     type: [String],
     default: [],
   })
-  public oldPasswords?: string[]
+  public oldPasswords?: string[];
 
   /**
    * Clé secrète pour l'authentification OTP (One-Time Password).
@@ -63,19 +92,20 @@ export class SecurityPart extends Document {
   @Prop({
     type: String,
   })
-  public otpKey?: string
+  public otpKey?: string;
 
   /**
    * Clés U2F/FIDO enregistrées pour l'authentification matérielle.
    * Tableau des identifiants de clés de sécurité physiques enregistrées.
    *
-   * @type {string[]}
+   * @type {U2fKeyCredential[]}
    * @optional
    */
   @Prop({
-    type: [String],
+    type: [U2fKeyCredentialSchema],
+    default: [],
   })
-  public u2fKey?: string[]
+  public u2fKey?: U2fKeyCredential[];
 
   /**
    * Liste des réseaux/IP autorisés pour cet agent.
@@ -89,12 +119,12 @@ export class SecurityPart extends Document {
   @Prop({
     type: [String],
     set: (value: string[] | string | null | undefined): string[] | undefined => {
-      if (value === null || value === undefined) return undefined
-      const values = Array.isArray(value) ? value : [value]
-      return values.map((item) => `${item || ''}`.trim()).filter((item) => item.length > 0)
+      if (value === null || value === undefined) return undefined;
+      const values = Array.isArray(value) ? value : [value];
+      return values.map((item) => `${item || ''}`.trim()).filter((item) => item.length > 0);
     },
   })
-  public allowedNetworks?: string[]
+  public allowedNetworks?: string[];
 
   /**
    * Indique si l'agent doit changer son mot de passe à la prochaine connexion.
@@ -108,7 +138,7 @@ export class SecurityPart extends Document {
     type: Boolean,
     default: false,
   })
-  public changePwdAtNextLogin: boolean
+  public changePwdAtNextLogin: boolean;
 
   /**
    * Clé secrète unique de l'agent.
@@ -122,10 +152,10 @@ export class SecurityPart extends Document {
   @Prop({
     type: String,
   })
-  public secretKey: string
+  public secretKey: string;
 }
 
 /**
  * Factory pour créer le schéma Mongoose à partir de la classe SecurityPart.
  */
-export const SecurityPartSchema = SchemaFactory.createForClass(SecurityPart)
+export const SecurityPartSchema = SchemaFactory.createForClass(SecurityPart);

apps/api/src/core/agents/_utils/agent-password-history.ts

@@ -0,0 +1,60 @@
+import { BadRequestException } from '@nestjs/common';
+import { verify as argon2Verify } from 'argon2';
+
+export async function assertAgentPasswordNotReused(params: {
+  newPassword: string;
+  currentHash: string;
+  oldHashes?: string[] | null;
+}): Promise<void> {
+  const newPassword = `${params?.newPassword || ''}`;
+  const currentHash = `${params?.currentHash || ''}`;
+  const oldHashes = Array.isArray(params?.oldHashes) ? params.oldHashes : [];
+
+  if (currentHash) {
+    const matchesCurrent = await argon2Verify(currentHash, newPassword);
+    if (matchesCurrent) {
+      throw new BadRequestException({
+        message: 'Le mot de passe a déjà été utilisé récemment',
+        error: 'Bad Request',
+        statusCode: 400,
+      });
+    }
+  }
+
+  for (const hash of oldHashes) {
+    const h = `${hash || ''}`;
+    if (!h) continue;
+    const matches = await argon2Verify(h, newPassword);
+    if (matches) {
+      throw new BadRequestException({
+        message: 'Le mot de passe a déjà été utilisé récemment',
+        error: 'Bad Request',
+        statusCode: 400,
+      });
+    }
+  }
+}
+
+export function nextAgentOldPasswords(params: {
+  currentHash: string;
+  oldHashes?: string[] | null;
+  maxCount: number;
+}): string[] {
+  const currentHash = `${params?.currentHash || ''}`;
+  const oldHashes = Array.isArray(params?.oldHashes) ? params.oldHashes : [];
+  const maxCount = Math.max(0, Math.floor(Number(params?.maxCount || 0)));
+
+  const next = [
+    ...(currentHash ? [currentHash] : []),
+    ...oldHashes.map((h) => `${h || ''}`).filter((h) => h.length > 0),
+  ];
+
+  // dédoublonnage simple (les hashes Argon2 incluent un sel, donc doublons rares)
+  const uniq: string[] = [];
+  for (const h of next) {
+    if (!uniq.includes(h)) uniq.push(h);
+  }
+
+  if (maxCount <= 0) return [];
+  return uniq.slice(0, maxCount);
+}