From 2b7932dd49ff8b7db625d87f06eefdacc2d31060 Mon Sep 17 00:00:00 2001
From: yly <no-reply@example.com>
Date: Thu, 14 Mar 2024 17:06:55 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=8C=E6=88=90=20Passkey=20=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Cargo.lock           |  33 +++++++++++
 Cargo.toml           |   2 +-
 auth.conf            |   7 ++-
 auth.db              | Bin 32768 -> 32768 bytes
 loginpage.html       |   4 +-
 register.html        | 137 +++++++++++++++++++++++++++++++++++++++++++
 src/config.rs        |   4 ++
 src/entities/mod.rs  |   4 +-
 src/main.rs          |  18 +++---
 src/services/auth.rs |  65 +++++++++++---------
 src/services/mod.rs  |  20 +++++--
 11 files changed, 248 insertions(+), 46 deletions(-)
 create mode 100644 register.html

diff --git a/Cargo.lock b/Cargo.lock
index 97f69ad..5233cae 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -886,6 +886,12 @@ dependencies = [
  "pin-project-lite",
 ]
 
+[[package]]
+name = "http-range-header"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ce4ef31cda248bbdb6e6820603b82dfcd9e833db65a43e997a0ccec777d11fe"
+
 [[package]]
 name = "httparse"
 version = "1.8.0"
@@ -1080,6 +1086,16 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
+[[package]]
+name = "mime_guess"
+version = "2.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4192263c238a5f0d0c6bfd21f336a313a4ce1c450542449ca191bb657b4642ef"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
 [[package]]
 name = "minijinja"
 version = "1.0.9"
@@ -2214,10 +2230,18 @@ checksum = "1e9cd434a998747dd2c4276bc96ee2e0c7a2eadf3cae88e52be55a05fa9053f5"
 dependencies = [
  "bitflags 2.4.1",
  "bytes",
+ "futures-util",
  "http",
  "http-body",
  "http-body-util",
+ "http-range-header",
+ "httpdate",
+ "mime",
+ "mime_guess",
+ "percent-encoding",
  "pin-project-lite",
+ "tokio",
+ "tokio-util",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -2354,6 +2378,15 @@ version = "1.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
 
+[[package]]
+name = "unicase"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89"
+dependencies = [
+ "version_check",
+]
+
 [[package]]
 name = "unicode-bidi"
 version = "0.3.13"
diff --git a/Cargo.toml b/Cargo.toml
index 75236fe..254245d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,7 +14,7 @@ serde = "1.0.190"
 uuid = { version = "1.5.0", features = ["v4", "fast-rng"] }
 totp-rs = "5.4.0"
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
-tower-http = { version = "0.5", features = ["trace"] }
+tower-http = { version = "0.5", features = ["trace", "fs"] }
 tracing = "0.1.40"
 askama = "0.10"
 minijinja = "1.0.9"
diff --git a/auth.conf b/auth.conf
index e9141de..f6b67c9 100644
--- a/auth.conf
+++ b/auth.conf
@@ -5,13 +5,14 @@ upstream protected {
 server {
 	listen 8080;
 	location / {
-		auth_request /auth;
+		auth_request /aaron/auth;
 		set $original_full_url $scheme://$host$request_uri;
 		error_page 401 =200 /login;
 		proxy_set_header X-Original-URI $scheme://$host$request_uri;
 		proxy_pass http://protected/;
 	}
-	location = /auth {
+	location 
+	location = /aaron/auth {
 		internal;
 		proxy_pass http://localhost:3000/auth;
 		proxy_pass_request_body off;
@@ -20,7 +21,7 @@ server {
 		proxy_set_header X-Original-Remote-Addr $remote_addr;
 		proxy_set_header X-Original-Host $host;
 	}
-	location /login {
+	location /aaron/login {
 		proxy_pass http://localhost:3000/login;
 		proxy_set_header X-Original-Remote-Addr $remote_addr;
 		proxy_set_header X-Original-Host $host;
diff --git a/auth.db b/auth.db
index 481218c98cc6a6315ce057b5dd391aafa79951cb..22b571f96f9553896b631974cc71afcbbd9cf505 100644
GIT binary patch
literal 32768
zcmeI)O>g2x7zc1W<ZaUsR_Xz5rB;@6Xz0Q&#%3{*Div6#b(bZCm(^x3t|3D(FScV3
zETqjLReR{U$6i+I2iWgY_0UT%{UjYbqzln@6;-WLMSlywjc4Y0{2MMdXzB-LixQ#Z
zctev4GIy8bdG0eo;5hCcTi4mT#?~dae!$jcwq7p$<-t4l_qYe%t7!B`Ze=saZB;gZ
zk9Ie6Td}QJwEK=$xC8+RKmY;|fB*y_009X6p9IdgV{7s4ZT{ORHCqExs%ek4N<%M{
z>vM-I?6}a-ghruQ)&z0xiYV-C2=gVPK*@yeWYUV75Gwl(q0%gulR=$kU8@=T<5>kM
zolzDmRBQUvLhVp^q8$o5b1}rkM&f*ZV=W$!^XE>OWzbbU+(Z^L3(ICXv3^9Mp*?3Q
z%%@Q)Jk>68SSVkN9<)se`xT+IU)d|`rG`+`s^vmS+ejqdTaAAj=Q+zhA`|~)z#h5`
zb3~o++z1meq;R*swa0yPQ)8XIyBgQG|1QnB5j3Q^lhv(P;gcd)jjYD+-{%iQ?%7@X
z<YYwbHo0=Tyf6e;F7DXokR(~l1jq4T-4q7mLI45~fB*y_009U<00Izz00bZaf!iPu
zWjC=D`<aXV$~IUa009U<00Izz00bZa0SG_<0uZ<<frm?x=7*VlR#8+Ur<8VvZCXc4
zDlZW;C1vu8+{qJFmF4beI<h;a{RtmwzTe54s+`M6DJ7pxrxZnLr&=b-rm|96m2$*X
zT55Ybm<G@P>`(t(?2p(lH+6%E3jqi~00Izz00bZa0SG_<0uX?}KM;6urOiiI&gV{p
z=YKvr=GX@d1Rwwb2tWV=5P$##AOHaf{ObbWukp)2JZXL{wmotr?q2K-iyew)`cc(Q
zRdoIHdO9yz9wn!}L!ysUB}pxIizDep)<2d{`@><Wb&~DpdZ}q|Ka<%vRnn;!NpC#$
zCjEw0GqtSLD%Dh9bq3B$G5J?0I(3P`0%`S3_7N-ZlWCBFRx-3wCd_5zjR~tz*Gg4Z
zr6#dTlc2%N1K*XilP`O=Triw|+U_1TzNnY|R_AbX(yZv}si!LgU&<9&3)ZP9d*e=9
zr<QB(J#&=o^Mg!Z(u-BKT7N;tomOp6KIz$GsZl95#j~?BmZLMWDe=TzIhPcvXWG8&
zc+?kn?a^S66h}Vsj4|=7juo&`Z$y$}%WU^Yu0aOYvBjpM5O+J~z<*QjQ<J_a^vJR0
zvyQ3d*oNy2tagy6>yZxef}u!?Y#It;`|L7{IvW?)b0}$3R<YvHS}>h~Ps6(1q1iUr
z5V8n{PuRg*>X@z@j_Z}C!N41=W0!>y^<&!!qB8-LQr3HzUl9Muq-Ge`CM>rhq2_$a
zVtwOc62HspXJ^;>3%~~ZZu8NfIQGE;0SG_<0uX=z1Rwwb2tWV=HzV*}o4q5rgLedY
zNAMrMBba@)gSq^JIsR8>`&lt|5P$##AOHafKmY;|fB*y_009Wx27%!B|E1V#F7`V1
v+ikcX+yew4009U<00Izz00bZa0SG|g76|M_n*4R90$lny(!6t>|Ns99s8Dil

delta 47
zcmZo@U}|V!njp<6GEv5vRfIv$`s2ow1@=q~0-HDT{o<cgzye`13T$Ri_$dznQS%OV

diff --git a/loginpage.html b/loginpage.html
index f8187bf..349a995 100644
--- a/loginpage.html
+++ b/loginpage.html
@@ -63,13 +63,15 @@
 <body>
   <div class="container">
     <h1>Login</h1>
-    <form action="/login{{ url }}" method="POST">
+    <form action="{{ home_url|safe }}/login{{ url }}" method="POST">
       <label for="username">Username:</label>
       <input type="text" id="username" name="username" required>
       <label for="password">Password:</label>
       <input type="password" id="password" name="otp" required>
       <input type="submit" value="Submit">
     </form>
+    <p>Or:</p>
+    <a href="{{ home_url|safe }}/register">Continue with Passkey</a>
   </div>
 </body>
 </html>
diff --git a/register.html b/register.html
new file mode 100644
index 0000000..262eacf
--- /dev/null
+++ b/register.html
@@ -0,0 +1,137 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>WebAuthn登录</title>
+    <script async>
+        /**
+ * Minified by jsDelivr using Terser v5.15.1.
+ * Original file: /npm/js-base64@3.7.4/base64.js
+ *
+ * Do NOT use SRI with dynamically generated files! More information: https://www.jsdelivr.com/using-sri-with-dynamic-files
+ */
+        !function (t, n) { var r, e; "object" == typeof exports && "undefined" != typeof module ? module.exports = n() : "function" == typeof define && define.amd ? define(n) : (r = t.Base64, (e = n()).noConflict = function () { return t.Base64 = r, e }, t.Meteor && (Base64 = e), t.Base64 = e) }("undefined" != typeof self ? self : "undefined" != typeof window ? window : "undefined" != typeof global ? global : this, (function () { "use strict"; var t, n = "3.7.4", r = "function" == typeof atob, e = "function" == typeof btoa, o = "function" == typeof Buffer, u = "function" == typeof TextDecoder ? new TextDecoder : void 0, i = "function" == typeof TextEncoder ? new TextEncoder : void 0, f = Array.prototype.slice.call("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="), c = (t = {}, f.forEach((function (n, r) { return t[n] = r })), t), a = /^(?:[A-Za-z\d+\/]{4})*?(?:[A-Za-z\d+\/]{2}(?:==)?|[A-Za-z\d+\/]{3}=?)?$/, d = String.fromCharCode.bind(String), s = "function" == typeof Uint8Array.from ? Uint8Array.from.bind(Uint8Array) : function (t, n) { return void 0 === n && (n = function (t) { return t }), new Uint8Array(Array.prototype.slice.call(t, 0).map(n)) }, l = function (t) { return t.replace(/=/g, "").replace(/[+\/]/g, (function (t) { return "+" == t ? "-" : "_" })) }, h = function (t) { return t.replace(/[^A-Za-z0-9\+\/]/g, "") }, p = function (t) { for (var n, r, e, o, u = "", i = t.length % 3, c = 0; c < t.length;) { if ((r = t.charCodeAt(c++)) > 255 || (e = t.charCodeAt(c++)) > 255 || (o = t.charCodeAt(c++)) > 255) throw new TypeError("invalid character found"); u += f[(n = r << 16 | e << 8 | o) >> 18 & 63] + f[n >> 12 & 63] + f[n >> 6 & 63] + f[63 & n] } return i ? u.slice(0, i - 3) + "===".substring(i) : u }, y = e ? function (t) { return btoa(t) } : o ? function (t) { return Buffer.from(t, "binary").toString("base64") } : p, A = o ? function (t) { return Buffer.from(t).toString("base64") } : function (t) { for (var n = [], r = 0, e = t.length; r < e; r += 4096)n.push(d.apply(null, t.subarray(r, r + 4096))); return y(n.join("")) }, b = function (t, n) { return void 0 === n && (n = !1), n ? l(A(t)) : A(t) }, g = function (t) { if (t.length < 2) return (n = t.charCodeAt(0)) < 128 ? t : n < 2048 ? d(192 | n >>> 6) + d(128 | 63 & n) : d(224 | n >>> 12 & 15) + d(128 | n >>> 6 & 63) + d(128 | 63 & n); var n = 65536 + 1024 * (t.charCodeAt(0) - 55296) + (t.charCodeAt(1) - 56320); return d(240 | n >>> 18 & 7) + d(128 | n >>> 12 & 63) + d(128 | n >>> 6 & 63) + d(128 | 63 & n) }, B = /[\uD800-\uDBFF][\uDC00-\uDFFFF]|[^\x00-\x7F]/g, x = function (t) { return t.replace(B, g) }, C = o ? function (t) { return Buffer.from(t, "utf8").toString("base64") } : i ? function (t) { return A(i.encode(t)) } : function (t) { return y(x(t)) }, m = function (t, n) { return void 0 === n && (n = !1), n ? l(C(t)) : C(t) }, v = function (t) { return m(t, !0) }, U = /[\xC0-\xDF][\x80-\xBF]|[\xE0-\xEF][\x80-\xBF]{2}|[\xF0-\xF7][\x80-\xBF]{3}/g, F = function (t) { switch (t.length) { case 4: var n = ((7 & t.charCodeAt(0)) << 18 | (63 & t.charCodeAt(1)) << 12 | (63 & t.charCodeAt(2)) << 6 | 63 & t.charCodeAt(3)) - 65536; return d(55296 + (n >>> 10)) + d(56320 + (1023 & n)); case 3: return d((15 & t.charCodeAt(0)) << 12 | (63 & t.charCodeAt(1)) << 6 | 63 & t.charCodeAt(2)); default: return d((31 & t.charCodeAt(0)) << 6 | 63 & t.charCodeAt(1)) } }, w = function (t) { return t.replace(U, F) }, S = function (t) { if (t = t.replace(/\s+/g, ""), !a.test(t)) throw new TypeError("malformed base64."); t += "==".slice(2 - (3 & t.length)); for (var n, r, e, o = "", u = 0; u < t.length;)n = c[t.charAt(u++)] << 18 | c[t.charAt(u++)] << 12 | (r = c[t.charAt(u++)]) << 6 | (e = c[t.charAt(u++)]), o += 64 === r ? d(n >> 16 & 255) : 64 === e ? d(n >> 16 & 255, n >> 8 & 255) : d(n >> 16 & 255, n >> 8 & 255, 255 & n); return o }, E = r ? function (t) { return atob(h(t)) } : o ? function (t) { return Buffer.from(t, "base64").toString("binary") } : S, D = o ? function (t) { return s(Buffer.from(t, "base64")) } : function (t) { return s(E(t), (function (t) { return t.charCodeAt(0) })) }, R = function (t) { return D(T(t)) }, z = o ? function (t) { return Buffer.from(t, "base64").toString("utf8") } : u ? function (t) { return u.decode(D(t)) } : function (t) { return w(E(t)) }, T = function (t) { return h(t.replace(/[-_]/g, (function (t) { return "-" == t ? "+" : "/" }))) }, Z = function (t) { return z(T(t)) }, j = function (t) { return { value: t, enumerable: !1, writable: !0, configurable: !0 } }, I = function () { var t = function (t, n) { return Object.defineProperty(String.prototype, t, j(n)) }; t("fromBase64", (function () { return Z(this) })), t("toBase64", (function (t) { return m(this, t) })), t("toBase64URI", (function () { return m(this, !0) })), t("toBase64URL", (function () { return m(this, !0) })), t("toUint8Array", (function () { return R(this) })) }, O = function () { var t = function (t, n) { return Object.defineProperty(Uint8Array.prototype, t, j(n)) }; t("toBase64", (function (t) { return b(this, t) })), t("toBase64URI", (function () { return b(this, !0) })), t("toBase64URL", (function () { return b(this, !0) })) }, P = { version: n, VERSION: "3.7.4", atob: E, atobPolyfill: S, btoa: y, btoaPolyfill: p, fromBase64: Z, toBase64: m, encode: m, encodeURI: v, encodeURL: v, utob: x, btou: w, decode: Z, isValid: function (t) { if ("string" != typeof t) return !1; var n = t.replace(/\s+/g, "").replace(/={0,2}$/, ""); return !/[^\s0-9a-zA-Z\+/]/.test(n) || !/[^\s0-9a-zA-Z\-_]/.test(n) }, fromUint8Array: b, toUint8Array: R, extendString: I, extendUint8Array: O, extendBuiltins: function () { I(), O() }, Base64: {} }; return Object.keys(P).forEach((function (t) { return P.Base64[t] = P[t] })), P }));
+    //# sourceMappingURL=/sm/a59fea69b86d0d8cc8c7717805d74db48cc3ea11b7c1ed6cf5d5c67bce98b667.map
+    </script>
+    <script>
+        const home_url = "{{home_url|safe}}";
+        function register () {
+            let username = document.getElementById('username').value;
+            if (username === "") {
+                alert("Please enter a username");
+                return;
+            }
+        
+            fetch(`${ home_url }/register_start/` + username, {
+                method: 'POST'
+            })
+            .then(response => response.json() )
+            .then(credentialCreationOptions => {
+                credentialCreationOptions.publicKey.challenge = Base64.toUint8Array(credentialCreationOptions.publicKey.challenge);
+                credentialCreationOptions.publicKey.user.id = Base64.toUint8Array(credentialCreationOptions.publicKey.user.id);
+                if (credentialCreationOptions.publicKey.excludeCredentials != null) {
+                    credentialCreationOptions.publicKey.excludeCredentials.forEach(function (listItem) {
+                        listItem.id = Base64.toUint8Array(listItem.id)
+                    });
+                }
+        
+                return navigator.credentials.create({
+                    publicKey: credentialCreationOptions.publicKey
+                });
+            })
+            .then((credential) => {
+                fetch(`${home_url }/register_finish`, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json'
+                    },
+                    body: JSON.stringify({
+                        id: credential.id,
+                        rawId: Base64.fromUint8Array(new Uint8Array(credential.rawId), true),
+                        type: credential.type,
+                        response: {
+                            attestationObject: Base64.fromUint8Array(new Uint8Array(credential.response.attestationObject), true),
+                            clientDataJSON: Base64.fromUint8Array(new Uint8Array(credential.response.clientDataJSON), true),
+                        },
+                    })
+                })
+                .then((response) => {
+                    if (response.ok){
+                        console.log("Registered!");
+                    } else {
+                        console.log("Error");
+                    }
+                });
+            })
+            .catch(err => {
+                console.log(err);
+                alert("Error whilst registering key");
+            });
+        }
+        
+        function login() {
+            let username = document.getElementById('username').value;
+            if (username === "") {
+                alert("Please enter a username");
+                return;
+            }
+        
+            fetch(`${home_url}/webauthn_login_start/` + username, {
+                method: 'POST'
+            })
+            .then(response => response.json())
+            .then((credentialRequestOptions) => {
+                credentialRequestOptions.publicKey.challenge = Base64.toUint8Array(credentialRequestOptions.publicKey.challenge);
+                credentialRequestOptions.publicKey.allowCredentials.forEach(function (listItem) {
+                    listItem.id = Base64.toUint8Array(listItem.id)
+                });
+        
+                return navigator.credentials.get({
+                    publicKey: credentialRequestOptions.publicKey
+                });
+            })
+            .then((assertion) => {
+                fetch(`${home_url}/webauthn_login_finish`, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json'
+                    },
+                    body: JSON.stringify({
+                        id: assertion.id,
+                        rawId: Base64.fromUint8Array(new Uint8Array(assertion.rawId), true),
+                        type: assertion.type,
+                        response: {
+                            authenticatorData: Base64.fromUint8Array(new Uint8Array(assertion.response.authenticatorData), true),
+                            clientDataJSON: Base64.fromUint8Array(new Uint8Array(assertion.response.clientDataJSON), true),
+                            signature: Base64.fromUint8Array(new Uint8Array(assertion.response.signature), true),
+                            userHandle: assertion.response.userHandle
+                        },
+                    }),
+                })
+                .then((response) => {
+                    if (response.ok){
+                        console.log("Logged In!");
+                        window.location.replace("/");
+                    } else {
+                        console.log("Error");
+                    }
+                });
+            });
+        }
+    </script>
+</head>
+
+<body>
+    <p>Welcome to the WebAuthn Server!</p>
+
+    <div>
+        <input type="text" id="username" placeholder="Enter your username here">
+        <button onclick="register()">Register</button>
+        <button onclick="login()">Login</button>
+    </div>
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/src/config.rs b/src/config.rs
index 547c405..ea59be9 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -11,7 +11,11 @@ pub const SESSION_ACTIVE_TIME: Lazy<u64> = Lazy::new(|| {
 pub const COOKIE_DOMAIN: Lazy<String> =
     Lazy::new(|| env::var("DOMAIN").ok().unwrap_or(".aaronhu.cn".to_owned()));
 pub const LOGIN_PAGE_HTML: &str = include_str!("../loginpage.html");
+pub const REGISTER_PAGE_HTML: &str = include_str!("../register.html");
 pub const PORT: Lazy<String> = Lazy::new(|| env::var("PORT").unwrap_or("3000".to_string()));
+// 部署此应用的URL,默认为/aaron
+pub const HOME_URL: Lazy<String> =
+    Lazy::new(|| env::var("HOME_URL").unwrap_or("/aaron".to_owned()));
 pub const DATABASE_URL: Lazy<String> =
     Lazy::new(|| env::var("DATABASE_URL").unwrap_or("".to_owned()));
 pub const RP_ID: Lazy<String> =
diff --git a/src/entities/mod.rs b/src/entities/mod.rs
index be38210..7a9dbb6 100644
--- a/src/entities/mod.rs
+++ b/src/entities/mod.rs
@@ -29,8 +29,8 @@ impl ServerState {
         // Now, with the builder you can define other options.
         // Set a "nice" relying party name. Has no security properties and
         // may be changed in the future.
-        let _RP_NAME = RP_NAME.to_string();
-        let builder = builder.rp_name(&_RP_NAME);
+        let _rp_name = RP_NAME.to_string();
+        let builder = builder.rp_name(&_rp_name);
 
         // Consume the builder and create our webauthn instance.
         let webauthn = Arc::new(builder.build().expect("Invalid configuration"));
diff --git a/src/main.rs b/src/main.rs
index b42a121..207a95e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,22 +1,23 @@
 
 
 
-use axum::{routing::{get, post, Route}, Router};
+use axum::{routing::{get, get_service, post, Route}, Router};
 use entities::*;
 
-use services::{auth::{self, finish_authentication, start_authentication}, gc_task, login, login_page};
+use services::{auth::{self, finish_authentication, start_authentication}, gc_task, login, login_page, register_page};
 use std::net::SocketAddr;
 use std::sync::Arc;
-use tower_cookies::{CookieManagerLayer};
+use tower_cookies::CookieManagerLayer;
 use tower_http::trace::{self, TraceLayer};
 use tower_sessions::{Expiry, MemoryStore, SessionManagerLayer};
+use tower_http::services::{ServeDir, ServeFile};
 use tracing::Level;
 
 pub mod config;
 pub mod controllers;
 pub mod entities;
 pub mod services;
-use config::{PORT};
+use config::{HOME_URL, PORT};
 #[tokio::main]
 async fn main() {
     // 初始化日志记录器
@@ -29,11 +30,11 @@ async fn main() {
     let app = Router::new()
         .route("/auth", get(crate::services::auth_otp)) // http://127.0.0.1:3000
         .route("/login", get(login_page).post(login))
+        .route("/register", get(register_page))
         .route("/register_start/:username", post(auth::start_register))
-        .route("/register_finish/:username", post(auth::finish_register))
+        .route("/register_finish", post(auth::finish_register))
         .route("/webauthn_login_start/:username", post(start_authentication))
-        .route("/webauthn_login_finish/:username", post(finish_authentication))
-
+        .route("/webauthn_login_finish", post(finish_authentication))
         .layer(
             TraceLayer::new_for_http()
                 .make_span_with(trace::DefaultMakeSpan::new().level(Level::INFO))
@@ -42,7 +43,8 @@ async fn main() {
         .with_state(state.clone())
         .layer(CookieManagerLayer::new())
         .layer(session_layer);
-    let aaronhu = Router::new().nest("/aaron/", app);
+    // 嵌套防止撞路由
+    let aaronhu = Router::new().nest(&HOME_URL, app);
     let port = PORT.parse::<u16>().unwrap_or(3000);
     let addr = SocketAddr::from(([127, 0, 0, 1], port));
     // run it with hyper on localhost:3000
diff --git a/src/services/auth.rs b/src/services/auth.rs
index 2e4646d..439efc8 100644
--- a/src/services/auth.rs
+++ b/src/services/auth.rs
@@ -11,7 +11,7 @@ use axum::{
     response::IntoResponse,
 };
 use std::time::Instant;
-use tower_cookies::Cookies;
+use tower_cookies::{Cookie, Cookies};
 use tower_sessions::Session;
 use tracing::*;
 
@@ -23,7 +23,7 @@ use tracing::*;
 // 1. Import the prelude - this contains everything needed for the server to function.
 use webauthn_rs::prelude::*;
 
-use crate::config::{COOKIE_NAME, SESSION_ACTIVE_TIME};
+use crate::config::{COOKIE_DOMAIN, COOKIE_NAME, SESSION_ACTIVE_TIME};
 use crate::ServerState;
 
 // 2. The first step a client (user) will carry out is requesting a credential to be
@@ -61,7 +61,7 @@ use crate::ServerState;
 // the challenge to the browser.
 
 // TODO - Improve error handling and messages
-fn auth_user(cookie_content:String,session_table:&mut HashMap<Uuid, Instant>) -> bool {
+fn auth_user(cookie_content: String, session_table: &mut HashMap<Uuid, Instant>) -> bool {
     let Ok(uuid) = Uuid::parse_str(&cookie_content) else {
         return false;
     };
@@ -71,25 +71,29 @@ fn auth_user(cookie_content:String,session_table:&mut HashMap<Uuid, Instant>) ->
     if *expire <= Instant::now() {
         return false;
     }
-    session_table.insert(uuid, Instant::now()+Duration::from_secs(*SESSION_ACTIVE_TIME));
-    tracing::info!("valid cookie {}",uuid);
+    session_table.insert(
+        uuid,
+        Instant::now() + Duration::from_secs(*SESSION_ACTIVE_TIME),
+    );
+    tracing::info!("valid cookie {}", uuid);
     return true;
-
 }
-#[debug_handler]
+
 pub async fn start_register(
     State(state): State<Arc<ServerState>>,
     cookies: Cookies,
     session: Session,
     Path(username): Path<String>,
 ) -> Result<Json<CreationChallengeResponse>, String> {
-    tracing::info!("Start register");
+    tracing::info!("开始注册");
     // todo!("Auth User");
     let Some(cookie_content) = cookies.get(&COOKIE_NAME) else {
+        tracing::info!("用户没有Cookie");
         return Err(WebauthnError::AuthenticationFailure.to_string());
     };
     let mut session_table = state.session.lock().await;
-    if !auth_user(cookie_content.value().to_string(), &mut session_table){
+    if !auth_user(cookie_content.value().to_string(), &mut session_table) {
+        tracing::info!("用户Cookie无效，不在Session表中");
         return Err(WebauthnError::AuthenticationFailure.to_string());
     }
     // Remove any previous registrations that may have occurred from the session.
@@ -166,7 +170,7 @@ pub async fn finish_register(
     session: Session,
     Json(reg): Json<RegisterPublicKeyCredential>,
 ) -> Result<impl IntoResponse, String> {
-    info!("Confirming registration....");
+    info!("完成注册...");
     let pool = &state.db;
     let Ok(Some((user_name, user_id, reg_state))) = session
         .get::<(String, Uuid, PasskeyRegistration)>("reg_state")
@@ -175,21 +179,20 @@ pub async fn finish_register(
         return Err(WebauthnError::AuthenticationFailure.to_string()); //Corrupt Session
     };
 
-    let _ = session.remove::<(Uuid, PasskeyAuthentication)>("reg_state").await;
+    let _ = session
+        .remove::<(Uuid, PasskeyAuthentication)>("reg_state")
+        .await;
 
     let res = match state.webauthn.finish_passkey_registration(&reg, &reg_state) {
         Ok(key) => {
-            info!("Passkey is okay");
+            info!("Passkey 正常");
             let uid = &user_id.to_string();
             let username = &user_name.to_string();
             // Check if the user_id already exists
-            let record = sqlx::query!(
-                "SELECT COUNT(KEY) AS count FROM users WHERE KEY = $1;",
-                uid
-            )
-            .fetch_one(pool)
-            .await
-            .map_err(|_| WebauthnError::AuthenticationFailure.to_string())?;
+            let record = sqlx::query!("SELECT COUNT(KEY) AS count FROM users WHERE KEY = $1;", uid)
+                .fetch_one(pool)
+                .await
+                .map_err(|_| WebauthnError::AuthenticationFailure.to_string())?;
 
             // If the user doesn't exist, insert them into the users table
             if record.count == 0
@@ -329,6 +332,7 @@ pub async fn start_authentication(
 pub async fn finish_authentication(
     State(state): State<Arc<ServerState>>,
     session: Session,
+    cookies: Cookies,
     Json(auth): Json<PublicKeyCredential>,
 ) -> Result<impl IntoResponse, String> {
     let pool = &state.db;
@@ -383,13 +387,10 @@ pub async fn finish_authentication(
                 }
             }
 
-            let user_name = sqlx::query!(
-                "SELECT NAME FROM users WHERE KEY = $1;",
-                uid
-            )
-            .fetch_one(pool)
-            .await
-            .map_err(|_| WebauthnError::AuthenticationFailure.to_string())?;
+            let user_name = sqlx::query!("SELECT NAME FROM users WHERE KEY = $1;", uid)
+                .fetch_one(pool)
+                .await
+                .map_err(|_| WebauthnError::AuthenticationFailure.to_string())?;
             // Add our own values to the session
             session
                 .insert("user_id", user_id)
@@ -399,7 +400,17 @@ pub async fn finish_authentication(
                 .insert("user_name", user_name.NAME)
                 .await
                 .map_err(|_| WebauthnError::InvalidUsername.to_string())?;
-
+            let mut lock = state.session.lock().await;
+            let uuid = Uuid::new_v4();
+            let expires = Instant::now() + Duration::from_secs(*SESSION_ACTIVE_TIME);
+            lock.insert(
+                uuid,
+                expires
+            );
+            let mut new_cookie = Cookie::new(COOKIE_NAME.to_string(), uuid.to_string());
+            new_cookie.set_domain(COOKIE_DOMAIN.to_string());
+            cookies.add(new_cookie);
+            info!("从passkey登录创建了新Session{},过期时间{}s后",uuid,*SESSION_ACTIVE_TIME);
             StatusCode::OK
         }
         Err(e) => {
diff --git a/src/services/mod.rs b/src/services/mod.rs
index 4a1b0c2..5ab1896 100644
--- a/src/services/mod.rs
+++ b/src/services/mod.rs
@@ -16,6 +16,7 @@ use tower_cookies::{Cookie, Cookies};
 
 use uuid::Uuid;
 
+use crate::config::{HOME_URL, REGISTER_PAGE_HTML};
 use crate::{ServerState, UserLoginForm};
 use super::config::{COOKIE_DOMAIN, COOKIE_NAME, LOGIN_PAGE_HTML, SESSION_ACTIVE_TIME};
 
@@ -114,7 +115,7 @@ pub async fn login_page(headers: HeaderMap<HeaderValue>) -> impl IntoResponse {
                 let uri = "?original_url=".to_owned() + uri;
                 return Html(
                     template
-                        .render(context! { url => uri })
+                        .render(context! { url => uri, home_url => HOME_URL.to_string() })
                         .unwrap_or("Error".to_string()),
                 );
             }
@@ -122,7 +123,18 @@ pub async fn login_page(headers: HeaderMap<HeaderValue>) -> impl IntoResponse {
     }
     Html(
         template
-            .render(context! { url => String::new() })
+            .render(context! { url => String::new(), home_url => HOME_URL.to_string() })
+            .unwrap_or("Error".to_string()),
+    )
+}
+pub async fn register_page(headers: HeaderMap<HeaderValue>) -> impl IntoResponse {
+    tracing::info!("Headers: {:#?}", headers);
+    let mut env = Environment::new();
+    env.add_template("register.html", REGISTER_PAGE_HTML).unwrap();
+    let template = env.get_template("register.html").unwrap();
+    Html(
+        template
+            .render(context! { url => String::new(), home_url => HOME_URL.to_string() })
             .unwrap_or("Error".to_string()),
     )
 }
@@ -165,7 +177,7 @@ pub async fn login_with_passkey(
     let Ok(mut conn) = conn else {
         return Err((StatusCode::BAD_GATEWAY, "db连接错误"));
     };
-    tracing::info!("{:?}", &frm);
+    tracing::info!("开始使用passkey登陆{:?}", &frm);
     let target = sqlx::query_as::<_, UserLoginForm>(
         r"
         SELECT NAME, KEY FROM USERS WHERE NAME = ?
@@ -174,7 +186,7 @@ pub async fn login_with_passkey(
     .bind(frm.username)
     .fetch_optional(&mut *conn)
     .await;
-    tracing::info!("{:?}", &target);
+    tracing::info!("数据库返回 {:?}", &target);
 
     if let Ok(Some(target)) = target {
         if check_otp(target.otp, frm.otp) {