7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

migrating from u2f-api.js to webauthn

Browse Source
This commit is contained in:
FreddlePat
2022-01-12 21:09:18 +01:00
parent e2b4b6f6bc
commit d1d134038f
42 changed files with 918 additions and 461 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
data/web/json_api.php
View File

@@ -117,12 +117,12 @@ if (isset($_GET['query'])) {
echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success;
}
}
if (!isset($_POST['attr']) && $category != "fido2-registration") {
if (!isset($_POST['attr']) && $category != "fido2-registration" && $category != "webauthn-tfa-registration") {
echo $request_incomplete;
exit;
}
else {
if ($category != "fido2-registration") {
if ($category != "fido2-registration" && $category != "webauthn-tfa-registration") {
$attr = (array)json_decode($_POST['attr'], true);
}
unset($attr['csrf_token']);
@@ -170,6 +170,48 @@ if (isset($_GET['query'])) {
exit;
}
break;
case "webauthn-tfa-registration":
if (isset($_SESSION["mailcow_cc_role"])) {
// parse post data
$post = trim(file_get_contents('php://input'));
if ($post) $post = json_decode($post);
// decode base64 strings
$clientDataJSON = base64_decode($post->clientDataJSON);
$attestationObject = base64_decode($post->attestationObject);
// process registration data from authenticator
try {
// processCreate($clientDataJSON, $attestationObject, $challenge, $requireUserVerification=false, $requireUserPresent=true, $failIfRootMismatch=true)
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $_SESSION['challenge'], false, true);
}
catch (Throwable $ex) {
// err
$return = new stdClass();
$return->success = false;
$return->msg = $ex->getMessage();
echo json_encode($return);
exit;
}
// safe authenticator in mysql `tfa` table
$_data['tfa_method'] = $post->tfa_method;
$_data['key_id'] = $post->key_id;
$_data['registration'] = $data;
set_tfa($_data);
// send response
$return = new stdClass();
$return->success = true;
echo json_encode($return);
exit;
}
else {
// err - request incomplete
echo $request_incomplete;
exit;
}
break;
case "time_limited_alias":
process_add_return(mailbox('add', 'time_limited_alias', $attr));
break;
@@ -350,6 +392,7 @@ if (isset($_GET['query'])) {
exit();
}
switch ($category) {
// u2f - deprecated, should be removed
case "u2f-registration":
header('Content-Type: application/javascript');
if (isset($_SESSION["mailcow_cc_role"]) && $_SESSION["mailcow_cc_username"] == $object) {
@@ -366,21 +409,6 @@ if (isset($_GET['query'])) {
return;
}
break;
// fido2-registration via GET
case "fido2-registration":
header('Content-Type: application/json');
if (isset($_SESSION["mailcow_cc_role"])) {
// Exclude existing CredentialIds, if any
$excludeCredentialIds = fido2(array("action" => "get_user_cids"));
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
print(json_encode($createArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
}
else {
return;
}
break;
case "u2f-authentication":
header('Content-Type: application/javascript');
if (isset($_SESSION['pending_mailcow_cc_username']) && $_SESSION['pending_mailcow_cc_username'] == $object) {
@@ -403,6 +431,21 @@ if (isset($_GET['query'])) {
return;
}
break;
// fido2
case "fido2-registration":
header('Content-Type: application/json');
if (isset($_SESSION["mailcow_cc_role"])) {
// Exclude existing CredentialIds, if any
$excludeCredentialIds = fido2(array("action" => "get_user_cids"));
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
print(json_encode($createArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
}
else {
return;
}
break;
case "fido2-get-args":
header('Content-Type: application/json');
// Login without username, no ids!
@@ -416,6 +459,36 @@ if (isset($_GET['query'])) {
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
break;
// webauthn two factor authentication
case "webauthn-tfa-registration":
if (isset($_SESSION["mailcow_cc_role"])) {
$excludeCredentialIds = null;
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, false, $GLOBALS['WEBAUTHN_UV_FLAG_REGISTER'], true);
print(json_encode($createArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
}
else {
return;
}
break;
case "webauthn-tfa-get-args":
$stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
$stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username']));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
while($row = array_shift($rows)) {
$cids[] = base64_decode($row['keyHandle']);
}
$getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN']);
$getArgs->publicKey->extensions = array('appid' => "https://".$getArgs->publicKey->rpId);
print(json_encode($getArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge();
return;
break;
}
if (isset($_SESSION['mailcow_cc_role'])) {
switch ($category) {