[Web] Different UV flag for auth and register, remove unique key from fido2, delete tfa/fido2 when removing user object

2020-11-16 15:01:02 +01:00
parent c1376b4f4c
commit ff071e5120
5 changed files with 23 additions and 11 deletions
--- a/data/web/inc/functions.admin.inc.php
+++ b/data/web/inc/functions.admin.inc.php
@@ -229,6 +229,14 @@ function admin($_action, $_data = null) {
        $stmt->execute(array(
          ':username' => $username,
        ));
+        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
        $_SESSION['return'][] = array(
          'type' => 'success',
          'log' => array(__FUNCTION__, $_action, $_data_log),
--- a/data/web/inc/functions.domain_admin.inc.php
+++ b/data/web/inc/functions.domain_admin.inc.php
@@ -358,6 +358,14 @@ function domain_admin($_action, $_data = null) {
        $stmt->execute(array(
          ':username' => $username,
        ));
+        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
+        $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username,
+        ));
        $_SESSION['return'][] = array(
          'type' => 'success',
          'log' => array(__FUNCTION__, $_action, $_data_log),
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
  try {
    global $pdo;

-    $db_version = "15112020_1110";
+    $db_version = "16112020_1210";

    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -102,11 +102,6 @@ function init_db_schema() {
          "modified" => "DATETIME ON UPDATE NOW(0)",
          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
        ),
-        "keys" => array(
-          "unique" => array(
-            "fido2_username_CID" => array("username", "certificateSubject")
-          )
-        ),
        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
      ),
      "_sogo_static_view" => array(
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -178,7 +178,8 @@ $SHOW_LAST_LOGIN = true;
 // true = required
 // false = preferred
 // string 'required' 'preferred' 'discouraged'
-$FIDO2_UV_FLAG = 'preferred';
+$FIDO2_UV_FLAG_REGISTER = 'preferred';
+$FIDO2_UV_FLAG_LOGIN = 'preferred'; // iOS ignores the key via NFC if required - known issue
 $FIDO2_USER_PRESENT_FLAG = true;
 $FIDO2_FORMATS = array('android-key', 'android-safetynet', 'fido-u2f', 'none', 'packed', 'tpm');