From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id BE25B6BB72
 for <pbs-devel@lists.proxmox.com>; Fri, 19 Feb 2021 15:41:21 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id B50AE1A4F9
 for <pbs-devel@lists.proxmox.com>; Fri, 19 Feb 2021 15:40:51 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 8693C1A4E7
 for <pbs-devel@lists.proxmox.com>; Fri, 19 Feb 2021 15:40:50 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 4E21B41A13
 for <pbs-devel@lists.proxmox.com>; Fri, 19 Feb 2021 15:40:50 +0100 (CET)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Fri, 19 Feb 2021 15:40:49 +0100
Message-Id: <20210219144049.22810-2-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210219144049.22810-1-d.csapak@proxmox.com>
References: <20210219144049.22810-1-d.csapak@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.212 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [cred.id, user.id]
Subject: [pbs-devel] [PATCH proxmox-backup 2/2] ui: window/Settings /
 WebAuthn: add browser setting for userVerificationo
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2021 14:41:21 -0000

some fido2/webauthn keys can have a pin, and the client can request
a mode for the user verification.

'default' (no value set), lets the browser/device decide if the user has to
enter the pin of the device
'discouraged' requests that the user should not need to enter the pin
'preferred' requests that the user should need to enter the pin (if possible)

since we use webauthn only as a 2nd factor, having the user enter
the device pin on login may seem too much hassle for some users, so
give them the option

since this is a client option anyway, do not save it in the backend, but
in the browser local storage

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 www/LoginView.js          |  5 +++++
 www/window/AddWebauthn.js |  7 +++++++
 www/window/Settings.js    | 30 +++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/www/LoginView.js b/www/LoginView.js
index 1c7a977c..a3ffec77 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -390,6 +390,11 @@ Ext.define('PBS.login.TfaWindow', {
 		// Byte array fixup, keep challenge string:
 		challenge.string = challenge.publicKey.challenge;
 		challenge.publicKey.challenge = PBS.Utils.base64url_to_bytes(challenge.string);
+		let userVerification = Ext.state.Manager.getProvider().get('webauthn-user-verification');
+		if (userVerification !== undefined) {
+		    challenge.publicKey.userVerification = userVerification;
+		}
+
 		for (const cred of challenge.publicKey.allowCredentials) {
 		    cred.id = PBS.Utils.base64url_to_bytes(cred.id);
 		}
diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
index 16731a63..d2434f2c 100644
--- a/www/window/AddWebauthn.js
+++ b/www/window/AddWebauthn.js
@@ -79,6 +79,13 @@ Ext.define('PBS.window.AddWebauthn', {
 		// string to pass in the response:
 		let challenge_str = challenge_obj.publicKey.challenge;
 		challenge_obj.publicKey.challenge = PBS.Utils.base64url_to_bytes(challenge_str);
+		let userVerification = Ext.state.Manager.getProvider().get('webauthn-user-verification');
+		if (userVerification !== undefined) {
+		    challenge_obj.publicKey.authenticatorSelection = {
+			userVerification,
+		    };
+		}
+
 		challenge_obj.publicKey.user.id =
 		    PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
 
diff --git a/www/window/Settings.js b/www/window/Settings.js
index ee8464be..7059605c 100644
--- a/www/window/Settings.js
+++ b/www/window/Settings.js
@@ -30,6 +30,9 @@ Ext.define('PBS.window.Settings', {
 	    let username = sp.get('login-username') || Proxmox.Utils.noneText;
 	    me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
 
+	    let userverification= sp.get('webauthn-user-verification') || '__default__';
+	    me.lookupReference('webauthnUserVerification').setValue(userverification);
+
 	    let settings = ['fontSize', 'fontFamily', 'letterSpacing', 'lineHeight'];
 	    settings.forEach(function(setting) {
 		let val = localStorage.getItem('pve-xterm-' + setting);
@@ -91,7 +94,7 @@ Ext.define('PBS.window.Settings', {
 	    },
 	    'button[name=reset]': {
 		click: function() {
-		    let blacklist = ['login-username'];
+		    let blacklist = ['login-username', 'webauthn-user-verification'];
 		    let sp = Ext.state.Manager.getProvider();
 		    for (const state of Object.values(sp.state)) {
 			if (blacklist.indexOf(state) !== -1) {
@@ -114,6 +117,14 @@ Ext.define('PBS.window.Settings', {
 		    sp.clear('login-username');
 		},
 	    },
+	    'field[reference=webauthnUserVerification]': {
+		change: function(e, v) {
+		    if (v === '__default__') {
+			v = undefined;
+		    }
+		    Ext.state.Manager.getProvider().set('webauthn-user-verification', v);
+		},
+	    },
 	},
     },
 
@@ -174,6 +185,23 @@ Ext.define('PBS.window.Settings', {
 		    },
 		],
 	    },
+	    {
+		xtype: 'box',
+		autoEl: { tag: 'hr' },
+	    },
+	    {
+		xtype: 'proxmoxKVComboBox',
+		fieldLabel: gettext('WebAuthn User Verification') + ':',
+		labelWidth: 150,
+		stateId: 'webauthn-user-verification',
+		reference: 'webauthnUserVerification',
+		value: '__default__',
+		comboItems: [
+		    ['__default__', Proxmox.Utils.defaultText],
+		    ['discouraged', gettext('Discouraged')],
+		    ['preferred', gettext('Preferred')],
+		],
+	    },
 	],
     },
     {
-- 
2.20.1