From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 6076E69D69
 for <pbs-devel@lists.proxmox.com>; Thu, 25 Feb 2021 10:01:25 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 5B05031F12
 for <pbs-devel@lists.proxmox.com>; Thu, 25 Feb 2021 10:01:25 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 1AF1731EDC
 for <pbs-devel@lists.proxmox.com>; Thu, 25 Feb 2021 10:01:24 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D6E024615D
 for <pbs-devel@lists.proxmox.com>; Thu, 25 Feb 2021 10:01:23 +0100 (CET)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Thu, 25 Feb 2021 10:01:18 +0100
Message-Id: <20210225090122.1094-1-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.207 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH proxmox-backup v2 0/4] improving webauthn
 handling
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 09:01:25 -0000

it seems my gui patch for setting the userverification was a bit
hasty, since the rust crate has some options for that

this series reverts the gui part, and sets the backend
to 'discourage' userVerification, since 'Preferred' is not more secure
and makes logging in harder (on some devices)

in the future (when [0] is solved), we could expose a server
setting (either per instance or per user) that sets either always
'Discouraged' or 'Required'

changes from v1:
* show webauthn errors on login
* explicitly handle register errors, and try to give a meaningful message
  for errors that indicate a duplicate authenticator

0: https://github.com/kanidm/webauthn-rs/pull/49

Dominik Csapak (4):
  config/tfa: set UserVerificationPolicy to Discouraged
  Revert "ui: window/Settings / WebAuthn: add browser setting for
    userVerificationo"
  config/tfa: webauthn: disallow registering a token twice
  ui: LoginView: show webauthn errors in window

 src/config/tfa.rs         | 19 ++++++++++++++++---
 www/LoginView.js          | 19 ++++++++++++++-----
 www/window/AddWebauthn.js | 34 ++++++++++++++++++++++++++--------
 www/window/Settings.js    | 30 +-----------------------------
 4 files changed, 57 insertions(+), 45 deletions(-)

-- 
2.20.1