Re: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>,
	Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice
Date: Mon, 22 Feb 2021 15:08:45 +0100	[thread overview]
Message-ID: <db4a4a5e-abdd-d0ab-c711-ccd4c43d8596@proxmox.com> (raw)
In-Reply-To: <20210222094301.13858-4-d.csapak@proxmox.com>

On 22.02.21 10:43, Dominik Csapak wrote:
> by adding the existing credential id to the 'excludeCredentials' list

But the webauthn does not cares about this, meaning its intended to
work.

> this prevents the browser from registering a token twice, which
> lets authentication fail on some browser/token combinations
> (e.g. onlykey+chromium)

isn't that a FW bug there and should be fixed there?

Would like to avoid such special handling for buggy FW/HW/.. especially
if the workaround is as simple as "just don't register it twice"
(outside of testing I never came to the idea of registering a token
more than once in those accounts I use a fido/u2f token)

> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  src/config/tfa.rs         | 15 +++++++++++++--
>  www/window/AddWebauthn.js |  7 +++++++
>  2 files changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/src/config/tfa.rs b/src/config/tfa.rs
> index 29e0fb48..7c656d20 100644
> --- a/src/config/tfa.rs
> +++ b/src/config/tfa.rs
> @@ -803,9 +803,20 @@ impl TfaUserData {
>          userid: &Userid,
>          description: String,
>      ) -> Result<String, Error> {
> +        let cred_ids: Vec<_> = self
> +            .enabled_webauthn_entries()
> +            .map(|cred| cred.cred_id.clone())
> +            .collect();
> +
>          let userid_str = userid.to_string();
> -        let (challenge, state) = webauthn
> -            .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
> +        let (challenge, state) = webauthn.generate_challenge_register_options(
> +            userid_str.as_bytes().to_vec(),
> +            userid_str.clone(),
> +            userid_str.clone(),
> +            Some(cred_ids),
> +            Some(UserVerificationPolicy::Discouraged),
> +        )?;
> +
>          let challenge_string = challenge.public_key.challenge.to_string();
>          let challenge = serde_json::to_string(&challenge)?;
>  
> diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
> index 16731a63..a3888206 100644
> --- a/www/window/AddWebauthn.js
> +++ b/www/window/AddWebauthn.js
> @@ -82,6 +82,13 @@ Ext.define('PBS.window.AddWebauthn', {
>  		challenge_obj.publicKey.user.id =
>  		    PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
>  
> +		// convert existing authenticators structure
> +		challenge_obj.publicKey.excludeCredentials =
> +		    (challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
> +			id: PBS.Utils.base64url_to_bytes(cred.id),
> +			type: cred.type,
> +		    }));
> +
>  		let msg = Ext.Msg.show({
>  		    title: `Webauthn: ${gettext('Setup')}`,
>  		    message: gettext('Please press the button on your Webauthn Device'),
>

next prev parent reply	other threads:[~2021-02-22 14:09 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-22  9:42 [pbs-devel] [PATCH proxmox-backup 0/3] improving webauthn handling Dominik Csapak
2021-02-22  9:42 ` [pbs-devel] [PATCH proxmox-backup 1/3] config/tfa: set UserVerificationPolicy to Discouraged Dominik Csapak
2021-02-22  9:43 ` [pbs-devel] [PATCH proxmox-backup 2/3] Revert "ui: window/Settings / WebAuthn: add browser setting for userVerificationo" Dominik Csapak
2021-02-22  9:43 ` [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice Dominik Csapak
2021-02-22 14:08   ` Thomas Lamprecht [this message]
2021-02-22 14:47     ` Dominik Csapak
2021-02-23  7:49       ` Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=db4a4a5e-abdd-d0ab-c711-ccd4c43d8596@proxmox.com \
    --to=t.lamprecht@proxmox.com \
    --cc=d.csapak@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal