From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <t.lamprecht@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id D906968EE4
 for <pbs-devel@lists.proxmox.com>; Mon, 22 Feb 2021 15:09:17 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id C33BEA300
 for <pbs-devel@lists.proxmox.com>; Mon, 22 Feb 2021 15:08:47 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id D9DEAA2F2
 for <pbs-devel@lists.proxmox.com>; Mon, 22 Feb 2021 15:08:46 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 97517441E7
 for <pbs-devel@lists.proxmox.com>; Mon, 22 Feb 2021 15:08:46 +0100 (CET)
Message-ID: <db4a4a5e-abdd-d0ab-c711-ccd4c43d8596@proxmox.com>
Date: Mon, 22 Feb 2021 15:08:45 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101
 Thunderbird/86.0
Content-Language: en-US
To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>, Dominik Csapak <d.csapak@proxmox.com>
References: <20210222094301.13858-1-d.csapak@proxmox.com>
 <20210222094301.13858-4-d.csapak@proxmox.com>
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
In-Reply-To: <20210222094301.13858-4-d.csapak@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.057 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NICE_REPLY_A           -0.001 Looks like a legit reply (A)
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn:
 disallow registering a token twice
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2021 14:09:17 -0000

On 22.02.21 10:43, Dominik Csapak wrote:
> by adding the existing credential id to the 'excludeCredentials' list

But the webauthn does not cares about this, meaning its intended to
work.

> this prevents the browser from registering a token twice, which
> lets authentication fail on some browser/token combinations
> (e.g. onlykey+chromium)

isn't that a FW bug there and should be fixed there?

Would like to avoid such special handling for buggy FW/HW/.. especially
if the workaround is as simple as "just don't register it twice"
(outside of testing I never came to the idea of registering a token
more than once in those accounts I use a fido/u2f token)

> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  src/config/tfa.rs         | 15 +++++++++++++--
>  www/window/AddWebauthn.js |  7 +++++++
>  2 files changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/src/config/tfa.rs b/src/config/tfa.rs
> index 29e0fb48..7c656d20 100644
> --- a/src/config/tfa.rs
> +++ b/src/config/tfa.rs
> @@ -803,9 +803,20 @@ impl TfaUserData {
>          userid: &Userid,
>          description: String,
>      ) -> Result<String, Error> {
> +        let cred_ids: Vec<_> = self
> +            .enabled_webauthn_entries()
> +            .map(|cred| cred.cred_id.clone())
> +            .collect();
> +
>          let userid_str = userid.to_string();
> -        let (challenge, state) = webauthn
> -            .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
> +        let (challenge, state) = webauthn.generate_challenge_register_options(
> +            userid_str.as_bytes().to_vec(),
> +            userid_str.clone(),
> +            userid_str.clone(),
> +            Some(cred_ids),
> +            Some(UserVerificationPolicy::Discouraged),
> +        )?;
> +
>          let challenge_string = challenge.public_key.challenge.to_string();
>          let challenge = serde_json::to_string(&challenge)?;
>  
> diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
> index 16731a63..a3888206 100644
> --- a/www/window/AddWebauthn.js
> +++ b/www/window/AddWebauthn.js
> @@ -82,6 +82,13 @@ Ext.define('PBS.window.AddWebauthn', {
>  		challenge_obj.publicKey.user.id =
>  		    PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
>  
> +		// convert existing authenticators structure
> +		challenge_obj.publicKey.excludeCredentials =
> +		    (challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
> +			id: PBS.Utils.base64url_to_bytes(cred.id),
> +			type: cred.type,
> +		    }));
> +
>  		let msg = Ext.Msg.show({
>  		    title: `Webauthn: ${gettext('Setup')}`,
>  		    message: gettext('Please press the button on your Webauthn Device'),
>