From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 2/2] ui: window/Settings / WebAuthn: add browser setting for userVerificationo
Date: Fri, 19 Feb 2021 15:40:49 +0100 [thread overview]
Message-ID: <20210219144049.22810-2-d.csapak@proxmox.com> (raw)
In-Reply-To: <20210219144049.22810-1-d.csapak@proxmox.com>
some fido2/webauthn keys can have a pin, and the client can request
a mode for the user verification.
'default' (no value set), lets the browser/device decide if the user has to
enter the pin of the device
'discouraged' requests that the user should not need to enter the pin
'preferred' requests that the user should need to enter the pin (if possible)
since we use webauthn only as a 2nd factor, having the user enter
the device pin on login may seem too much hassle for some users, so
give them the option
since this is a client option anyway, do not save it in the backend, but
in the browser local storage
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
www/LoginView.js | 5 +++++
www/window/AddWebauthn.js | 7 +++++++
www/window/Settings.js | 30 +++++++++++++++++++++++++++++-
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/www/LoginView.js b/www/LoginView.js
index 1c7a977c..a3ffec77 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -390,6 +390,11 @@ Ext.define('PBS.login.TfaWindow', {
// Byte array fixup, keep challenge string:
challenge.string = challenge.publicKey.challenge;
challenge.publicKey.challenge = PBS.Utils.base64url_to_bytes(challenge.string);
+ let userVerification = Ext.state.Manager.getProvider().get('webauthn-user-verification');
+ if (userVerification !== undefined) {
+ challenge.publicKey.userVerification = userVerification;
+ }
+
for (const cred of challenge.publicKey.allowCredentials) {
cred.id = PBS.Utils.base64url_to_bytes(cred.id);
}
diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
index 16731a63..d2434f2c 100644
--- a/www/window/AddWebauthn.js
+++ b/www/window/AddWebauthn.js
@@ -79,6 +79,13 @@ Ext.define('PBS.window.AddWebauthn', {
// string to pass in the response:
let challenge_str = challenge_obj.publicKey.challenge;
challenge_obj.publicKey.challenge = PBS.Utils.base64url_to_bytes(challenge_str);
+ let userVerification = Ext.state.Manager.getProvider().get('webauthn-user-verification');
+ if (userVerification !== undefined) {
+ challenge_obj.publicKey.authenticatorSelection = {
+ userVerification,
+ };
+ }
+
challenge_obj.publicKey.user.id =
PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
diff --git a/www/window/Settings.js b/www/window/Settings.js
index ee8464be..7059605c 100644
--- a/www/window/Settings.js
+++ b/www/window/Settings.js
@@ -30,6 +30,9 @@ Ext.define('PBS.window.Settings', {
let username = sp.get('login-username') || Proxmox.Utils.noneText;
me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));
+ let userverification= sp.get('webauthn-user-verification') || '__default__';
+ me.lookupReference('webauthnUserVerification').setValue(userverification);
+
let settings = ['fontSize', 'fontFamily', 'letterSpacing', 'lineHeight'];
settings.forEach(function(setting) {
let val = localStorage.getItem('pve-xterm-' + setting);
@@ -91,7 +94,7 @@ Ext.define('PBS.window.Settings', {
},
'button[name=reset]': {
click: function() {
- let blacklist = ['login-username'];
+ let blacklist = ['login-username', 'webauthn-user-verification'];
let sp = Ext.state.Manager.getProvider();
for (const state of Object.values(sp.state)) {
if (blacklist.indexOf(state) !== -1) {
@@ -114,6 +117,14 @@ Ext.define('PBS.window.Settings', {
sp.clear('login-username');
},
},
+ 'field[reference=webauthnUserVerification]': {
+ change: function(e, v) {
+ if (v === '__default__') {
+ v = undefined;
+ }
+ Ext.state.Manager.getProvider().set('webauthn-user-verification', v);
+ },
+ },
},
},
@@ -174,6 +185,23 @@ Ext.define('PBS.window.Settings', {
},
],
},
+ {
+ xtype: 'box',
+ autoEl: { tag: 'hr' },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ fieldLabel: gettext('WebAuthn User Verification') + ':',
+ labelWidth: 150,
+ stateId: 'webauthn-user-verification',
+ reference: 'webauthnUserVerification',
+ value: '__default__',
+ comboItems: [
+ ['__default__', Proxmox.Utils.defaultText],
+ ['discouraged', gettext('Discouraged')],
+ ['preferred', gettext('Preferred')],
+ ],
+ },
],
},
{
--
2.20.1
next prev parent reply other threads:[~2021-02-19 14:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-19 14:40 [pbs-devel] [PATCH proxmox-backup 1/2] ui: add browser settings window Dominik Csapak
2021-02-19 14:40 ` Dominik Csapak [this message]
2021-02-19 15:53 ` [pbs-devel] applied: " Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210219144049.22810-2-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox