From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice
Date: Mon, 22 Feb 2021 10:43:01 +0100 [thread overview]
Message-ID: <20210222094301.13858-4-d.csapak@proxmox.com> (raw)
In-Reply-To: <20210222094301.13858-1-d.csapak@proxmox.com>
by adding the existing credential id to the 'excludeCredentials' list
this prevents the browser from registering a token twice, which
lets authentication fail on some browser/token combinations
(e.g. onlykey+chromium)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/config/tfa.rs | 15 +++++++++++++--
www/window/AddWebauthn.js | 7 +++++++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/config/tfa.rs b/src/config/tfa.rs
index 29e0fb48..7c656d20 100644
--- a/src/config/tfa.rs
+++ b/src/config/tfa.rs
@@ -803,9 +803,20 @@ impl TfaUserData {
userid: &Userid,
description: String,
) -> Result<String, Error> {
+ let cred_ids: Vec<_> = self
+ .enabled_webauthn_entries()
+ .map(|cred| cred.cred_id.clone())
+ .collect();
+
let userid_str = userid.to_string();
- let (challenge, state) = webauthn
- .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
+ let (challenge, state) = webauthn.generate_challenge_register_options(
+ userid_str.as_bytes().to_vec(),
+ userid_str.clone(),
+ userid_str.clone(),
+ Some(cred_ids),
+ Some(UserVerificationPolicy::Discouraged),
+ )?;
+
let challenge_string = challenge.public_key.challenge.to_string();
let challenge = serde_json::to_string(&challenge)?;
diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
index 16731a63..a3888206 100644
--- a/www/window/AddWebauthn.js
+++ b/www/window/AddWebauthn.js
@@ -82,6 +82,13 @@ Ext.define('PBS.window.AddWebauthn', {
challenge_obj.publicKey.user.id =
PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
+ // convert existing authenticators structure
+ challenge_obj.publicKey.excludeCredentials =
+ (challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
+ id: PBS.Utils.base64url_to_bytes(cred.id),
+ type: cred.type,
+ }));
+
let msg = Ext.Msg.show({
title: `Webauthn: ${gettext('Setup')}`,
message: gettext('Please press the button on your Webauthn Device'),
--
2.20.1
next prev parent reply other threads:[~2021-02-22 9:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 9:42 [pbs-devel] [PATCH proxmox-backup 0/3] improving webauthn handling Dominik Csapak
2021-02-22 9:42 ` [pbs-devel] [PATCH proxmox-backup 1/3] config/tfa: set UserVerificationPolicy to Discouraged Dominik Csapak
2021-02-22 9:43 ` [pbs-devel] [PATCH proxmox-backup 2/3] Revert "ui: window/Settings / WebAuthn: add browser setting for userVerificationo" Dominik Csapak
2021-02-22 9:43 ` Dominik Csapak [this message]
2021-02-22 14:08 ` [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice Thomas Lamprecht
2021-02-22 14:47 ` Dominik Csapak
2021-02-23 7:49 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210222094301.13858-4-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox