From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 0F0946C2BA for ; Mon, 22 Feb 2021 10:43:35 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 064A52D317 for ; Mon, 22 Feb 2021 10:43:05 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 8994B2D2FE for ; Mon, 22 Feb 2021 10:43:03 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5690841ADC for ; Mon, 22 Feb 2021 10:43:03 +0100 (CET) From: Dominik Csapak To: pbs-devel@lists.proxmox.com Date: Mon, 22 Feb 2021 10:43:01 +0100 Message-Id: <20210222094301.13858-4-d.csapak@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210222094301.13858-1-d.csapak@proxmox.com> References: <20210222094301.13858-1-d.csapak@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.211 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Feb 2021 09:43:35 -0000 by adding the existing credential id to the 'excludeCredentials' list this prevents the browser from registering a token twice, which lets authentication fail on some browser/token combinations (e.g. onlykey+chromium) Signed-off-by: Dominik Csapak --- src/config/tfa.rs | 15 +++++++++++++-- www/window/AddWebauthn.js | 7 +++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/config/tfa.rs b/src/config/tfa.rs index 29e0fb48..7c656d20 100644 --- a/src/config/tfa.rs +++ b/src/config/tfa.rs @@ -803,9 +803,20 @@ impl TfaUserData { userid: &Userid, description: String, ) -> Result { + let cred_ids: Vec<_> = self + .enabled_webauthn_entries() + .map(|cred| cred.cred_id.clone()) + .collect(); + let userid_str = userid.to_string(); - let (challenge, state) = webauthn - .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?; + let (challenge, state) = webauthn.generate_challenge_register_options( + userid_str.as_bytes().to_vec(), + userid_str.clone(), + userid_str.clone(), + Some(cred_ids), + Some(UserVerificationPolicy::Discouraged), + )?; + let challenge_string = challenge.public_key.challenge.to_string(); let challenge = serde_json::to_string(&challenge)?; diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js index 16731a63..a3888206 100644 --- a/www/window/AddWebauthn.js +++ b/www/window/AddWebauthn.js @@ -82,6 +82,13 @@ Ext.define('PBS.window.AddWebauthn', { challenge_obj.publicKey.user.id = PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id); + // convert existing authenticators structure + challenge_obj.publicKey.excludeCredentials = + (challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({ + id: PBS.Utils.base64url_to_bytes(cred.id), + type: cred.type, + })); + let msg = Ext.Msg.show({ title: `Webauthn: ${gettext('Setup')}`, message: gettext('Please press the button on your Webauthn Device'), -- 2.20.1