From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>,
Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice
Date: Mon, 22 Feb 2021 15:08:45 +0100 [thread overview]
Message-ID: <db4a4a5e-abdd-d0ab-c711-ccd4c43d8596@proxmox.com> (raw)
In-Reply-To: <20210222094301.13858-4-d.csapak@proxmox.com>
On 22.02.21 10:43, Dominik Csapak wrote:
> by adding the existing credential id to the 'excludeCredentials' list
But the webauthn does not cares about this, meaning its intended to
work.
> this prevents the browser from registering a token twice, which
> lets authentication fail on some browser/token combinations
> (e.g. onlykey+chromium)
isn't that a FW bug there and should be fixed there?
Would like to avoid such special handling for buggy FW/HW/.. especially
if the workaround is as simple as "just don't register it twice"
(outside of testing I never came to the idea of registering a token
more than once in those accounts I use a fido/u2f token)
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> src/config/tfa.rs | 15 +++++++++++++--
> www/window/AddWebauthn.js | 7 +++++++
> 2 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/src/config/tfa.rs b/src/config/tfa.rs
> index 29e0fb48..7c656d20 100644
> --- a/src/config/tfa.rs
> +++ b/src/config/tfa.rs
> @@ -803,9 +803,20 @@ impl TfaUserData {
> userid: &Userid,
> description: String,
> ) -> Result<String, Error> {
> + let cred_ids: Vec<_> = self
> + .enabled_webauthn_entries()
> + .map(|cred| cred.cred_id.clone())
> + .collect();
> +
> let userid_str = userid.to_string();
> - let (challenge, state) = webauthn
> - .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
> + let (challenge, state) = webauthn.generate_challenge_register_options(
> + userid_str.as_bytes().to_vec(),
> + userid_str.clone(),
> + userid_str.clone(),
> + Some(cred_ids),
> + Some(UserVerificationPolicy::Discouraged),
> + )?;
> +
> let challenge_string = challenge.public_key.challenge.to_string();
> let challenge = serde_json::to_string(&challenge)?;
>
> diff --git a/www/window/AddWebauthn.js b/www/window/AddWebauthn.js
> index 16731a63..a3888206 100644
> --- a/www/window/AddWebauthn.js
> +++ b/www/window/AddWebauthn.js
> @@ -82,6 +82,13 @@ Ext.define('PBS.window.AddWebauthn', {
> challenge_obj.publicKey.user.id =
> PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
>
> + // convert existing authenticators structure
> + challenge_obj.publicKey.excludeCredentials =
> + (challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
> + id: PBS.Utils.base64url_to_bytes(cred.id),
> + type: cred.type,
> + }));
> +
> let msg = Ext.Msg.show({
> title: `Webauthn: ${gettext('Setup')}`,
> message: gettext('Please press the button on your Webauthn Device'),
>
next prev parent reply other threads:[~2021-02-22 14:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 9:42 [pbs-devel] [PATCH proxmox-backup 0/3] improving webauthn handling Dominik Csapak
2021-02-22 9:42 ` [pbs-devel] [PATCH proxmox-backup 1/3] config/tfa: set UserVerificationPolicy to Discouraged Dominik Csapak
2021-02-22 9:43 ` [pbs-devel] [PATCH proxmox-backup 2/3] Revert "ui: window/Settings / WebAuthn: add browser setting for userVerificationo" Dominik Csapak
2021-02-22 9:43 ` [pbs-devel] [PATCH proxmox-backup 3/3] config/tfa: webauthn: disallow registering a token twice Dominik Csapak
2021-02-22 14:08 ` Thomas Lamprecht [this message]
2021-02-22 14:47 ` Dominik Csapak
2021-02-23 7:49 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db4a4a5e-abdd-d0ab-c711-ccd4c43d8596@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox