From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id F10A79DE06 for ; Tue, 6 Jun 2023 12:03:49 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C88E032F9D for ; Tue, 6 Jun 2023 12:03:19 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 6 Jun 2023 12:03:19 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id DE3BD48C7D for ; Tue, 6 Jun 2023 12:03:18 +0200 (CEST) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Tue, 6 Jun 2023 12:03:17 +0200 Message-Id: <20230606100318.110005-1-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.130 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH v3 widget-toolkit 1/2] tfa: improve UX for recovery keys and when none are left X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jun 2023 10:03:50 -0000 If we get an empty challenge, tell the user to contact an administrator as it means no 2nd factors and no recovery keys are available. Currently if only 1 key was available and it had a high ID, we'd show something like: "Recovery keys available: 9, Warning, less than 4 keys available." Let's start off with the warning, and then be explicit about the IDs. Signed-off-by: Wolfgang Bumiller --- changes since v2: - fix wrong tfa type comparison - hide recovery input field when no recovery keys are left src/window/TfaWindow.js | 75 ++++++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 16 deletions(-) diff --git a/src/window/TfaWindow.js b/src/window/TfaWindow.js index 22ac50d..3646e0e 100644 --- a/src/window/TfaWindow.js +++ b/src/window/TfaWindow.js @@ -45,11 +45,17 @@ Ext.define('Proxmox.window.TfaLoginWindow', { let lastTabId = me.getLastTabUsed(); let initialTab = -1, i = 0; + let count2nd = 0; + let hasRecovery = false; for (const k of ['webauthn', 'totp', 'recovery', 'u2f', 'yubico']) { const available = !!challenge[k]; vm.set(`availableChallenge.${k}`, available); if (available) { + count2nd++; + if (k === 'recovery') { + hasRecovery = true; + } if (i === lastTabId) { initialTab = i; } else if (initialTab < 0) { @@ -58,15 +64,32 @@ Ext.define('Proxmox.window.TfaLoginWindow', { } i++; } + if (!count2nd || (count2nd === 1 && hasRecovery && !challenge.recovery.length)) { + // no 2nd factors available (and if recovery keys are configured they're empty) + me.lookup('cannotLogin').setVisible(true); + me.lookup('recoveryKey').setVisible(false); + view.down('tabpanel').setActiveTab(2); // recovery + return; + } view.down('tabpanel').setActiveTab(initialTab); if (challenge.recovery) { - me.lookup('availableRecovery').update(Ext.String.htmlEncode( - gettext('Available recovery keys: ') + view.challenge.recovery.join(', '), - )); - me.lookup('availableRecovery').setVisible(true); - if (view.challenge.recovery.length <= 3) { - me.lookup('recoveryLow').setVisible(true); + if (!view.challenge.recovery.length) { + me.lookup('recoveryEmpty').setVisible(true); + me.lookup('recoveryKey').setVisible(false); + } else { + let idList = view + .challenge + .recovery + .map((id) => Ext.String.format(gettext('ID {0}'), id)) + .join(', '); + me.lookup('availableRecovery').update(Ext.String.htmlEncode( + Ext.String.format(gettext('Available recovery keys: {0}'), idList), + )); + me.lookup('availableRecovery').setVisible(true); + if (view.challenge.recovery.length <= 3) { + me.lookup('recoveryLow').setVisible(true); + } } } @@ -365,19 +388,23 @@ Ext.define('Proxmox.window.TfaLoginWindow', { items: [ { xtype: 'box', - reference: 'availableRecovery', + reference: 'cannotLogin', hidden: true, + html: '' + + Ext.String.format( + gettext('No second factor left! Please contact an administrator!'), + 4, + ), }, { - xtype: 'textfield', - fieldLabel: gettext('Please enter one of your single-use recovery keys'), - labelWidth: 300, - name: 'recoveryKey', - disabled: true, - reference: 'recoveryKey', - allowBlank: false, - regex: /^[0-9a-f]{4}(-[0-9a-f]{4}){3}$/, - regexText: gettext('Does not look like a valid recovery key'), + xtype: 'box', + reference: 'recoveryEmpty', + hidden: true, + html: '' + + Ext.String.format( + gettext('No more recovery keys left! Please generate a new set!'), + 4, + ), }, { xtype: 'box', @@ -389,6 +416,22 @@ Ext.define('Proxmox.window.TfaLoginWindow', { 4, ), }, + { + xtype: 'box', + reference: 'availableRecovery', + hidden: true, + }, + { + xtype: 'textfield', + fieldLabel: gettext('Please enter one of your single-use recovery keys'), + labelWidth: 300, + name: 'recoveryKey', + disabled: true, + reference: 'recoveryKey', + allowBlank: false, + regex: /^[0-9a-f]{4}(-[0-9a-f]{4}){3}$/, + regexText: gettext('Does not look like a valid recovery key'), + }, ], }, { -- 2.39.2