config/tfa: webauthn: disallow registering a token twice
by adding the existing credential id to the 'excludeCredentials' list this prevents the browser from registering a token twice, which lets authentication fail on some browser/token combinations (e.g. onlykey/solokey+chromium) while is seems this is currently a bug in chromium, in a future spec update the underlying behaviour should be better defined, making this an authenticator bug also explicitly catch registering errors and show appropriate error messages 0: https://bugs.chromium.org/p/chromium/issues/detail?id=1087642 Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
parent
b452e2df74
commit
831c43c91b
@ -803,9 +803,20 @@ impl TfaUserData {
|
||||
userid: &Userid,
|
||||
description: String,
|
||||
) -> Result<String, Error> {
|
||||
let cred_ids: Vec<_> = self
|
||||
.enabled_webauthn_entries()
|
||||
.map(|cred| cred.cred_id.clone())
|
||||
.collect();
|
||||
|
||||
let userid_str = userid.to_string();
|
||||
let (challenge, state) = webauthn
|
||||
.generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
|
||||
let (challenge, state) = webauthn.generate_challenge_register_options(
|
||||
userid_str.as_bytes().to_vec(),
|
||||
userid_str.clone(),
|
||||
userid_str.clone(),
|
||||
Some(cred_ids),
|
||||
Some(UserVerificationPolicy::Discouraged),
|
||||
)?;
|
||||
|
||||
let challenge_string = challenge.public_key.challenge.to_string();
|
||||
let challenge = serde_json::to_string(&challenge)?;
|
||||
|
||||
|
@ -82,13 +82,38 @@ Ext.define('PBS.window.AddWebauthn', {
|
||||
challenge_obj.publicKey.user.id =
|
||||
PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
|
||||
|
||||
// convert existing authenticators structure
|
||||
challenge_obj.publicKey.excludeCredentials =
|
||||
(challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
|
||||
id: PBS.Utils.base64url_to_bytes(cred.id),
|
||||
type: cred.type,
|
||||
}));
|
||||
|
||||
let msg = Ext.Msg.show({
|
||||
title: `Webauthn: ${gettext('Setup')}`,
|
||||
message: gettext('Please press the button on your Webauthn Device'),
|
||||
buttons: [],
|
||||
});
|
||||
|
||||
let token_response = await navigator.credentials.create(challenge_obj);
|
||||
let token_response;
|
||||
try {
|
||||
token_response = await navigator.credentials.create(challenge_obj);
|
||||
} catch (error) {
|
||||
let errmsg = `<i class="fa fa-warning warning"></i>
|
||||
${error.name}: ${error.message}`;
|
||||
if (error.name === 'InvalidStateError') {
|
||||
// probably a duplicate token
|
||||
throw `${gettext('There was an error during authenticator registration.')}
|
||||
<br>
|
||||
${gettext('This probably means that this authenticator is already registered.')}
|
||||
<br><br>
|
||||
${errmsg}`;
|
||||
} else {
|
||||
throw `${gettext('There was an error during token registration.')}
|
||||
<br><br>
|
||||
${errmsg}`;
|
||||
}
|
||||
}
|
||||
|
||||
// We cannot pass ArrayBuffers to the API, so extract & convert the data.
|
||||
let response = {
|
||||
|
Loading…
Reference in New Issue
Block a user