tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

config/tfa: webauthn: disallow registering a token twice 

by adding the existing credential id to the 'excludeCredentials' list

this prevents the browser from registering a token twice, which
lets authentication fail on some browser/token combinations
(e.g. onlykey/solokey+chromium)
while is seems this is currently a bug in chromium, in a future spec
update the underlying behaviour should be better defined, making this
an authenticator bug

also explicitly catch registering errors and show appropriate error messages

0: https://bugs.chromium.org/p/chromium/issues/detail?id=1087642

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2021-02-25 10:01:21 +01:00 committed by Thomas Lamprecht
parent b452e2df74
commit 831c43c91b
2 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/config/tfa.rs
View File

@ -803,9 +803,20 @@ impl TfaUserData {
userid: &Userid, userid: &Userid,
description: String, description: String,
) -> Result<String, Error> { ) -> Result<String, Error> {
let cred_ids: Vec<_> = self
.enabled_webauthn_entries()
.map(|cred| cred.cred_id.clone())
.collect();
let userid_str = userid.to_string(); let userid_str = userid.to_string();
let (challenge, state) = webauthn let (challenge, state) = webauthn.generate_challenge_register_options(
.generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?; userid_str.as_bytes().to_vec(),
userid_str.clone(),
userid_str.clone(),
Some(cred_ids),
Some(UserVerificationPolicy::Discouraged),
)?;
let challenge_string = challenge.public_key.challenge.to_string(); let challenge_string = challenge.public_key.challenge.to_string();
let challenge = serde_json::to_string(&challenge)?; let challenge = serde_json::to_string(&challenge)?;

27
www/window/AddWebauthn.js
View File

@ -82,13 +82,38 @@ Ext.define('PBS.window.AddWebauthn', {
challenge_obj.publicKey.user.id = challenge_obj.publicKey.user.id =
PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id); PBS.Utils.base64url_to_bytes(challenge_obj.publicKey.user.id);
// convert existing authenticators structure
challenge_obj.publicKey.excludeCredentials =
(challenge_obj.publicKey.excludeCredentials || []).map((cred) => ({
id: PBS.Utils.base64url_to_bytes(cred.id),
type: cred.type,
}));
let msg = Ext.Msg.show({ let msg = Ext.Msg.show({
title: `Webauthn: ${gettext('Setup')}`, title: `Webauthn: ${gettext('Setup')}`,
message: gettext('Please press the button on your Webauthn Device'), message: gettext('Please press the button on your Webauthn Device'),
buttons: [], buttons: [],
}); });
let token_response = await navigator.credentials.create(challenge_obj); let token_response;
try {
token_response = await navigator.credentials.create(challenge_obj);
} catch (error) {
let errmsg = `<i class="fa fa-warning warning"></i>
${error.name}: ${error.message}`;
if (error.name === 'InvalidStateError') {
// probably a duplicate token
throw `${gettext('There was an error during authenticator registration.')}
<br>
${gettext('This probably means that this authenticator is already registered.')}
<br><br>
${errmsg}`;
} else {
throw `${gettext('There was an error during token registration.')}
<br><br>
${errmsg}`;
}
}
// We cannot pass ArrayBuffers to the API, so extract & convert the data. // We cannot pass ArrayBuffers to the API, so extract & convert the data.
let response = { let response = {