From a13a3c45f2d3998158e51ef4e8d43ca4a3c3eafe Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Sun, 19 Feb 2023 11:48:35 +1100
Subject: [PATCH] fix: encoding

---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/handlers/handler_sign_webauthn.go | 10 ++++----
 internal/handlers/webauthn.go | 27 +++++++++++++++-------
 web/src/services/Webauthn.ts | 4 ----
 5 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/go.mod b/go.mod
index e7184e759..95cc5ba7b 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/go-ldap/ldap/v3 v3.4.4
 github.com/go-rod/rod v0.112.5
 github.com/go-sql-driver/mysql v1.7.0
- github.com/go-webauthn/webauthn v0.7.2-0.20230215030733-184b9e43f224
+ github.com/go-webauthn/webauthn v0.8.0
 github.com/golang-jwt/jwt/v4 v4.4.3
 github.com/golang/mock v1.6.0
 github.com/google/uuid v1.3.0
diff --git a/go.sum b/go.sum
index f2d46e05c..32c7c19a0 100644
--- a/go.sum
+++ b/go.sum
@@ -192,8 +192,8 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg78
 github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-webauthn/revoke v0.1.9 h1:gSJ1ckA9VaKA2GN4Ukp+kiGTk1/EXtaDb1YE8RknbS0=
 github.com/go-webauthn/revoke v0.1.9/go.mod h1:j6WKPnv0HovtEs++paan9g3ar46gm1NarktkXBaPR+w=
-github.com/go-webauthn/webauthn v0.7.2-0.20230215030733-184b9e43f224 h1:FD36ZZlNO+E1MarHZiWT6KiZpEUc06slIeT1P2suK9k=
-github.com/go-webauthn/webauthn v0.7.2-0.20230215030733-184b9e43f224/go.mod h1:22OJd+TV8oHrjjXmPHtcPR82lR/yR5m5ilGiF8yPFrE=
+github.com/go-webauthn/webauthn v0.8.0 h1:0MPTC348uPc88XCmn5VZaI+Lp0u2LXawYpPvNayLsio=
+github.com/go-webauthn/webauthn v0.8.0/go.mod h1:22OJd+TV8oHrjjXmPHtcPR82lR/yR5m5ilGiF8yPFrE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
diff --git a/internal/handlers/handler_sign_webauthn.go b/internal/handlers/handler_sign_webauthn.go
index 523e5a692..aa9bbb840 100644
--- a/internal/handlers/handler_sign_webauthn.go
+++ b/internal/handlers/handler_sign_webauthn.go
@@ -58,9 +58,11 @@ func WebauthnAssertionGET(ctx *middlewares.AutheliaCtx) {
 if len(extensions) != 0 {
 opts = append(opts, webauthn.WithAssertionExtensions(extensions))
 }
 
- var assertion *protocol.CredentialAssertion
- data := session.Webauthn{}
+ var (
+ assertion *protocol.CredentialAssertion
+ data session.Webauthn
+ )
 
 if assertion, data.SessionData, err = w.BeginLogin(user, opts...); err != nil {
 ctx.Logger.Errorf("Unable to create %s authentication challenge for user '%s': %+v", regulation.AuthTypeWebauthn, userSession.Username, err)
@@ -207,8 +209,8 @@ func WebauthnAssertionPOST(ctx *middlewares.AutheliaCtx) {
 }
 
 userSession.SetTwoFactorWebauthn(ctx.Clock.Now(),
- assertionResponse.Response.AuthenticatorData.Flags.UserPresent(),
- assertionResponse.Response.AuthenticatorData.Flags.UserVerified())
+ assertionResponse.Response.AuthenticatorData.Flags.HasUserPresent(),
+ assertionResponse.Response.AuthenticatorData.Flags.HasUserVerified())
 
 if err = ctx.SaveSession(userSession); err != nil {
 ctx.Logger.Errorf(logFmtErrSessionSave, "removal of the authentiation challenge and authentication time", regulation.AuthTypeWebauthn, userSession.Username, err)
diff --git a/internal/handlers/webauthn.go b/internal/handlers/webauthn.go
index 9aff664a4..32e48ef1f 100644
--- a/internal/handlers/webauthn.go
+++ b/internal/handlers/webauthn.go
@@ -51,19 +51,30 @@ func newWebauthn(ctx *middlewares.AutheliaCtx) (w *webauthn.WebAuthn, err error) {
 }
 
 config := &webauthn.Config{
- RPDisplayName: ctx.Configuration.Webauthn.DisplayName,
- RPID: origin.Hostname(),
- RPOrigins: []string{origin.String()},
- RPIcon: "",
-
+ RPID: origin.Hostname(),
+ RPDisplayName: ctx.Configuration.Webauthn.DisplayName,
+ RPOrigins: []string{origin.String()},
 AttestationPreference: ctx.Configuration.Webauthn.ConveyancePreference,
 AuthenticatorSelection: protocol.AuthenticatorSelection{
 AuthenticatorAttachment: protocol.CrossPlatform,
- UserVerification: ctx.Configuration.Webauthn.UserVerification,
 RequireResidentKey: protocol.ResidentKeyNotRequired(),
+ ResidentKey: protocol.ResidentKeyRequirementDiscouraged,
+ UserVerification: ctx.Configuration.Webauthn.UserVerification,
+ },
+ Debug: false,
+ EncodeUserIDAsString: true,
+ Timeouts: webauthn.TimeoutsConfig{
+ Login: webauthn.TimeoutConfig{
+ Enforce: true,
+ Timeout: ctx.Configuration.Webauthn.Timeout,
+ TimeoutUVD: ctx.Configuration.Webauthn.Timeout,
+ },
+ Registration: webauthn.TimeoutConfig{
+ Enforce: true,
+ Timeout: ctx.Configuration.Webauthn.Timeout,
+ TimeoutUVD: ctx.Configuration.Webauthn.Timeout,
+ },
 },
-
- Timeout: int(ctx.Configuration.Webauthn.Timeout.Milliseconds()),
 }
 
 ctx.Logger.Tracef("Creating new Webauthn RP instance with ID %s and Origins %s", config.RPID, strings.Join(config.RPOrigins, ", "))
diff --git a/web/src/services/Webauthn.ts b/web/src/services/Webauthn.ts
index 492f45cde..64dc266ae 100644
--- a/web/src/services/Webauthn.ts
+++ b/web/src/services/Webauthn.ts
@@ -104,8 +104,6 @@ function getAssertionResultFromDOMException(
 }
 }
 
-const decode = (str: string): string => window.atob(str.replace("-", "+").replace("_", "/")).toString();
-
 export async function getAttestationCreationOptions(
 description: string,
 ): Promise {
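Review bot: `EncodeUserIDAsString: true` in the new `webauthn.Config` literal makes the library send whatever the user's `WebAuthnID()` returns to the browser as a plain string rather than base64url-encoded bytes, and nothing in the hunk records what that value is; the WebAuthn spec (§14.6.1) requires the user handle to be an opaque identifier that must not contain PII such as the username or e-mail, so confirm the ID is a surrogate (a random or database identifier, not the account name) and pin that down with a comment like `// EncodeUserIDAsString: user.id is sent verbatim, so WebAuthnID() must return an opaque, non-PII handle.` The `Timeouts` block also needs a why-comment: `Enforce: true` appears to make `FinishLogin`/`FinishRegistration` reject a ceremony whose challenge is older than the configured timeout on the server side, which the removed `Timeout` field (only forwarded to the client as a hint) did not, and `TimeoutUVD` is deliberately collapsed to the same value even though the library and the spec keep a separate default for user-verification-discouraged ceremonies. `newWebauthn` starts before the hunk and its return is outside it.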
@@ -127,8 +125,6 @@ export async function getAttestationCreationOptions(
 };
 }
 
- response.data.data.publicKey.user.id = decode(response.data.data.publicKey.user.id);
-
 return {
 options: response.data.data.publicKey,
 status: response.status,