[Web] Different UV flag for auth and register, remove unique key from fido2, delete tfa/fido2 when removing user object
This commit is contained in:
parent
c1376b4f4c
commit
ff071e5120
@ -229,6 +229,14 @@ function admin($_action, $_data = null) {
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_action, $_data_log),
|
||||
|
@ -358,6 +358,14 @@ function domain_admin($_action, $_data = null) {
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
|
||||
$stmt->execute(array(
|
||||
':username' => $username,
|
||||
));
|
||||
$_SESSION['return'][] = array(
|
||||
'type' => 'success',
|
||||
'log' => array(__FUNCTION__, $_action, $_data_log),
|
||||
|
@ -3,7 +3,7 @@ function init_db_schema() {
|
||||
try {
|
||||
global $pdo;
|
||||
|
||||
$db_version = "15112020_1110";
|
||||
$db_version = "16112020_1210";
|
||||
|
||||
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
|
||||
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
|
||||
@ -102,11 +102,6 @@ function init_db_schema() {
|
||||
"modified" => "DATETIME ON UPDATE NOW(0)",
|
||||
"active" => "TINYINT(1) NOT NULL DEFAULT '1'"
|
||||
),
|
||||
"keys" => array(
|
||||
"unique" => array(
|
||||
"fido2_username_CID" => array("username", "certificateSubject")
|
||||
)
|
||||
),
|
||||
"attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
|
||||
),
|
||||
"_sogo_static_view" => array(
|
||||
|
@ -178,7 +178,8 @@ $SHOW_LAST_LOGIN = true;
|
||||
// true = required
|
||||
// false = preferred
|
||||
// string 'required' 'preferred' 'discouraged'
|
||||
$FIDO2_UV_FLAG = 'preferred';
|
||||
$FIDO2_UV_FLAG_REGISTER = 'preferred';
|
||||
$FIDO2_UV_FLAG_LOGIN = 'preferred'; // iOS ignores the key via NFC if required - known issue
|
||||
$FIDO2_USER_PRESENT_FLAG = true;
|
||||
$FIDO2_FORMATS = array('android-key', 'android-safetynet', 'fido-u2f', 'none', 'packed', 'tpm');
|
||||
|
||||
|
@ -150,7 +150,7 @@ if (isset($_GET['query'])) {
|
||||
$attestationObject = base64_decode($post->attestationObject);
|
||||
$challenge = $_SESSION['challenge'];
|
||||
try {
|
||||
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
|
||||
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
|
||||
}
|
||||
catch (Throwable $ex) {
|
||||
$return = new stdClass();
|
||||
@ -285,7 +285,7 @@ if (isset($_GET['query'])) {
|
||||
exit;
|
||||
}
|
||||
try {
|
||||
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
|
||||
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
|
||||
}
|
||||
catch (Throwable $ex) {
|
||||
unset($process_fido2);
|
||||
@ -356,7 +356,7 @@ if (isset($_GET['query'])) {
|
||||
$_SESSION["mailcow_cc_username"] == $object) {
|
||||
// Exclude existing CredentialIds, if any
|
||||
$excludeCredentialIds = fido2(array("action" => "get_user_cids"));
|
||||
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG'], $excludeCredentialIds);
|
||||
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
|
||||
print(json_encode($createArgs));
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
return;
|
||||
@ -395,7 +395,7 @@ if (isset($_GET['query'])) {
|
||||
// return;
|
||||
// }
|
||||
$ids = NULL;
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG']);
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
|
||||
print(json_encode($getArgs));
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
return;
|
||||
|
Loading…
Reference in New Issue
Block a user