From ab21c7a06b89e85ed216ac67711a0f6723f49781 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Fri, 14 Jan 2022 20:59:32 +0100
Subject: [PATCH] prevent user from registering authenticator multiple times

---
 data/web/json_api.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index c3f8d9fc..dfaa7383 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -465,11 +465,18 @@ if (isset($_GET['query'])) {
 // webauthn two factor authentication
 case "webauthn-tfa-registration":
 if (isset($_SESSION["mailcow_cc_role"])) {
+ // Exclude existing CredentialIds, if any
+ $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
+ $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
+ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+ while($row = array_shift($rows)) {
+ $excludeCredentialIds[] = base64_decode($row['keyHandle']);
+ }
 // getCreateArgs($userId, $userName, $userDisplayName, $timeout=20, $requireResidentKey=false, $requireUserVerification=false, $crossPlatformAttachment=null, $excludeCredentialIds=array())
 // cross-platform: true, if type internal is not allowed
 // false, if only internal is allowed
 // null, if internal and cross-platform is allowed
- $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, false, $GLOBALS['WEBAUTHN_UV_FLAG_REGISTER'], null);
+ $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, false, $GLOBALS['WEBAUTHN_UV_FLAG_REGISTER'], null, $excludeCredentialIds);
 print(json_encode($createArgs));
 $_SESSION['challenge'] = $WebAuthn->getChallenge();