From ff071e5120e6ce5ec5a0d6fbc5393d1ed6fd6465 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Mon, 16 Nov 2020 15:01:02 +0100
Subject: [PATCH] [Web] Different UV flag for auth and register, remove unique key from fido2, delete tfa/fido2 when removing user object
---
 data/web/inc/functions.admin.inc.php | 8 ++++++++
 data/web/inc/functions.domain_admin.inc.php | 8 ++++++++
 data/web/inc/init_db.inc.php | 7 +------
 data/web/inc/vars.inc.php | 3 ++-
 data/web/json_api.php | 8 ++++----
 5 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/data/web/inc/functions.admin.inc.php b/data/web/inc/functions.admin.inc.php
index 3bac1688..bb0400e5 100644
--- a/data/web/inc/functions.admin.inc.php
+++ b/data/web/inc/functions.admin.inc.php
@@ -229,6 +229,14 @@ function admin($_action, $_data = null) {
 $stmt->execute(array(
 ':username' => $username,
 ));
+ $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+ $stmt->execute(array(
+ ':username' => $username,
+ ));
+ $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
+ $stmt->execute(array(
+ ':username' => $username,
+ ));
 $_SESSION['return'][] = array(
 'type' => 'success',
 'log' => array(__FUNCTION__, $_action, $_data_log),
diff --git a/data/web/inc/functions.domain_admin.inc.php b/data/web/inc/functions.domain_admin.inc.php
index 8ac3dea4..206b3715 100644
--- a/data/web/inc/functions.domain_admin.inc.php
+++ b/data/web/inc/functions.domain_admin.inc.php
@@ -358,6 +358,14 @@ function domain_admin($_action, $_data = null) {
 $stmt->execute(array(
 ':username' => $username,
 ));
+ $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+ $stmt->execute(array(
+ ':username' => $username,
+ ));
+ $stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
+ $stmt->execute(array(
+ ':username' => $username,
+ ));
 $_SESSION['return'][] = array(
 'type' => 'success',
 'log' => array(__FUNCTION__, $_action, $_data_log),
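Review bot: The three DELETEs in the admin() hunk (the account row above the hunk, then `tfa`, then `fido2`) are issued as separate statements, so a failure after the account row is gone leaves second-factor rows that are keyed only by `username` behind, and an account later created under the same name would inherit that TOTP secret or FIDO2 credential. Unless the delete branch already runs inside a transaction (admin()'s body starts above the hunk, so I can't see that), wrap the sequence: `$pdo->beginTransaction();` before the first prepare, `$pdo->commit();` after the last execute, and a `$pdo->rollBack();` in whatever catch handles PDO errors for this branch. Deleting the `tfa`/`fido2` rows before the account row is also the safer order: if the cleanup fails, the account is still there to retry against.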
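Review bot: The domain_admin() hunk is a verbatim copy of the six statements added to admin() in the same commit, so any future second-factor table, or a change to key these rows by something other than `username`, has to be patched in two places and is easy to miss in one. A small shared helper, e.g. `function delete_second_factors($username) { /* the two DELETEs */ }` in the common include, called from both delete branches, keeps the two cleanups in sync. domain_admin()'s body starts above the hunk, so whether it already has such a helper available is not visible here.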
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php index dcc70dac..396e0aa5 100644 --- a/data/web/inc/init_db.inc.php +++ b/data/web/inc/init_db.inc.php @@ -3,7 +3,7 @@ function init_db_schema() { try { global $pdo; - $db_version = "15112020_1110"; + $db_version = "16112020_1210"; $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); @@ -102,11 +102,6 @@ function init_db_schema() { "modified" => "DATETIME ON UPDATE NOW(0)", "active" => "TINYINT(1) NOT NULL DEFAULT '1'" ), - "keys" => array( - "unique" => array( - "fido2_username_CID" => array("username", "certificateSubject") - ) - ), "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" ), "_sogo_static_view" => array( diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php index 16c4e1ae..66526569 100644 --- a/data/web/inc/vars.inc.php +++ b/data/web/inc/vars.inc.php @@ -178,7 +178,8 @@ $SHOW_LAST_LOGIN = true; // true = required // false = preferred // string 'required' 'preferred' 'discouraged' -$FIDO2_UV_FLAG = 'preferred'; +$FIDO2_UV_FLAG_REGISTER = 'preferred'; +$FIDO2_UV_FLAG_LOGIN = 'preferred'; // iOS ignores the key via NFC if required - known issue $FIDO2_USER_PRESENT_FLAG = true; $FIDO2_FORMATS = array('android-key', 'android-safetynet', 'fido-u2f', 'none', 'packed', 'tpm'); diff --git a/data/web/json_api.php b/data/web/json_api.php index 4570e09e..d7ac4f06 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php 
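Review bot: Dropping `fido2_username_CID` removes the only database-side constraint on `fido2` that this diff shows, so nothing at the storage layer now rejects the same credential being stored twice for a user. The registration request in json_api.php hands the user's stored credential IDs (`get_user_cids`) to getCreateArgs, presumably as `excludeCredentials`, but that list is a hint the browser and authenticator honour and a hand-crafted client can ignore. If the goal is to allow several keys that share an attestation certificate subject (e.g. two keys of the same model), replace the key rather than drop it: a unique index on `username` plus the stored credential-ID column keeps duplicates out without blocking same-model keys. The credential-ID column itself is outside this hunk, so I can't quote its name.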
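Review bot: `$FIDO2_UV_FLAG_LOGIN = 'preferred'` means the login ceremony accepts an assertion from an authenticator that did not verify the user (no PIN or biometric), so possession of the key alone is enough for whatever the FIDO2 login grants; 'preferred' only asks the authenticator to verify if it can, it does not make the server insist on the UV bit. The iOS/NFC note below explains why the default isn't 'required', but the comment should also say what the operator gives up, e.g. `// LOGIN: 'preferred' lets a key that was not unlocked with PIN/biometric sign in; set 'required' if your authenticators and clients support it`. A stricter value at registration than at login is harmless; the reverse (register 'discouraged', login 'required') would lock out keys enrolled without UV, which is worth one more line in the same comment.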
@@ -150,7 +150,7 @@ if (isset($_GET['query'])) {
 $attestationObject = base64_decode($post->attestationObject);
 $challenge = $_SESSION['challenge'];
 try {
- $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
+ $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
 }
 catch (Throwable $ex) {
 $return = new stdClass();
@@ -285,7 +285,7 @@ if (isset($_GET['query'])) {
 exit;
 }
 try {
- $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
+ $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
 }
 catch (Throwable $ex) {
 unset($process_fido2);
@@ -356,7 +356,7 @@ if (isset($_GET['query'])) {
 $_SESSION["mailcow_cc_username"] == $object) {
 // Exclude existing CredentialIds, if any
 $excludeCredentialIds = fido2(array("action" => "get_user_cids"));
- $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG'], $excludeCredentialIds);
+ $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
 print(json_encode($createArgs));
 $_SESSION['challenge'] = $WebAuthn->getChallenge();
 return;
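Review bot: `$challenge = $_SESSION['challenge']` is consumed by the processCreate call on the new line but is not cleared anywhere in this hunk, so the same attestation can be posted again against the still-valid challenge until a later ceremony overwrites it; with the `fido2_username_CID` unique key dropped in this same commit, a replayed registration would store the credential a second time unless the insert path dedupes (that code is outside the hunk). Make the challenge single-use, e.g. `unset($_SESSION['challenge']);` immediately after the processCreate call, so a second POST fails the challenge check instead of reaching the insert. The enclosing request handler starts above the hunk, so if it already clears the challenge further down this is moot.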
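Review bot: The sixth argument of the processGet call on the new line is still `null`; if the vendored library is lbuchs/WebAuthn, that position is the previous signature counter, so the server never checks that the authenticator's counter increased and a cloned key is indistinguishable from the original. Store the counter next to `pub_key` in the `fido2` row, pass it here instead of `null`, and after a successful assertion persist `$WebAuthn->getSignatureCounter()` for that credential so the next login compares against it. Where `$process_fido2` is loaded is above the hunk, so I can't see whether a counter column is already fetched.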
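Review bot: The getCreateArgs call on the new line passes `$_SESSION["mailcow_cc_username"]` as user id, user name and display name alike, so the WebAuthn `user.id` written to the authenticator (resident keys appear to be requested by the `true` argument) is presumably the login name itself. The spec limits `user.id` to 64 bytes and recommends it carry no personally identifying information; a longer admin name makes the browser reject the ceremony, and the name becomes readable from the authenticator's resident-credential listing. An opaque, stable handle for the first argument, e.g. `hash('sha256', $_SESSION["mailcow_cc_username"], true)`, with the name kept only in the second and third, avoids both; note that changing the id makes authenticators treat already-enrolled users as new ones, so it is best done before wider rollout.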
@@ -395,7 +395,7 @@ if (isset($_GET['query'])) {
 // return;
 // }
 $ids = NULL;
- $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG']);
+ $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
 print(json_encode($getArgs));
 $_SESSION['challenge'] = $WebAuthn->getChallenge();
 return;
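Review bot: The new getGetArgs line keeps four bare `true` positional flags between the timeout and the UV flag, and PHP 7 offers no named arguments to make them self-describing. A one-line comment above the call naming each position as the vendored library defines it, e.g. `// getGetArgs(credentialIds, timeout, allowUsb, allowNfc, allowBle, allowInternal, requireUserVerification)`, would make the UV position unmistakable the next time someone edits it; verify the names against the library's signature before committing them. With `$ids = NULL` this is presumably a discoverable-credential (username-less) assertion, so `$FIDO2_UV_FLAG_LOGIN` is the only thing between possession of the key and a login here, which is worth stating in that comment as well.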