paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] Different UV flag for auth and register, remove unique key from fido2, delete tfa/fido2 when removing user object

master
andryyy 2020-11-16 15:01:02 +01:00
parent c1376b4f4c
commit ff071e5120
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
5 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
data/web/inc/functions.admin.inc.php
View File

@ -229,6 +229,14 @@ function admin($_action, $_data = null) {
$stmt->execute(array( $stmt->execute(array(
':username' => $username, ':username' => $username,
)); ));
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'success', 'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_data_log), 'log' => array(__FUNCTION__, $_action, $_data_log),

8
data/web/inc/functions.domain_admin.inc.php
View File

@ -358,6 +358,14 @@ function domain_admin($_action, $_data = null) {
$stmt->execute(array( $stmt->execute(array(
':username' => $username, ':username' => $username,
)); ));
$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$stmt = $pdo->prepare("DELETE FROM `fido2` WHERE `username` = :username");
$stmt->execute(array(
':username' => $username,
));
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'success', 'type' => 'success',
'log' => array(__FUNCTION__, $_action, $_data_log), 'log' => array(__FUNCTION__, $_action, $_data_log),

7
data/web/inc/init_db.inc.php
View File

@ -3,7 +3,7 @@ function init_db_schema() {
try { try {
global $pdo; global $pdo;
$db_version = "15112020_1110"; $db_version = "16112020_1210";
$stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@ -102,11 +102,6 @@ function init_db_schema() {
"modified" => "DATETIME ON UPDATE NOW(0)", "modified" => "DATETIME ON UPDATE NOW(0)",
"active" => "TINYINT(1) NOT NULL DEFAULT '1'" "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
), ),
"keys" => array(
"unique" => array(
"fido2_username_CID" => array("username", "certificateSubject")
)
),
"attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC" "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
), ),
"_sogo_static_view" => array( "_sogo_static_view" => array(

3
data/web/inc/vars.inc.php
View File

@ -178,7 +178,8 @@ $SHOW_LAST_LOGIN = true;
// true = required // true = required
// false = preferred // false = preferred
// string 'required' 'preferred' 'discouraged' // string 'required' 'preferred' 'discouraged'
$FIDO2_UV_FLAG = 'preferred'; $FIDO2_UV_FLAG_REGISTER = 'preferred';
$FIDO2_UV_FLAG_LOGIN = 'preferred'; // iOS ignores the key via NFC if required - known issue
$FIDO2_USER_PRESENT_FLAG = true; $FIDO2_USER_PRESENT_FLAG = true;
$FIDO2_FORMATS = array('android-key', 'android-safetynet', 'fido-u2f', 'none', 'packed', 'tpm'); $FIDO2_FORMATS = array('android-key', 'android-safetynet', 'fido-u2f', 'none', 'packed', 'tpm');

8
data/web/json_api.php
View File

@ -150,7 +150,7 @@ if (isset($_GET['query'])) {
$attestationObject = base64_decode($post->attestationObject); $attestationObject = base64_decode($post->attestationObject);
$challenge = $_SESSION['challenge']; $challenge = $_SESSION['challenge'];
try { try {
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); $data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
} }
catch (Throwable $ex) { catch (Throwable $ex) {
$return = new stdClass(); $return = new stdClass();
@ -285,7 +285,7 @@ if (isset($_GET['query'])) {
exit; exit;
} }
try { try {
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']); $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
} }
catch (Throwable $ex) { catch (Throwable $ex) {
unset($process_fido2); unset($process_fido2);
@ -356,7 +356,7 @@ if (isset($_GET['query'])) {
$_SESSION["mailcow_cc_username"] == $object) { $_SESSION["mailcow_cc_username"] == $object) {
// Exclude existing CredentialIds, if any // Exclude existing CredentialIds, if any
$excludeCredentialIds = fido2(array("action" => "get_user_cids")); $excludeCredentialIds = fido2(array("action" => "get_user_cids"));
$createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG'], $excludeCredentialIds); $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
print(json_encode($createArgs)); print(json_encode($createArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge(); $_SESSION['challenge'] = $WebAuthn->getChallenge();
return; return;
@ -395,7 +395,7 @@ if (isset($_GET['query'])) {
// return; // return;
// } // }
$ids = NULL; $ids = NULL;
$getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG']); $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
print(json_encode($getArgs)); print(json_encode($getArgs));
$_SESSION['challenge'] = $WebAuthn->getChallenge(); $_SESSION['challenge'] = $WebAuthn->getChallenge();
return; return;