Capture IP address and Target URL in Duo 2FA request

This commit is contained in:
Amir Zarrinkafsh 2019-03-27 17:57:16 +11:00
parent c2810101a4
commit 274c6135c7
No known key found for this signature in database
GPG Key ID: ECDB8EF9E77E4EBF
2 changed files with 13 additions and 9 deletions

View File

@ -24,11 +24,11 @@ describe("routes/secondfactor/duo-push/Post", function() {
hostname: 'abc',
integration_key: 'xyz',
secret_key: 'secret',
}
};
req = ExpressMock.RequestMock();
res = ExpressMock.ResponseMock();
})
});
it("should raise authentication level of user", async function() {
const mock = Sinon.stub(DuoApi, "Client");
@ -37,7 +37,7 @@ describe("routes/secondfactor/duo-push/Post", function() {
});
req.session.auth = {
userid: 'john'
}
};
Assert.equal(req.session.auth.authentication_level, undefined);
await Post(vars)(req, res as any);
@ -54,7 +54,7 @@ describe("routes/secondfactor/duo-push/Post", function() {
});
req.session.auth = {
userid: 'john'
}
};
vars.config.duo_api = undefined;
Assert.equal(req.session.auth.authentication_level, undefined);
@ -72,7 +72,7 @@ describe("routes/secondfactor/duo-push/Post", function() {
});
req.session.auth = {
userid: 'john'
}
};
Assert.equal(req.session.auth.authentication_level, undefined);
await Post(vars)(req, res as any);
@ -90,7 +90,7 @@ describe("routes/secondfactor/duo-push/Post", function() {
});
req.session.auth = {
userid: 'john'
}
};
Assert.equal(req.session.auth.authentication_level, undefined);
const promise = Post(vars)(req, res as any)

View File

@ -6,6 +6,8 @@ import * as UserMessage from "../../../../../../shared/UserMessages";
import redirect from "../redirect";
import { Level } from "../../../authentication/Level";
import { DuoPushConfiguration } from "../../../configuration/schema/DuoPushConfiguration";
import GetHeader from "../../../utils/GetHeader";
import { HEADER_X_TARGET_URL } from "../../../../../../shared/constants";
const DuoApi = require("@duosecurity/duo_api");
interface DuoResponse {
@ -17,11 +19,13 @@ interface DuoResponse {
stat: "OK" | "FAIL";
}
function triggerAuth(username: string, config: DuoPushConfiguration): Promise<DuoResponse> {
function triggerAuth(username: string, config: DuoPushConfiguration, req: Express.Request): Promise<DuoResponse> {
return new Promise((resolve, reject) => {
const clientIP = req.ip;
const targetURL = GetHeader(req, HEADER_X_TARGET_URL);
const client = new DuoApi.Client(config.integration_key, config.secret_key, config.hostname);
const timer = setTimeout(() => reject(new Error("Call to duo push API timed out.")), 60000);
client.jsonApiCall("POST", "/auth/v2/auth", { username, factor: "push", device: "auto" }, (data: DuoResponse) => {
client.jsonApiCall("POST", "/auth/v2/auth", { username, ipaddr: clientIP, factor: "push", device: "auto", pushinfo: `target%20url=${targetURL}`}, (data: DuoResponse) => {
clearTimeout(timer);
resolve(data);
});
@ -37,7 +41,7 @@ export default function(vars: ServerVariables) {
}
const authSession = AuthenticationSessionHandler.get(req, vars.logger);
const authRes = await triggerAuth(authSession.userid, vars.config.duo_api);
const authRes = await triggerAuth(authSession.userid, vars.config.duo_api, req);
if (authRes.response.result !== "allow") {
throw new Error("User denied access.");
}