mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
92d328926d
* refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
78 lines
2.3 KiB
Go
78 lines
2.3 KiB
Go
package handlers
|
|
|
|
import (
|
|
"crypto/elliptic"
|
|
"fmt"
|
|
|
|
"github.com/tstranex/u2f"
|
|
|
|
"github.com/authelia/authelia/v4/internal/middlewares"
|
|
"github.com/authelia/authelia/v4/internal/session"
|
|
"github.com/authelia/authelia/v4/internal/storage"
|
|
)
|
|
|
|
// SecondFactorU2FSignGet handler for initiating a signing request.
|
|
func SecondFactorU2FSignGet(ctx *middlewares.AutheliaCtx) {
|
|
if ctx.XForwardedProto() == nil {
|
|
ctx.Error(errMissingXForwardedProto, messageMFAValidationFailed)
|
|
return
|
|
}
|
|
|
|
if ctx.XForwardedHost() == nil {
|
|
ctx.Error(errMissingXForwardedHost, messageMFAValidationFailed)
|
|
return
|
|
}
|
|
|
|
appID := fmt.Sprintf("%s://%s", ctx.XForwardedProto(), ctx.XForwardedHost())
|
|
|
|
var trustedFacets = []string{appID}
|
|
challenge, err := u2f.NewChallenge(appID, trustedFacets)
|
|
|
|
if err != nil {
|
|
handleAuthenticationUnauthorized(ctx, fmt.Errorf("unable to create U2F challenge: %s", err), messageMFAValidationFailed)
|
|
return
|
|
}
|
|
|
|
userSession := ctx.GetSession()
|
|
keyHandleBytes, publicKeyBytes, err := ctx.Providers.StorageProvider.LoadU2FDeviceHandle(userSession.Username)
|
|
|
|
if err != nil {
|
|
if err == storage.ErrNoU2FDeviceHandle {
|
|
handleAuthenticationUnauthorized(ctx, fmt.Errorf("no device handle found for user %s", userSession.Username), messageMFAValidationFailed)
|
|
return
|
|
}
|
|
|
|
handleAuthenticationUnauthorized(ctx, fmt.Errorf("unable to retrieve U2F device handle: %s", err), messageMFAValidationFailed)
|
|
|
|
return
|
|
}
|
|
|
|
var registration u2f.Registration
|
|
registration.KeyHandle = keyHandleBytes
|
|
x, y := elliptic.Unmarshal(elliptic.P256(), publicKeyBytes)
|
|
registration.PubKey.Curve = elliptic.P256()
|
|
registration.PubKey.X = x
|
|
registration.PubKey.Y = y
|
|
|
|
// Save the challenge and registration for use in next request
|
|
userSession.U2FRegistration = &session.U2FRegistration{
|
|
KeyHandle: keyHandleBytes,
|
|
PublicKey: publicKeyBytes,
|
|
}
|
|
userSession.U2FChallenge = challenge
|
|
err = ctx.SaveSession(userSession)
|
|
|
|
if err != nil {
|
|
handleAuthenticationUnauthorized(ctx, fmt.Errorf("unable to save U2F challenge and registration in session: %s", err), messageMFAValidationFailed)
|
|
return
|
|
}
|
|
|
|
signRequest := challenge.SignRequest([]u2f.Registration{registration})
|
|
err = ctx.SetJSONBody(signRequest)
|
|
|
|
if err != nil {
|
|
handleAuthenticationUnauthorized(ctx, fmt.Errorf("unable to set sign request in body: %s", err), messageMFAValidationFailed)
|
|
return
|
|
}
|
|
}
|