mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
92d328926d
* refactor(handlers): lower case error messages also refactor verifyAuth function to detect malicious activity both with session cookie and authorization header. * refacto(handlers): simplify error construction * fix(handlers): check prefix in authorization header to determine auth method * fix(handlers): determining the method should be done with headers instead of query arg * refacto(handlers): rollback changes of verifyAuth * don't lowercase log messages * Apply suggestions from code review Make sure logger errors are not lowercased. * fix: uppercase logger errors and remove unused param * Do not lowercase logger errors * Remove unused param targetURL * Rename url variable to not conflict with imported package Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
71 lines
2.1 KiB
Go
71 lines
2.1 KiB
Go
package handlers
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/tstranex/u2f"
|
|
|
|
"github.com/authelia/authelia/v4/internal/middlewares"
|
|
)
|
|
|
|
var u2fConfig = &u2f.Config{
|
|
// Chrome 66+ doesn't return the device's attestation
|
|
// certificate by default.
|
|
SkipAttestationVerify: true,
|
|
}
|
|
|
|
// SecondFactorU2FIdentityStart the handler for initiating the identity validation.
|
|
var SecondFactorU2FIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{
|
|
MailTitle: "Register your key",
|
|
MailButtonContent: "Register",
|
|
TargetEndpoint: "/security-key/register",
|
|
ActionClaim: ActionU2FRegistration,
|
|
IdentityRetrieverFunc: identityRetrieverFromSession,
|
|
})
|
|
|
|
func secondFactorU2FIdentityFinish(ctx *middlewares.AutheliaCtx, username string) {
|
|
if ctx.XForwardedProto() == nil {
|
|
ctx.Error(errMissingXForwardedProto, messageOperationFailed)
|
|
return
|
|
}
|
|
|
|
if ctx.XForwardedHost() == nil {
|
|
ctx.Error(errMissingXForwardedHost, messageOperationFailed)
|
|
return
|
|
}
|
|
|
|
appID := fmt.Sprintf("%s://%s", ctx.XForwardedProto(), ctx.XForwardedHost())
|
|
ctx.Logger.Tracef("U2F appID is %s", appID)
|
|
|
|
var trustedFacets = []string{appID}
|
|
|
|
challenge, err := u2f.NewChallenge(appID, trustedFacets)
|
|
|
|
if err != nil {
|
|
ctx.Error(fmt.Errorf("unable to generate new U2F challenge for registration: %s", err), messageOperationFailed)
|
|
return
|
|
}
|
|
|
|
// Save the challenge in the user session.
|
|
userSession := ctx.GetSession()
|
|
userSession.U2FChallenge = challenge
|
|
err = ctx.SaveSession(userSession)
|
|
|
|
if err != nil {
|
|
ctx.Error(fmt.Errorf("unable to save U2F challenge in session: %s", err), messageOperationFailed)
|
|
return
|
|
}
|
|
|
|
err = ctx.SetJSONBody(u2f.NewWebRegisterRequest(challenge, []u2f.Registration{}))
|
|
if err != nil {
|
|
ctx.Logger.Errorf("Unable to create request to enrol new token: %s", err)
|
|
}
|
|
}
|
|
|
|
// SecondFactorU2FIdentityFinish the handler for finishing the identity validation.
|
|
var SecondFactorU2FIdentityFinish = middlewares.IdentityVerificationFinish(
|
|
middlewares.IdentityVerificationFinishArgs{
|
|
ActionClaim: ActionU2FRegistration,
|
|
IsTokenUserValidFunc: isTokenUserValidFor2FARegistration,
|
|
}, secondFactorU2FIdentityFinish)
|