Commit ca20d14a authored by Côme Chilliet's avatar Côme Chilliet

🚑 fix(webauthn) Add some security checks

issue #6013
parent 2f8b8942
......@@ -39,17 +39,29 @@ textdomain($domain);
session::start();
reset_errors();
/* Force SSL for second factor */
if ($ssl != '') {
header("Location: $ssl");
exit;
}
CSRFProtection::check();
$ui = session::get('ui');
$config = session::get('config');
/* Logged in? Redirect to FD */
if (session::is_set('connected')) {
header('Location: main.php');
exit;
}
/* If SSL is forced, just forward to the SSL enabled site */
if (($config->get_cfg_value('forcessl') == 'TRUE') && ($ssl != '')) {
header("Location: $ssl");
/* Missing data? Redirect to login */
if (!session::is_set('ui') || !session::is_set('config')) {
header('Location: index.php');
exit;
}
$ui = session::get('ui');
$config = session::get('config');
timezone::setDefaultTimezoneFromConfig();
/* Check for invalid sessions */
......@@ -73,6 +85,8 @@ if (session::get('_LAST_PAGE_REQUEST') != '') {
}
session::set('_LAST_PAGE_REQUEST', time());
LoginWebAuthnPost::processWebAuthnJavascriptRequests();
session::set('DEBUGLEVEL', $config->get_cfg_value('DEBUGLEVEL'));
/* Set template compile directory */
......@@ -80,5 +94,4 @@ $smarty->compile_dir = $config->get_cfg_value('templateCompileDirectory', SPOOL_
Language::init();
LoginWebAuthnPost::processWebAuthnJavascriptRequests();
LoginWebAuthnPost::displaySecondFactorPage();
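Review bot: `LoginWebAuthnPost::processWebAuthnJavascriptRequests();` now runs right after `session::set('_LAST_PAGE_REQUEST', time());`, before `Language::init()` and before the Smarty compile directory is set, whereas the removed call sat after both; if that handler emits translated messages or renders a template on a failed assertion, it would now do so without localisation or compile settings, so confirm this against the handler body (which is not in this diff). The new guard `if (!session::is_set('ui') || !session::is_set('config'))` only checks presence; if the first-factor code stores a marker that the session is awaiting a second factor, checking that marker here as well would keep a session that merely has `ui` set from reaching this page — I cannot see the first-factor code in this diff, so verify whether such a marker exists. The loose comparison in the new Force-SSL block, `if ($ssl != '') {`, would read better as `if ($ssl !== '') {`.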
......@@ -65,6 +65,8 @@ class LoginWebAuthnPost extends LoginPost
static::init();
session::un_set('fdWebauthnRegistrations');
$smarty->assign('focusfield', 'username');
if (($_SERVER['REQUEST_METHOD'] == 'POST') && isset($_POST['login']) && isset($_POST['username']) && isset($_POST['password'])) {
......@@ -115,7 +117,7 @@ class LoginWebAuthnPost extends LoginPost
return TRUE;
}
/*! \brief Display the login page and exit() */
/*! \brief Redirect to the second factor page */
static protected function redirectSecondFactorPage ()
{
session::un_set('connected');
......@@ -123,7 +125,7 @@ class LoginWebAuthnPost extends LoginPost
exit;
}
/*! \brief Display the login page and exit() */
/*! \brief Display the second factor page and exit() */
static function displaySecondFactorPage ()
{
global $smarty,$message,$config,$ssl,$error_collector,$error_collector_mailto;
......@@ -194,6 +196,7 @@ class LoginWebAuthnPost extends LoginPost
$getArgs = $WebAuthn->getGetArgs($ids);
/* Serializing avoids failed autoload of WebAuthn classes before our require_once (at session start) */
session::set('challenge', serialize($WebAuthn->getChallenge()));
return $getArgs;
......@@ -209,12 +212,12 @@ class LoginWebAuthnPost extends LoginPost
if ($post) {
$post = json_decode($post);
}
$clientDataJSON = base64_decode($post->clientDataJSON);
$authenticatorData = base64_decode($post->authenticatorData);
$signature = base64_decode($post->signature);
$id = base64_decode($post->id);
$challenge = unserialize(session::get('challenge'));
$credentialPublicKey = NULL;
$clientDataJSON = base64_decode($post->clientDataJSON);
$authenticatorData = base64_decode($post->authenticatorData);
$signature = base64_decode($post->signature);
$id = base64_decode($post->id);
$challenge = unserialize(session::get('challenge'));
$credentialPublicKey = NULL;
$fdWebauthnRegistrations = session::get('fdWebauthnRegistrations');
......@@ -249,7 +252,6 @@ class LoginWebAuthnPost extends LoginPost
$ui = session::get('ui');
/* Not account expired or password forced change go to main page */
logging::log('security', 'login', $ui->uid, [], 'Logged in successfully');
session::set('connected', 1);
session::set('DEBUGLEVEL', $config->get_cfg_value('DEBUGLEVEL'));
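Review bot: In the assertion-parsing hunk (`$clientDataJSON = base64_decode($post->clientDataJSON);` and the three lines after it), the value produced by `json_decode($post)` is used without checking that it is an object carrying a string for each field, so a malformed or non-JSON POST body reaches `base64_decode` on a missing or null property, and the decode is non-strict so arbitrary bytes are accepted silently. I would validate the shape once and decode with `base64_decode($post->$field, TRUE)`, rejecting the assertion on any `FALSE` before the WebAuthn verification runs; the enclosing method starts outside the hunk, so reuse whatever failure path it already has for a rejected assertion. Since `session::get('challenge')` is passed to `unserialize` on the next line, restricting it with `unserialize($raw, ['allowed_classes' => [/* the WebAuthn challenge class */]])` would keep that call narrow as well.
```php
// … unchanged: $post read and json_decode …
$fields  = ['clientDataJSON', 'authenticatorData', 'signature', 'id'];
$decoded = [];
foreach ($fields as $field) {
    /* Only an object whose fields are strict base64 strings is a usable assertion */
    $value = (is_object($post) && isset($post->$field) && is_string($post->$field))
        ? base64_decode($post->$field, TRUE)
        : FALSE;
    if ($value === FALSE) {
        // … take the method's existing failure path for a rejected assertion …
    }
    $decoded[$field] = $value;
}
$clientDataJSON    = $decoded['clientDataJSON'];
$authenticatorData = $decoded['authenticatorData'];
$signature         = $decoded['signature'];
$id                = $decoded['id'];
$challenge         = unserialize(session::get('challenge'));
// … unchanged: credential lookup against fdWebauthnRegistrations …
```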