Jakach/jakach-login
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding ratelimiting with reddis db
Deploy / deploy (push) Failing after 3s
Details

Browse Source
This commit is contained in:
janis steiner
2026-05-06 09:27:02 +02:00
parent d82a08f77b
commit 5deb0e1056
16 changed files with 312 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app-code/api/account/update_passkey.php
+30 -8
View File
@@ -30,15 +30,19 @@ try {
// read get argument and post body
$fn = filter_input(INPUT_GET, 'fn');
if (!in_array($fn, ['getCreateArgs', 'processCreate'], true)) {
throw new Exception('Invalid passkey operation.');
}
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
$userVerification = 'preferred';
$userName = preg_replace('/[^0-9a-z_]/i', '', $_SESSION["username"] ?? "");
if ($userName === "") {
throw new Exception('Missing account session.');
}
$userId = bin2hex($userName);
$userDisplayName = $userName;
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
$userName = preg_replace('/[^0-9a-z]/i', '', $_SESSION["username"]);
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
$post = trim(file_get_contents('php://input'));
@@ -96,6 +100,7 @@ try {
// Handle different functions
if ($fn === 'getCreateArgs') {
check_rate_limit($conn, 'passkey_register_args', 10, 60 * 60, $userName);
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
header('Content-Type: application/json');
@@ -103,6 +108,7 @@ try {
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
$_SESSION['passkey_register_username'] = $userName;
} else if ($fn === 'getGetArgs') {
$ids = [];
@@ -137,6 +143,15 @@ try {
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
} else if ($fn === 'processCreate') {
check_rate_limit($conn, 'passkey_register_process', 5, 60 * 60, $userName);
if (empty($_SESSION['challenge']) || ($_SESSION['passkey_register_username'] ?? '') !== $userName) {
throw new Exception('Invalid passkey session.');
}
foreach (['clientDataJSON', 'attestationObject'] as $requiredField) {
if (!is_object($post) || empty($post->{$requiredField})) {
throw new Exception('Invalid passkey response.');
}
}
// Process create
$challenge = $_SESSION['challenge'];
$clientDataJSON = base64_decode($post->clientDataJSON);
@@ -151,8 +166,15 @@ try {
$data->userDisplayName = $userDisplayName;
// Store registration data in the database
$credentialId = $data->credentialId;
$credentialPublicKey = $data->credentialPublicKey;
$signatureCounter = (int)$data->signatureCounter;
$stmt = $conn->prepare("UPDATE users set credential_id = ?, public_key = ?, counter = ?, auth_method_enabled_passkey = 1, auth_method_required_passkey = 1 WHERE username = ?");
$stmt->execute([ $data->credentialId, $data->credentialPublicKey, $data->signatureCounter,$userName]);
$stmt->bind_param("ssis", $credentialId, $credentialPublicKey, $signatureCounter, $userName);
$stmt->execute();
$stmt->close();
unset($_SESSION['challenge'], $_SESSION['passkey_register_username']);
clear_rate_limit($conn, 'passkey_register_process', $userName);
$msg = 'registration success.';
$return = new stdClass();
@@ -165,7 +187,7 @@ try {
} catch (Throwable $ex) {
$return = new stdClass();
$return->success = false;
$return->msg = $ex->getMessage();
$return->msg = 'Passkey registration failed.';
header('Content-Type: application/json');
print(json_encode($return));