finishing touches for passkey auth, oauth and more
@@ -46,36 +46,22 @@ try {
|
||||
if ($fn !== 'getStoredDataHtml') {
|
||||
|
||||
// Formats
|
||||
$formats = [];
|
||||
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
|
||||
$formats[] = 'android-key';
|
||||
//}
|
||||
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
|
||||
$formats[] = 'android-safetynet';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_apple')) {
|
||||
$formats[] = 'apple';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
|
||||
$formats[] = 'fido-u2f';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_none')) {
|
||||
$formats[] = 'none';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_packed')) {
|
||||
$formats[] = 'packed';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
|
||||
$formats[] = 'tpm';
|
||||
//}
|
||||
$formats = [];
|
||||
$formats[] = 'android-key';
|
||||
$formats[] = 'android-safetynet';
|
||||
$formats[] = 'apple';
|
||||
$formats[] = 'fido-u2f';
|
||||
$formats[] = 'none';
|
||||
$formats[] = 'packed';
|
||||
$formats[] = 'tpm';
|
||||
|
||||
$rpId=$_SERVER['SERVER_NAME'];
|
||||
|
||||
$typeUsb = true;
|
||||
$typeNfc = true;
|
||||
$typeBle = true;
|
||||
$typeInt = true;
|
||||
$typeHyb = true;
|
||||
$rpId=$_SERVER['SERVER_NAME'];
|
||||
|
||||
$typeUsb = true;
|
||||
$typeNfc = true;
|
||||
$typeBle = true;
|
||||
$typeInt = true;
|
||||
$typeHyb = true;
|
||||
|
||||
// cross-platform: true, if type internal is not allowed
|
||||
// false, if only internal is allowed
|
||||
@@ -94,28 +80,14 @@ try {
|
||||
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
|
||||
|
||||
// add root certificates to validate new registrations
|
||||
//if (filter_input(INPUT_GET, 'solo')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'apple')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'yubico')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'hypersecu')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'google')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'microsoft')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'mds')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/mds');
|
||||
//}
|
||||
|
||||
}
|
||||
|
||||
@@ -176,9 +148,7 @@ try {
|
||||
$data->userDisplayName = $userDisplayName;
|
||||
|
||||
// Store registration data in the database
|
||||
$stmt = $conn->prepare("UPDATE users set credential_id = ?, public_key = ?, counter = ?, auth_method_enabled_passkey = 1, auth_method_required_passkey = 1 WHERE username = ?");
|
||||
//$stmt = $conn->prepare("INSERT INTO users (user_hex_id, credential_id, public_key, counter) VALUES (?, ?, ?, ?)");
|
||||
//var_dump($data);
|
||||
$stmt = $conn->prepare("UPDATE users set credential_id = ?, public_key = ?, counter = ?, auth_method_enabled_passkey = 1, auth_method_required_passkey = 1 WHERE username = ?");
|
||||
$stmt->execute([ $data->credentialId, $data->credentialPublicKey, $data->signatureCounter,$userName]);
|
||||
|
||||
$msg = 'registration success.';
|
||||
@@ -198,3 +168,4 @@ try {
|
||||
print(json_encode($return));
|
||||
}
|
||||
?>
|
||||
|
||||
|
||||
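--- a/app-code/api/auth/check_auth_key.php
+++ b/app-code/api/auth/check_auth_key.php
@@ -0,0 +1,55 @@
+<?php
+header('Content-Type: application/json');
+include "../../config/config.php";
+$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD, $DB_DATABASE);
+
+$auth_key=$_GET["auth_token"];
+$sql="SELECT user_id FROM auth_tokens WHERE auth_token = ?;";
+$stmt = mysqli_prepare($conn, $sql);
+mysqli_stmt_bind_param($stmt, 's', $auth_key);
+mysqli_stmt_execute($stmt);
+mysqli_stmt_store_result($stmt);
+//if auth key is valid
+if(mysqli_stmt_num_rows($stmt) == 1){
+$user_id=0;
+mysqli_stmt_bind_result($stmt,$user_id);
+mysqli_stmt_fetch($stmt);
+//we now have userid, close stmt
+mysqli_stmt_close($stmt);
+
+$sql="SELECT username, email, telegram_id FROM users WHERE id = ?";
+$stmt = mysqli_prepare($conn, $sql);
+mysqli_stmt_bind_param($stmt, 'i', $user_id);
+mysqli_stmt_execute($stmt);
+mysqli_stmt_store_result($stmt);
+$username="";
+$email="";
+$telegram="";
+mysqli_stmt_bind_result($stmt,$username,$email,$telegram);
+mysqli_stmt_fetch($stmt);
+mysqli_stmt_close($stmt);
+$data=[
+'status'=>'success',
+'msg'=>'user authenticated',
+'username'=>$username,
+'email'=>$email,
+'telegram_id'=>$telegram,
+'id'=>$user_id
+];
+
+//remove auth key
+$sql="DELETE FROM auth_tokens WHERE auth_token = ?;";
+$stmt = mysqli_prepare($conn, $sql);
+mysqli_stmt_bind_param($stmt, 's', $auth_key);
+mysqli_stmt_execute($stmt);
+echo(json_encode($data));
+}else{
+$data=[
+'status' => 'failure',
+'msg'=>'invalid auth key',
+'auth_key'=>$auth_key
+];
+echo(json_encode($data));
+}
+
+?>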
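Review bot: `$auth_key=$_GET["auth_token"];` reads the parameter with no presence check, so a request without it raises an undefined-index warning and binds null into the lookup; read it as `$auth_key = $_GET['auth_token'] ?? '';` and emit the failure response before touching the database when it is empty. The failure branch also reflects the caller-supplied value straight back in the JSON (`'auth_key'=>$auth_key`), which serves no client purpose and should be dropped. As far as this commit shows, the login handler's INSERT stores only `auth_token` and `user_id` and the only DELETE is the one here, so a token that is never presented is never removed; a creation timestamp checked in the SELECT (or a periodic purge) would bound its lifetime. None of the prepare/execute results are checked, so a failed DELETE still returns `success` together with the user's details.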
@@ -32,36 +32,22 @@ try {
|
||||
if ($fn !== 'getStoredDataHtml') {
|
||||
|
||||
// Formats
|
||||
$formats = [];
|
||||
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
|
||||
$formats[] = 'android-key';
|
||||
//}
|
||||
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
|
||||
$formats[] = 'android-safetynet';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_apple')) {
|
||||
$formats[] = 'apple';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
|
||||
$formats[] = 'fido-u2f';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_none')) {
|
||||
$formats[] = 'none';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_packed')) {
|
||||
$formats[] = 'packed';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
|
||||
$formats[] = 'tpm';
|
||||
//}
|
||||
$formats = [];
|
||||
$formats[] = 'android-key';
|
||||
$formats[] = 'android-safetynet';
|
||||
$formats[] = 'apple';
|
||||
$formats[] = 'fido-u2f';
|
||||
$formats[] = 'none';
|
||||
$formats[] = 'packed';
|
||||
$formats[] = 'tpm';
|
||||
|
||||
$rpId=$_SERVER['SERVER_NAME'];
|
||||
|
||||
$typeUsb = true;
|
||||
$typeNfc = true;
|
||||
$typeBle = true;
|
||||
$typeInt = true;
|
||||
$typeHyb = true;
|
||||
$rpId=$_SERVER['SERVER_NAME'];
|
||||
|
||||
$typeUsb = true;
|
||||
$typeNfc = true;
|
||||
$typeBle = true;
|
||||
$typeInt = true;
|
||||
$typeHyb = true;
|
||||
|
||||
// cross-platform: true, if type internal is not allowed
|
||||
// false, if only internal is allowed
|
||||
@@ -80,28 +66,14 @@ try {
|
||||
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
|
||||
|
||||
// add root certificates to validate new registrations
|
||||
//if (filter_input(INPUT_GET, 'solo')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'apple')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'yubico')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'hypersecu')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'google')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'microsoft')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'mds')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/mds');
|
||||
//}
|
||||
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/mds');
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -23,20 +23,35 @@ else if($_SESSION["needs_auth"]===false && $_SESSION["mfa_required"]==1 && $_SES
|
||||
|
||||
//check for mfa
|
||||
}
|
||||
else if($_SESSION["needs_auth"]===false && $_SESSION["passkey_required"]==1 && $_SESSION["passkey_authenticated"]==0){
|
||||
/*else if($_SESSION["needs_auth"]===false && $_SESSION["passkey_required"]==1 && $_SESSION["passkey_authenticated"]==0){
|
||||
//check for passkey
|
||||
$data=[
|
||||
'message' => 'auth_passkey',
|
||||
'redirect' => '/login/passkey.php'
|
||||
];
|
||||
echo(json_encode($data));
|
||||
}else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 && $_SESSION["pw_authenticated"]==1 && $_SESSION["passkey_authenticated"]){
|
||||
}*/else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 && $_SESSION["pw_authenticated"]==1){
|
||||
//fully authenticated
|
||||
$_SESSION["logged_in"]=true;
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => $send_to
|
||||
];
|
||||
//create auth token which other services can then use to check if user logged in
|
||||
$user_id=$_SESSION["id"];
|
||||
$auth_token=bin2hex(random_bytes(128));
|
||||
$sql="INSERT INTO auth_tokens (auth_token,user_id) VALUES(?,?);";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 'si', $auth_token,$user_id);
|
||||
mysqli_stmt_execute($stmt);
|
||||
mysqli_stmt_close($stmt);
|
||||
if(!empty($send_to)){
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => $send_to."?auth=$auth_token"
|
||||
];
|
||||
}else{
|
||||
$data=[
|
||||
'message' => 'done',
|
||||
'redirect' => ''
|
||||
];
|
||||
}
|
||||
echo(json_encode($data));
|
||||
}
|
||||
else{
|
||||
@@ -45,7 +60,7 @@ else{
|
||||
$username=$_SESSION["username"];
|
||||
$_SESSION["needs_auth"]=false;
|
||||
$_SESSION["logged_in"]=false;
|
||||
$sql="SELECT auth_method_required_pw, auth_method_required_2fa, auth_method_required_passkey FROM users WHERE username = ?";
|
||||
$sql="SELECT auth_method_required_pw, auth_method_required_2fa, auth_method_required_passkey, id FROM users WHERE username = ?";
|
||||
$stmt = mysqli_prepare($conn, $sql);
|
||||
mysqli_stmt_bind_param($stmt, 's', $username);
|
||||
mysqli_stmt_execute($stmt);
|
||||
@@ -54,7 +69,7 @@ else{
|
||||
$mfa=0;
|
||||
$passkey=0;
|
||||
if(mysqli_stmt_num_rows($stmt) == 1){
|
||||
mysqli_stmt_bind_result($stmt, $pw,$mfa,$passkey);
|
||||
mysqli_stmt_bind_result($stmt, $pw,$mfa,$passkey,$user_id);
|
||||
mysqli_stmt_fetch($stmt);
|
||||
$_SESSION["pw_required"] = $pw;
|
||||
$_SESSION["pw_authenticated"] = ($pw == 0) ? 1 : 0; // If $pw is 0, set pw_authenticated to 1
|
||||
@@ -62,6 +77,7 @@ else{
|
||||
$_SESSION["mfa_authenticated"] = ($mfa == 0) ? 1 : 0;
|
||||
$_SESSION["passkey_required"] = $passkey;
|
||||
$_SESSION["passkey_authenticated"] = ($passkey == 0) ? 1 : 0;
|
||||
$_SESSION["id"]=$user_id;
|
||||
$data=[
|
||||
'message' => 'prepared_start_auth',
|
||||
'redirect' => '/login/'
|
||||
|
||||
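Review bot: At `}*/else if ($_SESSION["needs_auth"]===false && $_SESSION["mfa_authenticated"]==1 && $_SESSION["pw_authenticated"]==1){` the passkey gate has been commented out and the `passkey_authenticated` term dropped from the fully-authenticated condition, so a user whose `passkey_required` flag is set (the session still records it at `$_SESSION["passkey_required"] = $passkey;` in the last hunk) is marked `logged_in` after password and MFA alone. If passkey login is deliberately disabled until it is finished, the requirement should be switched off where `passkey_required` is computed rather than by a block comment; otherwise the clause `&& $_SESSION["passkey_authenticated"]==1` should be restored. The new token is also handed over as a query-string parameter, `'redirect' => $send_to."?auth=$auth_token"`, which puts a 256-character bearer credential into browser history, access logs and any Referer the target page sends, and it is appended blindly, so a `$send_to` that already carries a query string yields a malformed URL. Where `$send_to` comes from is not visible in this hunk; if the caller can set it, it must be restricted to known services before a token is attached. The enclosing if/else chain starts before the hunk.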