adding add passkey to setup
This commit is contained in:
jakani24
@@ -8,7 +8,210 @@
|
||||
<title>Change Password</title>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
//js to handle passkey
|
||||
async function createRegistration() {
|
||||
try {
|
||||
|
||||
// check browser support
|
||||
if (!window.fetch || !navigator.credentials || !navigator.credentials.create) {
|
||||
throw new Error('Browser not supported.');
|
||||
}
|
||||
|
||||
// get create args
|
||||
let rep = await window.fetch('/insecure_zone/php/create_admin_backend.php?fn=getCreateArgs' + getGetParams(), {method:'GET', cache:'no-cache'});
|
||||
const createArgs = await rep.json();
|
||||
|
||||
// error handling
|
||||
if (createArgs.success === false) {
|
||||
throw new Error(createArgs.msg || 'unknown error occured');
|
||||
}
|
||||
|
||||
// replace binary base64 data with ArrayBuffer. a other way to do this
|
||||
// is the reviver function of JSON.parse()
|
||||
recursiveBase64StrToArrayBuffer(createArgs);
|
||||
|
||||
// create credentials
|
||||
const cred = await navigator.credentials.create(createArgs);
|
||||
|
||||
// create object
|
||||
const authenticatorAttestationResponse = {
|
||||
transports: cred.response.getTransports ? cred.response.getTransports() : null,
|
||||
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
|
||||
attestationObject: cred.response.attestationObject ? arrayBufferToBase64(cred.response.attestationObject) : null
|
||||
};
|
||||
|
||||
// check auth on server side
|
||||
rep = await window.fetch('/insecure_zone/php/create_admin_backend.php?fn=processCreate' + getGetParams(), {
|
||||
method : 'POST',
|
||||
body : JSON.stringify(authenticatorAttestationResponse),
|
||||
cache : 'no-cache'
|
||||
});
|
||||
const authenticatorAttestationServerResponse = await rep.json();
|
||||
|
||||
// prompt server response
|
||||
if (authenticatorAttestationServerResponse.success) {
|
||||
reloadServerPreview();
|
||||
window.alert(authenticatorAttestationServerResponse.msg || 'registration success');
|
||||
} else {
|
||||
throw new Error(authenticatorAttestationServerResponse.msg);
|
||||
}
|
||||
|
||||
} catch (err) {
|
||||
reloadServerPreview();
|
||||
window.alert(err.message || 'unknown error occured');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
function queryFidoMetaDataService() {
|
||||
window.fetch('/insecure_zone/php/create_admin_backend.php?fn=queryFidoMetaDataService' + getGetParams(), {method:'GET',cache:'no-cache'}).then(function(response) {
|
||||
return response.json();
|
||||
|
||||
}).then(function(json) {
|
||||
if (json.success) {
|
||||
window.alert(json.msg);
|
||||
} else {
|
||||
throw new Error(json.msg);
|
||||
}
|
||||
}).catch(function(err) {
|
||||
window.alert(err.message || 'unknown error occured');
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* convert RFC 1342-like base64 strings to array buffer
|
||||
* @param {mixed} obj
|
||||
* @returns {undefined}
|
||||
*/
|
||||
function recursiveBase64StrToArrayBuffer(obj) {
|
||||
let prefix = '=?BINARY?B?';
|
||||
let suffix = '?=';
|
||||
if (typeof obj === 'object') {
|
||||
for (let key in obj) {
|
||||
if (typeof obj[key] === 'string') {
|
||||
let str = obj[key];
|
||||
if (str.substring(0, prefix.length) === prefix && str.substring(str.length - suffix.length) === suffix) {
|
||||
str = str.substring(prefix.length, str.length - suffix.length);
|
||||
|
||||
let binary_string = window.atob(str);
|
||||
let len = binary_string.length;
|
||||
let bytes = new Uint8Array(len);
|
||||
for (let i = 0; i < len; i++) {
|
||||
bytes[i] = binary_string.charCodeAt(i);
|
||||
}
|
||||
obj[key] = bytes.buffer;
|
||||
}
|
||||
} else {
|
||||
recursiveBase64StrToArrayBuffer(obj[key]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert a ArrayBuffer to Base64
|
||||
* @param {ArrayBuffer} buffer
|
||||
* @returns {String}
|
||||
*/
|
||||
function arrayBufferToBase64(buffer) {
|
||||
let binary = '';
|
||||
let bytes = new Uint8Array(buffer);
|
||||
let len = bytes.byteLength;
|
||||
for (let i = 0; i < len; i++) {
|
||||
binary += String.fromCharCode( bytes[ i ] );
|
||||
}
|
||||
return window.btoa(binary);
|
||||
}
|
||||
|
||||
function ascii_to_hex(str) {
|
||||
let hex = '';
|
||||
for (let i = 0; i < str.length; i++) {
|
||||
let ascii = str.charCodeAt(i).toString(16);
|
||||
hex += ('00' + ascii).slice(-2); // Ensure each hex value is 2 characters long
|
||||
}
|
||||
return hex;
|
||||
}
|
||||
/**
|
||||
* Get URL parameter
|
||||
* @returns {String}
|
||||
*/
|
||||
function getGetParams() {
|
||||
let url = '';
|
||||
|
||||
url += '&apple=1';
|
||||
url += '&yubico=1';
|
||||
url += '&solo=1'
|
||||
url += '&hypersecu=1';
|
||||
url += '&google=1';
|
||||
url += 'µsoft=1';
|
||||
url += '&mds=1';
|
||||
|
||||
url += '&requireResidentKey=0';
|
||||
|
||||
url += '&type_usb=1';
|
||||
url += '&type_nfc=1';
|
||||
url += '&type_ble=1';
|
||||
url += '&type_int=1';
|
||||
url += '&type_hybrid=1';
|
||||
|
||||
url += '&fmt_android-key=1';
|
||||
url += '&fmt_android-safetynet=1';
|
||||
url += '&fmt_apple=1';
|
||||
url += '&fmt_fido-u2f=1';
|
||||
url += '&fmt_none=1';
|
||||
url += '&fmt_packed=1';
|
||||
url += '&fmt_tpm=1';
|
||||
|
||||
url += '&rpId=auth.jakach.com';
|
||||
|
||||
url += '&userId=' + encodeURIComponent(ascii_to_hex(document.getElementById('username').value));
|
||||
url += '&userName=' + encodeURIComponent(document.getElementById('username').value);
|
||||
url += '&userDisplayName=' + encodeURIComponent(document.getElementById('username').value);
|
||||
|
||||
url += '&userVerification=discouraged';
|
||||
|
||||
return url;
|
||||
}
|
||||
|
||||
function reloadServerPreview() {
|
||||
//let iframe = document.getElementById('serverPreview');
|
||||
//iframe.src = iframe.src;
|
||||
}
|
||||
|
||||
function setAttestation(attestation) {
|
||||
let inputEls = document.getElementsByTagName('input');
|
||||
for (const inputEl of inputEls) {
|
||||
if (inputEl.id && inputEl.id.match(/^(fmt|cert)\_/)) {
|
||||
inputEl.disabled = !attestation;
|
||||
}
|
||||
if (inputEl.id && inputEl.id.match(/^fmt\_/)) {
|
||||
inputEl.checked = attestation ? inputEl.id !== 'fmt_none' : inputEl.id === 'fmt_none';
|
||||
}
|
||||
if (inputEl.id && inputEl.id.match(/^cert\_/)) {
|
||||
inputEl.checked = attestation ? inputEl.id === 'cert_mds' : false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* force https on load
|
||||
* @returns {undefined}
|
||||
*/
|
||||
window.onload = function() {
|
||||
if (location.protocol !== 'https:' && location.host !== 'localhost') {
|
||||
location.href = location.href.replace('http', 'https');
|
||||
}
|
||||
//if (!document.getElementById('rpId').value) {
|
||||
// document.getElementById('rpId').value = location.hostname;
|
||||
//}
|
||||
|
||||
//if (!document.getElementById('attestation_yes').checked) {
|
||||
// setAttestation(false);
|
||||
//}
|
||||
}
|
||||
</script>
|
||||
<div class="container mt-5">
|
||||
<div class="row justify-content-center">
|
||||
<div class="col-md-6">
|
||||
@@ -17,9 +220,10 @@
|
||||
<h4>Add a passkey?</h4>
|
||||
</div>
|
||||
<div class="card-body">
|
||||
<input type="text" id="username" name="username" value="<?php echo($_GET["username"]); ?>" style="display:hidden"></input>
|
||||
<p>You can add a device specific passkey which allows you to login in securely with your fingerprint / hardware key etc.</p>
|
||||
<button type="button" class="btn btn-primary btn-block" onclick="checkRegistration()">Add a passkey</button>
|
||||
<br>
|
||||
<br><br>
|
||||
<a href="end.php" class="btn btn-primary btn-block">Skip for now</a>
|
||||
|
||||
</div>
|
||||
|
||||
@@ -62,7 +62,7 @@
|
||||
$stmt->close();
|
||||
$conn->close();
|
||||
echo '<br><div class="alert alert-success" role="alert">
|
||||
Admin user created successfully! <a href="add_passkey.php">Continue installation</a>
|
||||
Admin user created successfully! <a href="add_passkey.php?username='.$username.'">Continue installation</a>
|
||||
</div>';
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,189 @@
|
||||
<?php
|
||||
//with db:
|
||||
|
||||
require_once 'WebAuthn.php';
|
||||
// Assuming you've already established a database connection here
|
||||
include "../../../config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
if ($conn->connect_error) {
|
||||
$success=0;
|
||||
die("Connection failed: " . $conn->connect_error);
|
||||
}
|
||||
try {
|
||||
session_start();
|
||||
|
||||
// read get argument and post body
|
||||
$fn = filter_input(INPUT_GET, 'fn');
|
||||
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
|
||||
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
|
||||
|
||||
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
|
||||
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
|
||||
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
|
||||
|
||||
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
|
||||
$userName = preg_replace('/[^0-9a-z]/i', '', $userName);
|
||||
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
|
||||
|
||||
$post = trim(file_get_contents('php://input'));
|
||||
if ($post) {
|
||||
$post = json_decode($post, null, 512, JSON_THROW_ON_ERROR);
|
||||
}
|
||||
|
||||
if ($fn !== 'getStoredDataHtml') {
|
||||
|
||||
// Formats
|
||||
$formats = [];
|
||||
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
|
||||
$formats[] = 'android-key';
|
||||
//}
|
||||
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
|
||||
$formats[] = 'android-safetynet';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_apple')) {
|
||||
$formats[] = 'apple';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
|
||||
$formats[] = 'fido-u2f';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_none')) {
|
||||
$formats[] = 'none';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_packed')) {
|
||||
$formats[] = 'packed';
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
|
||||
$formats[] = 'tpm';
|
||||
//}
|
||||
|
||||
$rpId=$_SERVER['SERVER_NAME'];
|
||||
|
||||
$typeUsb = true;
|
||||
$typeNfc = true;
|
||||
$typeBle = true;
|
||||
$typeInt = true;
|
||||
$typeHyb = true;
|
||||
|
||||
// cross-platform: true, if type internal is not allowed
|
||||
// false, if only internal is allowed
|
||||
// null, if internal and cross-platform is allowed
|
||||
$crossPlatformAttachment = null;
|
||||
if (($typeUsb || $typeNfc || $typeBle || $typeHyb) && !$typeInt) {
|
||||
$crossPlatformAttachment = true;
|
||||
|
||||
} else if (!$typeUsb && !$typeNfc && !$typeBle && !$typeHyb && $typeInt) {
|
||||
$crossPlatformAttachment = false;
|
||||
}
|
||||
|
||||
|
||||
// new Instance of the server library.
|
||||
// make sure that $rpId is the domain name.
|
||||
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
|
||||
|
||||
// add root certificates to validate new registrations
|
||||
//if (filter_input(INPUT_GET, 'solo')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'apple')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'yubico')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'hypersecu')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'google')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
|
||||
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'microsoft')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
|
||||
//}
|
||||
//if (filter_input(INPUT_GET, 'mds')) {
|
||||
$WebAuthn->addRootCertificates('rootCertificates/mds');
|
||||
//}
|
||||
|
||||
}
|
||||
|
||||
// Handle different functions
|
||||
if ($fn === 'getCreateArgs') {
|
||||
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($createArgs));
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
|
||||
} else if ($fn === 'getGetArgs') {
|
||||
$ids = [];
|
||||
|
||||
if ($requireResidentKey) {
|
||||
if (!isset($_SESSION['registrations']) || !is_array($_SESSION['registrations']) || count($_SESSION['registrations']) === 0) {
|
||||
throw new Exception('we do not have any registrations in session to check the registration');
|
||||
}
|
||||
|
||||
} else {
|
||||
// load registrations from session stored there by processCreate.
|
||||
// normaly you have to load the credential Id's for a username
|
||||
// from the database.
|
||||
if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) {
|
||||
foreach ($_SESSION['registrations'] as $reg) {
|
||||
if ($reg->userId === $userId) {
|
||||
$ids[] = $reg->credentialId;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (count($ids) === 0) {
|
||||
throw new Exception('no registrations in session for userId ' . $userId);
|
||||
}
|
||||
}
|
||||
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($getArgs));
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
} else if ($fn === 'processCreate') {
|
||||
// Process create
|
||||
$challenge = $_SESSION['challenge'];
|
||||
$clientDataJSON = base64_decode($post->clientDataJSON);
|
||||
$attestationObject = base64_decode($post->attestationObject);
|
||||
|
||||
// Process create and store data in the database
|
||||
$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);
|
||||
|
||||
// add user infos
|
||||
$data->userId = $userId;
|
||||
$data->userName = $userName;
|
||||
$data->userDisplayName = $userDisplayName;
|
||||
$data->email="a@a.com";
|
||||
$data->perms="11111111111111111";
|
||||
$data->password="...";
|
||||
|
||||
// Store registration data in the database
|
||||
$stmt = $conn->prepare("INSERT INTO users (email,perms,password,username,user_hex_id, credential_id, public_key, counter) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
|
||||
//var_dump($data);
|
||||
$stmt->execute([$data->email,$data->perms,$data->email, $data->userName, $userId, $data->credentialId, $data->credentialPublicKey, $data->signatureCounter]);
|
||||
|
||||
$msg = 'registration success.';
|
||||
$return = new stdClass();
|
||||
$return->success = true;
|
||||
$return->msg = $msg;
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($return));
|
||||
}
|
||||
|
||||
} catch (Throwable $ex) {
|
||||
$return = new stdClass();
|
||||
$return->success = false;
|
||||
$return->msg = $ex->getMessage();
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($return));
|
||||
}
|
||||
?>
|
||||
Reference in New Issue
Block a user