janis/ma
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding passkey to login

Browse Source
This commit is contained in:
jakani24
2024-04-26 15:17:23 +02:00
parent 39cbb2bc73
commit f2fe16b819
2 changed files with 603 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

207
src/server/cyberhex-code/system/insecure_zone/php/login.php
View File

@@ -13,7 +13,209 @@ if(isset($_SESSION["login"])){
<title>Cyberhex login page</title>
</head>
<body>
<script>
//js that handelsour passkey login
async function checkRegistration() {
try {
if (!window.fetch || !navigator.credentials || !navigator.credentials.create) {
throw new Error('Browser not supported.');
}
// get check args
let rep = await window.fetch('login_backend.php?fn=getGetArgs' + getGetParams(), {method:'GET',cache:'no-cache'});
const getArgs = await rep.json();
// error handling
if (getArgs.success === false) {
throw new Error(getArgs.msg);
}
// replace binary base64 data with ArrayBuffer. a other way to do this
// is the reviver function of JSON.parse()
recursiveBase64StrToArrayBuffer(getArgs);
// check credentials with hardware
const cred = await navigator.credentials.get(getArgs);
// create object for transmission to server
const authenticatorAttestationResponse = {
id: cred.rawId ? arrayBufferToBase64(cred.rawId) : null,
clientDataJSON: cred.response.clientDataJSON ? arrayBufferToBase64(cred.response.clientDataJSON) : null,
authenticatorData: cred.response.authenticatorData ? arrayBufferToBase64(cred.response.authenticatorData) : null,
signature: cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null,
userHandle: cred.response.userHandle ? arrayBufferToBase64(cred.response.userHandle) : null
};
// send to server
rep = await window.fetch('login_backend.php?fn=processGet' + getGetParams(), {
method:'POST',
body: JSON.stringify(authenticatorAttestationResponse),
cache:'no-cache'
});
const authenticatorAttestationServerResponse = await rep.json();
// check server response
if (authenticatorAttestationServerResponse.success) {
reloadServerPreview();
//window.alert(authenticatorAttestationServerResponse.msg || 'login success');
//auth success, send to index
window.location.href = "/system/secure_zone/php/index.php";
} else {
throw new Error(authenticatorAttestationServerResponse.msg);
}
} catch (err) {
reloadServerPreview();
if(err.message=="User does not exist"){
//we will display a warning here later on
alert("User does not exist!!! check line 71 of login.html to set warning");
}else{
window.alert(err.message || 'unknown error occured');
}
}
}
function queryFidoMetaDataService() {
window.fetch('login_backend.php?fn=queryFidoMetaDataService' + getGetParams(), {method:'GET',cache:'no-cache'}).then(function(response) {
return response.json();
}).then(function(json) {
if (json.success) {
window.alert(json.msg);
} else {
throw new Error(json.msg);
}
}).catch(function(err) {
window.alert(err.message || 'unknown error occured');
});
}
/**
* convert RFC 1342-like base64 strings to array buffer
* @param {mixed} obj
* @returns {undefined}
*/
function recursiveBase64StrToArrayBuffer(obj) {
let prefix = '=?BINARY?B?';
let suffix = '?=';
if (typeof obj === 'object') {
for (let key in obj) {
if (typeof obj[key] === 'string') {
let str = obj[key];
if (str.substring(0, prefix.length) === prefix && str.substring(str.length - suffix.length) === suffix) {
str = str.substring(prefix.length, str.length - suffix.length);
let binary_string = window.atob(str);
let len = binary_string.length;
let bytes = new Uint8Array(len);
for (let i = 0; i < len; i++) {
bytes[i] = binary_string.charCodeAt(i);
}
obj[key] = bytes.buffer;
}
} else {
recursiveBase64StrToArrayBuffer(obj[key]);
}
}
}
}
/**
* Convert a ArrayBuffer to Base64
* @param {ArrayBuffer} buffer
* @returns {String}
*/
function arrayBufferToBase64(buffer) {
let binary = '';
let bytes = new Uint8Array(buffer);
let len = bytes.byteLength;
for (let i = 0; i < len; i++) {
binary += String.fromCharCode( bytes[ i ] );
}
return window.btoa(binary);
}
function ascii_to_hex(str) {
let hex = '';
for (let i = 0; i < str.length; i++) {
let ascii = str.charCodeAt(i).toString(16);
hex += ('00' + ascii).slice(-2); // Ensure each hex value is 2 characters long
}
return hex;
}
/**
* Get URL parameter
* @returns {String}
*/
function getGetParams() {
let url = '';
url += '&apple=1';
url += '&yubico=1';
url += '&solo=1'
url += '&hypersecu=1';
url += '&google=1';
url += '&microsoft=1';
url += '&mds=1';
url += '&requireResidentKey=0';
url += '&type_usb=1';
url += '&type_nfc=1';
url += '&type_ble=1';
url += '&type_int=1';
url += '&type_hybrid=1';
url += '&fmt_android-key=1';
url += '&fmt_android-safetynet=1';
url += '&fmt_apple=1';
url += '&fmt_fido-u2f=1';
url += '&fmt_none=1';
url += '&fmt_packed=1';
url += '&fmt_tpm=1';
url += '&rpId=auth.jakach.com';
url += '&userId=' + encodeURIComponent(ascii_to_hex(document.getElementById('username').value));
url += '&userName=' + encodeURIComponent(document.getElementById('username').value);
url += '&userDisplayName=' + encodeURIComponent(document.getElementById('username').value);
url += '&userVerification=discouraged';
return url;
}
function reloadServerPreview() {
}
function setAttestation(attestation) {
let inputEls = document.getElementsByTagName('input');
for (const inputEl of inputEls) {
if (inputEl.id && inputEl.id.match(/^(fmt|cert)\_/)) {
inputEl.disabled = !attestation;
}
if (inputEl.id && inputEl.id.match(/^fmt\_/)) {
inputEl.checked = attestation ? inputEl.id !== 'fmt_none' : inputEl.id === 'fmt_none';
}
if (inputEl.id && inputEl.id.match(/^cert\_/)) {
inputEl.checked = attestation ? inputEl.id === 'cert_mds' : false;
}
}
}
/**
* force https on load
* @returns {undefined}
*/
window.onload = function() {
if (location.protocol !== 'https:' && location.host !== 'localhost') {
location.href = location.href.replace('http', 'https');
}
}
</script>
<div class="container mt-5">
<div class="row justify-content-center">
<div class="col-md-6">
@@ -32,11 +234,10 @@ if(isset($_SESSION["login"])){
<input type="password" class="form-control" id="password" name="password" required>
</div>
<br>
<button type="submit" class="btn btn-primary btn-block">Login</button>
<button type="submit" class="btn btn-primary btn-block">Login with password</button>
</form>
<br>
<p>Or</p>
<button type="button" class="btn btn-primary btn-block" onclick="checkRegistration()">&#10068; Login with a passkey</button>
<button type="button" class="btn btn-primary btn-block" onclick="checkRegistration()">Login with a passkey</button>
<!-- php code to verify password-->
<?php
// Check if the form is submitted

399
src/server/cyberhex-code/system/secure_zone/php/login_backend.php Normal file
View File

@@ -0,0 +1,399 @@
<?php
/*
require_once 'WebAuthn.php';
try {
session_start();
// read get argument and post body
$fn = filter_input(INPUT_GET, 'fn');
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
$userName = preg_replace('/[^0-9a-z]/i', '', $userName);
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
$post = trim(file_get_contents('php://input'));
if ($post) {
$post = json_decode($post, null, 512, JSON_THROW_ON_ERROR);
}
if ($fn !== 'getStoredDataHtml') {
// Formats
$formats = [];
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
$formats[] = 'android-key';
//}
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
$formats[] = 'android-safetynet';
//}
//if (filter_input(INPUT_GET, 'fmt_apple')) {
$formats[] = 'apple';
//}
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
$formats[] = 'fido-u2f';
//}
//if (filter_input(INPUT_GET, 'fmt_none')) {
$formats[] = 'none';
//}
//if (filter_input(INPUT_GET, 'fmt_packed')) {
$formats[] = 'packed';
//}
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
$formats[] = 'tpm';
//}
$rpId=$_SERVER['SERVER_NAME'];
$typeUsb = true;
$typeNfc = true;
$typeBle = true;
$typeInt = true;
$typeHyb = true;
// cross-platform: true, if type internal is not allowed
// false, if only internal is allowed
// null, if internal and cross-platform is allowed
$crossPlatformAttachment = null;
if (($typeUsb || $typeNfc || $typeBle || $typeHyb) && !$typeInt) {
$crossPlatformAttachment = true;
} else if (!$typeUsb && !$typeNfc && !$typeBle && !$typeHyb && $typeInt) {
$crossPlatformAttachment = false;
}
// new Instance of the server library.
// make sure that $rpId is the domain name.
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
// add root certificates to validate new registrations
//if (filter_input(INPUT_GET, 'solo')) {
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
//}
//if (filter_input(INPUT_GET, 'apple')) {
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
//}
//if (filter_input(INPUT_GET, 'yubico')) {
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
//}
//if (filter_input(INPUT_GET, 'hypersecu')) {
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
//}
//if (filter_input(INPUT_GET, 'google')) {
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
//}
//if (filter_input(INPUT_GET, 'microsoft')) {
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
//}
//if (filter_input(INPUT_GET, 'mds')) {
$WebAuthn->addRootCertificates('rootCertificates/mds');
//}
}
// ------------------------------------
// request for create arguments
// ------------------------------------
if ($fn === 'getCreateArgs') {
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
header('Content-Type: application/json');
print(json_encode($createArgs));
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
// ------------------------------------
// request for get arguments
// ------------------------------------
} else if ($fn === 'getGetArgs') {
$ids = [];
if ($requireResidentKey) {
if (!isset($_SESSION['registrations']) || !is_array($_SESSION['registrations']) || count($_SESSION['registrations']) === 0) {
throw new Exception('we do not have any registrations in session to check the registration');
}
} else {
// load registrations from session stored there by processCreate.
// normaly you have to load the credential Id's for a username
// from the database.
if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) {
foreach ($_SESSION['registrations'] as $reg) {
if ($reg->userId === $userId) {
$ids[] = $reg->credentialId;
}
}
}
if (count($ids) === 0) {
throw new Exception('no registrations in session for userId ' . $userId);
}
}
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
header('Content-Type: application/json');
print(json_encode($getArgs));
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
}else if ($fn === 'processGet') {
$clientDataJSON = base64_decode($post->clientDataJSON);
$authenticatorData = base64_decode($post->authenticatorData);
$signature = base64_decode($post->signature);
$userHandle = base64_decode($post->userHandle);
$id = base64_decode($post->id);
$challenge = $_SESSION['challenge'] ?? '';
$credentialPublicKey = null;
// looking up correspondending public key of the credential id
// you should also validate that only ids of the given user name
// are taken for the login.
if (isset($_SESSION['registrations']) && is_array($_SESSION['registrations'])) {
foreach ($_SESSION['registrations'] as $reg) {
if ($reg->credentialId === $id) {
$credentialPublicKey = $reg->credentialPublicKey;
break;
}
}
}
if ($credentialPublicKey === null) {
throw new Exception('Public Key for credential ID not found!');
}
// if we have resident key, we have to verify that the userHandle is the provided userId at registration
if ($requireResidentKey && $userHandle !== hex2bin($reg->userId)) {
throw new \Exception('userId doesnt match (is ' . bin2hex($userHandle) . ' but expect ' . $reg->userId . ')');
}
// process the get request. throws WebAuthnException if it fails
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $credentialPublicKey, $challenge, null, $userVerification === 'required');
//we have authenticated the user!
$return = new stdClass();
$return->success = true;
header('Content-Type: application/json');
print(json_encode($return));
}
} catch (Throwable $ex) {
$return = new stdClass();
$return->success = false;
$return->msg = $ex->getMessage();
header('Content-Type: application/json');
print(json_encode($return));
}
*/
?>
<?php
//with db:
require_once 'WebAuthn.php';
// Assuming you've already established a database connection here
include "../config.php";
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
if ($conn->connect_error) {
$success=0;
die("Connection failed: " . $conn->connect_error);
}
try {
session_start();
// read get argument and post body
$fn = filter_input(INPUT_GET, 'fn');
$requireResidentKey = !!filter_input(INPUT_GET, 'requireResidentKey');
$userVerification = filter_input(INPUT_GET, 'userVerification', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = filter_input(INPUT_GET, 'userId', FILTER_SANITIZE_SPECIAL_CHARS);
$userName = filter_input(INPUT_GET, 'userName', FILTER_SANITIZE_SPECIAL_CHARS);
$userDisplayName = filter_input(INPUT_GET, 'userDisplayName', FILTER_SANITIZE_SPECIAL_CHARS);
$userId = preg_replace('/[^0-9a-f]/i', '', $userId);
$userName = preg_replace('/[^0-9a-z]/i', '', $userName);
$userDisplayName = preg_replace('/[^0-9a-z öüäéèàÖÜÄÉÈÀÂÊÎÔÛâêîôû]/i', '', $userDisplayName);
$post = trim(file_get_contents('php://input'));
if ($post) {
$post = json_decode($post, null, 512, JSON_THROW_ON_ERROR);
}
if ($fn !== 'getStoredDataHtml') {
// Formats
$formats = [];
//if (filter_input(INPUT_GET, 'fmt_android-key')) {
$formats[] = 'android-key';
//}
///if (filter_input(INPUT_GET, 'fmt_android-safetynet')) {
$formats[] = 'android-safetynet';
//}
//if (filter_input(INPUT_GET, 'fmt_apple')) {
$formats[] = 'apple';
//}
//if (filter_input(INPUT_GET, 'fmt_fido-u2f')) {
$formats[] = 'fido-u2f';
//}
//if (filter_input(INPUT_GET, 'fmt_none')) {
$formats[] = 'none';
//}
//if (filter_input(INPUT_GET, 'fmt_packed')) {
$formats[] = 'packed';
//}
//if (filter_input(INPUT_GET, 'fmt_tpm')) {
$formats[] = 'tpm';
//}
$rpId=$_SERVER['SERVER_NAME'];
$typeUsb = true;
$typeNfc = true;
$typeBle = true;
$typeInt = true;
$typeHyb = true;
// cross-platform: true, if type internal is not allowed
// false, if only internal is allowed
// null, if internal and cross-platform is allowed
$crossPlatformAttachment = null;
if (($typeUsb || $typeNfc || $typeBle || $typeHyb) && !$typeInt) {
$crossPlatformAttachment = true;
} else if (!$typeUsb && !$typeNfc && !$typeBle && !$typeHyb && $typeInt) {
$crossPlatformAttachment = false;
}
// new Instance of the server library.
// make sure that $rpId is the domain name.
$WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $rpId, $formats);
// add root certificates to validate new registrations
//if (filter_input(INPUT_GET, 'solo')) {
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
//}
//if (filter_input(INPUT_GET, 'apple')) {
$WebAuthn->addRootCertificates('rootCertificates/apple.pem');
//}
//if (filter_input(INPUT_GET, 'yubico')) {
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
//}
//if (filter_input(INPUT_GET, 'hypersecu')) {
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
//}
//if (filter_input(INPUT_GET, 'google')) {
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
//}
//if (filter_input(INPUT_GET, 'microsoft')) {
$WebAuthn->addRootCertificates('rootCertificates/microsoftTpmCollection.pem');
//}
//if (filter_input(INPUT_GET, 'mds')) {
$WebAuthn->addRootCertificates('rootCertificates/mds');
//}
}
// Handle different functions
if ($fn === 'getCreateArgs') {
// Get create arguments
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification);
header('Content-Type: application/json');
print(json_encode($createArgs));
// Save challenge to session or somewhere else if needed
} else if ($fn === 'getGetArgs') {
$ids = [];
//get registrations form user table
//put credential id into session where userid = $userId
$stmt = $conn->prepare("SELECT credential_id FROM users WHERE user_hex_id = ?");
$stmt->bind_param("s", $userId);
$stmt->execute();
$registration = $stmt->get_result();
$row = $registration->fetch_assoc();
if ($registration->num_rows <= 0) {
throw new Exception('User does not exist');
}
$_SESSION["registrations"]["credentialId"]=$row["credential_id"];
$ids[]=$row["credential_id"];
$_SESSION["registrations"]["userId"]=$userId;
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
header('Content-Type: application/json');
print(json_encode($getArgs));
// save challange to session. you have to deliver it to processGet later.
$_SESSION['challenge'] = $WebAuthn->getChallenge();
}else if ($fn === 'processGet') {
// Process get
// Retrieve registration data from the database based on credential ID
$id = base64_decode($post->id);
$stmt = $conn->prepare("SELECT * FROM users WHERE credential_id = ?");
$stmt->bind_param("s", $_SESSION["registrations"]["credentialId"]);
$stmt->execute();
$registration = $stmt->get_result();
$row = $registration->fetch_assoc();
if (!$registration) {
throw new Exception('Public Key for credential ID not found!');
}
$clientDataJSON = base64_decode($post->clientDataJSON);
$authenticatorData = base64_decode($post->authenticatorData);
$signature = base64_decode($post->signature);
$userHandle = base64_decode($post->userHandle);
$challenge = $_SESSION['challenge'] ?? '';
$credentialPublicKey = $row['public_key'];
// Process the get request
$WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $credentialPublicKey, $challenge, null, $userVerification === 'required');
// Authentication success
//set sessionso user is authenticated
$_SESSION["username"]=$row["username"];
$_SESSION["login"]=true;
$_SESSION["perms"]=$row["perms"];
$_SESSION["email"]=$row["email"];
$_SESSION["telegram_id"]=$row["telegram_id"];
$return = new stdClass();
$return->success = true;
header('Content-Type: application/json');
print(json_encode($return));
}
} catch (Throwable $ex) {
$return = new stdClass();
$return->success = false;
$return->msg = $ex->getMessage();
header('Content-Type: application/json');
print(json_encode($return));
}
?>