Possibility to forbid U2F unregistration (#1148)
parent
30e5d25ed0
commit
05c77feebc
|
@ -250,6 +250,7 @@ sub defaultValues {
|
|||
'trustedProxies' => '',
|
||||
'twitterAuthnLevel' => 1,
|
||||
'u2fActivation' => 0,
|
||||
'u2fUserCanRemoveKey' => 1,
|
||||
'upgradeSession' => 1,
|
||||
'userControl' => '^[\\w\\.\\-@]+$',
|
||||
'userDB' => 'Same',
|
||||
|
|
|
@ -3266,6 +3266,10 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'u2fUserCanRemoveKey' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'upgradeSession' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
|
|
|
@ -1072,6 +1072,11 @@ sub attributes {
|
|||
documentation =>
|
||||
'Authentication level for users authentified by password+U2F'
|
||||
},
|
||||
u2fUserCanRemoveKey => {
|
||||
type => 'bool',
|
||||
default => 1,
|
||||
documentation => 'Authorize users to remove existing U2F key',
|
||||
},
|
||||
|
||||
# TOTP second factor
|
||||
totp2fActivation => {
|
||||
|
|
|
@ -653,10 +653,8 @@ sub tree {
|
|||
title => 'utotp2f',
|
||||
help => 'utotp2f.html',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'utotp2fActivation',
|
||||
'utotp2fAuthnLevel'
|
||||
]
|
||||
nodes =>
|
||||
[ 'utotp2fActivation', 'utotp2fAuthnLevel' ]
|
||||
},
|
||||
{
|
||||
title => 'u2f',
|
||||
|
@ -664,7 +662,7 @@ sub tree {
|
|||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'u2fActivation', 'u2fSelfRegistration',
|
||||
'u2fAuthnLevel'
|
||||
'u2fAuthnLevel', 'u2fUserCanRemoveKey',
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
@ -732,6 +732,7 @@
|
|||
"u2f":"U2F",
|
||||
"u2fActivation":"تفعيل",
|
||||
"u2fAuthnLevel":"U2F مستوى إثبات الهوية",
|
||||
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
|
||||
"u2fSelfRegistration":"التسجيل الذاتي",
|
||||
"u2fSessions":"U2F sessions explorer",
|
||||
"uid":"المعرف",
|
||||
|
|
|
@ -732,6 +732,7 @@
|
|||
"u2f":"U2F",
|
||||
"u2fActivation":"Activation",
|
||||
"u2fAuthnLevel":"U2F authentication level",
|
||||
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
|
||||
"u2fSelfRegistration":"Self registration",
|
||||
"u2fSessions":"U2F sessions explorer",
|
||||
"uid":"Identifier",
|
||||
|
|
|
@ -732,6 +732,7 @@
|
|||
"u2f":"U2F",
|
||||
"u2fActivation":"Activation",
|
||||
"u2fAuthnLevel":"Niveau d'authentification U2F",
|
||||
"u2fUserCanRemoveKey":"Authoriser les utilisateurs à effacer leur clef U2F",
|
||||
"u2fSelfRegistration":"Auto-enregistrement",
|
||||
"u2fSessions":"Explorateur de sessions U2F",
|
||||
"uid":"Identifiant",
|
||||
|
|
|
@ -732,6 +732,7 @@
|
|||
"u2f":"U2F",
|
||||
"u2fActivation":"Attivazione",
|
||||
"u2fAuthnLevel":"Livello di autenticazione U2F",
|
||||
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
|
||||
"u2fSelfRegistration":"Auto-registrazione",
|
||||
"u2fSessions":"U2F sessions explorer",
|
||||
"uid":"Identificatore",
|
||||
|
|
|
@ -732,6 +732,7 @@
|
|||
"u2f":"U2F",
|
||||
"u2fActivation":"Kích hoạt",
|
||||
"u2fAuthnLevel":"Mức xác thực U2F",
|
||||
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
|
||||
"u2fSelfRegistration":"Tự đăng ký ",
|
||||
"u2fSessions":"U2F sessions explorer",
|
||||
"uid":"Trình định danh",
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -70,27 +70,7 @@ sub run {
|
|||
return $self->p->sendError( $req, $err, 200 );
|
||||
}
|
||||
|
||||
if ( $action eq 'unregister' ) {
|
||||
my $challenge = $self->crypter->registrationChallenge;
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
|
||||
}
|
||||
if ( $action eq 'unregistration' ) {
|
||||
$self->p->updatePersistentSession(
|
||||
$req,
|
||||
{
|
||||
_u2fKeyHandle => '',
|
||||
_u2fUserKey => ''
|
||||
}
|
||||
);
|
||||
$self->userLogger->notice('U2F key unregistration succeed');
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ],
|
||||
['{"result":1}'] ];
|
||||
my $err = Crypt::U2F::Server::Simple::lastError();
|
||||
$self->userLogger->warn("U2F Unregistration failed: $err");
|
||||
return $self->p->sendError( $req, $err, 200 );
|
||||
}
|
||||
|
||||
if ( $action eq 'verify' ) {
|
||||
elsif ( $action eq 'verify' ) {
|
||||
my ( $err, $error ) = $self->loadUser($req);
|
||||
if ( $err == -1 ) {
|
||||
return $self->p->sendError( $req, "U2F error: $error", 200 );
|
||||
|
@ -101,7 +81,7 @@ sub run {
|
|||
my $challenge = $req->datas->{crypter}->authenticationChallenge;
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
|
||||
}
|
||||
if ( $action eq 'signature' ) {
|
||||
elsif ( $action eq 'signature' ) {
|
||||
my $resp;
|
||||
unless ( $resp = $req->param('signature') ) {
|
||||
return $self->p->sendError( $req, 'Missing signature parameter',
|
||||
|
@ -123,6 +103,32 @@ sub run {
|
|||
[qq'{"result":$res}']
|
||||
];
|
||||
}
|
||||
|
||||
# Check if unregistration is allowed
|
||||
unless ( $self->conf->{u2fUserCanRemoveKey} ) {
|
||||
return $self->p->sendError( $req, 'notAutorizated', 200 );
|
||||
}
|
||||
if ( $action eq 'unregister' ) {
|
||||
my $challenge = $self->crypter->registrationChallenge;
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
|
||||
}
|
||||
elsif ( $action eq 'unregistration' ) {
|
||||
$self->p->updatePersistentSession(
|
||||
$req,
|
||||
{
|
||||
_u2fKeyHandle => '',
|
||||
_u2fUserKey => ''
|
||||
}
|
||||
);
|
||||
$self->userLogger->notice('U2F key unregistration succeed');
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ],
|
||||
['{"result":1}'] ];
|
||||
my $err = Crypt::U2F::Server::Simple::lastError();
|
||||
$self->userLogger->warn("U2F Unregistration failed: $err");
|
||||
return $self->p->sendError( $req, $err, 200 );
|
||||
}
|
||||
$self->logger->error("Unknown action $action");
|
||||
return $self->p->sendError( $req, 'notAutorizated', 200 );
|
||||
}
|
||||
|
||||
sub loadUser {
|
||||
|
|
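Review bot: The guard added before `if ( $action eq 'unregister' )` also intercepts every unrecognized action, so when u2fUserCanRemoveKey is off the `Unknown action $action` error below it is never logged and any unknown request is indistinguishable from a forbidden key removal; scoping the check to the two removal actions keeps the diagnostics intact, e.g. `if ( $action =~ /\A unregist(?:er|ration) \z/x and !$self->conf->{u2fUserCanRemoveKey} ) { return $self->p->sendError( $req, 'notAutorizated', 200 ); }`. In the `unregistration` branch the three lines after `return [ 200, [ 'Content-Type' => 'application/json' ], ['{"result":1}'] ]` are unreachable, carried over from the old code; either drop them or, if updatePersistentSession reports failure through its return value (not visible here), send the error only when that call fails. The string 'notAutorizated' is now returned in two places; if it is meant as a message-table key, confirm the spelling matches the key actually defined. sub run starts before the first hunk and the enclosing if/elsif chain begins outside it.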