Commit fd6d70a8 authored by o's avatar o

support für relogin mit nur 2fa

parent b774a1a9
......@@ -69,13 +69,14 @@ module ApiBackend
end
end
def self.reissue_saml(user, token, saml_request)
def self.reissue_saml(user, token, saml_request, options = {})
if EmailValidation::immerda_email_conform(user)
return post(['auth', 'reissue_saml'],
{"email"=>user, "token" => token, 'saml_request' => saml_request})
{"email"=>user,
"token" => token,
'saml_request' => saml_request
}.merge(options))
end
rescue
nil
end
def self.logout_urls
......@@ -92,10 +93,9 @@ module ApiBackend
nil
end
def self.webauthn_challenge(email, password)
def self.webauthn_challenge(email)
post(['auth','webauthn_challenge'],{
'email' => email,
'password' => password,
})
end
......
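Review bot: The new `options` hash is merged on top of the fixed request body (L15–L18), so a caller that passes `'email'`, `'token'` or `'saml_request'` keys can overwrite the values reissue_saml was given; reversing the merge (`options.merge('email' => user, 'token' => token, 'saml_request' => saml_request)`) or declaring the two known keys as keyword parameters (`totp: nil, webauthn: nil`) keeps the body under the method's control. More importantly, the method-level `rescue` / `nil` at the end of reissue_saml (L20–L21) catches every StandardError, so if ApiBackend::ApiError derives from StandardError (its definition is not on this page) the `rescue ApiBackend::ApiError` that saml_login_controller.rb now wraps around this call never sees `missing_2fa` and the relogin second-factor prompt is unreachable; re-raising it ahead of the catch-all (`rescue ApiError` / `raise` before the bare `rescue`) fixes that. webauthn_challenge now sends only the email, so whatever authorization the backend applies to that endpoint no longer has the password to go on; the controller only calls it after a `missing_2fa` response, which is fine on this side, but the backend contract is worth confirming.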
......@@ -80,26 +80,30 @@ class LoginController < ApplicationController
rescue ApiBackend::ApiError => e
if e.api_msg == 'missing_2fa'
flash[:notice] = nil
session[:tfa_query] = true
has_webauthn = ApiBackend::webauthn_challenge(@input_user_id, @input_pw)
if has_webauthn['challenge']
@webauthn_challenge = true
@credential_request_options = {
challenge: has_webauthn['challenge'],
rpId: has_webauthn['rp_id'],
allowCredentials: has_webauthn['allow_credentials'],
}
else
@webauthn_challenge = false
end
return render '2fa'
return query_2fa(@input_user_id)
end
end
return login_failed
end
def query_2fa(user)
flash[:notice] = nil
session[:tfa_query] = true
has_webauthn = ApiBackend::webauthn_challenge(user)
if has_webauthn['challenge']
@webauthn_challenge = true
@credential_request_options = {
challenge: has_webauthn['challenge'],
rpId: has_webauthn['rp_id'],
allowCredentials: has_webauthn['allow_credentials'],
}
else
@webauthn_challenge = false
end
render '2fa'
end
def new
flash[:notice] = nil
new_login_session
......@@ -232,6 +236,23 @@ EOF
load_custom_params_new
end
def load_2fa_params
if params[:totp] =~ /^[0-9]{6}$/
@input_totp = params[:totp]
end
if params[:response].present? && params[:challenge].present?
response = JSON.parse(params[:response])
@input_webauthn = {
challenge: params[:challenge],
credential_id: jsb64_tob64(response.fetch("id")),
client_data_json: jsb64_tob64(response.fetch("clientDataJSON")),
authenticator_data: jsb64_tob64(response.fetch("authenticatorData")),
signature: jsb64_tob64(response.fetch("signature")),
}
end
end
def load_params
load_params_new
......@@ -253,20 +274,7 @@ EOF
# username is a honeypot field
@honeypot_trigger = params[:username].present?
if params[:totp] =~ /^[0-9]{6}$/
@input_totp = params[:totp]
end
if params[:response].present? && params[:challenge].present?
response = JSON.parse(params[:response])
@input_webauthn = {
challenge: params[:challenge],
credential_id: jsb64_tob64(response.fetch("id")),
client_data_json: jsb64_tob64(response.fetch("clientDataJSON")),
authenticator_data: jsb64_tob64(response.fetch("authenticatorData")),
signature: jsb64_tob64(response.fetch("signature")),
}
end
load_2fa_params
session[:pre_auth] ||= ApiBackend::pre_auth(@input_user_id)
......
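Review bot: `params[:totp] =~ /^[0-9]{6}$/` in load_2fa_params (L80) anchors per line, so a multi-line value such as `"x\n123456"` passes the check while `@input_totp` still receives the whole string; use `params[:totp]&.match?(/\A[0-9]{6}\z/)`, which also skips building a MatchData nobody reads. Both query_2fa and load_2fa_params appear to sit in the public part of the controller (no `private` marker is visible in either hunk), which in Rails makes them action methods; moving them below `private` still works for SamlLoginController, which calls them as a subclass. load_2fa_params also runs `JSON.parse` and `fetch` on the raw `params[:response]` with no rescue for `JSON::ParserError` or `KeyError`, so a malformed body surfaces as a server error rather than a rejected second factor. A one-line comment above query_2fa such as `# Render the second-factor prompt for +user+, pre-fetching the WebAuthn challenge when the account has one` would help readers, as would noting in load_2fa_params that `@input_totp` and `@input_webauthn` stay nil when the fields are absent.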
......@@ -44,14 +44,24 @@ class SamlLoginController < LoginController
load_custom_params_new
user = session[:login_user]
if res = ApiBackend::reissue_saml(user,
session[:login_token],
@saml_request)
reset_user_session
begin
load_2fa_params
if res = ApiBackend::reissue_saml(user,
session[:login_token],
@saml_request,
totp: @input_totp,
webauthn: @input_webauthn)
reset_user_session
save_login_token(res, user)
save_login_token(res, user)
return successful_login(res, nil)
return successful_login(res, nil)
end
rescue ApiBackend::ApiError => e
if e.api_msg == 'missing_2fa'
@relogin = true
return query_2fa(user)
end
end
end
......
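Review bot: `if res = ApiBackend::reissue_saml(...)` (L124) assigns inside the condition, which reads as a mistyped `==` and is flagged by RuboCop's Lint/AssignmentInCondition; assign on its own line (`res = ApiBackend::reissue_saml(user, session[:login_token], @saml_request, totp: @input_totp, webauthn: @input_webauthn)`) and then `return unless res`. On the relogin POST the body comes from the 2fa form, and neither this hunk nor the 2fa.html.erb hunk shows the SAMLRequest being re-sent, so unless load_custom_params_new recovers it from somewhere not on this page `@saml_request` is presumably nil when reissue_saml is retried with the second factor; stashing it in the session on the first attempt, or a hidden field in the form, would make that explicit. The enclosing action starts before the hunk and continues after it, so what happens when reissue_saml returns nil is not visible here.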
......@@ -2,14 +2,15 @@
<p>
<%= t(:submit_tfa_description) %><% if @webauthn_challenge -%> <%= t(:submit_webauthn_description) %><% end -%>
</p>
<div class="tfa-form">
<%= form_tag(request.path, method: 'post', target: '_self') do %>
<% if @webauthn_challenge -%>
<div>
<%= image_tag "webauthn.png" %>
</div>
<br />
<% end -%>
<table>
<div class="tfa-form">
<%= form_tag(@relogin ? '/login/saml_relogin' : request.path, method: 'post', target: '_self') do %>
<table>
<tr><td>
<%= label_tag(:totp, (t :totp)) %>
</td><td>
......
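Review bot: `form_tag(@relogin ? '/login/saml_relogin' : request.path, …)` (L157) hard-codes the relogin path as a string literal; naming the route in config/routes.rb (`post '/login/saml_relogin', to: 'saml_login#new', as: :saml_relogin`) and writing `saml_relogin_path` here keeps the view and the routes file from drifting apart. The removed webauthn image block (L149–L154) is unrelated to the relogin change and would be easier to review in its own commit.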
......@@ -2,6 +2,7 @@ Rails.application.routes.draw do
root to: 'main#show'
get '/login/saml', to: 'saml_login#new'
post '/login/saml_relogin', to: 'saml_login#new'
post '/login/saml_post', to: 'saml_login#new'
post '/login/saml', to: 'saml_login#login'
......