
[WebAuthn] show user deprecated warning

FreddleSpl0it 3 years ago
parent
commit
a849d03a00

+ 3 - 72
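--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1698,80 +1698,11 @@ function verify_tfa_login($username, $_data, $WebAuthn) {
         break;
         // u2f - deprecated, should be removed
         case "u2f":
-            $tokenData = json_decode($_data['token']);
-            $clientDataJSON = base64_decode($tokenData->clientDataJSON);
-            $authenticatorData = base64_decode($tokenData->authenticatorData);
-            $signature = base64_decode($tokenData->signature);
-            $id = base64_decode($tokenData->id);
-            $challenge = $_SESSION['challenge'];
-
-            $stmt = $pdo->prepare("SELECT `key_id`, `keyHandle`, `username`, `publicKey` FROM `tfa` WHERE `keyHandle` = :tokenId");
-            $stmt->execute(array(':tokenId' => $tokenData->id));
-            $process_webauthn = $stmt->fetch(PDO::FETCH_ASSOC);
-
-            if (empty($process_webauthn) || empty($process_webauthn['publicKey']) || empty($process_webauthn['username'])) return false;
-            
-            if ($process_webauthn['publicKey'] === false) {
-                $_SESSION['return'][] =  array(
-                    'type' => 'danger',
-                    'log' => array(__FUNCTION__, $username, '*'),
-                    'msg' => array('webauthn_verification_failed', 'publicKey not found')
-                );
-                return false;
-            }
-            try {
-                $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_webauthn['publicKey'], $challenge, null, $GLOBALS['WEBAUTHN_UV_FLAG_LOGIN'], $GLOBALS['WEBAUTHN_USER_PRESENT_FLAG']);
-            }
-            catch (Throwable $ex) {
-                $_SESSION['return'][] =  array(
-                    'type' => 'danger',
-                    'log' => array(__FUNCTION__, $username, '*'),
-                    'msg' => array('webauthn_verification_failed', $ex->getMessage())
-                );
-                return false;
-            }
-
-            
-            $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
-            $stmt->execute(array(':username' => $process_webauthn['username']));
-            $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
-            if ($obj_props['superadmin'] === 1) {
-                $_SESSION["mailcow_cc_role"] = "admin";
-            }
-            elseif ($obj_props['superadmin'] === 0) {
-                $_SESSION["mailcow_cc_role"] = "domainadmin";
-            }
-            else {
-                $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
-                $stmt->execute(array(':username' => $process_webauthn['username']));
-                $row = $stmt->fetch(PDO::FETCH_ASSOC);
-                if ($row['username'] == $process_webauthn['username']) {
-                $_SESSION["mailcow_cc_role"] = "user";
-                }
-            }
-
-        
-            if ($process_webauthn['username'] != $_SESSION['pending_mailcow_cc_username']){
-                $_SESSION['return'][] =  array(
-                    'type' => 'danger',
-                    'log' => array(__FUNCTION__, $username, '*'),
-                    'msg' => array('webauthn_verification_failed', 'user who requests does not match with sql entry')
-                );
-                return false;
-            }
+            // delete old keys that used u2f
+            $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `authmech` = :authmech AND `username` = :username");
+            $stmt->execute(array(':authmech' => 'u2f', ':username' => $username));
 
-
-            $_SESSION["mailcow_cc_username"] = $process_webauthn['username'];
-            $_SESSION['tfa_id'] = $process_webauthn['key_id'];
-            $_SESSION['authReq'] = null;
-            unset($_SESSION["challenge"]);
-            $_SESSION['return'][] =  array(
-                'type' => 'success',
-                'log' => array("webauthn_login"),
-                'msg' => array('logged_in_as', $process_webauthn['username'])
-            );
             return true;
-        break;
         case "webauthn":
             $tokenData = json_decode($_data['token']);
             $clientDataJSON = base64_decode($tokenData->clientDataJSON);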
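Review bot: The new `case "u2f":` branch returns true without checking that the account actually had a pending u2f factor: if the switch dispatches on the client-supplied `tfa_method` (the switch header and the rest of verify_tfa_login are outside the hunk), a request carrying `tfa_method=u2f` from an account whose second factor is totp or webauthn deletes nothing and still counts as a verified login. Gate the success on the DELETE having removed a row, `if ($stmt->rowCount() === 0) return false;` right after the execute() call, or compare against the pending method kept in the session. The branch also drops the `$_SESSION['return']` log entry the removed code wrote on every outcome; deactivating a second factor is exactly the event an operator wants in the log, so add one such as `$_SESSION['return'][] = array('type' => 'warning', 'log' => array(__FUNCTION__, $username, '*'), 'msg' => array('u2f_key_removed'));` (constructed lang key, pick the project's own). The hidden `token=destroy` value the footer form posts is never read here, so either validate it or drop the field.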

+ 4 - 1
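--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "31102021_0620";
+    $db_version = "31102021_0621";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -1189,6 +1189,9 @@ function init_db_schema() {
     
     // Mitigate imapsync pipemess issue
     $pdo->query("UPDATE `imapsync` SET `custom_params` = '' WHERE `custom_params` LIKE '%pipemess%';");
+    
+    // Migrate webauthn tfa
+    $stmt = $pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");
 
     // Inject admin if not exists
     $stmt = $pdo->query("SELECT NULL FROM `admin`"); 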
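Review bot: The result of the new ALTER TABLE on the last added line of the second hunk is assigned to `$stmt` but never read, while the UPDATE two lines above discards its result; drop the assignment for consistency, `$pdo->query("ALTER TABLE `tfa` MODIFY COLUMN `authmech` ENUM('yubi_otp', 'u2f', 'hotp', 'totp', 'webauthn')");`. The comment `// Migrate webauthn tfa` undersells the statement: it widens the `authmech` ENUM to accept 'webauthn' while deliberately keeping 'u2f' so existing rows stay valid, which is worth stating, e.g. `// Add 'webauthn' to tfa.authmech; 'u2f' stays so existing rows remain readable until the login flow removes them`. Whether this ALTER is gated by the `$db_version` bump or re-runs on every schema init is not visible in the hunk; init_db_schema continues outside it.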

+ 7 - 15
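--- a/data/web/templates/modals/footer.twig
+++ b/data/web/templates/modals/footer.twig
@@ -188,23 +188,15 @@
           <input type="hidden" name="verify_tfa_login"/><br/>
         </form>
         {% endif %}
-        {# leave this here to support older keys that used u2f for registration #}
+        {# leave this here to inform users that u2f is deprecated #}
         {% if pending_tfa_method == 'u2f' %}
-        <form role="form" method="post" id="webauthn_auth_form">
-          <center>
-            <div style="cursor:pointer" id="start_webauthn_confirmation">
-              <svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 24 24">
-                <path d="M17.81 4.47c-.08 0-.16-.02-.23-.06C15.66 3.42 14 3 12.01 3c-1.98 0-3.86.47-5.57 1.41-.24.13-.54.04-.68-.2-.13-.24-.04-.55.2-.68C7.82 2.52 9.86 2 12.01 2c2.13 0 3.99.47 6.03 1.52.25.13.34.43.21.67-.09.18-.26.28-.44.28zM3.5 9.72c-.1 0-.2-.03-.29-.09-.23-.16-.28-.47-.12-.7.99-1.4 2.25-2.5 3.75-3.27C9.98 4.04 14 4.03 17.15 5.65c1.5.77 2.76 1.86 3.75 3.25.16.22.11.54-.12.7-.23.16-.54.11-.7-.12-.9-1.26-2.04-2.25-3.39-2.94-2.87-1.47-6.54-1.47-9.4.01-1.36.7-2.5 1.7-3.4 2.96-.08.14-.23.21-.39.21zm6.25 12.07c-.13 0-.26-.05-.35-.15-.87-.87-1.34-1.43-2.01-2.64-.69-1.23-1.05-2.73-1.05-4.34 0-2.97 2.54-5.39 5.66-5.39s5.66 2.42 5.66 5.39c0 .28-.22.5-.5.5s-.5-.22-.5-.5c0-2.42-2.09-4.39-4.66-4.39-2.57 0-4.66 1.97-4.66 4.39 0 1.44.32 2.77.93 3.85.64 1.15 1.08 1.64 1.85 2.42.19.2.19.51 0 .71-.11.1-.24.15-.37.15zm7.17-1.85c-1.19 0-2.24-.3-3.1-.89-1.49-1.01-2.38-2.65-2.38-4.39 0-.28.22-.5.5-.5s.5.22.5.5c0 1.41.72 2.74 1.94 3.56.71.48 1.54.71 2.54.71.24 0 .64-.03 1.04-.1.27-.05.53.13.58.41.05.27-.13.53-.41.58-.57.11-1.07.12-1.21.12zM14.91 22c-.04 0-.09-.01-.13-.02-1.59-.44-2.63-1.03-3.72-2.1-1.4-1.39-2.17-3.24-2.17-5.22 0-1.62 1.38-2.94 3.08-2.94 1.7 0 3.08 1.32 3.08 2.94 0 1.07.93 1.94 2.08 1.94s2.08-.87 2.08-1.94c0-3.77-3.25-6.83-7.25-6.83-2.84 0-5.44 1.58-6.61 4.03-.39.81-.59 1.76-.59 2.8 0 .78.07 2.01.67 3.61.1.26-.03.55-.29.64-.26.1-.55-.04-.64-.29-.49-1.31-.73-2.61-.73-3.96 0-1.2.23-2.29.68-3.24 1.33-2.79 4.28-4.6 7.51-4.6 4.55 0 8.25 3.51 8.25 7.83 0 1.62-1.38 2.94-3.08 2.94s-3.08-1.32-3.08-2.94c0-1.07-.93-1.94-2.08-1.94s-2.08.87-2.08 1.94c0 1.71.66 3.31 1.87 4.51.95.94 1.86 1.46 3.27 1.85.27.07.42.35.35.61-.05.23-.26.38-.47.38z"></path>
-              </svg>
-              <p>{{ lang.tfa.start_webauthn_validation }}</p>
-              <hr>
-            </div>
-          </center>
-          <p id="webauthn_status_auth"></p>
-          <div class="alert alert-danger" style="display:none" id="webauthn_return_code"></div>
-          <input type="hidden" name="token" id="webauthn_auth_data"/>
-          <input type="hidden" name="tfa_method" value="webauthn">
+        <form role="form" method="post" id="u2f_auth_form">
+          <p>It seems that your Key was registered using the deprecated U2F method. We will deactivate Two-Factor-Authenticaiton for you and delete your Key.</p>
+          <p><b>Please register your Key in the admin panel with the new WebAuthn method.</b></p>
+          <input type="hidden" name="token" value="destroy" />
+          <input type="hidden" name="tfa_method" value="u2f">
           <input type="hidden" name="verify_tfa_login"/><br/>
+          <button type="submit" class="btn btn-xs-lg btn-success" value="Login">{{ lang.login.login }}</button>
         </form>
         {% endif %}
       </div>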
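Review bot: The two user-visible sentences added right after the `id="u2f_auth_form"` line are hard-coded English, and one carries a typo ("Two-Factor-Authenticaiton"), while the rest of the template goes through `lang.*` keys (`lang.tfa.start_webauthn_validation` on the removed side, `lang.login.login` on the new button); move them to lang keys and fix the spelling. The submit button reuses `lang.login.login` for an action whose effect, as the text above it says, is to delete the user's key and switch off their second factor; a label naming that effect (for example a lang key reading "Remove key and log in") would avoid a one-click surprise and makes the consent explicit. The template comment on the first changed line could also say that the form's submission is what triggers the deletion server-side, e.g. `{# u2f is deprecated: submitting this form removes the user's u2f key and logs them in without TFA #}`.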