2024-08-29 11:44:06 +02:00 · 2024-08-27 13:41:02 +02:00
5 changed files with 34 additions and 20 deletions
--- a/bid_main/templates/bid_main/mfa/u2f.html
+++ b/bid_main/templates/bid_main/mfa/u2f.html
@ -12,10 +12,16 @@ Multi-factor Authentication Setup
    <div class="col-md-6">
      {% with form=form|add_form_classes %}
      <form method="post" id="u2f-register-form">{% csrf_token %}
+        {% with field=form.credential %}
+          {% include "components/forms/field.html" %}
+        {% endwith %}
        {% with field=form.name %}
          {% include "components/forms/field.html" %}
        {% endwith %}
-        {% with field=form.credential %}
+        {% with field=form.signature %}
+          {% include "components/forms/field.html" %}
+        {% endwith %}
+        {% with field=form.state %}
          {% include "components/forms/field.html" %}
        {% endwith %}
        <button type="submit" class="btn">Add security key</button>
--- a/bid_main/views/mfa.py
+++ b/bid_main/views/mfa.py
@ -135,24 +135,19 @@ class U2fView(mixins.MfaRequiredIfConfiguredMixin, FormView):
    template_name = "bid_main/mfa/u2f.html"

    def get_form_kwargs(self):
-        kwargs = super().get_form_kwargs()
+        credentials = [
+            AttestedCredentialData(d.credential)
+            for d in U2fDevice.objects.filter(user=self.request.user).all()
+        ]
        rp_id = self.request.get_host().split(':')[0]  # remove port, required by webauthn
+        credential_creation_options, state = register_begin(
+            rp_id, self.request.user, credentials,
+        )
+        kwargs = super().get_form_kwargs()
+        kwargs['credential_creation_options'] = json.dumps(dict(credential_creation_options))
        kwargs['rp_id'] = rp_id
+        kwargs['state'] = dict(state)
        kwargs['user'] = self.request.user
-
-        if self.request.method == 'GET':
-            credentials = [
-                AttestedCredentialData(d.credential)
-                for d in U2fDevice.objects.filter(user=self.request.user).all()
-            ]
-            credential_creation_options, state = register_begin(
-                rp_id, self.request.user, credentials,
-            )
-            self.request.session['u2f_register_state'] = dict(state)
-            kwargs['credential_creation_options'] = json.dumps(dict(credential_creation_options))
-        if self.request.method == 'POST':
-            kwargs['state'] = self.request.session.pop('u2f_register_state', None)
-
        return kwargs

    @transaction.atomic
--- a/bid_main/views/normal_pages.py
+++ b/bid_main/views/normal_pages.py
@ -111,8 +111,8 @@ class LoginView(mixins.RedirectToPrivacyAgreeMixin, mixins.PageIdMixin, otp_agen
        if self.request.user.is_authenticated:
            devices = self.request.user.mfa_devices_per_category().get('u2f', None)
            if devices and not self._use_recovery() and not self._use_totp():
-                rp_id = self.request.get_host().split(':')[0]  # remove port, required by webauthn
                credentials = [AttestedCredentialData(d.credential) for d in devices]
+                rp_id = self.request.get_host().split(':')[0]  # remove port, required by webauthn
                request_options, state = authenticate_begin(rp_id, credentials)
                kwargs = self.get_form_kwargs()
                kwargs['credentials'] = credentials
--- a/mfa/fido2.py
+++ b/mfa/fido2.py
@ -21,7 +21,7 @@ def get_fido2server(rp_id):
    )


-def register_begin(rp_id, user, credentials=[]):
+def register_begin(rp_id, user, credentials):
    return get_fido2server(rp_id).register_begin(
        PublicKeyCredentialUserEntity(
            display_name=user.email,
--- a/mfa/forms.py
+++ b/mfa/forms.py
@ -198,21 +198,34 @@ class U2fMfaForm(forms.Form):
            attrs={"placeholder": "device name (for your convenience)"},
        ),
    )
+    signature = forms.CharField(widget=forms.HiddenInput)
+    state = forms.JSONField(widget=forms.HiddenInput)

    def __init__(self, *args, **kwargs):
        credential_creation_options = kwargs.pop('credential_creation_options', None)
        self.rp_id = kwargs.pop('rp_id', None)
-        self.state = kwargs.pop('state', None)
+        state = kwargs.pop('state', None)
        self.user = kwargs.pop('user', None)
+        kwargs['initial']['signature'] = _sign(f"{self.user.email}_{state['challenge']}")
+        kwargs['initial']['state'] = state
        super().__init__(*args, **kwargs)
        self.fields['credential'].widget.attrs['creation-options'] = credential_creation_options

+    def clean(self):
+        super().clean()
+        signature = self.cleaned_data.get('signature')
+        state = self.cleaned_data.get('state')
+        if not _verify_signature(f"{self.user.email}_{state['challenge']}", signature):
+            raise forms.ValidationError(_('Invalid signature'))
+        return self.cleaned_data
+
    def save(self):
        credential = self.cleaned_data.get('credential')
        name = self.cleaned_data.get('name')
+        state = self.cleaned_data.get('state')
        auth_data = None
        try:
-            auth_data = register_complete(self.rp_id, self.state, credential)
+            auth_data = register_complete(self.rp_id, state, credential)
        except Exception:
            raise forms.ValidationError(_('Verification failed'))
        U2fDevice.objects.create(