From 4c0781b5a0d88b621d7e9909b36c343474080d5c Mon Sep 17 00:00:00 2001
From: Daniel Seifert
Date: Wed, 26 Oct 2022 10:15:49 +0200
Subject: [PATCH] disable create credential on insecure connections

---
 .../Controller/Admin/d3user_webauthn.php | 2 ++
 src/Application/Model/Webauthn.php | 15 +++++++++++++++
 .../views/admin/tpl/d3user_webauthn.tpl | 4 ++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/Application/Controller/Admin/d3user_webauthn.php b/src/Application/Controller/Admin/d3user_webauthn.php
index 269f14f..527cec4 100755
--- a/src/Application/Controller/Admin/d3user_webauthn.php
+++ b/src/Application/Controller/Admin/d3user_webauthn.php
@@ -42,6 +42,8 @@ class d3user_webauthn extends AdminDetailsController
 */
 public function render()
 {
+ $this->addTplParam('readonly', (bool) !(oxNew(Webauthn::class)->isAvailable()));
+
 parent::render();
 
 $soxId = $this->getEditObjectId();
diff --git a/src/Application/Model/Webauthn.php b/src/Application/Model/Webauthn.php
index 44a3d2f..7028313 100644
--- a/src/Application/Model/Webauthn.php
+++ b/src/Application/Model/Webauthn.php
@@ -22,6 +22,21 @@ class Webauthn
 public const SESSION_CREATIONS_OPTIONS = 'd3WebAuthnCreationOptions';
 public const SESSION_ASSERTION_OPTIONS = 'd3WebAuthnAssertionOptions';
 
+ public function isAvailable()
+ {
+ if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
+ return true;
+ }
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ||
+ !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on'
+ ) {
+ return true;
+ }
+
+ Registry::getUtilsView()->addErrorToDisplay('WebAuthn is available on secure connections only.');
+ return false;
+ }
+
 /**
 * @return false|string
 */
diff --git a/src/Application/views/admin/tpl/d3user_webauthn.tpl b/src/Application/views/admin/tpl/d3user_webauthn.tpl
index 8a4445c..76110c8 100755
--- a/src/Application/views/admin/tpl/d3user_webauthn.tpl
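Review bot: The `readonly` template parameter added in render() only disables the form control; unless the action that actually registers the credential performs the same `isAvailable()` check (that handler is not part of this diff), a creation request submitted over a plain-HTTP connection is still processed, so the server-side action should refuse it and surface the same error. The `!` operator already yields a bool, so the `(bool)` cast is redundant: `$this->addTplParam('readonly', !oxNew(Webauthn::class)->isAvailable());`. Because `isAvailable()` itself pushes an error message to the view, calling it here means the message appears on every render of this page, which may be intended but is worth a one-line comment such as `// isAvailable() also queues the "secure connections only" notice for the template`. render() continues past the end of the hunk.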
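Review bot: `isAvailable()` trusts `HTTP_X_FORWARDED_PROTO` and `HTTP_X_FORWARDED_SSL` unconditionally, but both are ordinary request headers any client can set, so a plain-HTTP request carrying them is reported as secure and the restriction this commit introduces no longer holds. Honour the forwarded headers only when `REMOTE_ADDR` is a configured trusted reverse proxy (or when the deployment guarantees the proxy overwrites them), and use `===` for the `HTTP_X_FORWARDED_SSL` comparison, which currently relies on loose `==`. The mixed `&&`/`||` condition works only through operator precedence; parenthesising each alternative, `if ((… === 'https') || (… === 'on'))`, makes the intent explicit. Queuing `addErrorToDisplay()` inside a predicate gives every caller a side effect; a pure `public function isAvailable(): bool` with the error added by the controller is easier to reuse and to test, and the method is also missing a return type and a docblock stating that it reports whether the current request arrived over TLS.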
+++ b/src/Application/views/admin/tpl/d3user_webauthn.tpl @@ -93,12 +93,12 @@ - + - + [{/block}]