D3Public/webauthn
8
0
Fork 0
Code Pull Requests Packages Projects Releases Activity

can add new key and delete existing one in frontend

Browse Source
This commit is contained in:
Daniel Seifert 2022-10-26 21:37:02 +02:00
parent cdd2118aab
commit b588c36f72
Signed by: DanielS
GPG Key ID: 6A513E13AEE66170
4 changed files with 165 additions and 299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
src/Application/Controller/Admin/d3user_webauthn.php
View File

@ -27,7 +27,6 @@ use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
use OxidEsales\Eshop\Core\Exception\DatabaseErrorException; use OxidEsales\Eshop\Core\Exception\DatabaseErrorException;
use OxidEsales\Eshop\Core\Registry; use OxidEsales\Eshop\Core\Registry;
use OxidEsales\Eshop\Core\UtilsView;
class d3user_webauthn extends AdminDetailsController class d3user_webauthn extends AdminDetailsController
{ {
@ -147,62 +146,4 @@ class d3user_webauthn extends AdminDetailsController
$credential = oxNew(PublicKeyCredential::class); $credential = oxNew(PublicKeyCredential::class);
$credential->delete(Registry::getRequest()->getRequestEscapedParameter('deleteoxid')); $credential->delete(Registry::getRequest()->getRequestEscapedParameter('deleteoxid'));
} }
public function registerNewKey()
{
$this->getWebauthnObject()->registerNewKey(Registry::getRequest()->getRequestParameter('authn'));
}
/**
* @throws Exception
*/
public function save()
{
parent::save();
$aParams = Registry::getRequest()->getRequestEscapedParameter("editval");
try {
/** @var d3webauthn $oWebauthn */
$oWebauthn = $this->getWebauthnObject();
/*
if ($oWebauthn->checkIfAlreadyExist($this->getEditObjectId())) {
$oException = oxNew(StandardException::class, 'D3_TOTP_ALREADY_EXIST');
throw $oException;
};
if ($aParams['d3totp__oxid']) {
$oWebauthn->load($aParams['d3totp__oxid']);
} else {
$aParams['d3totp__usetotp'] = 1;
$seed = Registry::getRequest()->getRequestEscapedParameter("secret");
$otp = Registry::getRequest()->getRequestEscapedParameter("otp");
$oWebauthn->saveSecret($seed);
$oWebauthn->assign($aParams);
$oWebauthn->verify($otp, $seed);
$oWebauthn->setId();
}
$oWebauthn->save();
*/
} catch (Exception $oExcp) {
$this->_sSaveError = $oExcp->getMessage();
}
}
/**
* @throws DatabaseConnectionException
*/
public function delete()
{
$aParams = Registry::getRequest()->getRequestEscapedParameter("editval");
/** @var d3webauthn $oWebauthn */
$oWebauthn = $this->getWebauthnObject();
if ($aParams['d3totp__oxid']) {
$oWebauthn->load($aParams['d3totp__oxid']);
$oWebauthn->delete();
Registry::get(UtilsView::class)->addErrorToDisplay('D3_TOTP_REGISTERDELETED');
}
}
} }

75
src/Application/Controller/d3_account_webauthn.php
View File

@ -17,8 +17,8 @@ namespace D3\Webauthn\Application\Controller;
use D3\Webauthn\Application\Model\Credential\PublicKeyCredential; use D3\Webauthn\Application\Model\Credential\PublicKeyCredential;
use D3\Webauthn\Application\Model\Credential\PublicKeyCredentialList; use D3\Webauthn\Application\Model\Credential\PublicKeyCredentialList;
use D3\Webauthn\Application\Model\d3webauthn; use D3\Webauthn\Application\Model\Webauthn;
use D3\Webauthn\Application\Model\Webauthn\d3PublicKeyCredentialUserEntity; use D3\Webauthn\Application\Model\WebauthnErrors;
use OxidEsales\Eshop\Application\Controller\AccountController; use OxidEsales\Eshop\Application\Controller\AccountController;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
use OxidEsales\Eshop\Core\Exception\DatabaseErrorException; use OxidEsales\Eshop\Core\Exception\DatabaseErrorException;
@ -35,11 +35,6 @@ class d3_account_webauthn extends AccountController
*/ */
public function render() public function render()
{ {
if (Registry::getRequest()->getRequestEscapedParameter('error')) {
dumpvar(Registry::getRequest()->getRequestEscapedParameter('error'));
Registry::getUtilsView()->addErrorToDisplay('error occured');
}
$sRet = parent::render(); $sRet = parent::render();
// is logged in ? // is logged in ?
@ -50,56 +45,68 @@ dumpvar(Registry::getRequest()->getRequestEscapedParameter('error'));
$this->addTplParam('user', $this->getUser()); $this->addTplParam('user', $this->getUser());
// $this->setAuthnRegister();
return $sRet; return $sRet;
} }
/** /**
* @return publicKeyCredentialList|object * @return publicKeyCredentialList
* @throws DatabaseConnectionException
* @throws DatabaseErrorException
*/ */
public function getCredentialList() public function getCredentialList()
{ {
$credentialList = oxNew(PublicKeyCredentialList::class);
$oUser = $this->getUser(); $oUser = $this->getUser();
if ($oUser) { $credentialList = oxNew(PublicKeyCredentialList::class);
/** @var d3PublicKeyCredentialUserEntity $userEntity */ return $credentialList->getAllFromUser($oUser);
$userEntity = oxNew(d3PublicKeyCredentialUserEntity::class, $oUser);
$credentialList->loadAllForUserEntity($userEntity);
} }
return $credentialList; public function requestNewCredential()
{
$this->setPageType('requestnew');
$this->setAuthnRegister();
}
public function setPageType($pageType)
{
$this->addTplParam('pageType', $pageType);
} }
/**
* @throws DatabaseConnectionException
* @throws DatabaseErrorException
*/
public function setAuthnRegister() public function setAuthnRegister()
{ {
$webauthn = oxNew(d3webauthn::class); $authn = oxNew(Webauthn::class);
$publicKeyCredentialCreationOptions = $webauthn->setAuthnRegister('36944b76d6e583fe2.12734046'); $publicKeyCredentialCreationOptions = $authn->getCreationOptions($this->getUser());
$this->addTplParam( $this->addTplParam(
'webauthn_publickey_register', 'webauthn_publickey_create',
json_encode($publicKeyCredentialCreationOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) $publicKeyCredentialCreationOptions
);
$this->addTplParam('isAdmin', isAdmin());
$this->addTplParam('keyname', Registry::getRequest()->getRequestEscapedParameter('credenialname'));
}
public function saveAuthn()
{
if (strlen(Registry::getRequest()->getRequestEscapedParameter('error'))) {
$errors = oxNew(WebauthnErrors::class);
Registry::getUtilsView()->addErrorToDisplay(
$errors->translateError(Registry::getRequest()->getRequestEscapedParameter('error'))
); );
} }
public function registerNewKey() if (strlen(Registry::getRequest()->getRequestEscapedParameter('credential'))) {
{ /** @var Webauthn $webauthn */
$webauthn = oxNew(d3webauthn::class); $webauthn = oxNew(Webauthn::class);
$webauthn->registerNewKey(Registry::getRequest()->getRequestParameter('authn')); $webauthn->saveAuthn(
Registry::getRequest()->getRequestEscapedParameter('credential'),
Registry::getRequest()->getRequestEscapedParameter('keyname')
);
}
} }
public function deleteKey() public function deleteKey()
{ {
if (Registry::getRequest()->getRequestEscapedParameter('oxid')) { if (Registry::getRequest()->getRequestEscapedParameter('deleteoxid')) {
$credential = oxNew(publicKeyCredential::class); /** @var PublicKeyCredential $credential */
$credential->delete(Registry::getRequest()->getRequestEscapedParameter('oxid')); $credential = oxNew(PublicKeyCredential::class);
$credential->delete(Registry::getRequest()->getRequestEscapedParameter('deleteoxid'));
} }
} }
} }

21
src/Application/views/admin/tpl/d3user_webauthn.tpl
View File

@ -44,24 +44,26 @@
document.getElementById('myedit').submit(); document.getElementById('myedit').submit();
} }
} }
function toggle(elementId) {
document.getElementById(elementId).classList.toggle("hidden-delete");
}
[{/capture}] [{/capture}]
[{oxscript add=$smarty.capture.javascripts}] [{oxscript add=$smarty.capture.javascripts}]
[{if $oxid && $oxid != '-1'}] [{if $oxid && $oxid != '-1'}]
[{if $pageType === 'requestnew'}] [{if $pageType === 'requestnew'}]
<div class="container-fluid"> <div class="container-fluid">
<div class="row"> <div class="row justify-content-center">
<div class="col-6">
[{include file="js_create.tpl"}] [{include file="js_create.tpl"}]
<div> <div class="card">
<div class="card-body">
<p class="card-text">
Bitte die Anfrage Ihres Browsers bestätigen. Bitte die Anfrage Ihres Browsers bestätigen.
</p>
<button onclick="document.getElementById('webauthn').submit();">Abbrechen</button>
</div> </div>
<button onclick="document.getElementById('webauthn').submit();">Abbrechen</button> </div>
</div>
</div> </div>
</div> </div>
[{else}] [{else}]
@ -122,9 +124,10 @@
[{oxmultilang ident="D3_WEBAUTHN_REGISTEREDKEYS"}] [{oxmultilang ident="D3_WEBAUTHN_REGISTEREDKEYS"}]
</div> </div>
<div class="card-body"> <div class="card-body">
[{if $oView->getCredentialList($userid)}] [{assign var="list" value=$oView->getCredentialList($oxid)}]
[{if $list|@count}]
<ul class="list-group list-group-flush"> <ul class="list-group list-group-flush">
[{foreach from=$oView->getCredentialList($userid) item="credential"}] [{foreach from=$list item="credential"}]
<li class="list-group-item"> <li class="list-group-item">
[{$credential->getName()}] [{$credential->getName()}]
<a onclick="deleteItem('[{$credential->getId()}]'); return false;" href="#" class="btn btn-danger btn-sm"> <a onclick="deleteItem('[{$credential->getId()}]'); return false;" href="#" class="btn btn-danger btn-sm">

273
src/Application/views/tpl/d3_account_webauthn.tpl
View File

@ -1,84 +1,121 @@
[{capture append="oxidBlock_content"}] [{capture append="oxidBlock_content"}]
[{capture name="javascripts"}] [{capture name="javascripts"}]
function arrayToBase64String(a) {
return btoa(String.fromCharCode(...a));
}
function base64url2base64(input) {
input = input
.replace(/=/g, "")
.replace(/-/g, '+')
.replace(/_/g, '/');
const pad = input.length % 4;
if(pad) {
if(pad === 1) {
throw new Error('InvalidLengthError: Input base64url string is the wrong length to determine padding');
}
input += new Array(5-pad).join('=');
}
return input;
}
function authnregister() {
let publicKey = [{$webauthn_publickey_register}];
publicKey.challenge = Uint8Array.from(window.atob(base64url2base64(publicKey.challenge)), function(c){return c.charCodeAt(0);});
publicKey.user.id = Uint8Array.from(window.atob(publicKey.user.id), function(c){return c.charCodeAt(0);});
if (publicKey.excludeCredentials) {
publicKey.excludeCredentials = publicKey.excludeCredentials.map(function(data) {
data.id = Uint8Array.from(window.atob(base64url2base64(data.id)), function(c){return c.charCodeAt(0);});
return data;
});
}
navigator.credentials.create({ 'publicKey': publicKey }).then(function(data){
let publicKeyCredential = {
id: data.id,
type: data.type,
rawId: arrayToBase64String(new Uint8Array(data.rawId)),
response: {
clientDataJSON: arrayToBase64String(new Uint8Array(data.response.clientDataJSON)),
attestationObject: arrayToBase64String(new Uint8Array(data.response.attestationObject))
}
};
document.getElementById('fncname').value = 'registerNewKey';
document.getElementById('authnvalue').value = btoa(JSON.stringify(publicKeyCredential));
document.getElementById('actionform').submit();
}).catch(function(error){
document.getElementById('errorvalue').value = btoa(JSON.stringify(error));
document.getElementById('actionform').submit();
});
}
function deleteItem(id) { function deleteItem(id) {
if (confirm('wirklich loeschen?') === true) {
document.getElementById('fncname').value = 'deleteKey'; document.getElementById('fncname').value = 'deleteKey';
document.getElementById('oxidvalue').value = id; document.getElementById('oxidvalue').value = id;
document.getElementById('actionform').submit(); document.getElementById('actionform').submit();
} }
function toggle(elementId) {
$("#" + elementId).toggle();
} }
[{/capture}] [{/capture}]
[{oxscript add=$smarty.capture.javascripts}] [{oxscript add=$smarty.capture.javascripts}]
<h1 class="page-header">[{oxmultilang ident="D3_WEBAUTHN_ACCOUNT"}]</h1> <h1 class="page-header">[{oxmultilang ident="D3_WEBAUTHN_ACCOUNT"}]</h1>
<style>
.contentbox {
padding-bottom: 15px;
}
</style>
[{if $pageType === 'requestnew'}]
<div class="container-fluid">
<div class="row justify-content-center">
<div class="col-6">
[{include file="js_create.tpl"}]
<div class="card">
<div class="card-body">
<p class="card-text">
Bitte die Anfrage Ihres Browsers bestätigen.
</p>
<button onclick="document.getElementById('webauthn').submit();">Abbrechen</button>
</div>
</div>
</div>
</div>
</div>
[{else}]
<form action="[{$oViewConf->getSelfActionLink()}]" id="actionform" name="d3webauthnform" class="form-horizontal" method="post"> <form action="[{$oViewConf->getSelfActionLink()}]" id="actionform" name="d3webauthnform" class="form-horizontal" method="post">
<div class="hidden"> <div class="hidden">
[{$oViewConf->getHiddenSid()}] [{$oViewConf->getHiddenSid()}]
[{$oViewConf->getNavFormParams()}] [{$oViewConf->getNavFormParams()}]
<input type="hidden" id="fncname" name="fnc" value=""> <input type="hidden" id="fncname" name="fnc" value="">
<input type="hidden" name="cl" value="[{$oViewConf->getActiveClassName()}]"> <input type="hidden" name="cl" value="[{$oViewConf->getActiveClassName()}]">
<input type="hidden" id="oxidvalue" name="oxid" value="">
<input type="hidden" id="authnvalue" name="authn" value=""> <input type="hidden" id="authnvalue" name="authn" value="">
<input type="hidden" id="errorvalue" name="error" value=""> <input type="hidden" id="errorvalue" name="error" value="">
<input type="hidden" name="deleteoxid" id="oxidvalue" value="">
<button type="submit" style="display: none;"></button>
</div> </div>
</form> </form>
<div class="container-fluid">
<div class="row">
<div class="col-12 col-lg-6 contentbox">
<div class="card">
[{block name="user_d3user_totp_registernew"}]
<div class="card-header">
[{oxmultilang ident="D3_WEBAUTHN_ACC_REGISTERNEW"}]
</div>
<div class="card-body">
<form name="newcred" id="newcred" action="[{$oViewConf->getSelfLink()}]" method="post">
[{$oViewConf->getHiddenSid()}]
<input type="hidden" name="cl" value="[{$oView->getClassName()}]">
<input type="hidden" name="fnc" value="requestNewCredential">
<input type="hidden" name="oxid" value="[{$oxid}]">
[{block name="user_d3user_totp_registerform"}]
<label for="credentialname">Name des Schlüssels</label>
<p class="card-text">
<input id="credentialname" type="text" name="credenialname" [{$readonly}]>
</p>
<p class="card-text">
<button type="submit" [{$readonly}] class="btn btn-primary btn-success">
[{oxmultilang ident="D3_WEBAUTHN_ACC_ADDKEY"}]
</button>
</p>
[{/block}]
</form>
</div>
[{/block}]
</div>
</div>
<div class="col-12 col-lg-6 contentbox">
<div class="card">
[{block name="user_d3user_totp_form2"}]
<div class="card-header">
[{oxmultilang ident="D3_WEBAUTHN_ACC_REGISTEREDKEYS"}]
</div>
<div class="card-body">
[{assign var="list" value=$oView->getCredentialList()}]
[{if $list|@count}]
<ul class="list-group list-group-flush">
[{foreach from=$list item="credential"}]
<li class="list-group-item">
[{$credential->getName()}]
<a onclick="deleteItem('[{$credential->getId()}]'); return false;" href="#" class="btn btn-danger btn-sm">
<span class="glyphicon glyphicon-pencil"></span>
delete
</a>
</li>
[{/foreach}]
</ul>
[{else}]
<div class="card-text">
kein Schluessel registriert
</div>
[{/if}]
</div>
[{/block}]
</div>
</div>
</div>
</div>
[{/if}]
[{*
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading">settings</div> <div class="panel-heading">settings</div>
<div class="panel-body"> <div class="panel-body">
@ -124,130 +161,8 @@
</div> </div>
</div> </div>
</div> </div>
<div class="panel panel-default">
<div class="panel-heading">[{oxmultilang ident="D3_WEBAUTHN_ACC_REGISTERNEW"}]</div>
<div class="panel-body">
<button onclick="authnregister();">[{oxmultilang ident="D3_WEBAUTHN_ACC_ADDKEY"}]</button>
</div>
</div>
<div class="panel panel-default">
<div class="panel-heading">[{oxmultilang ident="D3_WEBAUTHN_ACC_REGISTEREDKEYS"}]</div>
<div class="panel-body">
<div class="list-group">
[{foreach from=$oView->getCredentialList() item="credential"}]
<a href="#" onclick="toggle('keydetails_[{$credential->getId()}]'); return false;" class="list-group-item">
[{$credential->d3GetName()}] (last used: XX)
</a>
<div class="list-group-item" id="keydetails_[{$credential->getId()}]" style="display: none">
<a onclick="deleteItem('[{$credential->getId()}]'); return false;"><span class="glyphicon glyphicon-pencil">delete</span></a>
</div>
[{/foreach}]
</div>
</div>
</div>
[{if 1 == 0 && false == $totp->getId()}]
<div class="registerNew [{* flow *}] panel panel-default [{* wave *}] card">
<div class="[{* flow *}] panel-heading [{* wave *}] card-header">
[{oxmultilang ident="D3_TOTP_REGISTERNEW"}]
</div>
<div class="[{* flow *}] panel-body [{* wave *}] card-body">
<dl>
<dt>
[{oxmultilang ident="D3_TOTP_QRCODE"}]&nbsp;
</dt>
<dd>
[{$totp->getQrCodeElement()}]
</dd>
</dl>
<p>
[{oxmultilang ident="D3_TOTP_QRCODE_HELP"}]
</p>
<hr>
<dl>
<dt>
<label for="secret">[{oxmultilang ident="D3_TOTP_SECRET"}]</label>
</dt>
<dd>
<textarea rows="3" cols="50" id="secret" name="secret" class="editinput" readonly="readonly">[{$totp->getSecret()}]</textarea>
</dd>
</dl>
<p>
[{oxmultilang ident="D3_TOTP_SECRET_HELP"}]
</p>
<hr>
<dl>
<dt>
<label for="otp">[{oxmultilang ident="D3_TOTP_CURROTP"}]</label>
</dt>
<dd>
<input type="text" class="editinput" size="6" maxlength="6" id="otp" name="otp" value="" [{$readonly}]>
</dd>
</dl>
<p>
[{oxmultilang ident="D3_TOTP_CURROTP_HELP"}]
</p>
</div>
</div>
[{/if}]
[{if 1 == 0 && $totp->getId()}]
[{block name="d3_account_totp_deletenotes"}]
<div class="[{* flow *}] panel panel-default [{* wave *}] card">
<div class="[{* flow *}] panel-heading [{* wave *}] card-header">
[{oxmultilang ident="D3_TOTP_REGISTEREXIST"}]
</div>
<div class="[{* flow *}] panel-body [{* wave *}] card-body">
[{oxmultilang ident="D3_TOTP_REGISTERDELETE_DESC"}]
</div>
</div>
[{/block}]
[{block name="d3_account_totp_backupcodes"}]
<div class="[{* flow *}] panel panel-default [{* wave *}] card">
<div class="[{* flow *}] panel-heading [{* wave *}] card-header">
[{oxmultilang ident="D3_TOTP_BACKUPCODES"}]
</div>
<div class="[{* flow *}] panel-body [{* wave *}] card-body">
[{if $oView->getBackupCodes()}]
[{block name="d3_account_totp_backupcodes_list"}]
<label for="backupcodes">[{oxmultilang ident="D3_TOTP_BACKUPCODES_DESC"}]</label>
<textarea id="backupcodes" rows="10" cols="20">[{$oView->getBackupCodes()}]</textarea>
[{/block}]
[{else}]
[{block name="d3_account_totp_backupcodes_info"}]
[{oxmultilang ident="D3_TOTP_AVAILBACKUPCODECOUNT" args=$oView->getAvailableBackupCodeCount()}]<br>
[{oxmultilang ident="D3_TOTP_AVAILBACKUPCODECOUNT_DESC"}]
[{/block}]
[{/if}]
</div>
</div>
[{/block}]
[{/if}]
[{*
<p class="submitBtn">
<button type="submit" class="btn btn-primary"
[{if $totp->getId()}]
onclick="
if(false === document.getElementById('totp_use').checked && false === confirm('[{oxmultilang ident="D3_TOTP_REGISTERDELETE_CONFIRM"}]')) {return false;}
document.getElementById('fncname').value = 'delete';
"
[{else}]
onclick="document.getElementById('fncname').value = 'create';"
[{/if}]
>
[{oxmultilang ident="D3_TOTP_ACCOUNT_SAVE"}]
</button>
</p>
</form>
[{/block}]
*}] *}]
[{/capture}] [{/capture}]
[{capture append="oxidBlock_sidebar"}] [{capture append="oxidBlock_sidebar"}]