separate session var names between frontend and backend

This commit is contained in:
Daniel Seifert 2022-11-23 08:46:25 +01:00
parent f74d6985fb
commit e866141a34
Signed by: DanielS
GPG Key ID: 8A7C4C6ED1915C6F
7 changed files with 50 additions and 28 deletions

View File

@ -59,8 +59,8 @@ class d3webauthnadminlogin extends AdminController
*/
public function render(): string
{
if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) ||
!$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)
if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) ||
!$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER)
) {
$this->getUtils()->redirect('index.php?cl=admin_start');
if (!defined('OXID_PHP_UNIT')) {
@ -86,12 +86,12 @@ class d3webauthnadminlogin extends AdminController
*/
public function generateCredentialRequest(): void
{
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
try {
/** @var Webauthn $webauthn */
$webauthn = $this->d3GetWebauthnObject();
$publicKeyCredentialRequestOptions = $webauthn->getRequestOptions($userId);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions);
$this->addTplParam('webauthn_publickey_login', $publicKeyCredentialRequestOptions);
$this->addTplParam('isAdmin', isAdmin());
} catch (WebauthnException $e) {
@ -110,7 +110,7 @@ class d3webauthnadminlogin extends AdminController
{
/** @var d3_User_Webauthn $user */
$user = $this->d3GetUserObject();
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
try {
$error = Registry::getRequest()->getRequestEscapedParameter('error');
@ -125,7 +125,7 @@ class d3webauthnadminlogin extends AdminController
$webAuthn = $this->d3GetWebauthnObject();
$webAuthn->assertAuthn($credential);
$user->load($userId);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, true);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH, true);
/** @var d3_webauthn_UserComponent $userCmp */
$loginController = oxNew(LoginController::class);
@ -154,7 +154,7 @@ class d3webauthnadminlogin extends AdminController
*/
public function getPreviousClass(): ?string
{
return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
}
/**
@ -162,7 +162,7 @@ class d3webauthnadminlogin extends AdminController
*/
public function previousClassIsOrderStep(): bool
{
$sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
$sClassKey = $this->getPreviousClass();
$resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
$resolvedClass = $resolvedClass ?: 'start';

View File

@ -127,7 +127,7 @@ class d3webauthnlogin extends FrontendController
*/
public function previousClassIsOrderStep(): bool
{
$sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
$sClassKey = $this->getPreviousClass();
$resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
$resolvedClass = $resolvedClass ?: 'start';
@ -171,7 +171,7 @@ class d3webauthnlogin extends FrontendController
// relogin, don't extract from this try block
$setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential);
$this->d3GetSession()->setVariable('usr', $user->getId());
$this->d3GetSession()->setVariable(WebauthnConf::OXID_FRONTEND_AUTH, $user->getId());
$this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS);

View File

@ -203,7 +203,11 @@ class Webauthn
/** @var User $user */
$user = oxNew(User::class);
$user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER));
$user->load(
isAdmin() ?
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER) :
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)
);
/** @var UserEntity $userEntity */
$userEntity = oxNew(UserEntity::class, $user);

View File

@ -17,16 +17,26 @@ namespace D3\Webauthn\Application\Model;
class WebauthnConf
{
public const WEBAUTHN_SESSION_AUTH = 'webauthn_auth'; // has valid webauthn, user is logged in completly
public const WEBAUTHN_LOGIN_OBJECT = 'authnloginobject'; // webauthn register options, required for credential check
public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthnCurrentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthnLoginUser'; // username entered in login form
public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthnCurrentClass'; // no usage
public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthnNavFormParams'; // no usage
public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthnNavigationParams'; // no usage
public const OXID_ADMIN_AUTH = 'auth';
public const OXID_FRONTEND_AUTH = 'usr';
public const GLOBAL_SWITCH = 'blDisableWebauthnGlobally';
public const WEBAUTHN_SESSION_AUTH = 'd3webauthn_auth'; // has valid webauthn, user is logged in completly
public const WEBAUTHN_LOGIN_OBJECT = 'd3webauthn_loginobject'; // webauthn register options, required for credential check
public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthn_currentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthn_loginUser'; // username entered in login form
public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthn_currentClass'; // no usage
public const TYPE_CREATE = 'TYPECREATE';
public const TYPE_GET = 'TYPEGET';
public const WEBAUTHN_ADMIN_SESSION_AUTH = 'd3webauthn_be_auth'; // has valid webauthn, user is logged in completly
public const WEBAUTHN_ADMIN_LOGIN_OBJECT = 'd3webauthn_be_loginobject'; // webauthn register options, required for credential check
public const WEBAUTHN_ADMIN_SESSION_CURRENTUSER = 'd3webauthn_be_currentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_ADMIN_SESSION_LOGINUSER = 'd3webauthn_be_loginUser'; // username entered in login form
public const WEBAUTHN_ADMIN_SESSION_CURRENTCLASS= 'd3webauthn_be_currentClass'; // no usage
public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthn_navFormParams'; // no usage
public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthn_navigationParams'; // no usage
public const GLOBAL_SWITCH = 'd3webauthn_disabledGlobally';
public const TYPE_CREATE = 'TYPECREATE';
public const TYPE_GET = 'TYPEGET';
}

View File

@ -45,7 +45,7 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
public function checklogin()
{
$lgn_user = Registry::getRequest()->getRequestParameter('user') ?:
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
$password = Registry::getRequest()->getRequestParameter('pwd');
/** @var d3_User_Webauthn $user */
@ -53,24 +53,24 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
$userId = $user->d3GetLoginUserId($lgn_user, 'malladmin');
if ($lgn_user && $userId &&
false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) &&
false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) &&
(!strlen(trim((string) $password)))
) {
$webauthn = $this->d3GetWebauthnObject();
if ($webauthn->isActive($userId)
&& !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH)
&& !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH)
) {
Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS,
WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS,
$this->getClassKey() != 'd3webauthnadminlogin' ? $this->getClassKey() : 'admin_start'
);
Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER,
WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER,
$userId
);
Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_LOGINUSER,
WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER,
$lgn_user
);

View File

@ -39,6 +39,13 @@ class d3_User_Webauthn extends d3_User_Webauthn_parent
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_NAVFORMPARAMS);
return $return;

View File

@ -15,6 +15,7 @@
namespace D3\Webauthn\tests\integration;
use D3\Webauthn\Application\Model\WebauthnConf;
use OxidEsales\Eshop\Application\Controller\Admin\LoginController;
use OxidEsales\Eshop\Core\DatabaseProvider;
use OxidEsales\Eshop\Core\Registry;
@ -31,7 +32,7 @@ class passwordAdminAuthTest extends integrationTestCase
public function createTestData()
{
$admin = DatabaseProvider::getDb()->getOne('SELECT oxid FROM oxuser WHERE oxrights = "malladmin"');
Registry::getSession()->setVariable('auth', $admin);
Registry::getSession()->setVariable(WebauthnConf::OXID_ADMIN_AUTH, $admin);
$this->createUser(
$this->userList[1],
[