From e866141a347ce5aae9c63c6e2c53ceb2bfd6ddc1 Mon Sep 17 00:00:00 2001
From: Daniel Seifert
Date: Wed, 23 Nov 2022 08:46:25 +0100
Subject: [PATCH] separate session var names between frontend and backend

---
.../Controller/Admin/d3webauthnadminlogin.php | 16 +++++-----
.../Controller/d3webauthnlogin.php | 4 +--
src/Application/Model/Webauthn.php | 6 +++-
src/Application/Model/WebauthnConf.php | 30 ++++++++++++-------
.../Admin/d3_LoginController_Webauthn.php | 12 ++++----
.../Application/Model/d3_User_Webauthn.php | 7 +++++
.../integration/passwordAdminAuthTest.php | 3 +-
7 files changed, 50 insertions(+), 28 deletions(-)

diff --git a/src/Application/Controller/Admin/d3webauthnadminlogin.php b/src/Application/Controller/Admin/d3webauthnadminlogin.php
index 1e3b629..666975e 100755
--- a/src/Application/Controller/Admin/d3webauthnadminlogin.php
+++ b/src/Application/Controller/Admin/d3webauthnadminlogin.php
@@ -59,8 +59,8 @@ class d3webauthnadminlogin extends AdminController
 */
 public function render(): string
 {
- if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) ||
- !$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)
+ if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) ||
+ !$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER)
 ) {
 $this->getUtils()->redirect('index.php?cl=admin_start');
 if (!defined('OXID_PHP_UNIT')) {
@@ -86,12 +86,12 @@ class d3webauthnadminlogin extends AdminController
 */
 public function generateCredentialRequest(): void
 {
- $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
+ $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
 try {
 /** @var Webauthn $webauthn */
 $webauthn = $this->d3GetWebauthnObject();
 $publicKeyCredentialRequestOptions = $webauthn->getRequestOptions($userId);
- $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions);
+ $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions);
 $this->addTplParam('webauthn_publickey_login', $publicKeyCredentialRequestOptions);
 $this->addTplParam('isAdmin', isAdmin());
 } catch (WebauthnException $e) {
@@ -110,7 +110,7 @@ class d3webauthnadminlogin extends AdminController
 {
 /** @var d3_User_Webauthn $user */
 $user = $this->d3GetUserObject();
- $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
+ $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);

 try {
 $error = Registry::getRequest()->getRequestEscapedParameter('error');
@@ -125,7 +125,7 @@ class d3webauthnadminlogin extends AdminController
 $webAuthn = $this->d3GetWebauthnObject();
 $webAuthn->assertAuthn($credential);
 $user->load($userId);
- $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, true);
+ $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH, true);

 /** @var d3_webauthn_UserComponent $userCmp */
 $loginController = oxNew(LoginController::class);
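Review bot: After `$webAuthn->assertAuthn($credential)` succeeds in the @@ -125 hunk, the request options that generateCredentialRequest() stored under WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT are not removed anywhere in this hunk; unless assertAuthn() itself consumes them, the challenge stays in the session for its whole lifetime instead of being single-use. Consider `$this->d3GetSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT);` directly after the assertion (the frontend path would want the same for WEBAUTHN_LOGIN_OBJECT). The admin path records the completed login as a bare `true`, while the frontend hunk in d3webauthnlogin.php keeps the whole `$credential` under WEBAUTHN_SESSION_AUTH; the later hasVariable() checks only need a marker, so aligning both sides on `true` keeps the session small and the two flows consistent. The enclosing method starts and ends outside the hunk.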
@@ -154,7 +154,7 @@ class d3webauthnadminlogin extends AdminController
 */
 public function getPreviousClass(): ?string
 {
- return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
+ return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
 }

 /**
@@ -162,7 +162,7 @@ class d3webauthnadminlogin extends AdminController
 */
 public function previousClassIsOrderStep(): bool
 {
- $sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
+ $sClassKey = $this->getPreviousClass();
 $resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
 $resolvedClass = $resolvedClass ?: 'start';

diff --git a/src/Application/Controller/d3webauthnlogin.php b/src/Application/Controller/d3webauthnlogin.php
index fa533be..12339e3 100755
--- a/src/Application/Controller/d3webauthnlogin.php
+++ b/src/Application/Controller/d3webauthnlogin.php
@@ -127,7 +127,7 @@ class d3webauthnlogin extends FrontendController
 */
 public function previousClassIsOrderStep(): bool
 {
- $sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
+ $sClassKey = $this->getPreviousClass();
 $resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
 $resolvedClass = $resolvedClass ?: 'start';

@@ -171,7 +171,7 @@ class d3webauthnlogin extends FrontendController
 // relogin, don't extract from this try block
 $setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
 $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential);
- $this->d3GetSession()->setVariable('usr', $user->getId());
+ $this->d3GetSession()->setVariable(WebauthnConf::OXID_FRONTEND_AUTH, $user->getId());
 $this->setUser(null);
 $this->setLoginStatus(USER_LOGIN_SUCCESS);

diff --git a/src/Application/Model/Webauthn.php b/src/Application/Model/Webauthn.php
index 4a062f6..9fc477b 100644
--- a/src/Application/Model/Webauthn.php
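Review bot: In the @@ -171 hunk of d3webauthnlogin.php the session becomes an authenticated frontend session by writing `$user->getId()` under WebauthnConf::OXID_FRONTEND_AUTH, but no session-id regeneration is visible around it, so the pre-authentication session id that carried the challenge is kept across the privilege change. If neither the surrounding method nor OXID's own login path already does this, regenerating the id (OXID's Session class offers regenerateSessionId()) before the `setVariable(WebauthnConf::OXID_FRONTEND_AUTH, ...)` line closes that gap; please confirm against the code outside the hunk. The enclosing method starts and ends outside the hunk.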
+++ b/src/Application/Model/Webauthn.php
@@ -203,7 +203,11 @@ class Webauthn
 /** @var User $user */
 $user = oxNew(User::class);
- $user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER));
+ $user->load(
+ isAdmin() ?
+ Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER) :
+ Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)
+ );

 /** @var UserEntity $userEntity */
 $userEntity = oxNew(UserEntity::class, $user);

diff --git a/src/Application/Model/WebauthnConf.php b/src/Application/Model/WebauthnConf.php
index 379178e..5f097ce 100755
--- a/src/Application/Model/WebauthnConf.php
+++ b/src/Application/Model/WebauthnConf.php
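Review bot: The ternary added inside `$user->load(...)` repeats the `Registry::getSession()->getVariable(...)` call in both branches; choosing the key first reads more clearly and keeps the session access in one place: `$key = isAdmin() ? WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER : WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER;` followed by `$user->load(Registry::getSession()->getVariable($key));`. The same admin/frontend key choice is now hard-coded separately in each controller of this patch, so one helper on WebauthnConf returning the key for the current context would stop the two sets drifting apart. The boolean returned by load() is still ignored, so a missing or stale session entry is passed on to the UserEntity construction without any check here; testing it and throwing is cheap. The enclosing method starts and ends outside the hunk.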
@@ -17,16 +17,26 @@ namespace D3\Webauthn\Application\Model;

 class WebauthnConf
 {
- public const WEBAUTHN_SESSION_AUTH = 'webauthn_auth'; // has valid webauthn, user is logged in completly
- public const WEBAUTHN_LOGIN_OBJECT = 'authnloginobject'; // webauthn register options, required for credential check
- public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthnCurrentUser'; // oxid assigned to user from entered username
- public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthnLoginUser'; // username entered in login form
- public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthnCurrentClass'; // no usage
- public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthnNavFormParams'; // no usage
- public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthnNavigationParams'; // no usage
+ public const OXID_ADMIN_AUTH = 'auth';
+ public const OXID_FRONTEND_AUTH = 'usr';

- public const GLOBAL_SWITCH = 'blDisableWebauthnGlobally';
+ public const WEBAUTHN_SESSION_AUTH = 'd3webauthn_auth'; // has valid webauthn, user is logged in completly
+ public const WEBAUTHN_LOGIN_OBJECT = 'd3webauthn_loginobject'; // webauthn register options, required for credential check
+ public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthn_currentUser'; // oxid assigned to user from entered username
+ public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthn_loginUser'; // username entered in login form
+ public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthn_currentClass'; // no usage

- public const TYPE_CREATE = 'TYPECREATE';
- public const TYPE_GET = 'TYPEGET';
+ public const WEBAUTHN_ADMIN_SESSION_AUTH = 'd3webauthn_be_auth'; // has valid webauthn, user is logged in completly
+ public const WEBAUTHN_ADMIN_LOGIN_OBJECT = 'd3webauthn_be_loginobject'; // webauthn register options, required for credential check
+ public const WEBAUTHN_ADMIN_SESSION_CURRENTUSER = 'd3webauthn_be_currentUser'; // oxid assigned to user from entered username
+ public const WEBAUTHN_ADMIN_SESSION_LOGINUSER = 'd3webauthn_be_loginUser'; // username entered in login form
+ public const WEBAUTHN_ADMIN_SESSION_CURRENTCLASS= 'd3webauthn_be_currentClass'; // no usage
+
+ public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthn_navFormParams'; // no usage
+ public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthn_navigationParams'; // no usage
+
+ public const GLOBAL_SWITCH = 'd3webauthn_disabledGlobally';
+
+ public const TYPE_CREATE = 'TYPECREATE';
+ public const TYPE_GET = 'TYPEGET';
 }
\ No newline at end of file
diff --git a/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php b/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
index e5f92c9..8709891 100755
--- a/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
+++ b/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
@@ -45,7 +45,7 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
 public function checklogin()
 {
 $lgn_user = Registry::getRequest()->getRequestParameter('user') ?:
- Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
+ Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
 $password = Registry::getRequest()->getRequestParameter('pwd');

 /** @var d3_User_Webauthn $user */
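Review bot: The `// no usage` comment on WEBAUTHN_SESSION_CURRENTCLASS and WEBAUTHN_ADMIN_SESSION_CURRENTCLASS is stale: this same patch reads the admin key in d3webauthnadminlogin::getPreviousClass() and writes it in d3_LoginController_Webauthn::checklogin(), so the comment should describe the role instead, e.g. `// class key of the controller to return to after the webauthn step`. GLOBAL_SWITCH changes its value from 'blDisableWebauthnGlobally' to 'd3webauthn_disabledGlobally'; if that string is also the module-setting name in metadata.php or is read elsewhere, nothing in this patch updates it and the existing setting would silently stop being honoured, so please confirm. Minor: `WEBAUTHN_ADMIN_SESSION_CURRENTCLASS=` lacks the space before `=` that its sibling lines have, and "completly" in the two comments should read "completely".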
@@ -53,24 +53,24 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
 $userId = $user->d3GetLoginUserId($lgn_user, 'malladmin');
 if ($lgn_user && $userId &&
- false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) &&
+ false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) &&
 (!strlen(trim((string) $password)))
 ) {
 $webauthn = $this->d3GetWebauthnObject();
 if ($webauthn->isActive($userId)
- && !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH)
+ && !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH)
 ) {
 Registry::getSession()->setVariable(
- WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS,
+ WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS,
 $this->getClassKey() != 'd3webauthnadminlogin' ? $this->getClassKey() : 'admin_start'
 );
 Registry::getSession()->setVariable(
- WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER,
+ WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER,
 $userId
 );
 Registry::getSession()->setVariable(
- WebauthnConf::WEBAUTHN_SESSION_LOGINUSER,
+ WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER,
 $lgn_user
 );
diff --git a/src/Modules/Application/Model/d3_User_Webauthn.php b/src/Modules/Application/Model/d3_User_Webauthn.php
index 802a083..6f04fd4 100755
--- a/src/Modules/Application/Model/d3_User_Webauthn.php
+++ b/src/Modules/Application/Model/d3_User_Webauthn.php
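Review bot: The inner condition `&& !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH)` is redundant: the enclosing `if` already requires `false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH)`, so the variable cannot be present at that point and the nested check can be reduced to `if ($webauthn->isActive($userId)) {`. The class-key comparison `$this->getClassKey() != 'd3webauthnadminlogin'` should use `!==`, since both sides are strings and loose comparison is never needed here. The hunk sits inside checklogin(), which continues outside it.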
@@ -39,6 +39,13 @@ class d3_User_Webauthn extends d3_User_Webauthn_parent
 Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
 Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
 Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
+
+ Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH);
+ Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT);
+ Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
+ Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
+ Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
+
 Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_NAVFORMPARAMS);

 return $return;

diff --git a/src/tests/integration/passwordAdminAuthTest.php b/src/tests/integration/passwordAdminAuthTest.php
index 003faa0..17dab3f 100644
--- a/src/tests/integration/passwordAdminAuthTest.php
+++ b/src/tests/integration/passwordAdminAuthTest.php
@@ -15,6 +15,7 @@

 namespace D3\Webauthn\tests\integration;

+use D3\Webauthn\Application\Model\WebauthnConf;
 use OxidEsales\Eshop\Application\Controller\Admin\LoginController;
 use OxidEsales\Eshop\Core\DatabaseProvider;
 use OxidEsales\Eshop\Core\Registry;
@@ -31,7 +32,7 @@ class passwordAdminAuthTest extends integrationTestCase
 public function createTestData()
 {
 $admin = DatabaseProvider::getDb()->getOne('SELECT oxid FROM oxuser WHERE oxrights = "malladmin"');
- Registry::getSession()->setVariable('auth', $admin);
+ Registry::getSession()->setVariable(WebauthnConf::OXID_ADMIN_AUTH, $admin);
 $this->createUser(
 $this->userList[1],
 [
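Review bot: The cleanup in the @@ -39 hunk now clears both the frontend and the admin key set, but WebauthnConf::WEBAUTHN_SESSION_NAVPARAMS is still not deleted while its sibling WEBAUTHN_SESSION_NAVFORMPARAMS is, so if anything writes that key it survives this cleanup. Adding `Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_NAVPARAMS);` next to the NAVFORMPARAMS line keeps the two in step. Whether the frontend WEBAUTHN_SESSION_AUTH and WEBAUTHN_LOGIN_OBJECT entries are removed is not visible here because the method begins above the hunk; please confirm. With eleven keys listed one per line, iterating over a constant array of session keys declared on WebauthnConf would keep this list from going stale the next time a key is added.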