D3Public
/
webauthn
8
0
Fork 0
Code Pull Requests Packages Projects Releases Activity

separate session var names between frontend and backend

This commit is contained in:
Daniel Seifert 2022-11-23 08:46:25 +01:00
parent f74d6985fb
commit e866141a34
Signed by: DanielS
GPG Key ID: 8A7C4C6ED1915C6F
7 changed files with 50 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/Application/Controller/Admin/d3webauthnadminlogin.php
View File

@ -59,8 +59,8 @@ class d3webauthnadminlogin extends AdminController
*/ */
public function render(): string public function render(): string
{ {
if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) || if ($this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) ||
!$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER) !$this->d3GetSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER)
) { ) {
$this->getUtils()->redirect('index.php?cl=admin_start'); $this->getUtils()->redirect('index.php?cl=admin_start');
if (!defined('OXID_PHP_UNIT')) { if (!defined('OXID_PHP_UNIT')) {
@ -86,12 +86,12 @@ class d3webauthnadminlogin extends AdminController
*/ */
public function generateCredentialRequest(): void public function generateCredentialRequest(): void
{ {
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER); $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
try { try {
/** @var Webauthn $webauthn */ /** @var Webauthn $webauthn */
$webauthn = $this->d3GetWebauthnObject(); $webauthn = $this->d3GetWebauthnObject();
$publicKeyCredentialRequestOptions = $webauthn->getRequestOptions($userId); $publicKeyCredentialRequestOptions = $webauthn->getRequestOptions($userId);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions); $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT, $publicKeyCredentialRequestOptions);
$this->addTplParam('webauthn_publickey_login', $publicKeyCredentialRequestOptions); $this->addTplParam('webauthn_publickey_login', $publicKeyCredentialRequestOptions);
$this->addTplParam('isAdmin', isAdmin()); $this->addTplParam('isAdmin', isAdmin());
} catch (WebauthnException $e) { } catch (WebauthnException $e) {
@ -110,7 +110,7 @@ class d3webauthnadminlogin extends AdminController
{ {
/** @var d3_User_Webauthn $user */ /** @var d3_User_Webauthn $user */
$user = $this->d3GetUserObject(); $user = $this->d3GetUserObject();
$userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER); $userId = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
try { try {
$error = Registry::getRequest()->getRequestEscapedParameter('error'); $error = Registry::getRequest()->getRequestEscapedParameter('error');
@ -125,7 +125,7 @@ class d3webauthnadminlogin extends AdminController
$webAuthn = $this->d3GetWebauthnObject(); $webAuthn = $this->d3GetWebauthnObject();
$webAuthn->assertAuthn($credential); $webAuthn->assertAuthn($credential);
$user->load($userId); $user->load($userId);
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, true); $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH, true);
/** @var d3_webauthn_UserComponent $userCmp */ /** @var d3_webauthn_UserComponent $userCmp */
$loginController = oxNew(LoginController::class); $loginController = oxNew(LoginController::class);
@ -154,7 +154,7 @@ class d3webauthnadminlogin extends AdminController
*/ */
public function getPreviousClass(): ?string public function getPreviousClass(): ?string
{ {
return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS); return $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
} }
/** /**
@ -162,7 +162,7 @@ class d3webauthnadminlogin extends AdminController
*/ */
public function previousClassIsOrderStep(): bool public function previousClassIsOrderStep(): bool
{ {
$sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS); $sClassKey = $this->getPreviousClass();
$resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey); $resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
$resolvedClass = $resolvedClass ?: 'start'; $resolvedClass = $resolvedClass ?: 'start';

4
src/Application/Controller/d3webauthnlogin.php
View File

@ -127,7 +127,7 @@ class d3webauthnlogin extends FrontendController
*/ */
public function previousClassIsOrderStep(): bool public function previousClassIsOrderStep(): bool
{ {
$sClassKey = $this->d3GetSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS); $sClassKey = $this->getPreviousClass();
$resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey); $resolvedClass = $this->d3GetControllerClassNameResolver()->getClassNameById($sClassKey);
$resolvedClass = $resolvedClass ?: 'start'; $resolvedClass = $resolvedClass ?: 'start';
@ -171,7 +171,7 @@ class d3webauthnlogin extends FrontendController
// relogin, don't extract from this try block // relogin, don't extract from this try block
$setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook'); $setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential); $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential);
$this->d3GetSession()->setVariable('usr', $user->getId()); $this->d3GetSession()->setVariable(WebauthnConf::OXID_FRONTEND_AUTH, $user->getId());
$this->setUser(null); $this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS); $this->setLoginStatus(USER_LOGIN_SUCCESS);

6
src/Application/Model/Webauthn.php
View File

@ -203,7 +203,11 @@ class Webauthn
/** @var User $user */ /** @var User $user */
$user = oxNew(User::class); $user = oxNew(User::class);
$user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)); $user->load(
isAdmin() ?
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER) :
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER)
);
/** @var UserEntity $userEntity */ /** @var UserEntity $userEntity */
$userEntity = oxNew(UserEntity::class, $user); $userEntity = oxNew(UserEntity::class, $user);

30
src/Application/Model/WebauthnConf.php
View File

@ -17,16 +17,26 @@ namespace D3\Webauthn\Application\Model;
class WebauthnConf class WebauthnConf
{ {
public const WEBAUTHN_SESSION_AUTH = 'webauthn_auth'; // has valid webauthn, user is logged in completly public const OXID_ADMIN_AUTH = 'auth';
public const WEBAUTHN_LOGIN_OBJECT = 'authnloginobject'; // webauthn register options, required for credential check public const OXID_FRONTEND_AUTH = 'usr';
public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthnCurrentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthnLoginUser'; // username entered in login form
public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthnCurrentClass'; // no usage
public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthnNavFormParams'; // no usage
public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthnNavigationParams'; // no usage
public const GLOBAL_SWITCH = 'blDisableWebauthnGlobally'; public const WEBAUTHN_SESSION_AUTH = 'd3webauthn_auth'; // has valid webauthn, user is logged in completly
public const WEBAUTHN_LOGIN_OBJECT = 'd3webauthn_loginobject'; // webauthn register options, required for credential check
public const WEBAUTHN_SESSION_CURRENTUSER = 'd3webauthn_currentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_SESSION_LOGINUSER = 'd3webauthn_loginUser'; // username entered in login form
public const WEBAUTHN_SESSION_CURRENTCLASS = 'd3webauthn_currentClass'; // no usage
public const TYPE_CREATE = 'TYPECREATE'; public const WEBAUTHN_ADMIN_SESSION_AUTH = 'd3webauthn_be_auth'; // has valid webauthn, user is logged in completly
public const TYPE_GET = 'TYPEGET'; public const WEBAUTHN_ADMIN_LOGIN_OBJECT = 'd3webauthn_be_loginobject'; // webauthn register options, required for credential check
public const WEBAUTHN_ADMIN_SESSION_CURRENTUSER = 'd3webauthn_be_currentUser'; // oxid assigned to user from entered username
public const WEBAUTHN_ADMIN_SESSION_LOGINUSER = 'd3webauthn_be_loginUser'; // username entered in login form
public const WEBAUTHN_ADMIN_SESSION_CURRENTCLASS= 'd3webauthn_be_currentClass'; // no usage
public const WEBAUTHN_SESSION_NAVFORMPARAMS = 'd3webauthn_navFormParams'; // no usage
public const WEBAUTHN_SESSION_NAVPARAMS = 'd3webauthn_navigationParams'; // no usage
public const GLOBAL_SWITCH = 'd3webauthn_disabledGlobally';
public const TYPE_CREATE = 'TYPECREATE';
public const TYPE_GET = 'TYPEGET';
} }

12
src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
View File

@ -45,7 +45,7 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
public function checklogin() public function checklogin()
{ {
$lgn_user = Registry::getRequest()->getRequestParameter('user') ?: $lgn_user = Registry::getRequest()->getRequestParameter('user') ?:
Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER); Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
$password = Registry::getRequest()->getRequestParameter('pwd'); $password = Registry::getRequest()->getRequestParameter('pwd');
/** @var d3_User_Webauthn $user */ /** @var d3_User_Webauthn $user */
@ -53,24 +53,24 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
$userId = $user->d3GetLoginUserId($lgn_user, 'malladmin'); $userId = $user->d3GetLoginUserId($lgn_user, 'malladmin');
if ($lgn_user && $userId && if ($lgn_user && $userId &&
false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) && false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH) &&
(!strlen(trim((string) $password))) (!strlen(trim((string) $password)))
) { ) {
$webauthn = $this->d3GetWebauthnObject(); $webauthn = $this->d3GetWebauthnObject();
if ($webauthn->isActive($userId) if ($webauthn->isActive($userId)
&& !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) && !Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH)
) { ) {
Registry::getSession()->setVariable( Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS, WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS,
$this->getClassKey() != 'd3webauthnadminlogin' ? $this->getClassKey() : 'admin_start' $this->getClassKey() != 'd3webauthnadminlogin' ? $this->getClassKey() : 'admin_start'
); );
Registry::getSession()->setVariable( Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER, WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER,
$userId $userId
); );
Registry::getSession()->setVariable( Registry::getSession()->setVariable(
WebauthnConf::WEBAUTHN_SESSION_LOGINUSER, WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER,
$lgn_user $lgn_user
); );

7
src/Modules/Application/Model/d3_User_Webauthn.php
View File

@ -39,6 +39,13 @@ class d3_User_Webauthn extends d3_User_Webauthn_parent
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER); Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER); Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS); Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTCLASS);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_AUTH);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_LOGIN_OBJECT);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_LOGINUSER);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_ADMIN_SESSION_CURRENTCLASS);
Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_NAVFORMPARAMS); Registry::getSession()->deleteVariable(WebauthnConf::WEBAUTHN_SESSION_NAVFORMPARAMS);
return $return; return $return;

3
src/tests/integration/passwordAdminAuthTest.php
View File

@ -15,6 +15,7 @@
namespace D3\Webauthn\tests\integration; namespace D3\Webauthn\tests\integration;
use D3\Webauthn\Application\Model\WebauthnConf;
use OxidEsales\Eshop\Application\Controller\Admin\LoginController; use OxidEsales\Eshop\Application\Controller\Admin\LoginController;
use OxidEsales\Eshop\Core\DatabaseProvider; use OxidEsales\Eshop\Core\DatabaseProvider;
use OxidEsales\Eshop\Core\Registry; use OxidEsales\Eshop\Core\Registry;
@ -31,7 +32,7 @@ class passwordAdminAuthTest extends integrationTestCase
public function createTestData() public function createTestData()
{ {
$admin = DatabaseProvider::getDb()->getOne('SELECT oxid FROM oxuser WHERE oxrights = "malladmin"'); $admin = DatabaseProvider::getDb()->getOne('SELECT oxid FROM oxuser WHERE oxrights = "malladmin"');
Registry::getSession()->setVariable('auth', $admin); Registry::getSession()->setVariable(WebauthnConf::OXID_ADMIN_AUTH, $admin);
$this->createUser( $this->createUser(
$this->userList[1], $this->userList[1],
[ [