remove possible login vulnerability

This commit is contained in:
Daniel Seifert 2022-11-08 23:12:56 +01:00
parent 2bf7399aa4
commit f8a755dc6f
Signed by: DanielS
GPG Key ID: 6A513E13AEE66170
1 changed files with 18 additions and 25 deletions


@ -99,30 +99,6 @@ class d3_webauthn_UserComponent extends d3_webauthn_UserComponent_parent
$this->d3WebauthnClearSessionVariables();
}
/**
* @param User $user
* @param $sWebauthn
*/
protected function d3WebauthnRelogin(User $user, $sWebauthn): void
{
$setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $sWebauthn);
$this->d3GetSession()->setVariable('usr', $user->getId());
$this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS);
// cookie must be set ?
if ($setSessionCookie && Registry::getConfig()->getConfigParam('blShowRememberMe')) {
Registry::getUtilsServer()->setUserCookie(
$user->oxuser__oxusername->value,
$user->oxuser__oxpassword->value,
Registry::getConfig()->getShopId()
);
}
$this->_afterLogin($user);
}
/**
* @return void
*/
@ -165,7 +141,24 @@ class d3_webauthn_UserComponent extends d3_webauthn_UserComponent_parent
$webAuthn = oxNew( Webauthn::class );
$webAuthn->assertAuthn( $credential );
$user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER));
$this->d3WebauthnRelogin($user, $credential);
// relogin, don't extract from this try block
$setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
$this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential);
$this->d3GetSession()->setVariable('usr', $user->getId());
$this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS);
// cookie must be set ?
if ($setSessionCookie && Registry::getConfig()->getConfigParam('blShowRememberMe')) {
Registry::getUtilsServer()->setUserCookie(
$user->oxuser__oxusername->value,
$user->oxuser__oxpassword->value,
Registry::getConfig()->getShopId()
);
}
$this->_afterLogin($user);
}
} catch (WebauthnException $e) {
Registry::getUtilsView()->addErrorToDisplay($e);