From f8a755dc6ffc5bbeb6b96daa465205df7d3e87a6 Mon Sep 17 00:00:00 2001
From: Daniel Seifert
Date: Tue, 8 Nov 2022 23:12:56 +0100
Subject: [PATCH] remove possible login vulnerability

---
 .../Component/d3_webauthn_UserComponent.php | 43 ++++++++----------
 1 file changed, 18 insertions(+), 25 deletions(-)

diff --git a/src/Modules/Application/Component/d3_webauthn_UserComponent.php b/src/Modules/Application/Component/d3_webauthn_UserComponent.php
index 8aff3f1..bc88f37 100755
--- a/src/Modules/Application/Component/d3_webauthn_UserComponent.php
+++ b/src/Modules/Application/Component/d3_webauthn_UserComponent.php
@@ -99,30 +99,6 @@ class d3_webauthn_UserComponent extends d3_webauthn_UserComponent_parent
 $this->d3WebauthnClearSessionVariables();
 }
 
- /**
- * @param User $user
- * @param $sWebauthn
- */
- protected function d3WebauthnRelogin(User $user, $sWebauthn): void
- {
- $setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
- $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $sWebauthn);
- $this->d3GetSession()->setVariable('usr', $user->getId());
- $this->setUser(null);
- $this->setLoginStatus(USER_LOGIN_SUCCESS);
-
- // cookie must be set ?
- if ($setSessionCookie && Registry::getConfig()->getConfigParam('blShowRememberMe')) {
- Registry::getUtilsServer()->setUserCookie(
- $user->oxuser__oxusername->value,
- $user->oxuser__oxpassword->value,
- Registry::getConfig()->getShopId()
- );
- }
-
- $this->_afterLogin($user);
- }
-
 /**
 * @return void
 */
@@ -165,7 +141,24 @@ class d3_webauthn_UserComponent extends d3_webauthn_UserComponent_parent
 $webAuthn = oxNew( Webauthn::class );
 $webAuthn->assertAuthn( $credential );
 $user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER));
- $this->d3WebauthnRelogin($user, $credential);
+
+ // relogin, don't extract from this try block
+ $setSessionCookie = Registry::getRequest()->getRequestParameter('lgn_cook');
+ $this->d3GetSession()->setVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH, $credential);
+ $this->d3GetSession()->setVariable('usr', $user->getId());
+ $this->setUser(null);
+ $this->setLoginStatus(USER_LOGIN_SUCCESS);
+
+ // cookie must be set ?
+ if ($setSessionCookie && Registry::getConfig()->getConfigParam('blShowRememberMe')) {
+ Registry::getUtilsServer()->setUserCookie(
+ $user->oxuser__oxusername->value,
+ $user->oxuser__oxpassword->value,
+ Registry::getConfig()->getShopId()
+ );
+ }
+
+ $this->_afterLogin($user);
 }
 } catch (WebauthnException $e) {
 Registry::getUtilsView()->addErrorToDisplay($e);
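Review bot: The return value of `$user->load(...)` on the context line just above the inlined relogin is never checked, so when WEBAUTHN_SESSION_CURRENTUSER is absent or points at a record that no longer exists the new block still writes `$user->getId()` into the `usr` session variable and sets USER_LOGIN_SUCCESS. Since `load()` reports failure with its bool result, guard it with the exception the surrounding catch already handles: `if (!$user->load(Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_CURRENTUSER))) { throw new WebauthnException(/* message as the class expects */); }`. Whether `assertAuthn($credential)` ties the asserted credential to that same session user is not visible in this hunk and is worth confirming, because the user is loaded only after the assertion. The comment `// relogin, don't extract from this try block` would carry its reason better as `// relogin inline: must stay after assertAuthn() so it cannot run without a verified assertion`. The enclosing method starts and ends outside the hunk.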