extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2025-06-21 12:32:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix the user provider not honoring the useWebauthnOnly option

Browse Source
This commit is contained in:
Bubka 2023-03-02 15:07:46 +01:00
parent 47be24b60f
commit 4006deb1e0
2 changed files with 33 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
app/Extensions/WebauthnTwoFAuthUserProvider.php Normal file
View File

@ -0,0 +1,28 @@
<?php
namespace App\Extensions;
use Illuminate\Auth\EloquentUserProvider;
use App\Models\WebAuthnAuthenticatable;
use Laragear\WebAuthn\Auth\WebAuthnUserProvider;
class WebauthnTwoFAuthUserProvider extends WebAuthnUserProvider
{
/**
* Validate a user against the given credentials.
*
* @param \Illuminate\Contracts\Auth\Authenticatable|\App\Models\WebAuthnAuthenticatable|\App\Models\User $user
* @param array $credentials
*
* @return bool
*/
public function validateCredentials($user, array $credentials): bool
{
if ($user instanceof WebAuthnAuthenticatable && $this->isSignedChallenge($credentials)) {
return $this->validateWebAuthn();
}
// If the user disabled the fallback is enabled, we will validate the credential password.
return $user->preferences['useWebauthnOnly'] == false && EloquentUserProvider::validateCredentials($user, $credentials);
}
}

12
app/Providers/AuthServiceProvider.php
View File

@ -88,19 +88,17 @@ class AuthServiceProvider extends ServiceProvider
return new ReverseProxyGuard(Auth::createUserProvider($config['provider'])); return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
}); });
// Previously we were using a custom user provider derived from the Larapass user provider // We use a custom user provider derivated from the Laragear\WebAuthn one to honor the "useWebauthnOnly" user option.
// in order to honor the "useWebauthnOnly" user option. // As this option is now available in the $user->preferences array it is no more possible to overload the $fallback
// Since Laragear\WebAuthn now replaces DarkGhostHunter\Larapass, the new approach is // value here because $user is not available at registration.
// simplier: We overload the 'eloquent-webauthn' registration from Laragear\WebAuthn\WebAuthnServiceProvider
// with a custom closure that uses the "useWebauthnOnly" user option
Auth::provider( Auth::provider(
'eloquent-webauthn', 'eloquent-webauthn',
static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider { static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider {
return new \Laragear\WebAuthn\Auth\WebAuthnUserProvider( return new \App\Extensions\WebauthnTwoFAuthUserProvider(
$app->make('hash'), $app->make('hash'),
$config['model'], $config['model'],
$app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class), $app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class),
Settings::get('useWebauthnOnly') ? false : true true
); );
} }
); );