From 5c83e1775258b45a8d2e482039bb2a016da2c852 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Tue, 21 Feb 2023 09:29:05 +0100
Subject: [PATCH] Let the WebAuthn form log in any user

---
 app/Http/Controllers/Auth/LoginController.php |  6 +++--
 .../Auth/WebAuthnLoginController.php          | 21 +++++++--------
 resources/js/views/auth/Login.vue             | 26 +++++++++++++++----
 resources/js/views/settings/WebAuthn.vue      |  3 +++
 resources/lang/en/errors.php                  |  2 ++
 5 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index fb919457..a1f048dc 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -71,8 +71,10 @@ class LoginController extends Controller
      */
     public function logout(Request $request)
     {
+        $user = $request->user();
         Auth::logout();
-        Log::info('User logged out');
+
+        Log::info(sprintf('User id #%s logged out', $user->id));
 
         return response()->json(['message' => 'signed out'], Response::HTTP_OK);
     }
@@ -151,6 +153,6 @@ class LoginController extends Controller
         $user->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
         $user->save();
 
-        Log::info('User authenticated');
+        Log::info(sprintf('User id #%s authenticated using login & pwd', $user->id));
     }
 }
diff --git a/app/Http/Controllers/Auth/WebAuthnLoginController.php b/app/Http/Controllers/Auth/WebAuthnLoginController.php
index 826a63ac..6161b565 100644
--- a/app/Http/Controllers/Auth/WebAuthnLoginController.php
+++ b/app/Http/Controllers/Auth/WebAuthnLoginController.php
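Review bot: The added `Log::info` line in `logout()` dereferences `$user->id` without checking that `$request->user()` resolved a user; if this route is ever reachable without an authenticated guard, or the token is already invalid by the time the body runs, PHP 8 raises an "Attempt to read property on null" warning, which Laravel's error handler typically converts into an ErrorException, so the request would fail with a 500 after `Auth::logout()` has already cleared the guard. If the route is protected by auth middleware this is benign, but a nullsafe access keeps the audit line robust either way: `Log::info(sprintf('User id #%s logged out', $user?->id ?? 'unknown'));`. The capture of `$user` before `Auth::logout()` is deliberate since the guard no longer resolves a user afterwards; a comment above it such as `// Capture the user before logout() clears the guard, for the audit log` would make that ordering explicit to the next maintainer.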
@@ -43,16 +43,13 @@ class WebAuthnLoginController extends Controller
                 break;
         }
 
-        // Since 2FAuth is single user designed we fetch the user instance.
-        // This lets Larapass validate the request without the need to ask
-        // the visitor for an email address.
-        $user = User::first();
-
-        return $user
-            ? $request->toVerify($user)
-            : response()->json([
-                'message' => 'no registered user',
-            ], 400);
+        return $request->toVerify($request->validate([
+            'email' => [
+                'required',
+                'email',
+                new \App\Rules\CaseInsensitiveEmailExists
+            ]
+        ]));
     }
 
     /**
@@ -69,7 +66,7 @@ class WebAuthnLoginController extends Controller
         $response = $request->response;
 
         // Some authenticators do not send a userHandle so we hack the response to be compliant
-        // with Larapass/webauthn-lib implementation that waits for a userHandle
+        // with Laragear\WebAuthn implementation that waits for a userHandle
         if (! Arr::exists($response, 'userHandle') || blank($response['userHandle'])) {
             $response['userHandle'] = User::getFromCredentialId($request->id)?->userHandle();
             $request->merge(['response' => $response]);
@@ -98,6 +95,6 @@ class WebAuthnLoginController extends Controller
         $user->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
         $user->save();
 
-        Log::info('User authenticated via webauthn');
+        Log::info(sprintf('User id #%s authenticated using webauthn', $user->id));
     }
 }
diff --git a/resources/js/views/auth/Login.vue b/resources/js/views/auth/Login.vue
index d5a80137..2083702f 100644
--- a/resources/js/views/auth/Login.vue
+++ b/resources/js/views/auth/Login.vue
@@ -5,9 +5,10 @@
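Review bot: The added `CaseInsensitiveEmailExists` rule turns the unauthenticated assertion-options endpoint into an account-enumeration oracle: an unregistered address gets a 422 validation error while a registered one gets a challenge, so an anonymous caller can confirm which emails have accounts, and no throttling is visible in this hunk. Now that the form serves multiple users, consider validating only `'email' => ['required', 'email']` and passing the credentials to `toVerify()` regardless, so an unknown address receives a challenge with an empty allowCredentials list that is indistinguishable from a user with no registered keys — confirm that Laragear\WebAuthn's `toVerify()` behaves this way for an unknown user rather than throwing, and confirm the route sits behind a throttle middleware. A second, smaller point: the rule compares case-insensitively, but the user lookup performed by `toVerify()` through the user provider may not, depending on database collation, so an address like `Foo@Example.com` could pass validation and still yield no credentials; if the comparison is not normalized downstream, lowercase the email before handing it to `toVerify()`. The enclosing method starts outside this hunk.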