Merged v3.1

Author: mkalioby

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Change Log
 
+## 3.1
+
+* Upgraded to fido==1.2.0
+* Added: CSP Compliance (optional), thanks to @lvanbuiten, to under CSP refer to [van Buiten](https://github.com/mkalioby/django-mfa2/pull/93#issuecomment-2847112870)
+* Fix: issue when finding the user based on credential id.
+* Fix: Move key delete to be POST call. Thanks to @AndreasDickow
+
+## 3.0.1
+
+* Fix: Issue with some usernames that crashes FIDO2 registration.
+
 ## 3.0
 
 This is a major cleanup and CSS adjustments so please test before deployment.

README.md

@@ -224,6 +224,7 @@ function some_func() {
 * [ezrajrice](https://github.com/ezrajrice)
 * [Spitfireap](https://github.com/Spitfireap)
 * [peterthomassen](https://github.com/peterthomassen)
+* [lvanbuiten](https://github.com/lvanbuiten)
 
 
  # Security contact information

example/example-ssl-requirements.txt

@@ -1 +1,2 @@
 django-sslserver
+django-csp~=3.8

example/example/settings.py

@@ -41,6 +41,7 @@
     "django.contrib.messages",
     "django.contrib.staticfiles",
     "mfa",
+    'csp',
     "sslserver",
 ]
 
@@ -49,6 +50,7 @@
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
@@ -168,3 +170,13 @@
     "localhost"  # Server rp id for FIDO2, it the full domain of your project
 )
 FIDO_SERVER_NAME = "TestApp"
+
+
+CSP = ("'self'", f'*.localhost')
+CSP_DEFAULT_SRC = CSP
+CSP_IMG_SRC = CSP + ('data:', 'blob:')
+CSP_FONT_SRC = CSP + ('data:',)
+CSP_SCRIPT_SRC = CSP
+CSP_STYLE_SRC = CSP
+CSP_CONNECT_SRC = CSP
+CSP_FORM_ACTION = CSP

example/example/templates/logout.html

@@ -16,7 +16,7 @@
   <link href="{% static  'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">
 
   <!-- Custom styles for this template-->
-  <link href="{% static 'css/sb-admin.css'%}" rel="stylesheet">
+  <link href="{% static 'css/sb-admin.min.css'%}" rel="stylesheet">
 
 </head>
 

example/example/urls.py

@@ -20,7 +20,7 @@
 
 urlpatterns = [
     path("admin/", admin.site.urls),
-    path("mfa/", include("mfa.urls")),
+    path("mfa2/", include("mfa.urls")),
     path("auth/login", auth.loginView, name="login"),
     path("auth/logout", auth.logoutView, name="logout"),
     path("devices/add/", TrustedDevice.add, name="add_trusted_device"),

mfa/FIDO2.py

@@ -1,4 +1,5 @@
 import json
+from base64 import urlsafe_b64encode
 
 from fido2.server import Fido2Server, PublicKeyCredentialRpEntity
 from fido2.webauthn import RegistrationResponse
@@ -58,7 +59,7 @@ def begin_registeration(request):
     user_verification = getattr(settings, "MFA_FIDO2_USER_VERIFICATION", None)
     registration_data, state = server.register_begin(
         {
-            "id": request.user.username.encode("utf8"),
+            "id":urlsafe_b64encode(request.user.username.encode("utf8")),
             "name": request.user.username,
             "displayName": request.user.username,
         },
@@ -103,8 +104,9 @@ def complete_reg(request):
         }
         uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
         uk.key_type = "FIDO2"
-        if auth_data.credential_data.credential_id:
-            uk.user_handle = auth_data.credential_data.credential_id
+        if data.get("id"):
+            uk.user_handle = data.get('id')
+
         uk.save()
         if (
             getattr(settings, "MFA_ENFORCE_RECOVERY_METHOD", False)
@@ -189,7 +191,7 @@ def authenticate_complete(request):
             username = request.user.username
         server = getServer()
         data = json.loads(request.body)
-        userHandle = data.get("response", {}).get("userHandle")
+        userHandle = data['id']
         credential_id = data["id"]
 
         if userHandle:
@@ -204,12 +206,16 @@ def authenticate_complete(request):
                             websafe_decode(keys[0].properties["device"])
                         )
                     ]
+                else:
+                    credentials = getUserCredentials(username)
         elif credential_id and username is None:
             keys = User_Keys.objects.filter(user_handle=credential_id)
             if keys.exists():
                 credentials = [
                     AttestedCredentialData(websafe_decode(keys[0].properties["device"]))
                 ]
+            else:
+                credentials = getUserCredentials(username)
         else:
             credentials = getUserCredentials(username)
 
@@ -220,16 +226,13 @@ def authenticate_complete(request):
                 response=data,
             )
         except ValueError:
-            return (
-                JsonResponse(
+            return JsonResponse(
                     {
                         "status": "ERR",
                         "message": "Wrong challenge received, make sure that this is your security and try again.",
                     },
                     status=400,
                 ),
-            )
-
         except Exception as excep:
             return JsonResponse({"status": "ERR", "message": str(excep)}, status=500)
 
@@ -239,7 +242,7 @@ def authenticate_complete(request):
             return JsonResponse({"status": "OK"})
 
         else:
-            if keys is None:
+            if keys is None or len(keys)==0:
                 keys = User_Keys.objects.filter(
                     username=username, key_type="FIDO2", enabled=1
                 )

mfa/static/mfa/css/mfa.css

@@ -0,0 +1,126 @@
+.text-center {
+    text-align: center;
+}
+
+.text-right {
+    text-align: right;
+}
+
+.padding-10 {
+    padding: 10px;
+}
+
+.padding-left-0 {
+    padding-left: 0;
+}
+
+.padding-left-15 {
+    padding-left: 15px;
+}
+
+.padding-left-25 {
+    padding-left: 25px;
+}
+
+.padding-top-10 {
+    padding-top: 10px;
+}
+
+.padding-right-30 {
+    padding-right: 30px;
+}
+
+#popUpModal {
+    top: 40px;
+
+    & .modal-dialog {
+        height: 80%;
+        width: 80%;
+    }
+}
+
+.img-circle {
+    padding: 3px;
+    height: 50px;
+}
+
+.success-message {
+    color: green;
+}
+.error-message {
+    color: red;
+}
+
+.font-10 {
+    font-size: 10px;
+}
+
+.color-gray {
+    color: #333333;
+}
+
+.bg-white {
+    background-color: #f0f0f0;
+}
+
+.institution-code {
+    font-size: 10pt;
+    font-family: Calibri;
+    height: 34px;width: 230px
+}
+
+.td-digits {
+    font-size: 16px;
+    font-weight: bold;
+    margin-left: 50px;
+}
+
+#two-factor-steps {
+    border: 1px solid #ccc;
+    border-radius: 3px;
+    padding: 15px;
+
+    & .row {
+        margin: 0;
+        align-items: center;
+    }
+
+    & .toolbtn {
+        border-radius: 7px;
+        cursor: pointer;
+
+        & :hover {
+            background-color: gray;
+            transition: 0.2s;
+        }
+
+        & :active {
+            background-color: green;
+            transition: 0.2s;
+        }
+    }
+
+    & #answer {
+        display: inline;
+        width: 95%
+    }
+
+    & #second_step {
+        display: none;
+        text-align: center;
+        align-content: center
+    }
+
+    & .tokenrow {
+        margin-top: 10px;
+        margin-left: 5px;
+    }
+}
+
+.row.margin-3 {
+    margin: 3px;
+}
+
+.row.margin-left-15, .auth-card .row {
+    margin-left: 15px;
+}

mfa/static/mfa/js/Email/recheck.js

@@ -0,0 +1,6 @@
+$(document).ready(function () {
+    const mode = JSON.parse(document.getElementById('mode').textContent);
+    if (mode == "recheck") {
+        $("#send_totp").click(function () {send_totp()});
+    }
+})

mfa/static/mfa/js/FIDO2/add.js

@@ -0,0 +1,64 @@
+var MakeCredReq = (makeCredReq) => {
+    makeCredReq.publicKey.challenge = base64url.decode(makeCredReq.publicKey.challenge);
+    makeCredReq.publicKey.user.id = base64url.decode(makeCredReq.publicKey.user.id);
+
+    for (let excludeCred of makeCredReq.publicKey.excludeCredentials) {
+        excludeCred.id = base64url.decode(excludeCred.id);
+    }
+
+    return makeCredReq
+}
+
+function begin_reg() {
+    const fido2_begin_reg = JSON.parse(document.getElementById('fido2_begin_reg').textContent);
+    const fido2_complete_reg = JSON.parse(document.getElementById('fido2_complete_reg').textContent);
+    const redirect_html = JSON.parse(document.getElementById('redirect_html').textContent);
+    const reg_success_msg = JSON.parse(document.getElementById('reg_success_msg').textContent);
+    const manage_recovery_codes = JSON.parse(document.getElementById('manage_recovery_codes').textContent);
+    const RECOVERY_METHOD = JSON.parse(document.getElementById('RECOVERY_METHOD').textContent);
+    const mfa_home = JSON.parse(document.getElementById('mfa_home').textContent);
+    fetch(fido2_begin_reg, {}).then(function (response) {
+        if (response.ok) {
+            return response.json().then(function (req) {
+                return MakeCredReq(req)
+            });
+        }
+        throw new Error('Error getting registration data!');
+    }).then(function (options) {
+        //options.publicKey.attestation="direct"
+        console.log(options)
+        return navigator.credentials.create(options);
+    }).then(function (attestation) {
+        return fetch(fido2_complete_reg, {
+            method: 'POST',
+            body: JSON.stringify(publicKeyCredentialToJSON(attestation))
+        });
+    }).then(function (response) {
+        var stat = response.ok ? 'successful' : 'unsuccessful';
+        return response.json()
+    }).then(function (res) {
+        if (res["status"] == 'OK')
+            $("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='"+redirect_html+"'>"+reg_success_msg+"</a></div>")
+        else if (res['status'] = "RECOVERY") {
+            setTimeout(function () {
+                location.href = manage_recovery_codes
+            }, 2500)
+            $("#res").html("<div class='alert alert-success'>Registered Successfully, but <a href='"+manage_recovery_codes+"'>redirecting to "+RECOVERY_METHOD+" method</a></div>")
+        } else
+            $("#res").html("<div class='alert alert-danger'>Registration Failed as " + res["message"] + ", <a href='#' id='failed_begin_reg'> try again or <a href='"+mfa_home+"'> Go to Security Home</a></div>")
+            $("#failed_begin_reg").click(function() {begin_reg()});
+    }, function (reason) {
+        $("#res").html("<div class='alert alert-danger'>Registration Failed as " + reason + ", <a href='#' id='failed_begin_reg'> try again </a> or <a href='"+mfa_home+"'> Go to Security Home</a></div>")
+        $("#failed_begin_reg").click(function() {begin_reg()});
+    })
+}
+
+$(document).ready(function () {
+    ua = new UAParser().getResult()
+    if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari") {
+        $("#res").html("<button class='btn btn-success' id='ua_begin_reg'>Start...</button>")
+        $("#ua_begin_reg").click(function() { begin_reg(); });
+    } else {
+        setTimeout(begin_reg, 500)
+    }
+})