[Web] Separate FIDO2 logins

2025-12-13 18:06:01 +00:00 · 2025-03-07 13:12:48 +01:00
parent 6f9c8deab7
commit bc21e7fe50
6 changed files with 107 additions and 84 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1250,6 +1250,7 @@ function set_tfa($_data) {
 }
 function fido2($_data) {
  global $pdo;
+  global $WebAuthn;
  $_data_log = $_data;
  // Not logging registration data, only actions
  // Silent errors for "get" requests
@@ -1383,6 +1384,81 @@ function fido2($_data) {
        'msg' => array('object_modified', htmlspecialchars($username))
      );
    break;
+    case "verify":
+      $tokenData = json_decode($_data['token']);
+      $clientDataJSON = base64_decode($tokenData->clientDataJSON);
+      $authenticatorData = base64_decode($tokenData->authenticatorData);
+      $signature = base64_decode($tokenData->signature);
+      $id = base64_decode($tokenData->id);
+      $challenge = $_SESSION['challenge'];
+      $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $tokenData->id));
+      if ($process_fido2['pub_key'] === false) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => "login_failed"
+        );
+        return false;
+      }
+      try {
+        $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
+      }
+      catch (Throwable $ex) {
+        unset($process_fido2);
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username'], $ex->getMessage()),
+          'msg' => "login_failed"
+        );
+        return false;
+      }
+      $return = new stdClass();
+      $return->success = true;
+      $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
+      $stmt->execute(array(':username' => $process_fido2['username']));
+      $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
+      if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
+        $_SESSION["mailcow_cc_role"] = "admin";
+      }
+      elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
+        $_SESSION["mailcow_cc_role"] = "domainadmin";
+      }
+      elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
+        $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
+        $stmt->execute(array(':username' => $process_fido2['username']));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if ($row['username'] == $process_fido2['username']) {
+          $_SESSION["mailcow_cc_role"] = "user";
+        }
+      }
+      else {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+      if (empty($_SESSION["mailcow_cc_role"])) {
+        session_unset();
+        session_destroy();
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+          'msg' => 'login_failed'
+        );
+        return false;
+      }
+      $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
+      $_SESSION["fido2_cid"] = $process_fido2['cid'];
+      unset($_SESSION["challenge"]);
+      $_SESSION['return'][] =  array(
+        'type' => 'success',
+        'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
+        'msg' => array('logged_in_as', $process_fido2['username'])
+      );
+      return true;
+    break;
  }
 }
 function unset_tfa_key($_data) {
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -18,6 +18,14 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_mailcow_cc_role']);
  unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "admin"
+  ));
+  exit;
+}

 if (isset($_GET["cancel_tfa_login"])) {
  unset($_SESSION['pending_pw_reset_token']);
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -29,6 +29,14 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_mailcow_cc_role']);
  unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "domainadmin"
+  ));
+  exit;
+}

 if (isset($_GET["cancel_tfa_login"])) {
  unset($_SESSION['pending_pw_reset_token']);
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -83,6 +83,14 @@ if (isset($_POST["verify_tfa_login"])) {
  unset($_SESSION['pending_mailcow_cc_role']);
  unset($_SESSION['pending_tfa_methods']);
 }
+if (isset($_POST["verify_fido2_login"])) {
+  fido2(array(
+    "action" => "verify",
+    "token" => $_POST["token"],
+    "user" => "user"
+  ));
+  exit;
+}

 if (isset($_GET["cancel_tfa_login"])) {
  unset($_SESSION['pending_pw_reset_token']);
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -334,81 +334,6 @@ if (isset($_GET['query'])) {
          exit();
      }
    break;
-    case "process":
-      // only allow POST requests to process API endpoints
-      if ($_SERVER['REQUEST_METHOD'] != 'POST') {
-        http_response_code(405);
-        echo json_encode(array(
-            'type' => 'error',
-            'msg' => 'only POST method is allowed'
-        ));
-        exit();
-      }
-      switch ($category) {
-        case "fido2-args":
-          header('Content-Type: application/json');
-          $post = trim(file_get_contents('php://input'));
-          if ($post) {
-            $post = json_decode($post);
-          }
-          $clientDataJSON = base64_decode($post->clientDataJSON);
-          $authenticatorData = base64_decode($post->authenticatorData);
-          $signature = base64_decode($post->signature);
-          $id = base64_decode($post->id);
-          $challenge = $_SESSION['challenge'];
-          $process_fido2 = fido2(array("action" => "get_by_b64cid", "cid" => $post->id));
-          if ($process_fido2['pub_key'] === false) {
-            $return = new stdClass();
-            $return->success = false;
-            echo json_encode($return);
-            exit;
-          }
-          try {
-            $WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $process_fido2['pub_key'], $challenge, null, $GLOBALS['FIDO2_UV_FLAG_LOGIN'], $GLOBALS['FIDO2_USER_PRESENT_FLAG']);
-          }
-          catch (Throwable $ex) {
-            unset($process_fido2);
-            $return = new stdClass();
-            $return->success = false;
-            echo json_encode($return);
-            exit;
-          }
-          $return = new stdClass();
-          $return->success = true;
-          $stmt = $pdo->prepare("SELECT `superadmin` FROM `admin` WHERE `username` = :username");
-          $stmt->execute(array(':username' => $process_fido2['username']));
-          $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
-          if ($obj_props['superadmin'] === 1) {
-            $_SESSION["mailcow_cc_role"] = "admin";
-          }
-          elseif ($obj_props['superadmin'] === 0) {
-            $_SESSION["mailcow_cc_role"] = "domainadmin";
-          }
-          else {
-            $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
-            $stmt->execute(array(':username' => $process_fido2['username']));
-            $row = $stmt->fetch(PDO::FETCH_ASSOC);
-            if ($row['username'] == $process_fido2['username']) {
-              $_SESSION["mailcow_cc_role"] = "user";
-            }
-          }
-          if (empty($_SESSION["mailcow_cc_role"])) {
-            session_unset();
-            session_destroy();
-            exit;
-          }
-          $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
-          $_SESSION["fido2_cid"] = $process_fido2['cid'];
-          unset($_SESSION["challenge"]);
-          $_SESSION['return'][] =  array(
-            'type' => 'success',
-            'log' => array("fido2_login"),
-            'msg' => array('logged_in_as', $process_fido2['username'])
-          );
-          echo json_encode($return);
-        break;
-      }
-    break;
    case "get":
      function process_get_return($data, $object = true) {
        if ($object === true) {
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -391,15 +391,13 @@ function recursiveBase64StrToArrayBuffer(obj) {
        signature : cred.response.signature ? arrayBufferToBase64(cred.response.signature) : null
      };
    }).then(JSON.stringify).then(function(AuthenticatorAttestationResponse) {
-      return window.fetch("/api/v1/process/fido2-args", {method:'POST', body: AuthenticatorAttestationResponse, cache:'no-cache'});
+      var formData = new FormData();
+      formData.append("token", AuthenticatorAttestationResponse);
+      formData.append("verify_fido2_login", "true");
+
+      return window.fetch(window.location.href, {method:'POST', body: formData, cache:'no-cache'});
    }).then(function(response) {
-      return response.json();
-    }).then(function(json) {
-      if (json.success) {
      window.location = window.location.href.split("#")[0];
-  } else {
-    throw new Error();
-  }
    }).catch(function(err) {
    if (typeof err.message === 'undefined') {
      mailcow_alert_box(lang_fido2.fido2_validation_failed, "danger");