trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

stages/authenticator_webauthn: fix rp_id and origin generation

This commit is contained in:
Jens Langhammer 2021-02-23 23:39:00 +01:00
parent 55af786852
commit e8259791f0
2 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
authentik/stages/authenticator_webauthn/stage.py
View File

@ -18,7 +18,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.stage import ChallengeStageView from authentik.flows.stage import ChallengeStageView
from authentik.lib.templatetags.authentik_utils import avatar from authentik.lib.templatetags.authentik_utils import avatar
from authentik.stages.authenticator_webauthn.models import WebAuthnDevice from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
from authentik.stages.authenticator_webauthn.utils import generate_challenge from authentik.stages.authenticator_webauthn.utils import generate_challenge, get_origin, get_rp_id
RP_NAME = "authentik" RP_NAME = "authentik"
@ -52,8 +52,8 @@ class AuthenticatorWebAuthnChallengeResponse(ChallengeResponse):
none_attestation_permitted = True none_attestation_permitted = True
webauthn_registration_response = WebAuthnRegistrationResponse( webauthn_registration_response = WebAuthnRegistrationResponse(
self.request.get_host(), get_rp_id(self.request),
self.request.build_absolute_uri("/"), get_origin(self.request),
response, response,
challenge, challenge,
trusted_attestation_cert_required=trusted_attestation_cert_required, trusted_attestation_cert_required=trusted_attestation_cert_required,
@ -110,7 +110,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
make_credential_options = WebAuthnMakeCredentialOptions( make_credential_options = WebAuthnMakeCredentialOptions(
challenge, challenge,
RP_NAME, RP_NAME,
self.request.get_host(), get_rp_id(self.request),
user.uid, user.uid,
user.username, user.username,
user.name, user.name,
@ -154,7 +154,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
public_key=webauthn_credential.public_key, public_key=webauthn_credential.public_key,
credential_id=webauthn_credential.credential_id, credential_id=webauthn_credential.credential_id,
sign_count=webauthn_credential.sign_count, sign_count=webauthn_credential.sign_count,
rp_id=self.request.get_host(), rp_id=get_rp_id(self.request),
) )
else: else:
return self.executor.stage_invalid( return self.executor.stage_invalid(

14
authentik/stages/authenticator_webauthn/utils.py
View File

@ -1,6 +1,7 @@
"""webauthn utils""" """webauthn utils"""
import base64 import base64
import os import os
from django.http import HttpRequest
CHALLENGE_DEFAULT_BYTE_LEN = 32 CHALLENGE_DEFAULT_BYTE_LEN = 32
@ -21,3 +22,16 @@ def generate_challenge(challenge_len=CHALLENGE_DEFAULT_BYTE_LEN):
if not isinstance(challenge_base64, str): if not isinstance(challenge_base64, str):
challenge_base64 = challenge_base64.decode("utf-8") challenge_base64 = challenge_base64.decode("utf-8")
return challenge_base64 return challenge_base64
def get_rp_id(request: HttpRequest) -> str:
"""Get hostname from http request, without port"""
host = request.get_host()
if ":" in host:
return host.split(":")[0]
return host
def get_origin(request: HttpRequest) -> str:
"""Return Origin by building an absolute URL and removing the
trailing slash"""
full_url = request.build_absolute_uri("/")
return full_url[:-1]