mirror of
https://github.com/getnamingo/registry.git
synced 2025-05-10 16:58:34 +02:00
217 lines
No EOL
9 KiB
PHP
217 lines
No EOL
9 KiB
PHP
<?php
|
|
|
|
namespace App\Controllers;
|
|
|
|
use Psr\Http\Message\ResponseInterface as Response;
|
|
use Psr\Http\Message\ServerRequestInterface as Request;
|
|
use Psr\Container\ContainerInterface;
|
|
|
|
class ProfileController extends Controller
|
|
{
|
|
private $webAuthn;
|
|
|
|
public function __construct() {
|
|
$rpName = 'Namingo';
|
|
$rpId = envi('APP_DOMAIN');
|
|
$formats = [
|
|
'android-key',
|
|
'android-safetynet',
|
|
'apple',
|
|
'fido-u2f',
|
|
'none',
|
|
'packed',
|
|
'tpm'
|
|
];
|
|
|
|
$this->webAuthn = new \lbuchs\WebAuthn\WebAuthn($rpName, $rpId, $formats);
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/solo.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/apple.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/yubico.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/hypersecu.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/globalSign.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/googleHardware.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/microsoftTpmCollection.pem');
|
|
$this->webAuthn->addRootCertificates(envi('APP_ROOT').'/vendor/lbuchs/webauthn/_test/rootCertificates/mds');
|
|
}
|
|
|
|
public function profile(Request $request, Response $response)
|
|
{
|
|
global $container;
|
|
|
|
$username = $_SESSION['auth_username'];
|
|
$email = $_SESSION['auth_email'];
|
|
$userId = $_SESSION['auth_user_id'];
|
|
$status = $_SESSION['auth_status'];
|
|
|
|
$db = $container->get('db');
|
|
$tfa = new \RobThree\Auth\TwoFactorAuth('Namingo');
|
|
$secret = $tfa->createSecret();
|
|
$qrcodeDataUri = $tfa->getQRCodeImageAsDataUri($email, $secret);
|
|
|
|
if ($status == 0) {
|
|
$status = "Confirmed";
|
|
} else {
|
|
$status = "Unknown";
|
|
}
|
|
$roles = $_SESSION['auth_roles'];
|
|
if ($roles == 0) {
|
|
$role = "Admin";
|
|
} else {
|
|
$role = "Unknown";
|
|
}
|
|
|
|
$csrfName = $container->get('csrf')->getTokenName();
|
|
$csrfValue = $container->get('csrf')->getTokenValue();
|
|
|
|
$_SESSION['2fa_secret'] = $secret;
|
|
|
|
$is_2fa_activated = $db->selectValue(
|
|
'SELECT tfa_enabled FROM users WHERE id = ? LIMIT 1',
|
|
[$userId]
|
|
);
|
|
$is_weba_activated = $db->select(
|
|
'SELECT * FROM users_webauthn WHERE user_id = ?',
|
|
[$userId]
|
|
);
|
|
if ($is_2fa_activated) {
|
|
return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
|
|
} else if ($is_weba_activated) {
|
|
return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'qrcodeDataUri' => $qrcodeDataUri, 'secret' => $secret, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue, 'weba' => $is_weba_activated]);
|
|
} else {
|
|
return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'qrcodeDataUri' => $qrcodeDataUri, 'secret' => $secret, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
|
|
}
|
|
|
|
}
|
|
|
|
public function activate2fa(Request $request, Response $response)
|
|
{
|
|
global $container;
|
|
|
|
if ($request->getMethod() === 'POST') {
|
|
// Retrieve POST data
|
|
$data = $request->getParsedBody();
|
|
$db = $container->get('db');
|
|
$verificationCode = $data['verificationCode'] ?? null;
|
|
$userId = $_SESSION['auth_user_id'];
|
|
$secret = $_SESSION['2fa_secret'];
|
|
|
|
$csrfName = $container->get('csrf')->getTokenName();
|
|
$csrfValue = $container->get('csrf')->getTokenValue();
|
|
$username = $_SESSION['auth_username'];
|
|
$email = $_SESSION['auth_email'];
|
|
$status = $_SESSION['auth_status'];
|
|
|
|
if ($status == 0) {
|
|
$status = "Confirmed";
|
|
} else {
|
|
$status = "Unknown";
|
|
}
|
|
$roles = $_SESSION['auth_roles'];
|
|
if ($roles == 0) {
|
|
$role = "Admin";
|
|
} else {
|
|
$role = "Unknown";
|
|
}
|
|
|
|
try {
|
|
$db->update(
|
|
'users',
|
|
[
|
|
'tfa_secret' => $secret,
|
|
'tfa_enabled' => 1,
|
|
'auth_method' => '2fa',
|
|
'backup_codes' => null
|
|
],
|
|
[
|
|
'id' => $userId
|
|
]
|
|
);
|
|
} catch (Exception $e) {
|
|
return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
|
|
}
|
|
|
|
return view($response,'admin/profile/profile.twig',['email' => $email, 'username' => $username, 'status' => $status, 'role' => $role, 'csrf_name' => $csrfName, 'csrf_value' => $csrfValue]);
|
|
}
|
|
}
|
|
|
|
public function getRegistrationChallenge(Request $request, Response $response)
|
|
{
|
|
$userName = $_SESSION['auth_username'];
|
|
$userEmail = $_SESSION['auth_email'];
|
|
$userId = $_SESSION['auth_user_id'];
|
|
$hexUserId = dechex($userId);
|
|
// Ensure even length for the hexadecimal string
|
|
if(strlen($hexUserId) % 2 != 0){
|
|
$hexUserId = '0' . $hexUserId;
|
|
}
|
|
$createArgs = $this->webAuthn->getCreateArgs(\hex2bin($hexUserId), $userName, $userName, 60*4, true, 'required', null);
|
|
|
|
$response->getBody()->write(json_encode($createArgs));
|
|
$challenge = $this->webAuthn->getChallenge();
|
|
$_SESSION['challenge_data'] = $challenge->getBinaryString();
|
|
|
|
return $response->withHeader('Content-Type', 'application/json');
|
|
}
|
|
|
|
public function verifyRegistration(Request $request, Response $response)
|
|
{
|
|
$challengeData = $_SESSION['challenge_data'];
|
|
$challenge = new \lbuchs\WebAuthn\Binary\ByteBuffer($challengeData);
|
|
|
|
global $container;
|
|
$data = json_decode($request->getBody()->getContents(), null, 512, JSON_THROW_ON_ERROR);
|
|
$userName = $_SESSION['auth_username'];
|
|
$userEmail = $_SESSION['auth_email'];
|
|
$userId = $_SESSION['auth_user_id'];
|
|
|
|
try {
|
|
// Decode the incoming data
|
|
$clientDataJSON = base64_decode($data->clientDataJSON);
|
|
$attestationObject = base64_decode($data->attestationObject);
|
|
|
|
// Retrieve the challenge from the session
|
|
//$challenge = $_SESSION['challenge'];
|
|
|
|
// Process the WebAuthn response
|
|
$credential = $this->webAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, 'required', true, false);
|
|
|
|
// add user infos
|
|
$credential->userId = $userId;
|
|
$credential->userName = $userName;
|
|
$credential->userDisplayName = $userName;
|
|
|
|
// Store the credential data in the database
|
|
$db = $container->get('db');
|
|
$counter = is_null($credential->signatureCounter) ? 0 : $credential->signatureCounter;
|
|
$db->insert(
|
|
'users_webauthn',
|
|
[
|
|
'user_id' => $_SESSION['auth_user_id'],
|
|
'credential_id' => base64_encode($credential->credentialId),
|
|
'public_key' => $credential->credentialPublicKey,
|
|
'attestation_object' => base64_encode($attestationObject),
|
|
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
|
|
'sign_count' => $counter
|
|
]
|
|
);
|
|
|
|
$msg = 'registration success.';
|
|
if ($credential->rootValid === false) {
|
|
$msg = 'registration ok, but certificate does not match any of the selected root ca.';
|
|
}
|
|
|
|
$return = new \stdClass();
|
|
$return->success = true;
|
|
$return->msg = $msg;
|
|
|
|
// Send success response
|
|
$response->getBody()->write(json_encode($return));
|
|
return $response->withHeader('Content-Type', 'application/json');
|
|
} catch (\Exception $e) {
|
|
// Handle error, return an appropriate response
|
|
$response->getBody()->write(json_encode(['error' => $e->getMessage()]));
|
|
return $response->withHeader('Content-Type', 'application/json')->withStatus(400);
|
|
}
|
|
}
|
|
|
|
} |