few bugfixes, fido/u2f still WIP

This commit is contained in:
Roman 2024-04-07 18:29:33 +02:00
parent 0974ac9260
commit 6c551b08d8
19 changed files with 164 additions and 67 deletions

@ -255,8 +255,11 @@ abstract class Request {
$this->success = $req->execute(["method" => self::getEndpoint()]); $this->success = $req->execute(["method" => self::getEndpoint()]);
$this->lastError = $req->getLastError(); $this->lastError = $req->getLastError();
if (!$this->success) { if (!$this->success) {
$res = $req->getResult();
if (!$this->context->getUser()) { if (!$this->context->getUser()) {
$this->result["loggedIn"] = false; $this->result["loggedIn"] = false;
} else if (isset($res["twoFactorToken"])) {
$this->result["twoFactorToken"] = $res["twoFactorToken"];
} }
return false; return false;
} }
@ -284,7 +287,7 @@ abstract class Request {
// this should actually not occur, how to handle this case? // this should actually not occur, how to handle this case?
$this->success = $success; $this->success = $success;
} }
} catch (\Error $err) { } catch (\Throwable $err) {
http_response_code(500); http_response_code(500);
$this->createError($err->getMessage()); $this->createError($err->getMessage());
$this->logger->error($err->getMessage()); $this->logger->error($err->getMessage());

@ -61,7 +61,6 @@ namespace Core\API\TFA {
use Core\API\Parameter\StringType; use Core\API\Parameter\StringType;
use Core\API\TfaAPI; use Core\API\TfaAPI;
use Core\Driver\SQL\Condition\Compare;
use Core\Driver\SQL\Query\Insert; use Core\Driver\SQL\Query\Insert;
use Core\Objects\Context; use Core\Objects\Context;
use Core\Objects\TwoFactor\AttestationObject; use Core\Objects\TwoFactor\AttestationObject;
@ -265,10 +264,7 @@ namespace Core\API\TFA {
$settings = $this->context->getSettings(); $settings = $this->context->getSettings();
$relyingParty = $settings->getSiteName(); $relyingParty = $settings->getSiteName();
$sql = $this->context->getSQL(); $sql = $this->context->getSQL();
// TODO: for react development, localhost / HTTP_HOST is required, otherwise a DOMException is thrown
$domain = parse_url($settings->getBaseUrl(), PHP_URL_HOST); $domain = parse_url($settings->getBaseUrl(), PHP_URL_HOST);
// $domain = "localhost";
if (!$clientDataJSON || !$attestationObjectRaw) { if (!$clientDataJSON || !$attestationObjectRaw) {
$challenge = null; $challenge = null;
@ -329,12 +325,13 @@ namespace Core\API\TFA {
return $this->createError("Unsupported key type. Expected: -7"); return $this->createError("Unsupported key type. Expected: -7");
} }
$twoFactorToken->authenticate();
$this->success = $twoFactorToken->confirmKeyBased($sql, base64_encode($authData->getCredentialID()), $publicKey) !== false; $this->success = $twoFactorToken->confirmKeyBased($sql, base64_encode($authData->getCredentialID()), $publicKey) !== false;
$this->lastError = $sql->getLastError(); $this->lastError = $sql->getLastError();
if ($this->success) { if ($this->success) {
$this->result["twoFactorToken"] = $twoFactorToken->jsonSerialize(); $this->result["twoFactorToken"] = $twoFactorToken->jsonSerialize();
$this->context->invalidateSessions(); $this->context->invalidateSessions(true);
} }
} }

@ -146,6 +146,7 @@ namespace Core\API\User {
use Core\Driver\SQL\Condition\Compare; use Core\Driver\SQL\Condition\Compare;
use Core\Driver\SQL\Condition\CondIn; use Core\Driver\SQL\Condition\CondIn;
use Core\Driver\SQL\Expression\JsonArrayAgg; use Core\Driver\SQL\Expression\JsonArrayAgg;
use Core\Objects\TwoFactor\KeyBasedTwoFactorToken;
use ImagickException; use ImagickException;
use Core\Objects\Context; use Core\Objects\Context;
use Core\Objects\DatabaseEntity\GpgKey; use Core\Objects\DatabaseEntity\GpgKey;
@ -374,6 +375,12 @@ namespace Core\API\User {
$this->result["loggedIn"] = false; $this->result["loggedIn"] = false;
$userGroups = []; $userGroups = [];
} else { } else {
$twoFactorToken = $currentUser->getTwoFactorToken();
if ($twoFactorToken instanceof KeyBasedTwoFactorToken && !$twoFactorToken->hasChallenge()) {
$twoFactorToken->generateChallenge();
}
$this->result["loggedIn"] = true; $this->result["loggedIn"] = true;
$userGroups = array_keys($currentUser->getGroups()); $userGroups = array_keys($currentUser->getGroups());
$this->result["user"] = $currentUser->jsonSerialize(); $this->result["user"] = $currentUser->jsonSerialize();
@ -629,7 +636,7 @@ namespace Core\API\User {
$this->result["loggedIn"] = true; $this->result["loggedIn"] = true;
$this->result["user"] = $user->jsonSerialize(); $this->result["user"] = $user->jsonSerialize();
$this->result["session"] = $session->jsonSerialize(); $this->result["session"] = $session->jsonSerialize(["expires", "csrfToken"]);
$this->result["logoutIn"] = $session->getExpiresSeconds(); $this->result["logoutIn"] = $session->getExpiresSeconds();
$this->check2FA($tfaToken); $this->check2FA($tfaToken);
$this->success = true; $this->success = true;
@ -1310,6 +1317,7 @@ namespace Core\API\User {
} }
$settings = $this->context->getSettings(); $settings = $this->context->getSettings();
$siteName = htmlspecialchars($settings->getSiteName());
$baseUrl = htmlspecialchars($settings->getBaseUrl()); $baseUrl = htmlspecialchars($settings->getBaseUrl());
$token = htmlspecialchars(urlencode($token)); $token = htmlspecialchars(urlencode($token));
$url = "$baseUrl/confirmGPG?token=$token"; $url = "$baseUrl/confirmGPG?token=$token";
@ -1317,14 +1325,12 @@ namespace Core\API\User {
"you imported a GPG public key for end-to-end encrypted mail communication. " . "you imported a GPG public key for end-to-end encrypted mail communication. " .
"To confirm the key and verify, you own the corresponding private key, please click on the following link. " . "To confirm the key and verify, you own the corresponding private key, please click on the following link. " .
"The link is active for one hour.<br><br>" . "The link is active for one hour.<br><br>" .
"<a href='$url'>$url</a><br> "<a href='$url'>$url</a><br>Best Regards<br>$siteName Administration";
Best Regards<br>" .
$settings->getSiteName() . " Administration";
$sendMail = new \Core\API\Mail\Send($this->context); $sendMail = new \Core\API\Mail\Send($this->context);
$this->success = $sendMail->execute(array( $this->success = $sendMail->execute(array(
"to" => $currentUser->getEmail(), "to" => $currentUser->getEmail(),
"subject" => $settings->getSiteName() . " - Confirm GPG-Key", "subject" => "[$siteName] Confirm GPG-Key",
"body" => $mailBody, "body" => $mailBody,
"gpgFingerprint" => $gpgKey->getFingerprint() "gpgFingerprint" => $gpgKey->getFingerprint()
)); ));

@ -29,7 +29,7 @@ namespace Core\API\Visitors {
class ProcessVisit extends VisitorsAPI { class ProcessVisit extends VisitorsAPI {
public function __construct(Context $context, bool $externalCall = false) { public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, array( parent::__construct($context, $externalCall, array(
"cookie" => new StringType("cookie") "cookie" => new StringType("cookie", 26)
)); ));
$this->isPublic = false; $this->isPublic = false;
} }

@ -91,6 +91,7 @@ class Context {
} }
public function sendCookies(): void { public function sendCookies(): void {
// TODO: what will we do, when there is a domain mismatch? forbid access or just send cookies for the current domain? or should we send a redirect?
$domain = $this->getSettings()->getDomain(); $domain = $this->getSettings()->getDomain();
$this->language->sendCookie($domain); $this->language->sendCookie($domain);
$this->session?->sendCookie($domain); $this->session?->sendCookie($domain);

@ -2,6 +2,7 @@
namespace Core\Objects\TwoFactor; namespace Core\Objects\TwoFactor;
use CBOR\MapObject;
use Core\Objects\ApiObject; use Core\Objects\ApiObject;
class AttestationObject extends ApiObject { class AttestationObject extends ApiObject {
@ -9,14 +10,14 @@ class AttestationObject extends ApiObject {
use CBORDecoder; use CBORDecoder;
private string $format; private string $format;
private array $statement; private MapObject $statement;
private AuthenticationData $authData; private AuthenticationData $authData;
public function __construct(string $buffer) { public function __construct(string $buffer) {
$data = $this->decode($buffer)->getNormalizedData(); $data = $this->decode($buffer);
$this->format = $data["fmt"]; $this->format = $data["fmt"];
$this->statement = $data["attStmt"]; $this->statement = $data["attStmt"];
$this->authData = new AuthenticationData($data["authData"]); $this->authData = new AuthenticationData($data["authData"]->getValue());
} }
public function jsonSerialize(): array { public function jsonSerialize(): array {

@ -6,31 +6,47 @@ use Core\Objects\ApiObject;
class AuthenticationData extends ApiObject { class AuthenticationData extends ApiObject {
use CBORDecoder;
const FLAG_USER_PRESENT = 1;
const FLAG_USER_VERIFIED = 4;
const FLAG_ATTESTED_DATA_INCLUDED = 64;
const FLAG_EXTENSION_DATA_INCLUDED = 128;
private string $rpIDHash; private string $rpIDHash;
private int $flags; private int $flags;
private int $counter; private int $signCount;
private string $aaguid; private string $aaguid;
private string $credentialID; private string $credentialID;
private array $extensions;
private PublicKey $publicKey; private PublicKey $publicKey;
public function __construct(string $buffer) { public function __construct(string $buffer) {
if (strlen($buffer) < 32 + 1 + 4) { $bufferLength = strlen($buffer);
if ($bufferLength < 32 + 1 + 4) {
throw new \Exception("Invalid authentication data buffer size"); throw new \Exception("Invalid authentication data buffer size");
} }
$offset = 0; $offset = 0;
$this->rpIDHash = substr($buffer, $offset, 32); $offset += 32; $this->rpIDHash = substr($buffer, $offset, 32); $offset += 32;
$this->flags = ord($buffer[$offset]); $offset += 1; $this->flags = ord(substr($buffer, $offset, 1)); $offset += 1;
$this->counter = unpack("N", $buffer, $offset)[1]; $offset += 4; $this->signCount = unpack("N", substr($buffer, $offset, 4))[1]; $offset += 4;
if (strlen($buffer) >= $offset + 4 + 2) { if ($this->attestedCredentialData()) {
$this->aaguid = substr($buffer, $offset, 16); $offset += 16; $this->aaguid = substr($buffer, $offset, 16); $offset += 16;
$credentialIdLength = unpack("n", $buffer, $offset)[1]; $offset += 2; $credentialIdLength = unpack("n", substr($buffer, $offset, 4))[1]; $offset += 2;
$this->credentialID = substr($buffer, $offset, $credentialIdLength); $offset += $credentialIdLength; $this->credentialID = substr($buffer, $offset, $credentialIdLength); $offset += $credentialIdLength;
$credentialData = substr($buffer, $offset); if ($offset < $bufferLength) {
$this->publicKey = new PublicKey($credentialData); $publicKeyData = $this->decode(substr($buffer, $offset));
$this->publicKey = new PublicKey($publicKeyData);
// TODO: we should add $publicKeyData->length to $offset, but it's not implemented yet?;
}
}
if ($this->hasExtensionData()) {
// not supported yet
} }
} }
@ -38,7 +54,7 @@ class AuthenticationData extends ApiObject {
return [ return [
"rpIDHash" => base64_encode($this->rpIDHash), "rpIDHash" => base64_encode($this->rpIDHash),
"flags" => $this->flags, "flags" => $this->flags,
"counter" => $this->counter, "signCount" => $this->signCount,
"aaguid" => base64_encode($this->aaguid), "aaguid" => base64_encode($this->aaguid),
"credentialID" => base64_encode($this->credentialID), "credentialID" => base64_encode($this->credentialID),
"publicKey" => $this->publicKey->jsonSerialize() "publicKey" => $this->publicKey->jsonSerialize()
@ -54,26 +70,26 @@ class AuthenticationData extends ApiObject {
} }
public function isUserPresent(): bool { public function isUserPresent(): bool {
return boolval($this->flags & (1 << 0)); return boolval($this->flags & self::FLAG_USER_PRESENT);
} }
public function isUserVerified(): bool { public function isUserVerified(): bool {
return boolval($this->flags & (1 << 2)); return boolval($this->flags & self::FLAG_USER_VERIFIED);
} }
public function attestedCredentialData(): bool { public function attestedCredentialData(): bool {
return boolval($this->flags & (1 << 6)); return boolval($this->flags & self::FLAG_ATTESTED_DATA_INCLUDED);
} }
public function hasExtensionData(): bool { public function hasExtensionData(): bool {
return boolval($this->flags & (1 << 7)); return boolval($this->flags & self::FLAG_EXTENSION_DATA_INCLUDED);
} }
public function getPublicKey(): PublicKey { public function getPublicKey(): PublicKey {
return $this->publicKey; return $this->publicKey;
} }
public function getCredentialID() { public function getCredentialID(): string {
return $this->credentialID; return $this->credentialID;
} }
} }

@ -2,14 +2,13 @@
namespace Core\Objects\TwoFactor; namespace Core\Objects\TwoFactor;
use CBOR\Decoder;
use CBOR\StringStream; use CBOR\StringStream;
trait CBORDecoder { trait CBORDecoder {
protected function decode(string $buffer): \CBOR\CBORObject { protected function decode(string $buffer): \CBOR\CBORObject {
$objectManager = new \CBOR\OtherObject\OtherObjectManager(); $decoder = Decoder::create();
$tagManager = new \CBOR\Tag\TagObjectManager();
$decoder = new \CBOR\Decoder($tagManager, $objectManager);
return $decoder->decode(new StringStream($buffer)); return $decoder->decode(new StringStream($buffer));
} }

@ -37,7 +37,7 @@ class KeyBasedTwoFactorToken extends TwoFactorToken {
} }
public function hasChallenge(): bool { public function hasChallenge(): bool {
return isset($this->challenge); return isset($this->challenge) && !empty($this->challenge);
} }
public function getChallenge(): string { public function getChallenge(): string {

@ -2,26 +2,24 @@
namespace Core\Objects\TwoFactor; namespace Core\Objects\TwoFactor;
use CBOR\MapObject;
use Core\Objects\ApiObject; use Core\Objects\ApiObject;
class PublicKey extends ApiObject { class PublicKey extends ApiObject {
use CBORDecoder;
private int $keyType; private int $keyType;
private int $usedAlgorithm; private int $usedAlgorithm;
private int $curveType; private int $curveType;
private string $xCoordinate; private string $xCoordinate;
private string $yCoordinate; private string $yCoordinate;
public function __construct(?string $cborData = null) { public function __construct(?MapObject $publicKeyData = null) {
if ($cborData) { if ($publicKeyData) {
$data = $this->decode($cborData)->getNormalizedData(); $this->keyType = $publicKeyData["1"]->getValue();
$this->keyType = $data["1"]; $this->usedAlgorithm = $publicKeyData["3"]->getValue();
$this->usedAlgorithm = $data["3"]; $this->curveType = $publicKeyData["-1"]->getValue();
$this->curveType = $data["-1"]; $this->xCoordinate = $publicKeyData["-2"]->getValue();
$this->xCoordinate = $data["-2"]; $this->yCoordinate = $publicKeyData["-3"]->getValue();
$this->yCoordinate = $data["-3"];
} }
} }
@ -53,8 +51,8 @@ class PublicKey extends ApiObject {
public function getNormalizedData(): array { public function getNormalizedData(): array {
return [ return [
"1" => $this->keyType, "1" => $this->keyType,
"3" => $this->usedAlgorithm, "3" => $this->usedAlgorithm,
"-1" => $this->curveType, "-1" => $this->curveType,
"-2" => $this->xCoordinate, "-2" => $this->xCoordinate,
"-3" => $this->yCoordinate, "-3" => $this->yCoordinate,

@ -67,7 +67,7 @@ if ($installation) {
} else { } else {
try { try {
$response = $router->run($requestedUri); $response = $router->run($requestedUri);
} catch (\Error $e) { } catch (\Throwable $e) {
http_response_code(500); http_response_code(500);
$router->getLogger()->error($e->getMessage()); $router->getLogger()->error($e->getMessage());
$response = $router->returnStatusCode(500); $response = $router->returnStatusCode(500);

@ -51,7 +51,7 @@ $(document).ready(function () {
btn.prop("disabled", false); btn.prop("disabled", false);
$("#password").val(""); $("#password").val("");
createdDiv.hide(); createdDiv.hide();
if (res.emailConfirmed === false) { if (res.user.confirmed === false) {
showAlert("danger", res.msg + ' <a href="/resendConfirmEmail">Click here</a> to resend the confirmation mail.', true); showAlert("danger", res.msg + ' <a href="/resendConfirmEmail">Click here</a> to resend the confirmation mail.', true);
} else { } else {
showAlert("danger", res.msg); showAlert("danger", res.msg);

@ -6,7 +6,7 @@
"react": "^18.2.0" "react": "^18.2.0"
}, },
"scripts": { "scripts": {
"dev": "react-app-rewired start" "dev": "HTTPS=true react-app-rewired start"
}, },
"author": "", "author": "",
"license": "ISC", "license": "ISC",

@ -28,6 +28,14 @@ export default function App() {
}); });
}, [api]); }, [api]);
const onLogout = useCallback(() => {
api.logout().then(data => {
if (!data.success) {
setError("Error logging out: " + data.msg);
}
});
}, [api]);
const onInit = useCallback((force = false) => { const onInit = useCallback((force = false) => {
if (loaded && !force) { if (loaded && !force) {
return; return;
@ -97,8 +105,8 @@ export default function App() {
} else { } else {
return <b>{L("general.loading")} <Icon icon={"spinner"}/></b> return <b>{L("general.loading")} <Icon icon={"spinner"}/></b>
} }
} else if (!user || !api.loggedIn) { } else if (!user || !api.loggedIn || (api.user.twoFactorToken?.confirmed && !api.user.twoFactorToken.authenticated)) {
return <LoginForm api={api} info={info} onLogin={fetchUser} /> return <LoginForm api={api} info={info} onLogin={fetchUser} onLogout={onLogout} />
} else { } else {
return <AdminDashboard api={api} info={info} /> return <AdminDashboard api={api} info={info} />
} }

@ -1,17 +1,76 @@
import {Box, Paper} from "@mui/material"; import {Box, CircularProgress, Paper} from "@mui/material";
import {LocaleContext} from "shared/locale"; import {LocaleContext} from "shared/locale";
import {useCallback, useContext} from "react"; import {useCallback, useContext} from "react";
import {decodeText, encodeText} from "shared/util";
export default function MfaFido(props) { export default function MfaFido(props) {
const {api, showDialog, setDialogData, ...other} = props; const {api, showDialog, setDialogData, set2FA, ...other} = props;
const {translate: L} = useContext(LocaleContext); const {translate: L} = useContext(LocaleContext);
const openDialog = useCallback(() => { const openDialog = useCallback(() => {
if (api.hasPermission("tfa/registerKey")) { if (!api.hasPermission("tfa/registerKey")) {
return;
} }
}, [api, showDialog]);
if (typeof navigator.credentials !== 'object' || typeof navigator.credentials.create !== 'function') {
showDialog(L("Key-based Two-Factor-Authentication (2FA) is not supported on this device."), L("Not supported"));
}
api.register2FA().then(res => {
if (!res.success) {
showDialog(res.msg, L("Error registering 2FA-Device"));
return;
}
setDialogData({
show: true,
title: L("Register a 2FA-Device"),
message: L("You may need to interact with your Device, e.g. typing in your PIN or touching to confirm the registration."),
inputs: [
{ type: "custom", key: "progress", element: CircularProgress }
],
options: [L("general.cancel")],
})
navigator.credentials.create({
publicKey: {
challenge: encodeText(window.atob(res.data.challenge)),
rp: res.data.relyingParty,
user: {
id: encodeText(res.data.id),
name: api.user.name,
displayName: api.user.fullName
},
userVerification: "discouraged",
attestation: "direct",
pubKeyCredParams: [{
type: "public-key",
alg: -7, // "ES256" IANA COSE Algorithms registry
}]
}
}).then(res => {
if (res.response) {
let clientDataJSON = decodeText(res.response.clientDataJSON);
let attestationObject = window.btoa(String.fromCharCode.apply(null, new Uint8Array(res.response.attestationObject)));
api.register2FA(clientDataJSON, attestationObject).then((res) => {
setDialogData({show: false});
if (res.success) {
showDialog(L("account.confirm_fido_success"), L("general.success"));
set2FA({ confirmed: true, type: "fido", authenticated: true });
} else {
showDialog(res.msg, L("Error registering 2FA-Device"));
}
});
} else {
showDialog(JSON.stringify(res), L("Error registering 2FA-Device"));
}
}).catch(ex => {
setDialogData({show: false});
showDialog(ex.toString(), L("Error registering 2FA-Device"));
});
});
}, [api, showDialog, setDialogData, set2FA]);
const disabledStyle = { const disabledStyle = {
background: "gray", background: "gray",

@ -4,7 +4,7 @@ import {LocaleContext} from "shared/locale";
export default function MfaTotp(props) { export default function MfaTotp(props) {
const {setDialogData, api, showDialog, ...other} = props; const {setDialogData, api, showDialog, set2FA, ...other} = props;
const {translate: L} = useContext(LocaleContext); const {translate: L} = useContext(LocaleContext);
const onConfirmTOTP = useCallback((code) => { const onConfirmTOTP = useCallback((code) => {
@ -14,10 +14,11 @@ export default function MfaTotp(props) {
} else { } else {
setDialogData({show: false}); setDialogData({show: false});
showDialog(L("account.confirm_totp_success"), L("general.success")); showDialog(L("account.confirm_totp_success"), L("general.success"));
set2FA({ confirmed: true, type: "totp", authenticated: true });
} }
}); });
return false; return false;
}, [api, showDialog]); }, [api, showDialog, set2FA, setDialogData]);
const openDialog = useCallback(() => { const openDialog = useCallback(() => {
if (api.hasPermission("tfa/generateQR")) { if (api.hasPermission("tfa/generateQR")) {
@ -28,8 +29,8 @@ export default function MfaTotp(props) {
"On Android, you can use the Google Authenticator."), "On Android, you can use the Google Authenticator."),
inputs: [ inputs: [
{ {
type: "custom", element: Box, textAlign: "center", children: type: "custom", element: Box, textAlign: "center", key: "qr-code",
<img src={"/api/tfa/generateQR?nocache=" + Math.random()} alt={"[QR-Code]"}/> children: <img src={"/api/tfa/generateQR?nocache=" + Math.random()} alt={"[QR-Code]"} />
}, },
{ {
type: "number", placeholder: L("account.6_digit_code"), type: "number", placeholder: L("account.6_digit_code"),
@ -37,6 +38,7 @@ export default function MfaTotp(props) {
sx: { "& input": { textAlign: "center", fontFamily: "monospace" } }, sx: { "& input": { textAlign: "center", fontFamily: "monospace" } },
} }
], ],
options: [L("general.ok"), L("general.cancel")],
onOption: (option, data) => option === 0 ? onConfirmTOTP(data.code) : true onOption: (option, data) => option === 0 ? onConfirmTOTP(data.code) : true
}) })
} }

@ -388,8 +388,10 @@ export default function ProfileView(props) {
</Button> </Button>
</Box> : </Box> :
<MFAOptions> <MFAOptions>
<MfaTotp api={api} showDialog={showDialog} setDialogData={setDialogData}/> <MfaTotp api={api} showDialog={showDialog} setDialogData={setDialogData}
<MfaFido api={api} showDialog={showDialog} setDialogData={setDialogData}/> set2FA={token => setProfile({...profile, twoFactorToken: token })} />
<MfaFido api={api} showDialog={showDialog} setDialogData={setDialogData}
set2FA={token => setProfile({...profile, twoFactorToken: token })} />
</MFAOptions> </MFAOptions>
} }
</CollapseBox> </CollapseBox>
@ -409,7 +411,7 @@ export default function ProfileView(props) {
message={dialogData.message} message={dialogData.message}
inputs={dialogData.inputs} inputs={dialogData.inputs}
onClose={() => setDialogData({show: false})} onClose={() => setDialogData({show: false})}
options={[L("general.ok"), L("general.cancel")]} options={dialogData.options}
onOption={dialogData.onOption} /> onOption={dialogData.onOption} />
</> </>
} }

@ -47,10 +47,14 @@ export default class API {
} }
let res = await response.json(); let res = await response.json();
if (!res.success && res.loggedIn === false) { if (!res.success) {
this.loggedIn = false; if (res.loggedIn === false) {
this.user = null; this.loggedIn = false;
this.session = null; this.user = null;
this.session = null;
} else if (res.twoFactorToken === true) {
this.user.twoFactorToken = res.twoFactorToken;
}
} }
return res; return res;

@ -138,6 +138,7 @@ export default function LoginForm(props) {
type: "public-key", type: "public-key",
}], }],
userVerification: "discouraged", userVerification: "discouraged",
attestation: "direct",
}, },
signal: abortSignal signal: abortSignal
}).then((res) => { }).then((res) => {
@ -207,7 +208,7 @@ export default function LoginForm(props) {
<Box mt={2} textAlign={"center"}> <Box mt={2} textAlign={"center"}>
{tfaToken.step !== 2 {tfaToken.step !== 2
? <CircularProgress/> ? <CircularProgress/>
: <Box> : <Box mb={2}>
<div><b>{L("general.something_went_wrong")}:</b><br />{tfaToken.error}</div> <div><b>{L("general.something_went_wrong")}:</b><br />{tfaToken.error}</div>
<Button onClick={() => set2FAToken({ ...tfaToken, step: 0, error: "" })} <Button onClick={() => set2FAToken({ ...tfaToken, step: 0, error: "" })}
variant={"outlined"} color={"secondary"} size={"small"}> variant={"outlined"} color={"secondary"} size={"small"}>