nextcloud
/
twofactor_u2f
зеркало из https://github.com/nextcloud/twofactor_u2f.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

quick and dirty U2F registration

This commit is contained in:
Christoph Wurst 2016-08-26 10:58:32 +02:00
Родитель 0ba2cbb6eb
Коммит f0181c5868
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: CC42AC2A7F0E56D8
12 изменённых файлов: 958 добавлений и 10 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
.gitignore поставляемый
Просмотреть файл

@ -1 +1,3 @@
/nbproject/private/
/nbproject/private/
/vendor/

14
appinfo/app.php Normal file
Просмотреть файл

@ -0,0 +1,14 @@
<?php
/**
* Nextcloud - U2F 2FA
*
* This file is licensed under the Affero General Public License version 3 or
* later. See the COPYING file.
*
* @author Christoph Wurst <christoph@winzerhof-wurst.at>
* @copyright Christoph Wurst 2016
*/
OC_App::registerPersonal('twofactor_u2f', 'settings/personal');

11
appinfo/autoload.php
Просмотреть файл

@ -1,4 +1,5 @@
<?php
/**
* Nextcloud - U2F 2FA
*
@ -8,12 +9,4 @@
* @author Christoph Wurst <christoph@winzerhof-wurst.at>
* @copyright Christoph Wurst 2016
*/
namespace OCA\TwoFactorUf\AppInfo;
use OCP\AppFramework\App;
/**
* Additional autoloader registration, e.g. registering composer autoloaders
*/
// require_once __DIR__ . '/../vendor/autoload.php';
require_once __DIR__ . '/../vendor/autoload.php';

34
appinfo/routes.php Normal file
Просмотреть файл

@ -0,0 +1,34 @@
<?php
/**
* @author Christoph Wurst <christoph@winzerhof-wurst.at>
*
* Two-factor TOTP
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
return [
'routes' => [
[
'name' => 'settings#startRegister',
'url' => '/settings/startregister',
'verb' => 'POST'
],
[
'name' => 'settings#finishRegister',
'url' => '/settings/finishregister',
'verb' => 'POST'
],
]
];

15
composer.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"name": "christophwurst/twofactor_u2f",
"description": "A two factor provider for U2F devices for Nextcloud",
"type": "project",
"license": "agplv3",
"authors": [
{
"name": "Christoph Wurst",
"email": "christoph@winzerhof-wurst.at"
}
],
"require": {
"yubico/u2flib-server": "^1.0"
}
}

50
composer.lock сгенерированный Normal file
Просмотреть файл

@ -0,0 +1,50 @@
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"hash": "901e1b2c0ead1ebd56edbe3b05f81ad1",
"content-hash": "869de9edf8a8cc8838b095308dd980ce",
"packages": [
{
"name": "yubico/u2flib-server",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/Yubico/php-u2flib-server.git",
"reference": "407eb21da24150aad30bcd8cc0ee72963eac5e9d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/Yubico/php-u2flib-server/zipball/407eb21da24150aad30bcd8cc0ee72963eac5e9d",
"reference": "407eb21da24150aad30bcd8cc0ee72963eac5e9d",
"shasum": ""
},
"require": {
"ext-openssl": "*"
},
"type": "library",
"autoload": {
"classmap": [
"src/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-2-Clause"
],
"description": "Library for U2F implementation",
"homepage": "https://developers.yubico.com/php-u2flib-server",
"time": "2016-02-19 09:47:51"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": []
}

16
js/settings.js Normal file
Просмотреть файл

@ -0,0 +1,16 @@
/* global OC */
(function (OC) {
'use strict';
OC.Settings = OC.Settings || {};
OC.Settings.TwoFactorU2F = OC.Settings.TwoFactorU2F || {};
$(function () {
var view = new OC.Settings.TwoFactorU2F.View({
el: $('#twofactor-u2f-settings')
});
view.render();
});
})(OC);

59
js/settingsview.js Normal file
Просмотреть файл

@ -0,0 +1,59 @@
/* global Backbone, Handlebars, OC, u2f */
(function (OC, Backbone, Handlebars, $, u2f) {
'use strict';
OC.Settings = OC.Settings || {};
OC.Settings.TwoFactorU2F = OC.Settings.TwoFactorU2F || {};
var TEMPLATE = '<div>'
+ ' <button id="u2f-register">Register</button>'
+ '</div>';
var View = Backbone.View.extend({
template: Handlebars.compile(TEMPLATE),
events: {
'click #u2f-register': 'onRegister'
},
initialize: function () {
},
render: function (data) {
this.$el.html(this.template(data));
},
onRegister: function () {
console.log('start register…');
var url = OC.generateUrl('apps/twofactor_u2f/settings/startregister');
$.ajax(url, {
method: 'POST'
}).done(function (data) {
this.doRegister(data.req, data.sigs);
}.bind(this));
},
doRegister: function (req, sigs) {
console.log('doRegister', req, sigs);
u2f.register([req], sigs, function (data) {
console.log(data.errorCode);
if (data.errorCode && data.errorCode !== 0) {
alert("registration failed with errror: " + data.errorCode);
return;
}
this.finishRegister(data);
}.bind(this));
},
finishRegister: function (data) {
console.log('finish register…', data);
var url = OC.generateUrl('apps/twofactor_u2f/settings/finishregister');
$.ajax(url, {
method: 'POST',
data: data
}).then(function() {
OC.Notification.showTemporary('U2F device successfully registered');
console.log('registration finished');
});
}
});
OC.Settings.TwoFactorU2F.View = View;
})(OC, Backbone, Handlebars, $, u2f);

651
js/vendor/u2f-api.js поставляемый Normal file
Просмотреть файл

@ -0,0 +1,651 @@
// Copyright 2014-2015 Google Inc. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file or at
// https://developers.google.com/open-source/licenses/bsd
/**
* @fileoverview The U2F api.
*/
'use strict';
/** Namespace for the U2F api.
* @type {Object}
*/
var u2f = u2f || {};
/**
* The U2F extension id
* @type {string}
* @const
*/
u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
/**
* Message types for messsages to/from the extension
* @const
* @enum {string}
*/
u2f.MessageTypes = {
'U2F_REGISTER_REQUEST': 'u2f_register_request',
'U2F_SIGN_REQUEST': 'u2f_sign_request',
'U2F_REGISTER_RESPONSE': 'u2f_register_response',
'U2F_SIGN_RESPONSE': 'u2f_sign_response'
};
/**
* Response status codes
* @const
* @enum {number}
*/
u2f.ErrorCodes = {
'OK': 0,
'OTHER_ERROR': 1,
'BAD_REQUEST': 2,
'CONFIGURATION_UNSUPPORTED': 3,
'DEVICE_INELIGIBLE': 4,
'TIMEOUT': 5
};
/**
* A message type for registration requests
* @typedef {{
* type: u2f.MessageTypes,
* signRequests: Array<u2f.SignRequest>,
* registerRequests: ?Array<u2f.RegisterRequest>,
* timeoutSeconds: ?number,
* requestId: ?number
* }}
*/
u2f.Request;
/**
* A message for registration responses
* @typedef {{
* type: u2f.MessageTypes,
* responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
* requestId: ?number
* }}
*/
u2f.Response;
/**
* An error object for responses
* @typedef {{
* errorCode: u2f.ErrorCodes,
* errorMessage: ?string
* }}
*/
u2f.Error;
/**
* Data object for a single sign request.
* @typedef {{
* version: string,
* challenge: string,
* keyHandle: string,
* appId: string
* }}
*/
u2f.SignRequest;
/**
* Data object for a sign response.
* @typedef {{
* keyHandle: string,
* signatureData: string,
* clientData: string
* }}
*/
u2f.SignResponse;
/**
* Data object for a registration request.
* @typedef {{
* version: string,
* challenge: string,
* appId: string
* }}
*/
u2f.RegisterRequest;
/**
* Data object for a registration response.
* @typedef {{
* registrationData: string,
* clientData: string
* }}
*/
u2f.RegisterResponse;
// Low level MessagePort API support
/**
* Sets up a MessagePort to the U2F extension using the
* available mechanisms.
* @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
*/
u2f.getMessagePort = function(callback) {
if (typeof chrome != 'undefined' && chrome.runtime) {
// The actual message here does not matter, but we need to get a reply
// for the callback to run. Thus, send an empty signature request
// in order to get a failure response.
var msg = {
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
signRequests: []
};
chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
if (!chrome.runtime.lastError) {
// We are on a whitelisted origin and can talk directly
// with the extension.
u2f.getChromeRuntimePort_(callback);
} else {
// chrome.runtime was available, but we couldn't message
// the extension directly, use iframe
u2f.getIframePort_(callback);
}
});
} else if (u2f.isAndroidChrome_()) {
u2f.getAuthenticatorPort_(callback);
} else {
// chrome.runtime was not available at all, which is normal
// when this origin doesn't have access to any extensions.
u2f.getIframePort_(callback);
}
};
/**
* Detect chrome running on android based on the browser's useragent.
* @private
*/
u2f.isAndroidChrome_ = function() {
var userAgent = navigator.userAgent;
return userAgent.indexOf('Chrome') != -1 &&
userAgent.indexOf('Android') != -1;
};
/**
* Connects directly to the extension via chrome.runtime.connect
* @param {function(u2f.WrappedChromeRuntimePort_)} callback
* @private
*/
u2f.getChromeRuntimePort_ = function(callback) {
var port = chrome.runtime.connect(u2f.EXTENSION_ID,
{'includeTlsChannelId': true});
setTimeout(function() {
callback(new u2f.WrappedChromeRuntimePort_(port));
}, 0);
};
/**
* Return a 'port' abstraction to the Authenticator app.
* @param {function(u2f.WrappedAuthenticatorPort_)} callback
* @private
*/
u2f.getAuthenticatorPort_ = function(callback) {
setTimeout(function() {
callback(new u2f.WrappedAuthenticatorPort_());
}, 0);
};
/**
* A wrapper for chrome.runtime.Port that is compatible with MessagePort.
* @param {Port} port
* @constructor
* @private
*/
u2f.WrappedChromeRuntimePort_ = function(port) {
this.port_ = port;
};
/**
* Format a return a sign request.
* @param {Array<u2f.SignRequest>} signRequests
* @param {number} timeoutSeconds
* @param {number} reqId
* @return {Object}
*/
u2f.WrappedChromeRuntimePort_.prototype.formatSignRequest_ =
function(signRequests, timeoutSeconds, reqId) {
return {
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
signRequests: signRequests,
timeoutSeconds: timeoutSeconds,
requestId: reqId
};
};
/**
* Format a return a register request.
* @param {Array<u2f.SignRequest>} signRequests
* @param {Array<u2f.RegisterRequest>} signRequests
* @param {number} timeoutSeconds
* @param {number} reqId
* @return {Object}
*/
u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ =
function(signRequests, registerRequests, timeoutSeconds, reqId) {
return {
type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
signRequests: signRequests,
registerRequests: registerRequests,
timeoutSeconds: timeoutSeconds,
requestId: reqId
};
};
/**
* Posts a message on the underlying channel.
* @param {Object} message
*/
u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
this.port_.postMessage(message);
};
/**
* Emulates the HTML 5 addEventListener interface. Works only for the
* onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
* @param {string} eventName
* @param {function({data: Object})} handler
*/
u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
function(eventName, handler) {
var name = eventName.toLowerCase();
if (name == 'message' || name == 'onmessage') {
this.port_.onMessage.addListener(function(message) {
// Emulate a minimal MessageEvent object
handler({'data': message});
});
} else {
console.error('WrappedChromeRuntimePort only supports onMessage');
}
};
/**
* Wrap the Authenticator app with a MessagePort interface.
* @constructor
* @private
*/
u2f.WrappedAuthenticatorPort_ = function() {
this.requestId_ = -1;
this.requestObject_ = null;
}
/**
* Launch the Authenticator intent.
* @param {Object} message
*/
u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
var intentLocation = /** @type {string} */ (message);
document.location = intentLocation;
};
/**
* Emulates the HTML 5 addEventListener interface.
* @param {string} eventName
* @param {function({data: Object})} handler
*/
u2f.WrappedAuthenticatorPort_.prototype.addEventListener =
function(eventName, handler) {
var name = eventName.toLowerCase();
if (name == 'message') {
var self = this;
/* Register a callback to that executes when
* chrome injects the response. */
window.addEventListener(
'message', self.onRequestUpdate_.bind(self, handler), false);
} else {
console.error('WrappedAuthenticatorPort only supports message');
}
};
/**
* Callback invoked when a response is received from the Authenticator.
* @param function({data: Object}) callback
* @param {Object} message message Object
*/
u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
function(callback, message) {
var messageObject = JSON.parse(message.data);
var intentUrl = messageObject['intentURL'];
var errorCode = messageObject['errorCode'];
var responseObject = null;
if (messageObject.hasOwnProperty('data')) {
responseObject = /** @type {Object} */ (
JSON.parse(messageObject['data']));
responseObject['requestId'] = this.requestId_;
}
/* Sign responses from the authenticator do not conform to U2F,
* convert to U2F here. */
responseObject = this.doResponseFixups_(responseObject);
callback({'data': responseObject});
};
/**
* Fixup the response provided by the Authenticator to conform with
* the U2F spec.
* @param {Object} responseData
* @return {Object} the U2F compliant response object
*/
u2f.WrappedAuthenticatorPort_.prototype.doResponseFixups_ =
function(responseObject) {
if (responseObject.hasOwnProperty('responseData')) {
return responseObject;
} else if (this.requestObject_['type'] != u2f.MessageTypes.U2F_SIGN_REQUEST) {
// Only sign responses require fixups. If this is not a response
// to a sign request, then an internal error has occurred.
return {
'type': u2f.MessageTypes.U2F_REGISTER_RESPONSE,
'responseData': {
'errorCode': u2f.ErrorCodes.OTHER_ERROR,
'errorMessage': 'Internal error: invalid response from Authenticator'
}
};
}
/* Non-conformant sign response, do fixups. */
var encodedChallengeObject = responseObject['challenge'];
if (typeof encodedChallengeObject !== 'undefined') {
var challengeObject = JSON.parse(atob(encodedChallengeObject));
var serverChallenge = challengeObject['challenge'];
var challengesList = this.requestObject_['signData'];
var requestChallengeObject = null;
for (var i = 0; i < challengesList.length; i++) {
var challengeObject = challengesList[i];
if (challengeObject['keyHandle'] == responseObject['keyHandle']) {
requestChallengeObject = challengeObject;
break;
}
}
}
var responseData = {
'errorCode': responseObject['resultCode'],
'keyHandle': responseObject['keyHandle'],
'signatureData': responseObject['signature'],
'clientData': encodedChallengeObject
};
return {
'type': u2f.MessageTypes.U2F_SIGN_RESPONSE,
'responseData': responseData,
'requestId': responseObject['requestId']
}
};
/**
* Base URL for intents to Authenticator.
* @const
* @private
*/
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
/**
* Format a return a sign request.
* @param {Array<u2f.SignRequest>} signRequests
* @param {number} timeoutSeconds (ignored for now)
* @param {number} reqId
* @return {string}
*/
u2f.WrappedAuthenticatorPort_.prototype.formatSignRequest_ =
function(signRequests, timeoutSeconds, reqId) {
if (!signRequests || signRequests.length == 0) {
return null;
}
/* TODO(fixme): stash away requestId, as the authenticator app does
* not return it for sign responses. */
this.requestId_ = reqId;
/* TODO(fixme): stash away the signRequests, to deal with the legacy
* response format returned by the Authenticator app. */
this.requestObject_ = {
'type': u2f.MessageTypes.U2F_SIGN_REQUEST,
'signData': signRequests,
'requestId': reqId,
'timeout': timeoutSeconds
};
var appId = signRequests[0]['appId'];
var intentUrl =
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
';S.appId=' + encodeURIComponent(appId) +
';S.eventId=' + reqId +
';S.challenges=' +
encodeURIComponent(
JSON.stringify(this.getBrowserDataList_(signRequests))) + ';end';
return intentUrl;
};
/**
* Get the browser data objects from the challenge list
* @param {Array} challenges list of challenges
* @return {Array} list of browser data objects
* @private
*/
u2f.WrappedAuthenticatorPort_
.prototype.getBrowserDataList_ = function(challenges) {
return challenges
.map(function(challenge) {
var browserData = {
'typ': 'navigator.id.getAssertion',
'challenge': challenge['challenge']
};
var challengeObject = {
'challenge' : browserData,
'keyHandle' : challenge['keyHandle']
};
return challengeObject;
});
};
/**
* Format a return a register request.
* @param {Array<u2f.SignRequest>} signRequests
* @param {Array<u2f.RegisterRequest>} enrollChallenges
* @param {number} timeoutSeconds (ignored for now)
* @param {number} reqId
* @return {Object}
*/
u2f.WrappedAuthenticatorPort_.prototype.formatRegisterRequest_ =
function(signRequests, enrollChallenges, timeoutSeconds, reqId) {
if (!enrollChallenges || enrollChallenges.length == 0) {
return null;
}
// Assume the appId is the same for all enroll challenges.
var appId = enrollChallenges[0]['appId'];
var registerRequests = [];
for (var i = 0; i < enrollChallenges.length; i++) {
var registerRequest = {
'challenge': enrollChallenges[i]['challenge'],
'version': enrollChallenges[i]['version']
};
if (enrollChallenges[i]['appId'] != appId) {
// Only include the appId when it differs from the first appId.
registerRequest['appId'] = enrollChallenges[i]['appId'];
}
registerRequests.push(registerRequest);
}
var registeredKeys = [];
if (signRequests) {
for (i = 0; i < signRequests.length; i++) {
var key = {
'keyHandle': signRequests[i]['keyHandle'],
'version': signRequests[i]['version']
};
// Only include the appId when it differs from the appId that's
// being registered now.
if (signRequests[i]['appId'] != appId) {
key['appId'] = signRequests[i]['appId'];
}
registeredKeys.push(key);
}
}
var request = {
'type': u2f.MessageTypes.U2F_REGISTER_REQUEST,
'appId': appId,
'registerRequests': registerRequests,
'registeredKeys': registeredKeys,
'requestId': reqId,
'timeoutSeconds': timeoutSeconds
};
var intentUrl =
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
';S.request=' + encodeURIComponent(JSON.stringify(request)) +
';end';
/* TODO(fixme): stash away requestId, this is is not necessary for
* register requests, but here to keep parity with sign.
*/
this.requestId_ = reqId;
return intentUrl;
};
/**
* Sets up an embedded trampoline iframe, sourced from the extension.
* @param {function(MessagePort)} callback
* @private
*/
u2f.getIframePort_ = function(callback) {
// Create the iframe
var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
var iframe = document.createElement('iframe');
iframe.src = iframeOrigin + '/u2f-comms.html';
iframe.setAttribute('style', 'display:none');
document.body.appendChild(iframe);
var channel = new MessageChannel();
var ready = function(message) {
if (message.data == 'ready') {
channel.port1.removeEventListener('message', ready);
callback(channel.port1);
} else {
console.error('First event on iframe port was not "ready"');
}
};
channel.port1.addEventListener('message', ready);
channel.port1.start();
iframe.addEventListener('load', function() {
// Deliver the port to the iframe and initialize
iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
});
};
// High-level JS API
/**
* Default extension response timeout in seconds.
* @const
*/
u2f.EXTENSION_TIMEOUT_SEC = 30;
/**
* A singleton instance for a MessagePort to the extension.
* @type {MessagePort|u2f.WrappedChromeRuntimePort_}
* @private
*/
u2f.port_ = null;
/**
* Callbacks waiting for a port
* @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
* @private
*/
u2f.waitingForPort_ = [];
/**
* A counter for requestIds.
* @type {number}
* @private
*/
u2f.reqCounter_ = 0;
/**
* A map from requestIds to client callbacks
* @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
* |function((u2f.Error|u2f.SignResponse)))>}
* @private
*/
u2f.callbackMap_ = {};
/**
* Creates or retrieves the MessagePort singleton to use.
* @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
* @private
*/
u2f.getPortSingleton_ = function(callback) {
if (u2f.port_) {
callback(u2f.port_);
} else {
if (u2f.waitingForPort_.length == 0) {
u2f.getMessagePort(function(port) {
u2f.port_ = port;
u2f.port_.addEventListener('message',
/** @type {function(Event)} */ (u2f.responseHandler_));
// Careful, here be async callbacks. Maybe.
while (u2f.waitingForPort_.length)
u2f.waitingForPort_.shift()(u2f.port_);
});
}
u2f.waitingForPort_.push(callback);
}
};
/**
* Handles response messages from the extension.
* @param {MessageEvent.<u2f.Response>} message
* @private
*/
u2f.responseHandler_ = function(message) {
var response = message.data;
var reqId = response['requestId'];
if (!reqId || !u2f.callbackMap_[reqId]) {
console.error('Unknown or missing requestId in response.');
return;
}
var cb = u2f.callbackMap_[reqId];
delete u2f.callbackMap_[reqId];
cb(response['responseData']);
};
/**
* Dispatches an array of sign requests to available U2F tokens.
* @param {Array<u2f.SignRequest>} signRequests
* @param {function((u2f.Error|u2f.SignResponse))} callback
* @param {number=} opt_timeoutSeconds
*/
u2f.sign = function(signRequests, callback, opt_timeoutSeconds) {
u2f.getPortSingleton_(function(port) {
var reqId = ++u2f.reqCounter_;
u2f.callbackMap_[reqId] = callback;
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
var req = port.formatSignRequest_(signRequests, timeoutSeconds, reqId);
port.postMessage(req);
});
};
/**
* Dispatches register requests to available U2F tokens. An array of sign
* requests identifies already registered tokens.
* @param {Array<u2f.RegisterRequest>} registerRequests
* @param {Array<u2f.SignRequest>} signRequests
* @param {function((u2f.Error|u2f.RegisterResponse))} callback
* @param {number=} opt_timeoutSeconds
*/
u2f.register = function(registerRequests, signRequests,
callback, opt_timeoutSeconds) {
u2f.getPortSingleton_(function(port) {
var reqId = ++u2f.reqCounter_;
u2f.callbackMap_[reqId] = callback;
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
var req = port.formatRegisterRequest_(
signRequests, registerRequests, timeoutSeconds, reqId);
port.postMessage(req);
});
};

97
lib/Controller/SettingsController.php Normal file
Просмотреть файл

@ -0,0 +1,97 @@
<?php
/**
* Nextcloud - U2F 2FA
*
* This file is licensed under the Affero General Public License version 3 or
* later. See the COPYING file.
*
* @author Christoph Wurst <christoph@winzerhof-wurst.at>
* @copyright Christoph Wurst 2016
*/
namespace OCA\TwoFactor_U2F\Controller;
require_once(__DIR__ . '/../../vendor/yubico/u2flib-server/src/u2flib_server/U2F.php');
use OC;
use OCP\AppFramework\Controller;
use OCP\ILogger;
use OCP\IRequest;
use OCP\ISession;
use u2flib_server\U2F;
class SettingsController extends Controller {
/** @var ISession */
private $session;
/** @var ILogger */
private $logger;
public function __construct($appName, IRequest $request, ISession $session, ILogger $logger) {
parent::__construct($appName, $request);
$this->session = $session;
$this->logger = $logger;
}
private function getU2f() {
return new U2F(OC::$server->getURLGenerator()->getAbsoluteURL('/'));
}
private function getRegs() {
if (!file_exists('/tmp/yubi')) {
return [];
}
return [json_decode(file_get_contents('/tmp/yubi'))];
}
private function setReg($data) {
file_put_contents('/tmp/yubi', json_encode($data));
}
/**
* @NoAdminRequired
* @UseSession
*/
public function startRegister() {
$u2f = $this->getU2f();
$data = $u2f->getRegisterData($this->getRegs());
list($req, $sigs) = $data;
$this->logger->debug(json_encode($req));
$this->logger->debug(json_encode($sigs));
$this->session->set('twofactor_u2f_regReq', json_encode($req));
return [
'req' => $req,
'sigs' => $sigs,
'username' => 'user', // TODO
];
}
/**
* @NoAdminRequired
*
* @param string $registrationData
* @param string $clientData
*/
public function finishRegister($registrationData, $clientData) {
$this->logger->debug($registrationData);
$this->logger->debug($clientData);
$u2f = $this->getU2f();
$regReq = json_decode($this->session->get('twofactor_u2f_regReq'));
$regResp = [
'registrationData' => $registrationData,
'clientData' => $clientData,
];
$reg = $u2f->doRegister($regReq, (object) $regResp);
$this->setReg($reg);
$this->logger->debug(json_encode($reg));
}
}

5
settings/personal.php Normal file
Просмотреть файл

@ -0,0 +1,5 @@
<?php
$tmpl = new \OCP\Template('twofactor_u2f', 'personal');
return $tmpl->fetchPage();

12
templates/personal.php Normal file
Просмотреть файл

@ -0,0 +1,12 @@
<?php
script('twofactor_u2f', 'settings');
script('twofactor_u2f', 'settingsview');
script('twofactor_u2f', 'vendor/u2f-api');
?>
<div class="section">
<h2><?php p($l->t('U2F Second-factor Auth')); ?></h2>
<div id="twofactor-u2f-settings"></div>
</div>