Updated CHANGELOG

CHANGELOG.md

@@ -1,4 +1,11 @@
 # Change Log
+## 2.5.0
+
+   * Fixed: issue in the 'Authorize' button don't show on Firefox and Chrome on iOS.
+     Note: It seems Firefox doesn't support WebAuthn on iOS
+   * Fixed: Support for bootstrap5
+Thanks to @ezrajrice
+
 ## 2.4.0
 
    * Fixed: issue in the 'Authorize' button don't show on Safari Mobile.

README.md

@@ -12,7 +12,7 @@ A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Web Authn), Ema
 
 Web Authencation API (WebAuthn) is state-of-the art techology that is expected to replace passwords.
 
-![Android Fingerprint](https://cdn-images-1.medium.com/max/800/1*1FWkRE8D7NTA2Kn1DrPjPA.png)
+![Andriod Fingerprint](https://cdn-images-1.medium.com/max/800/1*1FWkRE8D7NTA2Kn1DrPjPA.png)
 
 For FIDO2, the following are supported
  * **security keys** (Firefox 60+, Chrome 67+, Edge 18+, Safari 13 on Mac OS, Chrome on Andriod, Safari on iOS 13.3+),
@@ -75,7 +75,6 @@ Depends on
    MFA_RECHECK_MIN=10         # Minimum interval in seconds
    MFA_RECHECK_MAX=30         # Maximum in seconds
    MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide only their 2FA
-   MFA_RESIDENT_KEY = None    # Use Resident Key (Only supported in Chromimum based browsers)
    MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).
    MFA_OWNED_BY_ENTERPRISE = FALSE  # Who owns security keys   
 
@@ -188,6 +187,7 @@ function some_func() {
 * [willingham](https://github.com/willingham)
 * [AndreasDickow](https://github.com/AndreasDickow)
 * [mnelson4](https://github.com/mnelson4)
+* [ezrajrice](https://github.com/ezrajrice)
 
 
  # Security contact information

example/example/auth.py

@@ -3,7 +3,6 @@ from django.http import HttpResponseRedirect
 from django.urls import reverse
 from django.contrib.auth import authenticate,login,logout
 from django.contrib.auth.models import User
-
 def loginView(request):
     context={}
     if request.method=="POST":

example/example/settings.py

@@ -142,10 +142,9 @@ MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide on
 MFA_HIDE_DISABLE=('',)     # Can the user disable his key (Added in 1.2.0).
 MFA_REDIRECT_AFTER_REGISTRATION="registered"
 MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
-MFA_RESIDENT_KEY = True
 
 TOKEN_ISSUER_NAME="PROJECT_NAME"      #TOTP Issuer name
 
 U2F_APPID="https://localhost"    #URL For U2F
-FIDO_SERVER_ID=u"localhost"      # Server rp id for FIDO2, it the full domain of your project
+FIDO_SERVER_ID=u"local.mkalioby.com"      # Server rp id for FIDO2, it the full domain of your project
 FIDO_SERVER_NAME=u"TestApp"

example/example/templates/login.html

@@ -45,10 +45,6 @@
           </div>
 
           <button class="btn btn-primary btn-block" type="submit">Login</button>
-            <br/>
-            OR
-            <br/>
-            <a href="{% url 'fido2_auth' %}"><button class="btn btn-primary btn-block" type="button">Login By Security Key</button></a>
         </form>
       </div>
     </div>

mfa/FIDO2.py

@@ -39,7 +39,7 @@ def begin_registeration(request):
         u'id': request.user.username.encode("utf8"),
         u'name': (request.user.first_name + " " + request.user.last_name),
         u'displayName': request.user.username,
-    }, getUserCredentials(request.user.username),resident_key=getattr(settings,'MFA_RESIDENT_KEY',None))
+    }, getUserCredentials(request.user.username))
     request.session['fido_state'] = state
 
     return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')
@@ -63,8 +63,6 @@ def complete_reg(request):
         uk = User_Keys()
         uk.username = request.user.username
         uk.properties = {"device": encoded, "type": att_obj.fmt, }
-        if data.get('userHandle'):
-            uk.properties["userHandle"] = data['userHandle']
         uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
         uk.key_type = "FIDO2"
         uk.save()
@@ -99,9 +97,7 @@ def auth(request):
 
 def authenticate_begin(request):
     server = getServer()
-    credentials=None
+    credentials = getUserCredentials(request.session.get("base_username", request.user.username))
-    if not getattr(settings,'MFA_RESIDENT_KEY',None):
-        credentials = getUserCredentials(request.session.get("base_username", request.user.username))
     auth_data, state = server.authenticate_begin(credentials)
     request.session['fido_state'] = state
     return HttpResponse(cbor.encode(auth_data), content_type = "application/octet-stream")
@@ -111,26 +107,13 @@ def authenticate_begin(request):
 def authenticate_complete(request):
     try:
         credentials = []
-        data = cbor.decode(request.body)
+        username = request.session.get("base_username", request.user.username)
-
-        if data.get("userHandle"):
-            keys = User_Keys.objects.filter(key_type="FIDO2", properties__icontains='"userHandle": "%s"'%data["userHandle"])
-            if keys.count()==1:
-                username = keys[0].username
-                request.session["base_username"]=username
-                request.session.update = 1
-
-        else:
-            username = request.session.get("base_username", request.user.username)
-
-
         server = getServer()
         credentials = getUserCredentials(username)
-        auth_data = AuthenticatorData(data['authenticatorData'])
+        data = cbor.decode(request.body)
-
         credential_id = data['credentialId']
         client_data = ClientData(data['clientDataJSON'])
-        
+        auth_data = AuthenticatorData(data['authenticatorData'])
         signature = data['signature']
         try:
             cred = server.authenticate_complete(

mfa/templates/FIDO2/Add.html

@@ -17,12 +17,10 @@
 
       return navigator.credentials.create(options);
     }).then(function(attestation) {
-        console.log(attestation)
       return fetch('{% url 'fido2_complete_reg' %}', {
         method: 'POST',
         headers: {'Content-Type': 'application/cbor'},
         body: CBOR.encode({
-            "userHandle":attestation.id,
           "attestationObject": new Uint8Array(attestation.response.attestationObject),
           "clientDataJSON": new Uint8Array(attestation.response.clientDataJSON),
         })

mfa/templates/FIDO2/recheck.html

@@ -58,11 +58,8 @@
     }).then(CBOR.decode).then(function(options) {
         console.log(options)
       return navigator.credentials.get(options);
-
     }).then(function(assertion) {
-        console.log(assertion)
         res=CBOR.encode({
-            "userHandle":assertion.id,
           "credentialId": new Uint8Array(assertion.rawId),
           "authenticatorData": new Uint8Array(assertion.response.authenticatorData),
           "clientDataJSON": new Uint8Array(assertion.response.clientDataJSON),
@@ -108,7 +105,7 @@
             $("#main_paragraph").html("FIDO2 must work under secure context")
         } else {
             ua=new UAParser().getResult()
-            if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" )
+            if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" || ua.os.name == "iOS" || ua.os.name == "iPadOS")
                 $("#res").html("<button class='btn btn-success' onclick='authen()'>Authenticate...</button>")
             else
                 authen()

mfa/templates/MFA.html

@@ -47,24 +47,24 @@
     <div class="row">
         <div align="center">
             <div class="btn-group">
-            <button class="btn btn-success dropdown-toggle" data-toggle="dropdown">
+            <button class="btn btn-success dropdown-toggle" data-toggle="dropdown" data-bs-toggle="dropdown">
                 Add Method&nbsp;<span class="caret"></span>
             </button>
             <ul class="dropdown-menu">
                 {% if not 'TOTP' in UNALLOWED_AUTHEN_METHODS %}
-                    <li><a href="{% url 'start_new_otop' %}">Authenticator app</a></li>
+                    <li><a class="dropdown-item" href="{% url 'start_new_otop' %}">Authenticator app</a></li>
                 {% endif %}
                 {% if not 'Email' in UNALLOWED_AUTHEN_METHODS %}
-                    <li><a href="{% url 'start_email' %}">Email Token</a></li>
+                    <li><a class="dropdown-item" href="{% url 'start_email' %}">Email Token</a></li>
                 {% endif %}
                 {% if not 'U2F' in UNALLOWED_AUTHEN_METHODS %}
-                    <li><a href="{% url 'start_u2f' %}">Security Key</a></li>
+                    <li><a class="dropdown-item" href="{% url 'start_u2f' %}">Security Key</a></li>
                 {% endif %}
             {% if not 'FIDO2' in UNALLOWED_AUTHEN_METHODS %}
-                    <li><a href="{% url 'start_fido2' %}">FIDO2 Security Key</a></li>
+                    <li><a class="dropdown-item" href="{% url 'start_fido2' %}">FIDO2 Security Key</a></li>
                 {% endif %}
             {% if not 'Trusted_Devices' in UNALLOWED_AUTHEN_METHODS %}
-                    <li><a href="{% url 'start_td' %}">Trusted Device</a></li>
+                    <li><a class="dropdown-item" href="{% url 'start_td' %}">Trusted Device</a></li>
                 {% endif %}
             </ul>
             </div>