Resident Key Done #58

CHANGELOG.md

@@ -1,7 +1,14 @@
 # Change Log
+## 2.4.0
+
+   * Fixed: issue in the 'Authorize' button don't show on Safari Mobile.
+   * Upgrade to FIDO2 0.9.2, to fix issue with Windows 11.
+   * Fixed: Minor Typos.
+
+
 ## 2.3.0
    * Fixed: A missing import Thanks @AndreasDickow
-   * Fixed: `MFA.html` now call `{{block.super}}` for head and content blocks
+   * Fixed: `MFA.html` now call `{{block.super}}` for head and content blocks, thanks @mnelson4
    * Added: #55 introduced `mfa_base.html` which will be extended by `MFA.html` for better styling 
 
 ## 2.2.0

README.md

@@ -12,7 +12,7 @@ A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Web Authn), Ema
 
 Web Authencation API (WebAuthn) is state-of-the art techology that is expected to replace passwords.
 
-![Andriod Fingerprint](https://cdn-images-1.medium.com/max/800/1*1FWkRE8D7NTA2Kn1DrPjPA.png)
+![Android Fingerprint](https://cdn-images-1.medium.com/max/800/1*1FWkRE8D7NTA2Kn1DrPjPA.png)
 
 For FIDO2, the following are supported
  * **security keys** (Firefox 60+, Chrome 67+, Edge 18+, Safari 13 on Mac OS, Chrome on Andriod, Safari on iOS 13.3+),
@@ -20,6 +20,8 @@ For FIDO2, the following are supported
  * **Apple's Touch ID/Face ID** (Chrome 70+ on Mac OS X, Safari on macOS Big Sur, Safari on iOS 14.0+ ),
  * **android-safetynet** (Chrome 70+, Firefox 68+)
  * **NFC devices using PCSC** (Not Tested, but as supported in fido2)
+ * **Soft Tokens** 
+    * [krypt.co](https://krypt.co/): Login by a notification on your phone.
 
 In English :), It allows you to verify the user by security keys on PC, Laptops or Mobiles, Windows Hello (Fingerprint, PIN) on Windows 10 Build 1903+ (May 2019 Update) Touch/Face ID on Macbooks (Chrome, Safari), Touch/Face ID on iPhone and iPad and Fingerprint/Face/Iris/PIN on Android Phones.
 
@@ -73,6 +75,7 @@ Depends on
    MFA_RECHECK_MIN=10         # Minimum interval in seconds
    MFA_RECHECK_MAX=30         # Maximum in seconds
    MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide only their 2FA
+   MFA_RESIDENT_KEY = None    # Use Resident Key (Only supported in Chromimum based browsers)
    MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).
    MFA_OWNED_BY_ENTERPRISE = FALSE  # Who owns security keys   
 

example/example/auth.py

@@ -3,6 +3,7 @@ from django.http import HttpResponseRedirect
 from django.urls import reverse
 from django.contrib.auth import authenticate,login,logout
 from django.contrib.auth.models import User
+
 def loginView(request):
     context={}
     if request.method=="POST":

example/example/settings.py

@@ -25,7 +25,7 @@ SECRET_KEY = '#9)q!_i3@pr-^3oda(e^3$x!kq3b4f33#5l@+=+&vuz+p6gb3g'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['*']
 
 
 # Application definition
@@ -142,9 +142,10 @@ MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide on
 MFA_HIDE_DISABLE=('',)     # Can the user disable his key (Added in 1.2.0).
 MFA_REDIRECT_AFTER_REGISTRATION="registered"
 MFA_SUCCESS_REGISTRATION_MSG="Go to Home"
+MFA_RESIDENT_KEY = True
 
 TOKEN_ISSUER_NAME="PROJECT_NAME"      #TOTP Issuer name
 
 U2F_APPID="https://localhost"    #URL For U2F
 FIDO_SERVER_ID=u"localhost"      # Server rp id for FIDO2, it the full domain of your project
-FIDO_SERVER_NAME=u"PROJECT_NAME"
+FIDO_SERVER_NAME=u"TestApp"

example/example/templates/login.html

@@ -45,6 +45,10 @@
           </div>
 
           <button class="btn btn-primary btn-block" type="submit">Login</button>
+            <br/>
+            OR
+            <br/>
+            <a href="{% url 'fido2_auth' %}"><button class="btn btn-primary btn-block" type="button">Login By Security Key</button></a>
         </form>
       </div>
     </div>

mfa/FIDO2.py

@@ -39,7 +39,7 @@ def begin_registeration(request):
         u'id': request.user.username.encode("utf8"),
         u'name': (request.user.first_name + " " + request.user.last_name),
         u'displayName': request.user.username,
-    }, getUserCredentials(request.user.username))
+    }, getUserCredentials(request.user.username),resident_key=getattr(settings,'MFA_RESIDENT_KEY',None))
     request.session['fido_state'] = state
 
     return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')
@@ -63,6 +63,8 @@ def complete_reg(request):
         uk = User_Keys()
         uk.username = request.user.username
         uk.properties = {"device": encoded, "type": att_obj.fmt, }
+        if data.get('userHandle'):
+            uk.properties["userHandle"] = data['userHandle']
         uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
         uk.key_type = "FIDO2"
         uk.save()
@@ -97,7 +99,9 @@ def auth(request):
 
 def authenticate_begin(request):
     server = getServer()
-    credentials = getUserCredentials(request.session.get("base_username", request.user.username))
+    credentials=None
+    if not getattr(settings,'MFA_RESIDENT_KEY',None):
+        credentials = getUserCredentials(request.session.get("base_username", request.user.username))
     auth_data, state = server.authenticate_begin(credentials)
     request.session['fido_state'] = state
     return HttpResponse(cbor.encode(auth_data), content_type = "application/octet-stream")
@@ -107,13 +111,26 @@ def authenticate_begin(request):
 def authenticate_complete(request):
     try:
         credentials = []
-        username = request.session.get("base_username", request.user.username)
+        data = cbor.decode(request.body)
+
+        if data.get("userHandle"):
+            keys = User_Keys.objects.filter(key_type="FIDO2", properties__icontains='"userHandle": "%s"'%data["userHandle"])
+            if keys.count()==1:
+                username = keys[0].username
+                request.session["base_username"]=username
+                request.session.update = 1
+
+        else:
+            username = request.session.get("base_username", request.user.username)
+
+
         server = getServer()
         credentials = getUserCredentials(username)
-        data = cbor.decode(request.body)
+        auth_data = AuthenticatorData(data['authenticatorData'])
+
         credential_id = data['credentialId']
         client_data = ClientData(data['clientDataJSON'])
-        auth_data = AuthenticatorData(data['authenticatorData'])
+        
         signature = data['signature']
         try:
             cred = server.authenticate_complete(

mfa/templates/FIDO2/Add.html

@@ -17,10 +17,12 @@
 
       return navigator.credentials.create(options);
     }).then(function(attestation) {
+        console.log(attestation)
       return fetch('{% url 'fido2_complete_reg' %}', {
         method: 'POST',
         headers: {'Content-Type': 'application/cbor'},
         body: CBOR.encode({
+            "userHandle":attestation.id,
           "attestationObject": new Uint8Array(attestation.response.attestationObject),
           "clientDataJSON": new Uint8Array(attestation.response.clientDataJSON),
         })
@@ -34,16 +36,16 @@
       if (res["status"] =='OK')
             $("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='{{redirect_html}}'> {{reg_success_msg}}</a></div>")
         else
-            $("#res").html("<div class='alert alert-danger'>Registeration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
+            $("#res").html("<div class='alert alert-danger'>Registration Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='begin_reg()'> try again or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
 
 
     }, function(reason) {
-       $("#res").html("<div class='alert alert-danger'>Registeration Failed as " +reason +", <a href='javascript:void(0)' onclick='begin_reg()'> try again </a> or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
+       $("#res").html("<div class='alert alert-danger'>Registration Failed as " +reason +", <a href='javascript:void(0)' onclick='begin_reg()'> try again </a> or <a href='{% url 'mfa_home' %}'> Go to Security Home</a></div>")
     })
     }
     $(document).ready(function (){
         ua=new UAParser().getResult()
-        if (ua.browser.name == "Safari")
+        if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" )
         {
                 $("#res").html("<button class='btn btn-success' onclick='begin_reg()'>Start...</button>")
         }

mfa/templates/FIDO2/recheck.html

@@ -58,8 +58,11 @@
     }).then(CBOR.decode).then(function(options) {
         console.log(options)
       return navigator.credentials.get(options);
+
     }).then(function(assertion) {
+        console.log(assertion)
         res=CBOR.encode({
+            "userHandle":assertion.id,
           "credentialId": new Uint8Array(assertion.rawId),
           "authenticatorData": new Uint8Array(assertion.response.authenticatorData),
           "clientDataJSON": new Uint8Array(assertion.response.clientDataJSON),
@@ -105,7 +108,7 @@
             $("#main_paragraph").html("FIDO2 must work under secure context")
         } else {
             ua=new UAParser().getResult()
-            if (ua.browser.name == "Safari")
+            if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" )
                 $("#res").html("<button class='btn btn-success' onclick='authen()'>Authenticate...</button>")
             else
                 authen()

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='2.3.0',
+    version='2.4.0',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",
@@ -24,7 +24,7 @@ setup(
         'ua-parser',
         'user-agents',
         'python-jose',
-        'fido2 == 0.9.1',
+        'fido2 == 0.9.2',
         'jsonLookup'
       ],
     python_requires=">=3.5",