josh/django-mfa2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: josh:v2.5b2
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9
..
compare: josh:v2.5.2
Branches Tags
josh:master josh:black josh:dev josh:dependabot/pip/fido2-1.1.1 josh:ConditionalUI josh:v3.0 josh:MoreOptions josh:CVE-2022-42731 josh:v2.5.2 josh:v2.6.1 josh:v2.5.1 josh:recovery_codes josh:v2.6.0 josh:v2.6.0rc1 josh:v2.5b2 josh:v2.5b1 josh:fido==1.0.0 josh:v2.5 josh:ResidentKey josh:v2.4.0 josh:v2.3.0 josh:v2.2.1 josh:Better_TOTP josh:v2.2.0 josh:passwordless josh:redirect josh:Postgres josh:Issue_37 josh:TouchID_4_1.8 josh:TouchID josh:django-1.8 josh:example
josh:v2.8 josh:v2.6.1-release josh:v2.5.1-release josh:v2.6.0-release josh:v2.6rc1 josh:v2.5 josh:v2.5b1 josh:v2.4.0 josh:v2.3.0 josh:v2.2.0 josh:v2.1.0 josh:v2.1.0b1 josh:v2.0.5 josh:v2.0.3 josh:v2.0.1 josh:v2.0 josh:v1.9 josh:v1.7.11 josh:v1.6 josh:v1.3 josh:v1.1.6 josh:v1.1 josh:v1.0.4 josh:0.9

5 Commits
v2.5b2 ... v2.5.2

Author SHA1 Message Date
Mohamed ElKalioby
90f297d90f Fixing CVE-2022-42731 for v2.5 2022-10-10 17:46:03 +03:00
Mohamed ElKalioby
5fbb505e98 Fixing CVE-2022-42731 2022-10-10 17:07:01 +03:00
Mohamed El-Kalioby
0936ea2533 Update CHANGELOG.md 2022-06-22 16:11:17 +03:00
Mohamed El-Kalioby
383a3e8da6 Update CHANGELOG.md 2022-06-22 16:11:04 +03:00
Mohamed ElKalioby
843a4e676c Merged v2.5 2022-06-22 08:57:28 +03:00
4 changed files with 14 additions and 8 deletions
Expand all files Collapse all files

8
CHANGELOG.md
View File

@@ -1,11 +1,15 @@
# Change Log # Change Log
## 2.5.2
* Fix: CVE-2022-42731: related to possibility of registration replay attack thanks to 'SSE (Secure Systems Engineering)'
## 2.5.0 ## 2.5.0
* Fixed: issue in the 'Authorize' button don't show on Firefox and Chrome on iOS. * Fixed: issue in the 'Authorize' button don't show on Firefox and Chrome on iOS.
Note: It seems Firefox doesn't support WebAuthn on iOS Note: It seems Firefox doesn't support WebAuthn on iOS
* Fixed: Support for bootstrap5 * Fixed: Support for bootstrap5
Thanks to @ezrajrice Thanks to @ezrajrice
* Upgraded to fido2==1.0.0
## 2.4.0 ## 2.4.0
* Fixed: issue in the 'Authorize' button don't show on Safari Mobile. * Fixed: issue in the 'Authorize' button don't show on Safari Mobile.

2
README.md
View File

@@ -38,7 +38,7 @@ Depends on
* ua-parser * ua-parser
* user-agents * user-agents
* python-jose * python-jose
* fido2==0.9.0 * fido2==1.0.0
# Installation # Installation
1. using pip 1. using pip

8
mfa/FIDO2.py
View File

@@ -16,7 +16,7 @@ from .views import login, reset_cookie
import datetime import datetime
from .Common import get_redirect_url from .Common import get_redirect_url
from django.utils import timezone from django.utils import timezone
from django.http import JsonResponse
def recheck(request): def recheck(request):
"""Starts FIDO2 recheck""" """Starts FIDO2 recheck"""
@@ -49,13 +49,15 @@ def begin_registeration(request):
def complete_reg(request): def complete_reg(request):
"""Completes the registeration, called by API""" """Completes the registeration, called by API"""
try: try:
if not "fido_state" in request.session:
return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
data = cbor.decode(request.body) data = cbor.decode(request.body)
client_data = CollectedClientData(data['clientDataJSON']) client_data = CollectedClientData(data['clientDataJSON'])
att_obj = AttestationObject((data['attestationObject'])) att_obj = AttestationObject((data['attestationObject']))
server = getServer() server = getServer()
auth_data = server.register_complete( auth_data = server.register_complete(
request.session['fido_state'], request.session.pop('fido_state'),
client_data, client_data,
att_obj att_obj
) )
@@ -75,7 +77,7 @@ def complete_reg(request):
client.captureException() client.captureException()
except: except:
pass pass
return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"})) return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"})
def start(request): def start(request):

4
setup.py
View File

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
setup( setup(
name='django-mfa2', name='django-mfa2',
version='2.5.0b2', version='2.5.2',
description='Allows user to add 2FA to their accounts', description='Allows user to add 2FA to their accounts',
long_description=open("README.md").read(), long_description=open("README.md").read(),
long_description_content_type="text/markdown", long_description_content_type="text/markdown",
@@ -31,7 +31,7 @@ setup(
include_package_data=True, include_package_data=True,
zip_safe=False, # because we're including static files zip_safe=False, # because we're including static files
classifiers=[ classifiers=[
"Development Status :: 4 - Beta", "Development Status :: 5 - Production/Stable",
"Environment :: Web Environment", "Environment :: Web Environment",
"Framework :: Django", "Framework :: Django",
"Framework :: Django :: 2.0", "Framework :: Django :: 2.0",