Make the U2F AppID configurable

d0ca4be4 · ale · 522bc582 · d0ca4be4 · d0ca4be4 · d0ca4be4
Commit d0ca4be4 authored 6 years ago by ale
--- a/server/config.go
+++ b/server/config.go
@@ -33,6 +33,7 @@ type Config struct {
 	SessionSecrets             []string                  `yaml:"session_secrets"`
 	CSRFSecret                 string                    `yaml:"csrf_secret"`
 	AuthService                string                    `yaml:"auth_service"`
+	U2FAppID                   string                    `yaml:"u2f_app_id"`
 	DeviceManager              *device.Config            `yaml:"device_manager"`
 	KeyStore                   *clientutil.BackendConfig `yaml:"keystore"`


--- a/server/http.go
+++ b/server/http.go
@@ -137,7 +137,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 	if err != nil {
 		return nil, err
 	}
-	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, s.tpl, sessionSecrets...)
+	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, config.U2FAppID, s.tpl, sessionSecrets...)

 	return s, nil
 }

--- a/server/login.go
+++ b/server/login.go
@@ -72,6 +72,7 @@ type loginCallbackFunc func(http.ResponseWriter, *http.Request, string, string,
 type loginHandler struct {
 	authClient        authclient.Client
 	authService       string
+	u2fAppID          string
 	devMgr            *device.Manager
 	loginCallback     loginCallbackFunc
 	loginSessionStore sessions.Store
@@ -80,7 +81,7 @@ type loginHandler struct {

 // NewLoginHandler will wrap an http.Handler with the login workflow,
 // invoking it only on successful login.
-func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
+func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService, u2fAppID string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
 	store := sessions.NewCookieStore(keyPairs...)
 	store.Options = &sessions.Options{
 		HttpOnly: true,
@@ -273,6 +274,10 @@ func (l *loginHandler) handleU2F(w http.ResponseWriter, req *http.Request, sessi

 // Make the auth request to the authentication server.
 func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request, username, password, otp string, u2fResponse *u2f.SignResponse) (*auth.Response, error) {
+	appID := l.u2fAppID
+	if appID == "" {
+		appID = u2fAppIDFromRequest(req)
+	}
 	ar := auth.Request{
 		Service:     l.authService,
 		Username:    username,
@@ -280,7 +285,7 @@ func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request,
 		OTP:         otp,
 		DeviceInfo:  l.devMgr.GetDeviceInfoFromRequest(w, req),
 		U2FResponse: u2fResponse,
-		U2FAppID:    u2fAppIDFromRequest(req),
+		U2FAppID:    appID,
 	}
 	return l.authClient.Authenticate(req.Context(), &ar)
 }