From d0ca4be4e2eead27bc4bf99ee676f7e5e3a51275 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sat, 3 Nov 2018 08:15:03 +0000
Subject: [PATCH] Make the U2F AppID configurable

---
 server/config.go | 1 +
 server/http.go   | 2 +-
 server/login.go  | 9 +++++++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/server/config.go b/server/config.go
index 4750c8c..f63600c 100644
--- a/server/config.go
+++ b/server/config.go
@@ -33,6 +33,7 @@ type Config struct {
 	SessionSecrets             []string                  `yaml:"session_secrets"`
 	CSRFSecret                 string                    `yaml:"csrf_secret"`
 	AuthService                string                    `yaml:"auth_service"`
+	U2FAppID                   string                    `yaml:"u2f_app_id"`
 	DeviceManager              *device.Config            `yaml:"device_manager"`
 	KeyStore                   *clientutil.BackendConfig `yaml:"keystore"`
 
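Review bot: The new U2FAppID field has no comment, so an operator reading the struct cannot tell what form u2f_app_id should take or what happens when it is left empty; the same gap applies to the u2fAppID field added to loginHandler and to the newLoginHandler doc comment in server/login.go, which still says nothing about the extra parameter. From the makeAuthRequest hunk, an empty value falls back to deriving the AppID from the request, and that behaviour is worth stating where the value is configured. Suggest `// U2FAppID is the U2F application ID sent to the auth service. When empty, it is derived from each incoming request instead.` above the field, and a matching sentence in the newLoginHandler comment.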
diff --git a/server/http.go b/server/http.go
index 53e8491..d69f263 100644
--- a/server/http.go
+++ b/server/http.go
@@ -137,7 +137,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 	if err != nil {
 		return nil, err
 	}
-	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, s.tpl, sessionSecrets...)
+	s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, config.U2FAppID, s.tpl, sessionSecrets...)
 
 	return s, nil
 }
diff --git a/server/login.go b/server/login.go
index 1007eb2..8b24d64 100644
--- a/server/login.go
+++ b/server/login.go
@@ -72,6 +72,7 @@ type loginCallbackFunc func(http.ResponseWriter, *http.Request, string, string,
 type loginHandler struct {
 	authClient        authclient.Client
 	authService       string
+	u2fAppID          string
 	devMgr            *device.Manager
 	loginCallback     loginCallbackFunc
 	loginSessionStore sessions.Store
@@ -80,7 +81,7 @@ type loginHandler struct {
 
 // NewLoginHandler will wrap an http.Handler with the login workflow,
 // invoking it only on successful login.
-func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
+func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService, u2fAppID string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
 	store := sessions.NewCookieStore(keyPairs...)
 	store.Options = &sessions.Options{
 		HttpOnly: true,
@@ -273,6 +274,10 @@ func (l *loginHandler) handleU2F(w http.ResponseWriter, req *http.Request, sessi
 
 // Make the auth request to the authentication server.
 func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request, username, password, otp string, u2fResponse *u2f.SignResponse) (*auth.Response, error) {
+	appID := l.u2fAppID
+	if appID == "" {
+		appID = u2fAppIDFromRequest(req)
+	}
 	ar := auth.Request{
 		Service:     l.authService,
 		Username:    username,
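Review bot: The "configured value, else derive from request" resolution is done inline in makeAuthRequest only, yet a U2F AppID also has to match whatever the browser was given when the challenge was issued; if the challenge side (handleU2F, whose body sits just above this hunk and is not shown) still calls u2fAppIDFromRequest directly, setting U2FAppID will make the auth service verify signatures against a different AppID than the one that was signed, and every U2F login would fail. Resolving the AppID in one method on loginHandler and using it at every site removes that risk. It is also worth a comment that the fallback depends on data taken from the incoming request, which is precisely what the configurable value is meant to replace. makeAuthRequest continues in the following hunk.
```go
// u2fAppIDFor returns the AppID to use for this request: the configured value
// when set, otherwise the one derived from the request itself.
func (l *loginHandler) u2fAppIDFor(req *http.Request) string {
	if l.u2fAppID != "" {
		return l.u2fAppID
	}
	return u2fAppIDFromRequest(req)
}

// Make the auth request to the authentication server.
func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request, username, password, otp string, u2fResponse *u2f.SignResponse) (*auth.Response, error) {
	ar := auth.Request{
		// … unchanged: Service, Username, Password, OTP, DeviceInfo, U2FResponse …
		U2FAppID: l.u2fAppIDFor(req),
	}
	// … unchanged: Authenticate call …
```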
@@ -280,7 +285,7 @@ func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request,
 		OTP:         otp,
 		DeviceInfo:  l.devMgr.GetDeviceInfoFromRequest(w, req),
 		U2FResponse: u2fResponse,
-		U2FAppID:    u2fAppIDFromRequest(req),
+		U2FAppID:    appID,
 	}
 	return l.authClient.Authenticate(req.Context(), &ar)
 }
-- 
GitLab