Commit d0ca4be4 authored by ale's avatar ale

Make the U2F AppID configurable

parent 522bc582
......@@ -33,6 +33,7 @@ type Config struct {
SessionSecrets []string `yaml:"session_secrets"`
CSRFSecret string `yaml:"csrf_secret"`
AuthService string `yaml:"auth_service"`
U2FAppID string `yaml:"u2f_app_id"`
DeviceManager *device.Config `yaml:"device_manager"`
KeyStore *clientutil.BackendConfig `yaml:"keystore"`
......
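Review bot: The new `U2FAppID` field on Config carries no comment saying what value is expected or what happens when it is left unset; the makeAuthRequest change in this same commit falls back to a request-derived AppID when it is empty, which a reader of the config struct cannot see. Suggest `// U2FAppID is the U2F application ID sent to the authentication service; when empty it is derived from each incoming request.` above the field, and a matching one-line comment on the `u2fAppID` field added to loginHandler. Since an AppID derived from the request depends on request headers, the comment is also where an operator learns that setting the value explicitly is the predictable choice. The Config struct starts and ends outside the hunk.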
......@@ -137,7 +137,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
if err != nil {
return nil, err
}
s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, s.tpl, sessionSecrets...)
s.loginHandler = newLoginHandler(s.loginCallback, devMgr, authClient, config.AuthService, config.U2FAppID, s.tpl, sessionSecrets...)
return s, nil
}
......
......@@ -72,6 +72,7 @@ type loginCallbackFunc func(http.ResponseWriter, *http.Request, string, string,
type loginHandler struct {
authClient authclient.Client
authService string
u2fAppID string
devMgr *device.Manager
loginCallback loginCallbackFunc
loginSessionStore sessions.Store
......@@ -80,7 +81,7 @@ type loginHandler struct {
// NewLoginHandler will wrap an http.Handler with the login workflow,
// invoking it only on successful login.
func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
func newLoginHandler(okHandler loginCallbackFunc, devMgr *device.Manager, authClient authclient.Client, authService, u2fAppID string, tpl *template.Template, keyPairs ...[]byte) *loginHandler {
store := sessions.NewCookieStore(keyPairs...)
store.Options = &sessions.Options{
HttpOnly: true,
......@@ -273,6 +274,10 @@ func (l *loginHandler) handleU2F(w http.ResponseWriter, req *http.Request, sessi
// Make the auth request to the authentication server.
func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request, username, password, otp string, u2fResponse *u2f.SignResponse) (*auth.Response, error) {
appID := l.u2fAppID
if appID == "" {
appID = u2fAppIDFromRequest(req)
}
ar := auth.Request{
Service: l.authService,
Username: username,
......@@ -280,7 +285,7 @@ func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request,
OTP: otp,
DeviceInfo: l.devMgr.GetDeviceInfoFromRequest(w, req),
U2FResponse: u2fResponse,
U2FAppID: u2fAppIDFromRequest(req),
U2FAppID: appID,
}
return l.authClient.Authenticate(req.Context(), &ar)
}
......
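Review bot: The configured-or-derived AppID is resolved only inside makeAuthRequest, but the U2F sign challenge issued earlier in the login flow (handleU2F, whose body lies outside this hunk) presumably also needs an AppID; if that path still calls `u2fAppIDFromRequest(req)`, a configured `U2FAppID` that differs from the request host would yield a challenge signed under one AppID and verified under another. Resolving the value once in a small helper and using it in both places keeps the two consistent and makes the fallback rule visible in one spot. The helper is not shown here because u2fAppIDFromRequest's implementation is outside the diff, so whether the request-derived value is trustworthy behind a proxy cannot be judged from this hunk; the configured value at least removes that dependency. makeAuthRequest is fully contained in the two hunks, apart from one collapsed line between them.
```go
// effectiveU2FAppID returns the configured U2F AppID, or one derived
// from the request when none is configured.
func (l *loginHandler) effectiveU2FAppID(req *http.Request) string {
	if l.u2fAppID != "" {
		return l.u2fAppID
	}
	return u2fAppIDFromRequest(req)
}

// … unchanged: makeAuthRequest, with `appID := l.effectiveU2FAppID(req)` replacing the inline fallback …
```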