adamxp12
diff --git a/‎LICENSE‎
Lines changed: 674 additions & 0 deletions b/‎LICENSE‎
Lines changed: 674 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 19 additions & 1 deletion b/‎README.md‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎TfaWebAuthn.info.php‎
Lines changed: 8 additions & 0 deletions b/‎TfaWebAuthn.info.php‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎TfaWebAuthn.module‎
Lines changed: 231 additions & 0 deletions b/‎TfaWebAuthn.module‎
Lines changed: 231 additions & 0 deletions
diff --git a/‎WebAuthn.js‎
Lines changed: 95 additions & 0 deletions b/‎WebAuthn.js‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎WebAuthn/.gitignore‎
Lines changed: 8 additions & 0 deletions b/‎WebAuthn/.gitignore‎
Lines changed: 8 additions & 0 deletions
@@ -1 +1,19 @@
-# ProcessWire-TfaWebAuthn
+# Processwire-TfaWebAuthn
+![Security Key](https://raw.githubusercontent.com/adamxp12/Processwire-TfaU2F/master/assets/bluekeyside.png)
+
+This module is essentially an update to my existing [U2F Module](https://github.com/adamxp12/Processwire-TfaU2F) but upgraded to use WebAuthn instead of U2F so it will continue to work in Chrome after Febuary 2022.
+
+
+Note this is very much a proof of concept. it does work but I cant guarantee its reliability. its also sadly limited to a single non cross platform credential (Windows Hello, Apple TouchID/FaceID) due to the Tfa class which only allows one Tfa method at a time and also locks out the options once setup.
+
+Its easy to setup just install the module then enable Tfa under your user profile. Enroll your key then next time you need to login you will be asked to use your WebAuthn Credential. Add as many as you like (though the will be a limit I have tested 4x succesfully)
+
+Unlike the previous U2F libary this has many advantages. Not only do you get on device credentials like Windows Hello but you also get far better cross platform support includng NFC/Bluetooth support. I have tested it with a YubiKey on an iPhone. registered from USB on my laptop and authenticated via NFC on my phone.
+
+This module is not a direct upgrade from the previous U2F module and will require setting up all your keys again but the was no easy way to transistion from the old U2F data. It is also a stop-gap solution until ProcessWire adds native WebAuthn support in the futue.
+
+
+The Yubikey Security Key Graphic was sourced from Pixabay https://pixabay.com/illustrations/google-secure-key-u2f-security-key-3598222/
+
+## Demo
+![Demo](https://adamxp12blob.blob.core.windows.net/sharex-share/2019-08-28_12-06-18.gif)
@@ -0,0 +1,8 @@
+<?php namespace ProcessWire;
+$info = array(
+	'title' => 'WebAuthn two-factor authentication ',
+	'summary' => 'For modern two factor authentication with U2F keys and on device credentials like Fingerprint',
+	'version' => 100,
+	'singular' => true,
+	'requires' => 'ProcessWire>=3.0.109'
+);
@@ -0,0 +1,231 @@
+<?php
+namespace ProcessWire;
+
+/**
+ * TfaWebAuthn (1.0.0)
+ * Adds WebAuthn/FIDO2 as a TFA option
+ *
+ * @author Adam Blunt
+ *
+ * ProcessWire 3.x
+ * Copyright (C) 2011 by Ryan Cramer
+ * Licensed under GNU/GPL v2, see LICENSE.TXT
+ *
+ * http://www.processwire.com
+ * http://www.ryancramer.com
+ *
+ */
+require_once 'WebAuthn/WebAuthn.php';
+//use lbuchs\WebAuthn\Binary\ByteBuffer;
+class TfaWebAuthn extends Tfa implements Module, ConfigurableModule
+{
+    public function __construct()
+    {
+        parent::__construct();
+        $this->WebAuthn = new \lbuchs\WebAuthn\WebAuthn('WebAuthn Library',  $this->wire('config')->httpHost); // $formats
+        $this->userVerification = "discouraged";
+        $this->crossPlatformAttachment = null;  // True only crossplatfrm aka USB keys, False only single device like TPM/Winows Hellow, Null allow both
+        $this->typeUsb = true;
+        $this->typeNfc = true;
+        $this->typeBle = true;
+        $this->typeInt = true;
+    }
+
+    public function init()
+    {
+        if(config()->version('3.0.165')) {
+            // 3.0.165 and newer have an init() function in the Tfa class. previous versions did not
+            // Strangely this init() function while not needed before is now required in new versions even if you dont use the auto-enable feature
+            parent::init();
+        }
+        $this->addHookBefore('Tfa::getUserSettingsInputfields', $this, 'addScripts');
+        $this->addHookBefore('Tfa::render', $this, 'addScripts');
+    }
+    
+
+    public function addScripts()
+    {
+        $this->config->scripts->add($this->wire('config')->urls->$this . "WebAuthn.js");
+    }
+    
+    public function enabledForUser(User $user, array $settings)
+    {
+        return $settings['enabled'] === true;
+    }
+    
+
+    public function isValidUserCode(User $user, $code, array $settings)
+    {
+        if (!strlen($code)) {
+            return false;
+        }
+
+        $authreg = $this->session->authreg;
+        $authreq = $this->session->authreq;
+        $this->session->authreq = null;
+        $this->session->authreg = null;
+
+        $code = json_decode($code);
+
+
+        $clientDataJSON = base64_decode($code->clientDataJSON);
+        $authenticatorData = base64_decode($code->authenticatorData);
+        $signature = base64_decode($code->signature);
+        $userHandle = base64_decode($code->userHandle);
+        $id = base64_decode($code->id);
+        $challenge = $this->session->authchallange;
+        $credentialPublicKey = null;
+        // Get the public key for the given credential 
+        if (is_array($authreg)) {
+            foreach ($authreg as $reg) {
+                $o = (object) $reg;
+                if ($o->credentialId === bin2hex($id)) {
+                    $credentialPublicKey = $o->credentialPublicKey;
+                    break;
+                }
+            }
+        }
+
+        try {
+            if ($credentialPublicKey === null) {
+                exit('Public Key for credential ID not found!');
+            }
+            // process the get request. throws WebAuthnException if it fails
+            $this->WebAuthn->processGet($clientDataJSON, $authenticatorData, $signature, $credentialPublicKey, $challenge, null, $this->userVerification === 'required');
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+
+        return false;
+    }
+
+
+    // Create settings page for server
+    public function ___getUserSettingsInputfields(User $user, InputfieldWrapper $fieldset, $settings)
+    {
+        parent::___getUserSettingsInputfields($user, $fieldset, $settings);
+        
+        if ($this->enabledForUser($user, $settings)) {
+        } elseif ($this->wire('input')->requestMethod('POST')) {
+            $fieldset->new('text', 'regdata')
+                ->attr('maxlength', 20480);
+        } else {
+            $createArgs = $this->WebAuthn->getCreateArgs(\hex2bin($user->id), $user->name, $user->name, 20, false, $this->userVerification, $this->crossPlatformAttachment);
+            $fieldset->new('hidden', 'createData')
+                ->attr('id', 'TfaWebAuthn_createData')
+                ->attr('value', json_encode($createArgs));
+
+            $fieldset->new('hidden', 'regdata')
+                ->attr('id', 'TfaWebAuthn_regdata')
+                ->attr('maxlength', 20480);  
+
+            $fieldset->new('button', 'addKey', 'Enable two-factor authentication')
+                ->attr('id', 'TfaWebAuthn_button')
+                ->attr('onclick', "TfaWebAuthn_addkey()")
+                ->value("Add WebAuthn Credential");
+
+            $fieldset->new('markup')
+                ->attr('value', "<span id='TfaWebAuthn_msg'>Click the button to register a new credential.</span>");
+                $_SESSION["chal"] = (string) $this->WebAuthn->getChallenge();
+        }
+    }
+
+    // Save registration data from the User settings
+    public function ___processUserSettingsInputfields(User $user, InputfieldWrapper $fieldset, $settings, $settingsPrev)
+    {
+        $settings = parent::___processUserSettingsInputfields($user, $fieldset, $settings, $settingsPrev);
+        try {
+            $challenge = $_SESSION["chal"];
+            
+           
+
+            $aryreg = json_decode("[".$settings['regdata']."]");
+            $data = array();
+            foreach ($aryreg as $reg) {
+                
+                $clientdata = base64_decode($reg->clientDataJSON);
+                $attestationObject = base64_decode($reg->attestationObject);
+                $d = $this->WebAuthn->processCreate($clientdata, $attestationObject, $challenge, $this->userVerification === 'required', true, false);
+                array_push($data, (array) $d );
+            }
+            $sd = serialize($data);
+            $settings['regkeys'] =  $sd;
+            $settings['enabled'] = true;
+            $settings['challenge'] = null;
+            $settings['regdata'] = null;
+            $this->message("Success! Your account is now secured with two-factor authentication");
+        } catch (Exception $e) {
+            $settings['enabled'] = false;
+            $this->error("That did not work " . $e);
+        }
+
+        return $settings;
+    }
+
+
+    protected function getDefaultUserSettings(User $user)
+    {
+        return array(
+            'enabled' => false,
+            'regkeys' => ''
+        );
+    }
+
+    // Display the tFA form
+    public function buildAuthCodeForm()
+    {
+        $user = $this->getUser();
+        $settings = $this->getUserSettings($user);
+        
+        $authreg = unserialize($settings['regkeys']);
+        $ids = array();
+        $this->session->authreg = $authreg;
+
+ 
+        $ids = array();
+        if (is_array($authreg)) {
+            foreach ($authreg as $reg) {
+                $o = (object) $reg;
+                array_push($ids, $o->credentialId);
+            }
+        }
+        if (count($ids) === 0) {
+            throw new Exception('no WebAuthn registrations for userId ' . $user->id);
+        }
+
+        
+       /*
+         * Check if the authreq is null. if so make a new challenge
+         * ProcessWire annoingly calls builtAuthCodeForm twice. once to build the form and a 2nd time when the user submits the form
+         * thus validation was failing as the was non-matching challanges
+         */
+        if (is_null($this->session->authreq)) {
+            $req = $this->WebAuthn->getGetArgs($ids, 20, $this->typeUsb, $this->typeNfc, $this->typeBle, $this->typeInt, $this->userVerification);
+            $this->session->authreq = json_encode($req);
+            $this->session->authchallange = (string) $this->WebAuthn->getChallenge();
+        }
+        
+        
+        
+        $form = $this->modules->get('InputfieldForm');
+        $form->attr('action', "./?$this->keyName=" . $this->getSessionKey(true))
+             ->attr('id', "tfaform");
+        $form->new('markup')
+                ->attr('value', "<img style='height:80px' onload='TfaWebAuthn_authKey()' src='" . $this->wire('config')->urls->$this . "assets\bluekeyside.png'><br>
+                 You need to use your security key to login.<br>
+                 Insert it now and tap/click the key to verify its you. If your key does not have a button just unplug it and then plug it back in.<br>
+                 <div uk-alert class='uk-alert-danger' style='display:none' id='TfaWebAuthn_error'></div>");
+        $form->new('hidden', 'authreq')
+                ->attr('id', 'TfaWebAuthn_authreq')
+                ->attr('value', $this->session->authreq);
+        $form->new('hidden', 'tfa_code')
+                ->attr('id', 'TfaWebAuthn_authresponse')
+                ->attr('required', 'required');
+        $form->new('button', 'authKey', 'Start two-factor authentication')
+                ->attr('id', 'TfaWebAuthn_button')
+                ->attr('onclick', "TfaWebAuthn_authKey()")
+                ->value("Use Security Key");
+        return $form;
+    }
+}
@@ -0,0 +1,95 @@
+var Tfa_count = 1;
+
+function TfaWebAuthn_addkey() {
+    var createDataRaw = document.getElementById('TfaWebAuthn_createData').value;
+    var regdata = document.getElementById('TfaWebAuthn_regdata');
+
+    var json = JSON.parse(createDataRaw);
+    
+    recursiveBase64StrToArrayBuffer(json);
+    
+    navigator.credentials.create(json).then(function(f) {
+        console.log(f);
+
+        var data = {
+            clientDataJSON: f.response.clientDataJSON  ? arrayBufferToBase64(f.response.clientDataJSON) : null,
+            attestationObject: f.response.attestationObject ? arrayBufferToBase64(f.response.attestationObject) : null
+        };
+
+        if(regdata.value === "") {
+            regdata.value = JSON.stringify(data);
+            document.getElementById('TfaWebAuthn_msg').textContent = 'Credential added. You can add more now or save this page to finish setup';
+        } else {
+            regdata.value = regdata.value+", "+JSON.stringify(data);
+            document.getElementById('TfaWebAuthn_msg').textContent = 'Credential '+Tfa_count+' added. You can add even more or save this page to finish setup';
+        }    
+        Tfa_count++;
+        document.getElementById('TfaWebAuthn_button').classList.remove('ui-state-active');  
+
+        console.log(regdata.value);
+    });
+
+}
+
+function TfaWebAuthn_authKey() {
+    var authreq = JSON.parse(document.getElementById('TfaWebAuthn_authreq').value);
+    recursiveBase64StrToArrayBuffer(authreq);
+    navigator.credentials.get(authreq).then(function(f){
+
+        var data =  {
+            id: f.rawId ? arrayBufferToBase64(f.rawId) : null,
+            clientDataJSON: f.response.clientDataJSON  ? arrayBufferToBase64(f.response.clientDataJSON) : null,
+            authenticatorData: f.response.authenticatorData ? arrayBufferToBase64(f.response.authenticatorData) : null,
+            signature: f.response.signature ? arrayBufferToBase64(f.response.signature) : null,
+            userHandle: f.response.userHandle ? arrayBufferToBase64(f.response.userHandle) : null
+        };
+
+        console.log(data);
+        document.getElementById('TfaWebAuthn_error').style.display = "none";
+        document.getElementById('TfaWebAuthn_authresponse').value = JSON.stringify(data);
+        document.getElementById('tfaform').submit();
+    }).catch(function(err) {
+        document.getElementById('TfaWebAuthn_error').textContent = "authentication failed with error: " + err;
+        document.getElementById('TfaWebAuthn_error').style.display = "block";
+    });
+}
+
+
+
+
+
+function recursiveBase64StrToArrayBuffer(obj) {
+    let prefix = '=?BINARY?B?';
+    let suffix = '?=';
+    if (typeof obj === 'object') {
+        console.log("object");
+        for (let key in obj) {
+            if (typeof obj[key] === 'string') {
+                let str = obj[key];
+                if (str.substring(0, prefix.length) === prefix && str.substring(str.length - suffix.length) === suffix) {
+                    str = str.substring(prefix.length, str.length - suffix.length);
+
+                    let binary_string = window.atob(str);
+                    let len = binary_string.length;
+                    let bytes = new Uint8Array(len);
+                    for (let i = 0; i < len; i++)        {
+                        bytes[i] = binary_string.charCodeAt(i);
+                    }
+                    obj[key] = bytes.buffer;
+                }
+            } else {
+                recursiveBase64StrToArrayBuffer(obj[key]);
+            }
+        }
+    }
+}
+
+function arrayBufferToBase64(buffer) {
+    let binary = '';
+    let bytes = new Uint8Array(buffer);
+    let len = bytes.byteLength;
+    for (let i = 0; i < len; i++) {
+        binary += String.fromCharCode( bytes[ i ] );
+    }
+    return window.btoa(binary);
+}
@@ -0,0 +1,8 @@
+# Netbeans project
+nbproject/
+/index.php
+
+
+# .pem files from FIDO Alliance Metadata Service (MDS)
+_test/rootCertificates/mds/*.pem
+_test/rootCertificates/mds/lastMdsFetch.txt