def webauthn_begin_assertion():
username = request.form.get('username')
if not util.validate_username(username):
return make_response(jsonify({'fail': 'Invalid username.'}), 401)
user = User.query.filter_by(username=username).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
if not user.credential_id:
return make_response(jsonify({'fail': 'Unknown credential ID.'}), 401)
if 'challenge' in session:
del session['challenge']
challenge = util.generate_challenge(32)
session['challenge'] = challenge
webauthn_user = webauthn.WebAuthnUser(
user.ukey,
user.username,
user.display_name,
user.icon_url,
user.credential_id,
user.pub_key,
user.sign_count,
user.rp_id)
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_user,
challenge)
return jsonify(webauthn_assertion_options.assertion_dict)
def webauthn_begin_assertion():
'''
This url is called when the authentication process begins
'''
username = request.form.get('login_username')
if not util.validate_username(username):
return make_response(jsonify({'fail': 'Invalid username.'}), 401)
credentials = database.get_credentials(username)
user = database.get_user(username)
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
session.pop('challenge', None)
challenge = util.generate_challenge(32)
session['challenge'] = challenge.rstrip('=')
webauthn_users = []
for credential in credentials:
webauthn_users.append(
webauthn.WebAuthnUser(credential.ukey, credential.username,
credential.display_name, credential.icon_url,
credential.credential_id, credential.pub_key,
credential.sign_count, credential.rp_id))
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_users, challenge)
return jsonify(webauthn_assertion_options.assertion_dict)
def verify_assertion():
challenge = session.get('challenge')
assertion_response = request.form
credential_id = assertion_response.get('id')
user = User.query.filter_by(credential_id=credential_id).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
webauthn_user = webauthn.WebAuthnUser(user.ukey, user.username,
user.display_name, user.icon_url,
user.credential_id, user.pub_key,
user.sign_count, user.rp_id)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
uv_required=False) # User Verification
try:
sign_count = webauthn_assertion_response.verify()
except Exception as e:
return jsonify({'fail': 'Assertion failed. Error: {}'.format(e)})
# Update counter.
user.sign_count = sign_count
db.session.add(user)
db.session.commit()
login_user(user)
return jsonify(
{'success': 'Successfully authenticated as {}'.format(user.username)})
def webauthn_begin_assertion():
username = request.form.get('login_username')
if not util.validate_username(username):
return make_response(jsonify({'fail': 'Invalid username.'}), 401)
user = User.query.filter_by(username=username).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
if not user.credential_id:
return make_response(jsonify({'fail': 'Unknown credential ID.'}), 401)
session.pop('challenge', None)
challenge = util.generate_challenge(32)
# We strip the padding from the challenge stored in the session
# for the reasons outlined in the comment in webauthn_begin_activate.
session['challenge'] = challenge.rstrip('=')
webauthn_user = webauthn.WebAuthnUser(user.ukey, user.username,
user.display_name, user.icon_url,
user.credential_id, user.pub_key,
user.sign_count, user.rp_id)
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_user, challenge)
return jsonify(webauthn_assertion_options.assertion_dict)
def verify_assertion():
challenge = session.get('challenge')
assertion_response = request.form
credential_id = assertion_response.get('id')
user = mitglieder.query.filter_by(credential_id=credential_id).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
webauthn_user = webauthn.WebAuthnUser(
user.ukey, user.id, user.vorname + " " + user.name, "",
user.credential_id, user.pub_key, 0, RP_ID)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
uv_required=False) # User Verification
login_user(user,remember=False,duration=timedelta(minutes=session_ttl))
return jsonify({
'success':
'Successfully authenticated as {}'.format(user.vorname + " " + user.name)
})
def webauthn_begin_assertion():
username = request.form.get('login_username')
user = mitglieder.query.filter_by(id=username).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
if not user.credential_id:
return make_response(jsonify({'fail': 'Unknown credential ID.'}), 401)
session.pop('challenge', None)
challenge = util.generate_challenge(32)
# We strip the padding from the challenge stored in the session
# for the reasons outlined in the comment in webauthn_begin_activate.
session['challenge'] = challenge.rstrip('=')
webauthn_user = webauthn.WebAuthnUser(
user.ukey, user.id, user.vorname + " " + user.name, "",
user.credential_id, user.pub_key, 0, RP_ID)
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_user, challenge)
return jsonify(webauthn_assertion_options.assertion_dict)
def verify_assertion():
print("[ENTER] complete authentcation")
# import pdb;pdb.set_trace()
challenge = session.get('challenge')
assertion_response = request.form
import pdb
pdb.set_trace()
credential_id = assertion_response.get('id')
print("assertion_response ", assertion_response)
user = User.query.filter_by(credential_id=credential_id).first()
if not user:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
webauthn_user = webauthn.WebAuthnUser(user.ukey, user.username,
user.display_name, user.icon_url,
user.credential_id, user.pub_key,
user.sign_count, user.rp_id)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
uv_required=False) # User Verification
try:
sign_count = webauthn_assertion_response.verify()
except Exception as e:
print("[ERROR] ", e)
return jsonify({'fail': 'Assertion failed. Error: {}'.format(e)})
# Update counter.
user.sign_count = sign_count
db.session.add(user)
db.session.commit()
login_user(user)
msg = 'Successfully authenticated as ' + user.username + \
'\n\tCredential Id: ' + credential_id
print(msg)
print("[EXIT] complete authentcation\n")
return jsonify(
{'success': 'Successfully authenticated as {}'.format(user.username)})
def webauthn_begin_assertion():
username = request.form.get('login_username')
print("[ENTER] begin authentcation for user ", username)
import pdb
pdb.set_trace()
if not util.validate_username(username):
print("[ERROR] Invalid username.")
return make_response(jsonify({'fail': 'Invalid username.'}), 401)
user = User.query.filter_by(username=username).first()
if not user:
print("[ERROR] User does not exist.")
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
if not user.credential_id:
print("[ERROR] Unknown credential ID.")
return make_response(jsonify({'fail': 'Unknown credential ID.'}), 401)
session.pop('challenge', None)
challenge = util.generate_challenge(32, True)
print("[INFO] authentication challenge ", challenge)
# print("[INFO] challenge type ", type(challenge))
# We strip the padding from the challenge stored in the session
# for the reasons outlined in the comment in webauthn_begin_activate.
session['challenge'] = challenge.rstrip('=')
webauthn_user = webauthn.WebAuthnUser(user.ukey, user.username,
user.display_name, user.icon_url,
user.credential_id, user.pub_key,
user.sign_count, user.rp_id)
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_user, challenge)
ad = webauthn_assertion_options.assertion_dict
pprint.pprint(ad)
print("[EXIT] begin authentcation\n")
return jsonify(ad)
def verify_assertion():
'''
This url is called to authenticate the user
'''
challenge = session.get('challenge')
assertion_response = request.form
credential_id = assertion_response.get('id')
credential = database.get_credential(credential_id)
if not credential:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
webauthn_user = webauthn.WebAuthnUser(
credential.ukey, credential.username, credential.display_name,
credential.icon_url, credential.credential_id, credential.pub_key,
credential.sign_count, credential.rp_id)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
uv_required=False) # User Verification
try:
sign_count = webauthn_assertion_response.verify()
except Exception as e:
raise e
return jsonify({'fail': 'Assertion failed. Error: {}'.format(e)})
# Update counter.
credential.sign_count = sign_count
database.increment_sign_count(credential)
satosa_request = Request()
satosa_request.userId = credential.username
database.make_success(satosa_request)
user = User()
user.id = credential.username
login_user(user)
return jsonify({'success': 'User successfully logged in.'})
def assertion_verify_response():
logger = webauthn.WebAuthnLogger()
app.logger.debug(
'----- [Authentication] Authenticator Response (Native) from Authenticator/Client -----'
)
app.logger.debug(str(request.form.to_dict()))
app.logger.debug('----- End -----')
challenge = session.get('challenge')
assertion_response = request.form
credential_id = assertion_response.get('id')
user = Users.query.filter_by(credential_id=credential_id).first()
if not user:
app.logger.debug('Credential ID is not found.')
return make_response(jsonify({'fail': 'Credential ID is not found.'}),
404)
webauthn_user = webauthn.WebAuthnUser(user.ukey, user.username,
user.display_name, user.icon_url,
user.credential_id, user.pub_key,
user.sign_count, user.rp_id)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
allow_credentials=None,
uv_required=False) # User Verification
logger.add('----- [Authentication] Received Data -----')
try:
logger.add(
'----- [Authentication] Authenticator Response (Decoded) from Authenticator/Client -----'
)
webauthn_tools = webauthn.WebAuthnTools()
decoded_assertion_response = webauthn_tools.view_assertion(
assertion_response)
logger.add(json.dumps(decoded_assertion_response, indent=4))
logger.add('----- End -----')
except Exception as e:
app.logger.debug('Assertion view failed. Error: {}'.format(e))
logger.add('Attestation view failed. Error: {}'.format(e))
return make_response(
jsonify({
'fail': 'Attestation view failed. Error: {}'.format(e),
'debug_log': logger.get()
}), 500)
try:
logger.add('----- [Authentication] [Verify] Start -----')
sign_count = webauthn_assertion_response.verify()
logger.add(webauthn_assertion_response.getLog())
logger.add('----- [Authentication] [Verify] End -----')
except Exception as e:
app.logger.debug('Assertion failed. Error: {}'.format(e))
logger.add('Assertion failed. Error: {}'.format(e))
return jsonify({
'fail': 'Assertion failed. Error: {}'.format(e),
'debug_log': logger.get()
})
# Update counter.
user.sign_count = sign_count
db.session.add(user)
db.session.commit()
logger.add('----- [Authentication] Server Successfully Return. -----')
return make_response(
jsonify({
'success':
u'Successfully Authenticate as {}'.format(user.username),
'debug_log':
logger.get()
}), 200)
