Example #1
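def webauthn_begin_activate():
    '''
    This url is called when the registration process starts

    Reads ``register_username`` and ``register_display_name`` from the
    submitted form, requires the caller to be the authenticated user named
    in the form, resets any in-progress registration state held in the
    session, then stores a fresh challenge (without base64 padding) and a
    fresh user key in the session and returns the
    ``WebAuthnMakeCredentialOptions`` registration dict as JSON.

    Returns:
        A JSON response with the registration options, or a 401 JSON
        ``{'fail': ...}`` response when the username, the login state or
        the display name is rejected.
    '''
    username = request.form.get('register_username')
    if not util.validate_username(username):
        return make_response(jsonify({'fail': 'Invalid username.'}), 401)
    display_name = request.form.get('register_display_name')
    user_exists = database.user_exists(username)
    # The form username must be the logged-in identity: a credential can
    # only be registered for the account that is making the request.
    if (not user_exists
            or not current_user.is_authenticated
            or username != current_user.id):
        return make_response(jsonify({'fail': 'User not logged in.'}), 401)

    if not util.validate_token_name(display_name):
        return make_response(jsonify({'fail': 'Invalid display name.'}), 401)

    # clear session variables prior to starting a new registration, so a
    # challenge or ukey left over from an abandoned attempt cannot be reused
    for key in ('register_ukey', 'register_username',
                'register_display_name', 'challenge'):
        session.pop(key, None)

    session['register_username'] = username
    session['register_display_name'] = display_name

    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()
    # The padded challenge goes to the browser; the session keeps the
    # unpadded form -- presumably what the browser echoes back, so the
    # completion handler can compare directly (confirm there).
    session['challenge'] = challenge.rstrip('=')
    session['register_ukey'] = ukey

    make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge, RP_NAME, RP_ID, ukey, username, display_name,
        cfg['host']['origin'])

    return jsonify(make_credential_options.registration_dict)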
Example #2
def webauthn_begin_activate():
    """Start a WebAuthn registration for the currently logged-in user.

    Discards registration state left in the session by an earlier attempt,
    records the user's id and full name (``vorname`` + ``name``) in the
    session, generates a challenge and a user key, stores them, and returns
    the ``WebAuthnMakeCredentialOptions`` registration dict as JSON.

    Returns:
        The registration options as a JSON response.
    """
    # Forget any earlier, unfinished registration.
    for stale_key in ('register_ukey', 'register_id', 'challenge'):
        session.pop(stale_key, None)

    user_id = current_user.id
    full_name = current_user.vorname + " " + current_user.name

    session['register_username'] = user_id
    session['register_display_name'] = full_name

    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()

    # The session keeps the challenge without its '=' padding so that it can
    # be compared byte-for-byte with the URL-safe, unpadded value the browser
    # sends back; the padded original still goes down to the browser, which
    # makes decoding it into binary on the JS side straightforward.
    session['challenge'] = challenge.rstrip('=')
    session['register_ukey'] = ukey

    credential_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge, RP_NAME, RP_ID, ukey, user_id, full_name, ORIGIN)

    return jsonify(credential_options.registration_dict)
Example #3
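def webauthn_begin_activate():
    """Start a WebAuthn registration for a new account.

    Validates ``register_username`` and ``register_display_name`` from the
    form, rejects usernames that already exist in ``User``, resets any
    in-progress registration state in the session, stores a fresh challenge
    (without base64 padding) and a fresh user key, and returns the
    ``WebAuthnMakeCredentialOptions`` registration dict as JSON.

    Returns:
        The registration dict as JSON, or a 401 JSON ``{'fail': ...}``
        response when the username or display name is invalid or the
        username is already taken.
    """
    # MakeCredentialOptions
    username = request.form.get('register_username')
    display_name = request.form.get('register_display_name')

    if not util.validate_username(username):
        return make_response(jsonify({'fail': 'Invalid username.'}), 401)
    if not util.validate_display_name(display_name):
        return make_response(jsonify({'fail': 'Invalid display name.'}), 401)

    if User.query.filter_by(username=username).first():
        return make_response(jsonify({'fail': 'User already exists.'}), 401)

    # clear session variables prior to starting a new registration
    for key in ('register_ukey', 'register_username',
                'register_display_name', 'challenge'):
        session.pop(key, None)

    session['register_username'] = username
    session['register_display_name'] = display_name

    # The challenge is the secret that ties this ceremony to the session.
    # It is deliberately not printed or logged, and no debugger hook is
    # left in the request path.
    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()

    # We strip the saved challenge of padding, so that we can do a byte
    # comparison on the URL-safe-without-padding challenge we get back
    # from the browser.
    # We will still pass the padded version down to the browser so that the JS
    # can decode the challenge into binary without too much trouble.
    session['challenge'] = challenge.rstrip('=')
    session['register_ukey'] = ukey

    # NOTE(review): the origin is hard-coded here; it has to be the origin
    # the browser actually loads the page from -- confirm before deploying.
    make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge, RP_NAME, RP_ID, ukey, username, display_name,
        'https://example.com')

    return jsonify(make_credential_options.registration_dict)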
Example #4
def webauthn_begin_activate():
    """Start a WebAuthn registration for a new account.

    Takes ``username`` and ``displayName`` from the form, validates both,
    refuses a username that already exists in ``User``, drops any earlier
    registration state from the session, stores a new challenge (kept
    exactly as generated) and user key, and returns the
    ``WebAuthnMakeCredentialOptions`` registration dict as JSON.

    Returns:
        The registration dict as JSON, or a 401 JSON ``{'fail': ...}``
        response for an invalid username, an invalid display name or a
        username that is already taken.
    """
    # MakeCredentialOptions
    username = request.form.get('username')
    display_name = request.form.get('displayName')

    if not util.validate_username(username):
        return make_response(jsonify({'fail': 'Invalid username.'}), 401)
    if not util.validate_display_name(display_name):
        return make_response(jsonify({'fail': 'Invalid display name.'}), 401)

    if User.query.filter_by(username=username).first():
        return make_response(jsonify({'fail': 'User already exists.'}), 401)

    # Forget any earlier, unfinished registration.
    for stale_key in ('register_ukey', 'register_username',
                      'register_display_name', 'challenge'):
        session.pop(stale_key, None)

    session['register_username'] = username
    session['register_display_name'] = display_name

    rp_name = 'localhost'
    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()

    # Stored as generated, padding included; the completion step has to
    # compare against the same form.
    session['challenge'] = challenge
    session['register_ukey'] = ukey

    credential_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge, rp_name, RP_ID, ukey, username, display_name,
        'https://example.com')

    return jsonify(credential_options.registration_dict)
Example #5
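def attestation_get_options():
    """Build and return WebAuthn attestation (registration) options.

    Takes ``username`` and ``displayName`` from the form, falling back to a
    random 8-character username and to the username as display name.
    Clears any previous registration state from the session, stores a fresh
    challenge (kept exactly as generated) and user key, loads -- or creates
    with default content -- the ``Options`` row for ``RP_ID``, collects the
    credential ids of the users configured for exclusion when that option is
    enabled, and returns the ``WebAuthnMakeCredentialOptions`` registration
    dict as JSON. The same dict is cached in ``session['att_option']`` as
    indented JSON text.

    Returns:
        200 with the registration dict; 400 when the stored options row has
        a version other than ``CURRENT_OPTIONS_TBL_VERSION``; 401 when an
        excluded user has no credential id; 500 when the options lookup or
        creation raises.
    """
    username = request.form.get('username')
    display_name = request.form.get('displayName')

    # Drop leftovers of an earlier, unfinished registration.
    for key in ('register_ukey', 'register_username',
                'register_display_name', 'challenge', 'att_option'):
        session.pop(key, None)

    # request.form.get() yields a str or None; both "missing" cases fall back.
    if not username:
        username = util.random_username(8)
    if not display_name:
        display_name = username

    session['register_username'] = username
    session['register_display_name'] = display_name

    rp_name = RP_ID
    challenge = util.generate_challenge(32)
    ukey = util.generate_ukey()

    # Stored as generated, padding included; the completion step has to
    # compare against the same form.
    session['challenge'] = challenge
    session['register_ukey'] = ukey

    exclude_credentialids = []

    webauthn_options = webauthn.WebAuthnOptions()

    try:
        options = Options.query.filter_by(rp_id=RP_ID).first()
        if options is None:
            options = Options()
            options.rp_id = RP_ID
            options.version = CURRENT_OPTIONS_TBL_VERSION
            options.option_content = json.dumps(webauthn_options.get())
            db.session.add(options)
            db.session.commit()
        elif options.version != CURRENT_OPTIONS_TBL_VERSION:
            return make_response(
                jsonify({'fail': 'Options Table Version Error.'}), 400)
    except Exception:
        # Keep the exception text (driver, schema, connection details)
        # server-side; the client only learns that the lookup failed.
        app.logger.exception('Options database error')
        return make_response(
            jsonify({'fail': 'Options Database Error.'}), 500)

    webauthn_options.set(json.loads(options.option_content))

    if (webauthn_options.enableAttestationExcludeCredentials == 'true'
            and len(webauthn_options.attestationExcludeCredentialsUsers)):
        users = Users.query.filter(
            Users.id.in_(
                webauthn_options.attestationExcludeCredentialsUsers)).all()
        for user in users:
            # Every user on the exclude list is expected to already hold a
            # credential; one without is treated as a configuration error.
            if not user.credential_id:
                app.logger.debug('Unknown credential ID.')
                return make_response(
                    jsonify({'fail': 'Unknown credential ID.'}), 401)
            exclude_credentialids.append(str(user.credential_id))

    # NOTE(review): the origin is hard-coded here; it has to be the origin
    # the browser actually loads the page from -- confirm before deploying.
    make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
        webauthn_options, exclude_credentialids, challenge, rp_name, RP_ID,
        ukey, username, display_name, 'https://example.com')

    reg_dict = json.dumps(make_credential_options.registration_dict, indent=2)
    session['att_option'] = reg_dict

    return make_response(jsonify(make_credential_options.registration_dict),
                         200)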