This adds Yubico's FIDO2 library and two APIs for working with the "navigator.credentials.create()" function in JavaScript. The GET API uses the library to generate options for the "create()" function, and the POST API decodes and verifies the resulting credential. While the options and response are dict-like, CBOR is necessary to encode some of the byte-level values, which can't be represented in JSON.

Much of the code here is based on the Yubico library example [1][2].

Implementation notes:

- There are definitely better ways to alert the user about failure, but window.alert() will do for the time being. Using location.reload() is also a bit jarring if the page scrolls, but not a major issue.
- Ideally we would use window.fetch() to do AJAX calls, but we don't have a polyfill for this, and we use $.ajax() elsewhere [3]. We need to do a few weird tricks [6] to stop jQuery trashing the data.
- The FIDO2 server doesn't serve web requests; it's just a "server" in the sense of WebAuthn terminology. It lives in its own module, since it needs to be initialised with the app / config.
- $.ajax returns a promise-like object. Although we've used ".fail()" elsewhere [3], I couldn't find a stub object that supports it, so I've gone for ".catch()", and used a Promise stub object in tests.
- WebAuthn only works over HTTPS, but there's an exception for "localhost" [4]. However, the library is a bit too strict [5], so we have to disable origin verification to avoid needing HTTPS for dev work.

[1]: c42d9628a4/examples/server/server.py
[2]: c42d9628a4/examples/server/static/register.html
[3]: 91453d3639/app/assets/javascripts/updateContent.js (L33)
[4]: https://stackoverflow.com/questions/55971593/navigator-credentials-is-null-on-local-server
[5]: c42d9628a4/fido2/rpid.py (L69)
[6]: https://stackoverflow.com/questions/12394622/does-jquery-ajax-or-load-allow-for-responsetype-arraybuffer
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile requirements.in
#
ago==0.0.93
# via -r requirements.in
awscli-cwlogs==1.4.6
# via -r requirements.in
awscli==1.19.51
# via
# awscli-cwlogs
# notifications-utils
bleach==3.3.0
# via notifications-utils
blinker==1.4
# via
# -r requirements.in
# gds-metrics
boto3==1.17.51
# via notifications-utils
botocore==1.20.51
# via
# awscli
# boto3
# s3transfer
cachetools==4.2.1
# via notifications-utils
certifi==2020.12.5
# via requests
cffi==1.14.5
# via cryptography
chardet==4.0.0
# via requests
click==7.1.2
# via flask
colorama==0.4.3
# via awscli
cryptography==3.3.2
# via
# -r requirements.in
# fido2
dnspython==1.16.0
# via eventlet
docopt==0.6.2
# via notifications-python-client
docutils==0.15.2
# via awscli
et-xmlfile==1.0.1
# via openpyxl
eventlet==0.30.2
# via -r requirements.in
fido2==0.9.1
# via -r requirements.in
flask-login==0.5.0
# via -r requirements.in
flask-redis==0.4.0
# via notifications-utils
flask-wtf==0.14.3
# via -r requirements.in
flask==1.1.2
# via
# -r requirements.in
# flask-login
# flask-redis
# flask-wtf
# gds-metrics
# notifications-utils
gds-metrics==0.2.4
# via -r requirements.in
geojson==2.5.0
# via notifications-utils
govuk-bank-holidays==0.8
# via
# -r requirements.in
# notifications-utils
# NOTE(review): VCS requirement pinned to the ref "v0.5.8-alpha", which looks like a tag
# rather than a commit SHA - confirm. A tag can be re-pointed upstream, so this pin does not
# guarantee the same code on every install, and pip's hash-checking mode does not cover
# VCS requirements. Consider pinning the full commit SHA in requirements.in.
git+https://github.com/alphagov/govuk-frontend-jinja.git@v0.5.8-alpha#egg=govuk-frontend-jinja==0.5.8-alpha
# via -r requirements.in
greenlet==1.0.0
# via eventlet
gunicorn==20.1.0
# via -r requirements.in
humanize==3.4.0
# via -r requirements.in
idna==2.10
# via requests
itsdangerous==1.1.0
# via
# -r requirements.in
# flask
# flask-wtf
# notifications-utils
jinja2==2.11.3
# via
# flask
# govuk-frontend-jinja
# notifications-utils
jmespath==0.10.0
# via
# boto3
# botocore
lml==0.1.0
# via
# pyexcel
# pyexcel-io
lxml==4.6.3
# via
# pyexcel-ezodf
# pyexcel-ods3
markupsafe==1.1.1
# via
# jinja2
# wtforms
mistune==0.8.4
# via notifications-utils
notifications-python-client==6.0.2
# via -r requirements.in
# NOTE(review): VCS requirement pinned to the ref "44.2.0", which looks like a tag rather
# than a commit SHA - confirm. A tag can be re-pointed upstream, so this pin does not
# guarantee the same code on every install, and pip's hash-checking mode does not cover
# VCS requirements. Consider pinning the full commit SHA in requirements.in.
git+https://github.com/alphagov/notifications-utils.git@44.2.0#egg=notifications-utils==44.2.0
# via -r requirements.in
openpyxl==3.0.7
# via pyexcel-xlsx
orderedset==2.0.3
# via notifications-utils
packaging==20.9
# via bleach
phonenumbers==8.12.21
# via notifications-utils
prometheus-client==0.10.1
# via
# -r requirements.in
# gds-metrics
pyasn1==0.4.8
# via rsa
pycparser==2.20
# via cffi
pyexcel-ezodf==0.3.4
# via pyexcel-ods3
pyexcel-io==0.6.4
# via
# -r requirements.in
# pyexcel
# pyexcel-ods3
# pyexcel-xls
# pyexcel-xlsx
pyexcel-ods3==0.6.0
# via -r requirements.in
pyexcel-xls==0.6.2
# via -r requirements.in
pyexcel-xlsx==0.6.0
# via -r requirements.in
pyexcel==0.6.6
# via -r requirements.in
pyjwt==2.0.1
# via notifications-python-client
pyparsing==2.4.7
# via packaging
pypdf2==1.26.0
# via notifications-utils
python-dateutil==2.8.1
# via
# awscli-cwlogs
# botocore
python-json-logger==2.0.1
# via notifications-utils
pytz==2021.1
# via
# -r requirements.in
# notifications-utils
pyyaml==5.4.1
# via
# awscli
# notifications-utils
redis==3.5.3
# via flask-redis
requests==2.25.1
# via
# awscli-cwlogs
# govuk-bank-holidays
# notifications-python-client
# notifications-utils
rsa==4.7.2
# via awscli
rtreelib==0.2.0
# via -r requirements.in
s3transfer==0.3.7
# via
# awscli
# boto3
shapely==1.7.1
# via
# -r requirements.in
# notifications-utils
six==1.15.0
# via
# awscli-cwlogs
# bleach
# cryptography
# eventlet
# fido2
# govuk-bank-holidays
# python-dateutil
smartypants==2.0.1
# via notifications-utils
statsd==3.3.0
# via notifications-utils
texttable==1.6.3
# via pyexcel
urllib3==1.26.4
# via
# botocore
# requests
webencodings==0.5.1
# via bleach
werkzeug==1.0.1
# via flask
wtforms==2.3.3
# via flask-wtf
xlrd==1.2.0
# via pyexcel-xls
xlwt==1.3.0
# via pyexcel-xls
# The following packages are considered to be unsafe in a requirements file:
# setuptools