Files
notifications-admin/app/main/views/webauthn_credentials.py
Ben Thorner 957dba4356 Avoid registering the same authenticator twice
This passes existing credentials in the server response, to allow
the browser to prevent re-registering the same key for the same
user. Registering the same key multiple times doesn't seem to be
an issue technically; the user has likely got their keys mixed up.

- Chrome says "you don't need to register it again".
- Safari exits with an InvalidStateError.
- Firefox exits with a DOMException.
2021-05-13 10:22:24 +01:00

47 lines
1.4 KiB
Python

from fido2 import cbor
from flask import current_app, request, session
from flask_login import current_user
from app.main import main
from app.models.webauthn_credential import WebAuthnCredential
from app.notify_client.user_api_client import user_api_client
from app.utils import user_is_platform_admin
@main.route('/webauthn/register')
@user_is_platform_admin
def webauthn_begin_register():
server = current_app.webauthn_server
registration_data, state = server.register_begin(
{
"id": bytes(current_user.id, 'utf-8'),
"name": current_user.email_address,
"displayName": current_user.name,
},
credentials=[
credential.to_credential_data()
for credential in current_user.webauthn_credentials
],
user_verification="discouraged", # don't ask for PIN
authenticator_attachment="cross-platform",
)
session["webauthn_registration_state"] = state
return cbor.encode(registration_data)
@main.route('/webauthn/register', methods=['POST'])
@user_is_platform_admin
def webauthn_complete_register():
credential = WebAuthnCredential.from_registration(
session.pop("webauthn_registration_state"),
cbor.decode(request.get_data()),
)
user_api_client.create_webauthn_credential_for_user(
current_user.id, credential
)
return ''