mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-16 11:20:12 -04:00
This passes existing credentials in the server response, to allow the browser to prevent re-registering the same key for the same user. Registering the same key multiple times doesn't seem to be an issue technically; the user has likely got their keys mixed up. - Chrome says "you don't need to register it again". - Safari exits with an InvalidStateError. - Firefox exits with a DOMException.
47 lines
1.4 KiB
Python
47 lines
1.4 KiB
Python
from fido2 import cbor
|
|
from flask import current_app, request, session
|
|
from flask_login import current_user
|
|
|
|
from app.main import main
|
|
from app.models.webauthn_credential import WebAuthnCredential
|
|
from app.notify_client.user_api_client import user_api_client
|
|
from app.utils import user_is_platform_admin
|
|
|
|
|
|
@main.route('/webauthn/register')
|
|
@user_is_platform_admin
|
|
def webauthn_begin_register():
|
|
server = current_app.webauthn_server
|
|
|
|
registration_data, state = server.register_begin(
|
|
{
|
|
"id": bytes(current_user.id, 'utf-8'),
|
|
"name": current_user.email_address,
|
|
"displayName": current_user.name,
|
|
},
|
|
credentials=[
|
|
credential.to_credential_data()
|
|
for credential in current_user.webauthn_credentials
|
|
],
|
|
user_verification="discouraged", # don't ask for PIN
|
|
authenticator_attachment="cross-platform",
|
|
)
|
|
|
|
session["webauthn_registration_state"] = state
|
|
return cbor.encode(registration_data)
|
|
|
|
|
|
@main.route('/webauthn/register', methods=['POST'])
|
|
@user_is_platform_admin
|
|
def webauthn_complete_register():
|
|
credential = WebAuthnCredential.from_registration(
|
|
session.pop("webauthn_registration_state"),
|
|
cbor.decode(request.get_data()),
|
|
)
|
|
|
|
user_api_client.create_webauthn_credential_for_user(
|
|
current_user.id, credential
|
|
)
|
|
|
|
return ''
|