Fix the user provider not honoring the useWebauthnOnly option

2023-03-02 15:07:46 +01:00 · 2023-03-02 15:07:46 +01:00 · 4006deb1e0
parent 47be24b60f
commit 4006deb1e0
2 changed files with 33 additions and 7 deletions
--- a/app/Extensions/WebauthnTwoFAuthUserProvider.php
+++ b/app/Extensions/WebauthnTwoFAuthUserProvider.php
@ -0,0 +1,28 @@
+<?php
+
+namespace App\Extensions;
+
+use Illuminate\Auth\EloquentUserProvider;
+use App\Models\WebAuthnAuthenticatable;
+use Laragear\WebAuthn\Auth\WebAuthnUserProvider;
+
+class WebauthnTwoFAuthUserProvider extends WebAuthnUserProvider
+{
+    /**
+     * Validate a user against the given credentials.
+     *
+     * @param  \Illuminate\Contracts\Auth\Authenticatable|\App\Models\WebAuthnAuthenticatable|\App\Models\User  $user
+     * @param  array  $credentials
+     *
+     * @return bool
+     */
+    public function validateCredentials($user, array $credentials): bool
+    {
+        if ($user instanceof WebAuthnAuthenticatable && $this->isSignedChallenge($credentials)) {
+            return $this->validateWebAuthn();
+        }
+
+        // If the user disabled the fallback is enabled, we will validate the credential password.
+        return $user->preferences['useWebauthnOnly'] == false && EloquentUserProvider::validateCredentials($user, $credentials);
+    }
+}
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@ -88,19 +88,17 @@ class AuthServiceProvider extends ServiceProvider
            return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
        });

-        // Previously we were using a custom user provider derived from the Larapass user provider
-        // in order to honor the "useWebauthnOnly" user option.
-        // Since Laragear\WebAuthn now replaces DarkGhostHunter\Larapass, the new approach is
-        // simplier: We overload the 'eloquent-webauthn' registration from Laragear\WebAuthn\WebAuthnServiceProvider
-        // with a custom closure that uses the "useWebauthnOnly" user option
+        // We use a custom user provider derivated from the Laragear\WebAuthn one to honor the "useWebauthnOnly" user option.
+        // As this option is now available in the $user->preferences array it is no more possible to overload the $fallback
+        // value here because $user is not available at registration.
        Auth::provider(
            'eloquent-webauthn',
            static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider {
-                return new \Laragear\WebAuthn\Auth\WebAuthnUserProvider(
+                return new \App\Extensions\WebauthnTwoFAuthUserProvider(
                    $app->make('hash'),
                    $config['model'],
                    $app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class),
-                    Settings::get('useWebauthnOnly') ? false : true
+                    true
                );
            }
        );