path: root/app/assets/javascripts/u2f
author: Timothy Andrew <mail@timothyandrew.net> 2016-07-11 13:02:24 +0530
committer: Timothy Andrew <mail@timothyandrew.net> 2016-07-14 08:19:09 +0530
commit: 3572582dd2568cd473676563077ab3985b9803f7 (patch)
tree: 768bfcee1284ee7f9e71d0036c6cc6ccecc3da96 /app/assets/javascripts/u2f
parent: 4b33c4c6d1aa529ec22606995123cfa3a151ccee (diff)
Use a single challenge for U2F authentication.
1. According to the spec, either we have a single challenge with a number of `signRequests`, or a number of `signRequests`, each with its own challenge.
2. Previously, we had both these - per-request challenges, as well as a single extra challenge.
3. This commit changes this so that the per-request challenges are removed, leaving only a single challenge, as per the v1.1 U2F API.
4. The existing implementation didn't work in Firefox, because the Firefox (extension) implementation is less flexible with regard to the inputs.
5. Fix teaspoon specs.
6. References: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#h2_background
Diffstat (limited to 'app/assets/javascripts/u2f')
-rw-r--r-- app/assets/javascripts/u2f/authenticate.js.coffee | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/app/assets/javascripts/u2f/authenticate.js.coffee b/app/assets/javascripts/u2f/authenticate.js.coffee
index 6deb902c8de..be10e911c83 100644
--- a/app/assets/javascripts/u2f/authenticate.js.coffee
+++ b/app/assets/javascripts/u2f/authenticate.js.coffee
@@ -6,8 +6,17 @@
class @U2FAuthenticate
constructor: (@container, u2fParams) ->
@appId = u2fParams.app_id
- @challenges = u2fParams.challenges
- @signRequests = u2fParams.sign_requests
+ @challenge = u2fParams.challenge
+
+ # The U2F Javascript API v1.1 requires a single challenge, with _no
+ # challenges per-request_.
+ #
+ # The U2F Javascript API v1.0 requires a challenge per-request, which
+ # is done by copying the single challenge into every request.
+ #
+ # In either case, we don't need the per-request challenges that the server
+ # has generated, so we can remove them.
+ @signRequests = u2fParams.sign_requests.map (request) -> _(request).omit('challenge')
start: () =>
if U2FUtil.isU2FSupported()
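Review bot: The server is still generating a challenge per `sign_request` that this constructor now throws away with `_(request).omit('challenge')`; since the commit message says only the single challenge is used from now on, the server should stop generating the per-request challenges (and must verify the signed `clientData` against `u2fParams.challenge` alone) rather than leaving two challenge sources in play, one of which is silently discarded client-side. The new comment block also says the v1.0 copy of the single challenge into every request "is done" without saying by whom; name the layer that performs it (it is no longer this class) so a reader does not assume the server-side per-request challenges are still required. Finally, `_(request).omit('challenge')` assumes Underscore is loaded globally on this page, which is worth stating in the comment.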
@@ -16,7 +25,7 @@ class @U2FAuthenticate
@renderNotSupported()
authenticate: () =>
- u2f.sign(@appId, @challenges, @signRequests, (response) =>
+ u2f.sign(@appId, @challenge, @signRequests, (response) =>
if response.errorCode
error = new U2FError(response.errorCode)
@renderError(error);
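Review bot: The new `u2f.sign(@appId, @challenge, @signRequests, ...)` call shape is the whole point of the change, and since the commit message reports that Firefox rejects requests that still carry per-request challenges, the teaspoon spec mentioned in the message should assert both that `u2f.sign` is invoked with the single `u2fParams.challenge` and that every entry in `@signRequests` has no `challenge` key, so a regression in the constructor is caught rather than surfacing as a Firefox-only failure. Unrelated but in this context: `@renderError(error);` carries a stray trailing semicolon, unusual in this CoffeeScript file.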