MC-22950: Enable 2FA by default for Admins

- Refactored configure process

Author: nathanjosiah

TwoFactorAuth/Block/Provider/U2fKey/Configure.php

@@ -58,9 +58,16 @@ public function getJsLayout()
         $this->jsLayout['components']['tfa-configure']['touchImageUrl'] =
             $this->getViewFileUrl('Magento_TwoFactorAuth::images/u2f/touch.png');
 
-        $this->jsLayout['components']['tfa-configure']['registerData'] =
-            $this->u2fKey->getRegisterData($this->session->getUser());
+        $this->jsLayout['components']['tfa-configure']['registerData'] = $this->getRegisterData();
 
         return parent::getJsLayout();
     }
+
+    public function getRegisterData(): array
+    {
+        $registerData = $this->u2fKey->getRegisterData($this->session->getUser());
+        $this->session->setTfaU2fChallenge($registerData['publicKey']['challenge']);
+
+        return $registerData;
+    }
 }

TwoFactorAuth/Controller/Adminhtml/U2f/Configurepost.php

@@ -94,19 +94,28 @@ public function execute()
         $result = $this->jsonFactory->create();
 
         try {
-            $data = $this->getRequest()->getParam('publicKeyCredential');
+            $challenge = $this->session->getTfaU2fChallenge();
+            if (!empty($challenge)) {
+                $data = [
+                   'publicKeyCredential' => $this->getRequest()->getParam('publicKeyCredential'),
+                   'challenge' => $challenge
+                ];
+
+                $this->u2fKey->registerDevice($this->getUser(), $data);
+                $this->tfaSession->grantAccess();
+                $this->session->unsTfaU2fChallenge();
+
+                $this->alert->event(
+                    'Magento_TwoFactorAuth',
+                    'U2F New device registered',
+                    AlertInterface::LEVEL_INFO,
+                    $this->getUser()->getUserName()
+                );
+                $res = ['success' => true];
+            } else {
+                $res = ['success' => false];
+            }
 
-            $this->u2fKey->registerDevice($this->getUser(), $data);
-            $this->tfaSession->grantAccess();
-
-            $this->alert->event(
-                'Magento_TwoFactorAuth',
-                'U2F New device registered',
-                AlertInterface::LEVEL_INFO,
-                $this->getUser()->getUserName()
-            );
-
-            $res = ['success' => true];
         } catch (\Throwable $e) {
             $this->alert->event(
                 'Magento_TwoFactorAuth',

TwoFactorAuth/Model/Provider/Engine/U2fKey/WebAuthn.php

@@ -214,18 +214,30 @@ public function getRegisterData(UserInterface $user): array
      */
     public function getPublicKeyFromRegistrationData(array $data): array
     {
-        // Remaining steps (8+) of @see https://www.w3.org/TR/webauthn/#registering-a-new-credential
-        if (empty($data['response']['attestationObject']) || empty($data['id'])) {
-            throw new ValidationException(__('Invalid U2F key data'));
+        // Verification process as defined by w3 @see https://www.w3.org/TR/webauthn/#registering-a-new-credential
+
+        $credentialData = $data['publicKeyCredential'];
+        $domain = $this->getDomainName();
+
+        if (rtrim(strtr(base64_encode($this->convertArrayToBytes($data['challenge'])), '+/', '-_'), '=')
+            !== $credentialData['response']['clientData']['challenge']
+            || 'https://' . $domain !== $credentialData['response']['clientData']['origin']
+            || $credentialData['response']['clientData']['type'] !== 'webauthn.create'
+        ) {
+            throw new LocalizedException(__('Invalid U2F key.'));
         }
 
-        $byteString = base64_decode($data['response']['attestationObject']);
+        if (empty($credentialData['response']['attestationObject']) || empty($credentialData['id'])) {
+            throw new ValidationException(__('Invalid U2F key data'));
+        }
+        $byteString = base64_decode($credentialData['response']['attestationObject']);
         $attestationObject = CBOREncoder::decode($byteString);
         if (empty($attestationObject['fmt'])
             || empty($attestationObject['authData'])
         ) {
             throw new ValidationException(__('Invalid U2F key data'));
         }
+
         $byteString = $attestationObject['authData']->get_byte_string();
 
         // @see https://www.w3.org/TR/webauthn/#sec-authenticator-data
@@ -257,14 +269,14 @@ public function getPublicKeyFromRegistrationData(array $data): array
         $attestationObject['attestationData']['keyBytes'] = $this->COSEECDHAtoPKCS($cborPublicKey);
 
         if (empty($attestationObject['attestationData']['keyBytes'])
-            || $attestationObject['attestationData']['credId'] !== base64_decode($data['id'])
+            || $attestationObject['attestationData']['credId'] !== base64_decode($credentialData['id'])
         ) {
             throw new ValidationException(__('Invalid U2F key data'));
         }
 
         return [
             'key' => $attestationObject['attestationData']['keyBytes'],
-            'id' => $data['id'],
+            'id' => $credentialData['id'],
             'aaguid' => $attestationObject['attestationData']['aaguid'] ?? null
         ];
     }

TwoFactorAuth/view/adminhtml/web/js/u2fkey/configure.js

@@ -107,25 +107,6 @@ define([
          * @private
          */
         _processCredentialData: function (credentialData) {
-            // Steps 1-5 of @see https://www.w3.org/TR/webauthn/#registering-a-new-credential
-            var b64Challenge = window.btoa(
-                    String.fromCharCode.apply(null, new Uint8Array(this.registerData.publicKey.challenge))
-                )
-                .replace(/=+$/g, '')
-                .replace(/\+/g, '-')
-                .replace(/\//g, '_');
-
-            if (b64Challenge !== credentialData.clientData.challenge ||
-                'https://' + this.registerData.publicKey.rp.name !== credentialData.clientData.origin ||
-                !('type' in credentialData.clientData) ||
-                credentialData.clientData.type !== 'webauthn.create'
-            ) {
-                error.display($t('Invalid key'));
-                this.idle(true);
-
-                return;
-            }
-
             this.loading(true);
             $.post(this.getPostUrl(), {
                 publicKeyCredential: {