Lvanbuiten csp compliances (#97)

* HTML compliant - Stylesheets (CSS) and reformatting

* HTML compliant - JavaScript

+ fix reference to `sb-admin.min.css` in `logout.html`

* HTML compliant - JavaScript

Fix typo

* HTML compliant - JavaScript

Fix HTML inline `onclick` events and `onsubmit` for forms

* Merged CSP

---------

Co-authored-by: Lex van Buiten <l.vanbuiten@20face.com>

Author: mkalioby

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 3.1
 
 * Upgraded to fido==1.2.0
+* Added: CSP Compliance (optional), thanks to @lvanbuiten, to under CSP refer to [van Buiten](https://github.com/mkalioby/django-mfa2/pull/93#issuecomment-2847112870)
 * Fix: issue when finding the user based on credential id.
 * Fix: Move key delete to be POST call. Thanks to @AndreasDickow
 

README.md

@@ -224,6 +224,7 @@ function some_func() {
 * [ezrajrice](https://github.com/ezrajrice)
 * [Spitfireap](https://github.com/Spitfireap)
 * [peterthomassen](https://github.com/peterthomassen)
+* [lvanbuiten](https://github.com/lvanbuiten)
 
 
  # Security contact information

example/example-ssl-requirements.txt

@@ -1 +1,2 @@
 django-sslserver
+django-csp~=3.8

example/example/settings.py

@@ -41,6 +41,7 @@
     "django.contrib.messages",
     "django.contrib.staticfiles",
     "mfa",
+    'csp',
     "sslserver",
 ]
 
@@ -49,6 +50,7 @@
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
+    "csp.middleware.CSPMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
@@ -168,3 +170,13 @@
     "localhost"  # Server rp id for FIDO2, it the full domain of your project
 )
 FIDO_SERVER_NAME = "TestApp"
+
+
+CSP = ("'self'", f'*.localhost')
+CSP_DEFAULT_SRC = CSP
+CSP_IMG_SRC = CSP + ('data:', 'blob:')
+CSP_FONT_SRC = CSP + ('data:',)
+CSP_SCRIPT_SRC = CSP
+CSP_STYLE_SRC = CSP
+CSP_CONNECT_SRC = CSP
+CSP_FORM_ACTION = CSP

example/example/templates/logout.html

@@ -16,7 +16,7 @@
   <link href="{% static  'vendor/fontawesome-free/css/all.min.css'%}" rel="stylesheet" type="text/css">
 
   <!-- Custom styles for this template-->
-  <link href="{% static 'css/sb-admin.css'%}" rel="stylesheet">
+  <link href="{% static 'css/sb-admin.min.css'%}" rel="stylesheet">
 
 </head>
 

example/example/urls.py

@@ -20,7 +20,7 @@
 
 urlpatterns = [
     path("admin/", admin.site.urls),
-    path("mfa/", include("mfa.urls")),
+    path("mfa2/", include("mfa.urls")),
     path("auth/login", auth.loginView, name="login"),
     path("auth/logout", auth.logoutView, name="logout"),
     path("devices/add/", TrustedDevice.add, name="add_trusted_device"),

mfa/static/mfa/css/mfa.css

@@ -0,0 +1,126 @@
+.text-center {
+    text-align: center;
+}
+
+.text-right {
+    text-align: right;
+}
+
+.padding-10 {
+    padding: 10px;
+}
+
+.padding-left-0 {
+    padding-left: 0;
+}
+
+.padding-left-15 {
+    padding-left: 15px;
+}
+
+.padding-left-25 {
+    padding-left: 25px;
+}
+
+.padding-top-10 {
+    padding-top: 10px;
+}
+
+.padding-right-30 {
+    padding-right: 30px;
+}
+
+#popUpModal {
+    top: 40px;
+
+    & .modal-dialog {
+        height: 80%;
+        width: 80%;
+    }
+}
+
+.img-circle {
+    padding: 3px;
+    height: 50px;
+}
+
+.success-message {
+    color: green;
+}
+.error-message {
+    color: red;
+}
+
+.font-10 {
+    font-size: 10px;
+}
+
+.color-gray {
+    color: #333333;
+}
+
+.bg-white {
+    background-color: #f0f0f0;
+}
+
+.institution-code {
+    font-size: 10pt;
+    font-family: Calibri;
+    height: 34px;width: 230px
+}
+
+.td-digits {
+    font-size: 16px;
+    font-weight: bold;
+    margin-left: 50px;
+}
+
+#two-factor-steps {
+    border: 1px solid #ccc;
+    border-radius: 3px;
+    padding: 15px;
+
+    & .row {
+        margin: 0;
+        align-items: center;
+    }
+
+    & .toolbtn {
+        border-radius: 7px;
+        cursor: pointer;
+
+        & :hover {
+            background-color: gray;
+            transition: 0.2s;
+        }
+
+        & :active {
+            background-color: green;
+            transition: 0.2s;
+        }
+    }
+
+    & #answer {
+        display: inline;
+        width: 95%
+    }
+
+    & #second_step {
+        display: none;
+        text-align: center;
+        align-content: center
+    }
+
+    & .tokenrow {
+        margin-top: 10px;
+        margin-left: 5px;
+    }
+}
+
+.row.margin-3 {
+    margin: 3px;
+}
+
+.row.margin-left-15, .auth-card .row {
+    margin-left: 15px;
+}

mfa/static/mfa/js/Email/recheck.js

@@ -0,0 +1,6 @@
+$(document).ready(function () {
+    const mode = JSON.parse(document.getElementById('mode').textContent);
+    if (mode == "recheck") {
+        $("#send_totp").click(function () {send_totp()});
+    }
+})

mfa/static/mfa/js/FIDO2/add.js

@@ -0,0 +1,64 @@
+var MakeCredReq = (makeCredReq) => {
+    makeCredReq.publicKey.challenge = base64url.decode(makeCredReq.publicKey.challenge);
+    makeCredReq.publicKey.user.id = base64url.decode(makeCredReq.publicKey.user.id);
+
+    for (let excludeCred of makeCredReq.publicKey.excludeCredentials) {
+        excludeCred.id = base64url.decode(excludeCred.id);
+    }
+
+    return makeCredReq
+}
+
+function begin_reg() {
+    const fido2_begin_reg = JSON.parse(document.getElementById('fido2_begin_reg').textContent);
+    const fido2_complete_reg = JSON.parse(document.getElementById('fido2_complete_reg').textContent);
+    const redirect_html = JSON.parse(document.getElementById('redirect_html').textContent);
+    const reg_success_msg = JSON.parse(document.getElementById('reg_success_msg').textContent);
+    const manage_recovery_codes = JSON.parse(document.getElementById('manage_recovery_codes').textContent);
+    const RECOVERY_METHOD = JSON.parse(document.getElementById('RECOVERY_METHOD').textContent);
+    const mfa_home = JSON.parse(document.getElementById('mfa_home').textContent);
+    fetch(fido2_begin_reg, {}).then(function (response) {
+        if (response.ok) {
+            return response.json().then(function (req) {
+                return MakeCredReq(req)
+            });
+        }
+        throw new Error('Error getting registration data!');
+    }).then(function (options) {
+        //options.publicKey.attestation="direct"
+        console.log(options)
+        return navigator.credentials.create(options);
+    }).then(function (attestation) {
+        return fetch(fido2_complete_reg, {
+            method: 'POST',
+            body: JSON.stringify(publicKeyCredentialToJSON(attestation))
+        });
+    }).then(function (response) {
+        var stat = response.ok ? 'successful' : 'unsuccessful';
+        return response.json()
+    }).then(function (res) {
+        if (res["status"] == 'OK')
+            $("#res").html("<div class='alert alert-success'>Registered Successfully, <a href='"+redirect_html+"'>"+reg_success_msg+"</a></div>")
+        else if (res['status'] = "RECOVERY") {
+            setTimeout(function () {
+                location.href = manage_recovery_codes
+            }, 2500)
+            $("#res").html("<div class='alert alert-success'>Registered Successfully, but <a href='"+manage_recovery_codes+"'>redirecting to "+RECOVERY_METHOD+" method</a></div>")
+        } else
+            $("#res").html("<div class='alert alert-danger'>Registration Failed as " + res["message"] + ", <a href='#' id='failed_begin_reg'> try again or <a href='"+mfa_home+"'> Go to Security Home</a></div>")
+            $("#failed_begin_reg").click(function() {begin_reg()});
+    }, function (reason) {
+        $("#res").html("<div class='alert alert-danger'>Registration Failed as " + reason + ", <a href='#' id='failed_begin_reg'> try again </a> or <a href='"+mfa_home+"'> Go to Security Home</a></div>")
+        $("#failed_begin_reg").click(function() {begin_reg()});
+    })
+}
+
+$(document).ready(function () {
+    ua = new UAParser().getResult()
+    if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari") {
+        $("#res").html("<button class='btn btn-success' id='ua_begin_reg'>Start...</button>")
+        $("#ua_begin_reg").click(function() { begin_reg(); });
+    } else {
+        setTimeout(begin_reg, 500)
+    }
+})

mfa/static/mfa/js/FIDO2/auth_js.js

@@ -0,0 +1,96 @@
+window.conditionalUI = false;
+window.conditionUIAbortController = new AbortController();
+window.conditionUIAbortSignal = conditionUIAbortController.signal;
+
+function checkConditionalUI(form) {
+    if (window.PublicKeyCredential && PublicKeyCredential.isConditionalMediationAvailable) {
+        // Check if conditional mediation is available.
+        PublicKeyCredential.isConditionalMediationAvailable().then((result) => {
+            window.conditionalUI = result;
+            if (window.conditionalUI) {
+                authen(true)
+            }
+        });
+    }
+}
+
+var GetAssertReq = (getAssert) => {
+    getAssert.publicKey.challenge = base64url.decode(getAssert.publicKey.challenge);
+    for (let allowCred of getAssert.publicKey.allowCredentials) {
+        allowCred.id = base64url.decode(allowCred.id);
+    }
+    return getAssert
+}
+
+function authen(conditionalUI = false) {
+    const fido2_begin_auth = JSON.parse(document.getElementById('fido2_begin_auth').textContent);
+    const fido2_complete_auth = JSON.parse(document.getElementById('fido2_complete_auth').textContent);
+    const mode = JSON.parse(document.getElementById('mode').textContent);
+    fetch(fido2_begin_auth, {
+        method: 'GET',
+    }).then(function (response) {
+        if (response.ok) {
+            return response.json().then(function (req) {
+                return GetAssertReq(req)
+            });
+        }
+        throw new Error('No credential available to authenticate!');
+    }).then(function (options) {
+        if (conditionalUI) {
+            options.mediation = 'conditional';
+            options.signal = window.conditionUIAbortSignal;
+        } else {
+            window.conditionUIAbortController.abort()
+        }
+        console.log(options)
+        return navigator.credentials.get(options);
+    }).then(function (assertion) {
+        return fetch(fido2_complete_auth, {
+                method: 'POST',
+                headers: {'Content-Type': 'application/json'},
+                body: JSON.stringify(publicKeyCredentialToJSON(assertion)),
+            }
+        ).then(function (response) {
+            if (response.ok) return res = response.json()
+        }).then(function (res) {
+            if (res.status == "OK") {
+                $("#msgdiv").addClass("alert alert-success").removeClass("alert-danger")
+                $("#msgdiv").html("Verified....please wait")
+                if (mode === "auth" || !mode) {
+                    window.location.href = res.redirect;
+                }
+                else if (mode === "recheck") {
+                    mfa_success_function();
+                }
+            } else {
+                $("#msgdiv").addClass("alert alert-danger").removeClass("alert-success")
+                $("#msgdiv").html("Verification Failed as " + res.message + ", <a href='#' id='failed_authen'> try again</a> or <a href='#' id='failed_history_back'> Go Back</a>")
+                $("#failed_history_back").click(function() { history.back() });
+                $("#failed_authen").click(function() { authen(); });
+
+                if (mode === "auth") {
+                    // do nothing
+                }
+                else if (mode === "recheck") {
+                    mfa_failed_function();
+                }
+            }
+        })
+    })
+}
+
+$(document).ready(function () {
+    if (location.protocol != 'https:') {
+        $("#main_paragraph").addClass("alert alert-danger")
+        $("#main_paragraph").html("FIDO2 must work under secure context")
+    } else {
+        ua = new UAParser().getResult()
+        if (ua.browser.name == "Safari" || ua.browser.name == "Mobile Safari" || ua.os.name == "iOS" || ua.os.name == "iPadOS") {
+            $("#res").html("<button class='btn btn-success' id='ua_authen'>Authenticate...</button>");
+            $("#ua_authen").click(function () { authen(); });
+        }
+        else {
+            authen()
+        }
+    }
+});