Missing @login_required decorator #31

Open
rafaelurben opened this issue Sep 3, 2024 · 3 comments · May be fixed by #32

Comments

@rafaelurben

The views `reg_begin` and `reg_complete` both reference `request.user` without having the `@login_required` decorator. Opening these URLs leads to unwanted Internal Server Errors if the user is not logged in.

```python
def reg_begin(request):
    """Starts registering a new FIDO Device, called from API"""
    enable_json_mapping()
    server = getServer(request)
    auth_attachment = getattr(settings, 'KEY_ATTACHMENT', None)
    # request.user is read here with no authentication check in front of it
    registration_data, state = server.register_begin({
        u'id': urlsafe_b64encode(request.user.username.encode("utf8")),
        u'name': request.user.get_username(),
        u'displayName': request.user.get_full_name()
    }, getUserCredentials(request.user), authenticator_attachment=auth_attachment,
       resident_key_requirement=fido2.webauthn.ResidentKeyRequirement.PREFERRED)
    request.session['fido2_state'] = state
    return JsonResponse(dict(registration_data))
    #return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')


@csrf_exempt
def reg_complete(request):
    """Completes the registration, called by API"""
    try:
        if not "fido2_state" in request.session:
            return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
        enable_json_mapping()
        data = json.loads(request.body)
        name = data.pop("key_name", '')
        server = getServer(request)
        auth_data = server.register_complete(request.session.pop("fido2_state"), response=data)
        encoded = websafe_encode(auth_data.credential_data)
        platform = get_current_platform(request)
        if name == "":
            name = platform
        # request.user is assigned to the model here, again without an authentication check
        uk = UserPasskey(user=request.user, token=encoded, name=name, platform=platform)
        if data.get("id"):
            uk.credential_id = data.get('id')
        uk.save()
        return JsonResponse({'status': 'OK'})
    except Exception as exp:  # pragma: no cover
        print(traceback.format_exc())  # pragma: no cover
        return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"})  # pragma: no cover
```

(Technically, it wouldn't be needed on reg_complete, but I think for the sake of completeness, it should be added nonetheless.)
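The failure mode the issue describes, worked through as an added example that is not part of the issue or of django-passkeys. It models the two views with minimal stand-ins for Django's `Request`, `User` and `AnonymousUser` (Django itself is not imported, so it runs offline) and shows three things: reading `request.user.get_full_name()` for an anonymous request raises and becomes a 500; in `reg_complete` the broad `except Exception` in the posted code turns the same class of failure into a 200 with the generic "Error on server" body, so it is masked rather than fixed; and a guard that runs before any attribute of `request.user` is read resolves both. The guard here returns a JSON 401 rather than Django's usual 302 to `LOGIN_URL`, a choice that suits views called from `fetch()`/XHR; that is an assumption of this example, not the project's fix, which uses Django's own `@login_required`.

```python
"""Added example, not django-passkeys code: why reg_begin and reg_complete
misbehave for an anonymous request, and how an authentication guard that runs
before request.user is touched fixes it. Django is not imported; Request, User
and AnonymousUser below are minimal stand-ins modelled on the Django objects
so the example runs offline."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    """Stand-in for an authenticated django.contrib.auth User."""
    username: str
    first_name: str = ""
    last_name: str = ""
    is_authenticated: bool = True

    def get_username(self):
        return self.username

    def get_full_name(self):
        return f"{self.first_name} {self.last_name}".strip()


class AnonymousUser:
    """Mirrors the part of Django's AnonymousUser that matters here: username is
    '' and is_authenticated is False, and there is no get_full_name()."""
    username = ""
    is_authenticated = False

    def get_username(self):
        return ""


@dataclass
class Request:
    user: object
    session: dict = field(default_factory=dict)


def login_required_json(view):
    """Guard in the spirit of django.contrib.auth.decorators.login_required, but
    answering with a JSON 401 instead of a 302 to LOGIN_URL, which suits views
    called from fetch()/XHR (assumption: the front end handles a 401 body; the
    project's own fix uses Django's decorator)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not getattr(request.user, "is_authenticated", False):
            return 401, {"status": "ERR", "message": "Authentication required"}
        return view(request, *args, **kwargs)
    return wrapper


def reg_begin_unguarded(request):
    """Same user-entity construction as the issue's reg_begin, with the FIDO
    server call left out: AnonymousUser has no get_full_name(), so this raises."""
    user_entity = {
        "id": request.user.username.encode("utf8"),
        "name": request.user.get_username(),
        "displayName": request.user.get_full_name(),
    }
    request.session["fido2_state"] = "constructed-state"
    return 200, {"status": "OK", "user": user_entity["name"]}


def save_passkey(user, token):
    """Stand-in for UserPasskey(user=..., token=...).save(): Django rejects an
    AnonymousUser on a ForeignKey assignment with a ValueError."""
    if not isinstance(user, User):
        raise ValueError("Cannot assign AnonymousUser: must be a User instance")
    return {"user": user.username, "token": token}


def reg_complete_unguarded(request):
    """Mirrors the issue's reg_complete: the broad except converts the ValueError
    into a 200 with a generic error body, so the auth failure is masked."""
    try:
        if "fido2_state" not in request.session:
            return 200, {"status": "ERR", "message": "FIDO Status can't be found, please try again"}
        request.session.pop("fido2_state")
        save_passkey(request.user, token="constructed-credential")
        return 200, {"status": "OK"}
    except Exception:
        return 200, {"status": "ERR", "message": "Error on server, please try again later"}


# Guarded versions: the check runs before any attribute of request.user is read.
reg_begin = login_required_json(reg_begin_unguarded)
reg_complete = login_required_json(reg_complete_unguarded)


def dispatch(view, request):
    """Model Django's handler: an exception escaping the view becomes a 500."""
    try:
        return view(request)
    except Exception as exc:
        return 500, {"error": type(exc).__name__}
```

The order of the wrapping matters for the point of the issue: the guard has to sit outside the view body so that it runs before the first `request.user` attribute read, and it has to sit outside any `try`/`except` that would otherwise swallow the resulting exception.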

@mkalioby (Owner)

mkalioby commented Sep 3, 2024

Nice catch

@rafaelurben (Author)

@mkalioby Do you intend to fix this as part of upcoming merges or may I make a PR together with fixes for #21?

@mkalioby (Owner)

mkalioby commented Sep 3, 2024

Let's do this in a single PR if you can, as this applies to version v1.2; as with the template naming, we will move to v2.0 as it is a breaking change.
