From 9c688e22dc82ba4de88eab8d5cbbd209511f77e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Tue, 4 Oct 2022 00:16:10 +0200 Subject: [PATCH] Allow to delete Webauthn Keys --- src/Controller/UserSettingsController.php | 31 +++++++++++++++++++++-- src/Services/TFA/BackupCodeManager.php | 4 +++ 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php index 0fa35881..27d80c66 100644 --- a/src/Controller/UserSettingsController.php +++ b/src/Controller/UserSettingsController.php @@ -44,6 +44,7 @@ namespace App\Controller; use App\Entity\UserSystem\U2FKey; use App\Entity\UserSystem\User; +use App\Entity\UserSystem\WebauthnKey; use App\Events\SecurityEvent; use App\Events\SecurityEvents; use App\Form\TFAGoogleSettingsType; @@ -130,6 +131,7 @@ class UserSettingsController extends AbstractController } if ($this->isCsrfTokenValid('delete'.$user->getId(), $request->request->get('_token'))) { + //Handle U2F key removal if ($request->request->has('key_id')) { $key_id = $request->request->get('key_id'); $key_repo = $entityManager->getRepository(U2FKey::class); @@ -138,14 +140,14 @@ class UserSettingsController extends AbstractController if (null === $u2f) { $this->addFlash('danger', 'tfa_u2f.u2f_delete.not_existing'); - throw new RuntimeException('Key not existing!'); + return $this->redirectToRoute('user_settings'); } //User can only delete its own U2F keys if ($u2f->getUser() !== $user) { $this->addFlash('danger', 'tfa_u2f.u2f_delete.access_denied'); - throw new RuntimeException('You can only delete your own U2F keys!'); + return $this->redirectToRoute('user_settings'); } $backupCodeManager->disableBackupCodesIfUnused($user); @@ -153,6 +155,31 @@ class UserSettingsController extends AbstractController $entityManager->flush(); $this->addFlash('success', 'tfa.u2f.u2f_delete.success'); + $security_event = new SecurityEvent($user); + $this->eventDispatcher->dispatch($security_event, SecurityEvents::U2F_REMOVED); + } else if ($request->request->has('webauthn_key_id')) { + $key_id = $request->request->get('webauthn_key_id'); + $key_repo = $entityManager->getRepository(WebauthnKey::class); + /** @var WebauthnKey|null $key */ + $key = $key_repo->find($key_id); + if (null === $key) { + $this->addFlash('error', 'tfa_u2f.u2f_delete.not_existing'); + + return $this->redirectToRoute('user_settings'); + } + + //User can only delete its own U2F keys + if ($key->getUser() !== $user) { + $this->addFlash('error', 'tfa_u2f.u2f_delete.access_denied'); + + return $this->redirectToRoute('user_settings'); + } + + $backupCodeManager->disableBackupCodesIfUnused($user); + $entityManager->remove($key); + $entityManager->flush(); + $this->addFlash('success', 'tfa.u2f.u2f_delete.success'); + $security_event = new SecurityEvent($user); $this->eventDispatcher->dispatch($security_event, SecurityEvents::U2F_REMOVED); } diff --git a/src/Services/TFA/BackupCodeManager.php b/src/Services/TFA/BackupCodeManager.php index 4447c211..ae3cae17 100644 --- a/src/Services/TFA/BackupCodeManager.php +++ b/src/Services/TFA/BackupCodeManager.php @@ -76,6 +76,10 @@ class BackupCodeManager return; } + if ($user->isWebAuthnAuthenticatorEnabled()) { + return; + } + $user->setBackupCodes([]); }