From 356574e2e9edc874605aaed6902f9f5df4a783ae Mon Sep 17 00:00:00 2001 
From: vnugent Date: Sun, 19 May 2024 12:10:16 -0400 Subject: Squashed commit of the following: commit 1e8b4296d3a2093dbddcfd8479f162d077606f71 Author: vnugent Date: Sun May 19 11:43:27 2024 -0400 refactor: Preparing for WebAuthn and core updates commit 34ca3d09a96fb615d00e14abb4a70fe787fe1965 Author: vnugent Date: Thu May 2 15:40:59 2024 -0400 feat: Allow config to toggle strict user-agent checking commit f4b1086b4a406c759f5a0c44ade63ee9bb79c60d Merge: 3df7bdb dfbb88e Author: vnugent Date: Sat Apr 27 18:43:14 2024 -0400 Merge branch 'master' into develop commit 3df7bdbaa9371f552c71162022c6ccc618be8bac Author: vnugent Date: Sat Apr 27 18:42:26 2024 -0400 chore: fix missing !, cleanup project files commit 6ec4156fb5c996d00a027f767fee7e6314e91582 Merge: 377c8a5 a74cd04 Author: vnugent Date: Sat Apr 27 17:40:30 2024 -0400 Merge branch 'master' into develop commit 377c8a5f8bb272eff5089094f5b764eb043b728f Author: vnugent Date: Sat Apr 27 17:28:25 2024 -0400 fix: Missing cookie set on cred regen commit a12873dceecc72c9af3966002bfca9faefc5aac7 Merge: 2963bf6 8d57b05 Author: vnugent Date: Sat Apr 20 12:07:42 2024 -0400 Merge branch 'master' into develop commit 2963bf62919b3bfac4aa5055d57fe91f93ca8a0b Author: vnugent Date: Sat Apr 20 11:59:45 2024 -0400 chore: Package updates commit 9539717a751baae762498a2cadfe94ef8fda5830 Merge: 44803e0 a7cf7c8 Author: vnugent Date: Mon Apr 8 22:04:26 2024 -0400 Merge branch 'master' into develop commit 44803e06d1aa45496c04127930aa8897272d42f6 Author: vnugent Date: Mon Apr 8 21:41:38 2024 -0400 fix: dangling/expired session security check and cookie cleanup commit 1082bd146549a1aff47877bcd28e6be1ce0ef5e9 Author: vnugent Date: Sat Mar 30 22:20:29 2024 -0400 feat(app): Add AppData client plugin and browser library updated commit ec9b42f4cacbeae8a0b4d96e48bd9e522b3a9145 Merge: 2a11454 27b487b Author: vnugent Date: Sun Mar 24 21:16:05 2024 -0400 Merge branch 'master' into develop commit 2a114541a3bfddae887adaa98c1ed326b125d511 Author: vnugent 
Date: Sun Mar 24 20:53:38 2024 -0400 refactor: pull apart session authorization for future dev commit f8aea6453ddb2d56c1ce2ecb6a9e67d1af523c2e Author: vnugent Date: Thu Mar 21 14:33:21 2024 -0400 feat: Add optional svg base64 icons for social OAuth2 connections commit cc29bed99dc9e151315cce75e50d55dca306b532 Author: vnugent Date: Sun Mar 10 21:58:27 2024 -0400 source tree project location updated --- .../src/MFA/Fido/FidoAuthenticatorSelection.cs | 40 ++++++++++++++++ .../src/MFA/Fido/FidoPubkeyAlgorithm.cs | 37 ++++++++++++++ .../src/MFA/Fido/FidoRegClientData.cs | 40 ++++++++++++++++ .../src/MFA/Fido/FidoRegistrationMessage.cs | 56 ++++++++++++++++++++++ .../src/MFA/Fido/FidoRelyingParty.cs | 37 ++++++++++++++ .../src/MFA/Fido/FidoUserData.cs | 54 +++++++++++++++++++++ .../src/MFA/FidoAuthenticatorSelection.cs | 38 --------------- .../src/MFA/FidoRegClientData.cs | 40 ---------------- .../src/MFA/FidoRegistrationMessage.cs | 52 -------------------- .../src/MFA/MFAConfig.cs | 3 +- .../src/SecurityProvider/AccountSecConfig.cs | 6 +++ .../src/SecurityProvider/AccountSecProvider.cs | 2 +- .../src/LoginUriBuilder.cs | 14 +++--- 13 files changed, 280 insertions(+), 139 deletions(-) create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs create mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs delete mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs delete mode 100644 plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs delete mode 100644 
plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
new file mode 100644
index 0000000..301113c
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
@@ -0,0 +1,40 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoAuthenticatorSelection.cs
+*
+* FidoAuthenticatorSelection.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoAuthenticatorSelection
+ {
+ [JsonPropertyName("requireResidentKey")]
+ public bool RequireResidentKey { get; set; } = false;
+
+ [JsonPropertyName("authenticatorAttachment")]
+ public string? AuthenticatorAttachment { get; set; } = "cross-platform";
+
+ [JsonPropertyName("userVerification")]
+ public string? UserVerification { get; set; } = "required";
+ }
+}
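Review bot: `AuthenticatorAttachment` and `UserVerification` are plain `string?` properties carrying WebAuthn enumeration values, and nothing on the class records which values are legal or why these defaults were chosen, so a later edit could loosen them without anyone noticing. I would document each, e.g. `/// WebAuthn userVerification; "required" is kept deliberately so the authenticator must verify the user (PIN/biometric) at registration.` and `/// WebAuthn authenticatorAttachment: "platform" or "cross-platform".` The `= false` initializer on `RequireResidentKey` is already the default and can be dropped.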
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
new file mode 100644
index 0000000..0bdd563
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoPubkeyAlgorithm.cs
+*
+* FidoPubkeyAlgorithm.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoPubkeyAlgorithm
+ {
+ [JsonPropertyName("alg")]
+ public int AlgId { get; set; }
+
+ [JsonPropertyName("type")]
+ public string Type { get; set; } = "public-key";
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
new file mode 100644
index 0000000..3ad17f3
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
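Review bot: `AlgId` has no documentation saying it is a COSE algorithm identifier, which is the only thing that makes a negative integer like -7 meaningful to the next reader; add `/// COSE algorithm identifier from the IANA COSE registry (e.g. -7 for ES256, -257 for RS256).` `Type` is initialised to `"public-key"`, the only value the WebAuthn API accepts for this member, so an `init`-only setter or a comment saying it is not meant to be changed would make that intent visible.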
@@ -0,0 +1,40 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoRegClientData.cs
+*
+* FidoRegClientData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoRegClientData
+ {
+ [JsonPropertyName("challenge")]
+ public string? Challenge { get; set; }
+
+ [JsonPropertyName("origin")]
+ public string? Origin { get; set; }
+
+ [JsonPropertyName("type")]
+ public string? Type { get; set; }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
new file mode 100644
index 0000000..4dfa036
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
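Review bot: `FidoRegClientData` models the client-data JSON returned by the browser, and all three fields are nullable with no stated contract, so a reader cannot tell that none of them is trusted as received. The consumer, which is not part of this diff, has to compare `Type` against the expected ceremony type (`webauthn.create` for registration), `Challenge` against the challenge issued for this session, and `Origin` against the configured relying-party origin, all with ordinal comparison, before the attestation object is examined. I would state that on the class: `/// Parsed clientDataJSON from the browser. Every field must be verified against the server's expected value before the response is accepted; a null field is a failed registration, not a default.` Whether `Challenge` arrives base64url-encoded, as the WebAuthn spec serialises it, or is re-encoded by the client is not visible here and should be confirmed and documented too.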
@@ -0,0 +1,56 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoRegistrationMessage.cs
+*
+* FidoRegistrationMessage.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ ///
+ /// Represents a fido device registration message to be sent
+ /// to a currently signed in user
+ ///
+ sealed class FidoRegistrationMessage
+ {
+ [JsonPropertyName("challenge")]
+ public string? Base64Challenge { get; set; } = null;
+
+ [JsonPropertyName("timeout")]
+ public int Timeout { get; set; } = 60000;
+
+ [JsonPropertyName("rp")]
+ public FidoRelyingParty RelyingParty { get; set; } = new();
+
+ [JsonPropertyName("attestation")]
+ public string AttestationType { get; set; } = "none";
+
+ [JsonPropertyName("user")]
+ public FidoUserData User { get; set; } = new();
+
+ [JsonPropertyName("pubKeyCredParams")]
+ public FidoPubkeyAlgorithm[]? PubKeyCredParams { get; set; }
+
+ [JsonPropertyName("authenticatorSelection")]
+ public FidoAuthenticatorSelection AuthSelection { get; set; } = new();
+ }
+}
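Review bot: `sealed class FidoRegistrationMessage` has no explicit access modifier while every sibling added in this commit is `internal sealed class …`; make it `internal sealed class FidoRegistrationMessage` so the convention is consistent (the compiler default is already internal, so behaviour does not change). `PubKeyCredParams` is the one member the browser's WebAuthn API treats as required in the creation options, yet it is the only one left nullable with no initializer; document that the builder must populate it, or initialise it, so a half-built message cannot be serialised. The `= null` on `Base64Challenge` is redundant, and the XML summary is the right place to note that `Base64Challenge` must be a fresh random value per registration attempt and that `Timeout` is in milliseconds.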
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
new file mode 100644
index 0000000..d259ac6
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoRelyingParty.cs
+*
+* FidoRelyingParty.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoRelyingParty
+ {
+ [JsonPropertyName("id")]
+ public string? Id { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? Name { get; set; }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
new file mode 100644
index 0000000..aadef29
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
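Review bot: `FidoRelyingParty.Id` is the WebAuthn rp.id that every credential is scoped to, and nothing here says it must be a registrable-domain suffix of the site's origin or where the value comes from; the code that populates it is not in this diff, but if it were ever derived from the request `Host` header a client-supplied value would decide the credential scope. Document the contract on the property: `/// rp.id: a registrable-domain suffix of the site origin, taken from configuration, never from the request.` `Name` is also required by the browser API, so a non-nullable type or a `required` initializer would be closer to the contract than `string?`.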
@@ -0,0 +1,54 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoUserData.cs
+*
+* FidoUserData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Buffers.Binary;
+using System.Formats.Cbor;
+using System.Text.Json.Serialization;
+
+using VNLib.Hashing.IdentityUtility;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoAuthenticatorResponse
+ {
+ [JsonPropertyName("client_data")]
+ public string? Base64ClientDataJson { get; set; }
+
+ [JsonPropertyName("attestation_object")]
+ public string? Base64AttestationObject { get; set; }
+ }
+
+ internal sealed class FidoUserData
+ {
+ [JsonPropertyName("id")]
+ public string? UserId { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? UserName { get; set; }
+
+ [JsonPropertyName("displayName")]
+ public string? DisplayName { get; set; }
+ }
+}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs
deleted file mode 100644
index 6db41af..0000000
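Review bot: `FidoUserData.cs` declares two types, `FidoAuthenticatorResponse` and `FidoUserData`, and imports `System`, `System.Buffers.Binary`, `System.Formats.Cbor` and `VNLib.Hashing.IdentityUtility`, none of which anything in the file references; it reads like an unfinished attestation-parsing draft checked in with the move, so `FidoAuthenticatorResponse` belongs in its own file and the unused usings should go. The JSON names `client_data` and `attestation_object` are snake_case while every other DTO in this commit uses camelCase; unless a client already depends on them, align them now rather than after they ship. `UserId` is the WebAuthn user handle, which the spec requires to be an opaque identifier free of personally identifying information; a comment such as `/// Opaque user handle sent to the authenticator; must not embed the email or username.` would stop a later change from putting the account name there.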
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
-* Copyright (c) 2022 Vaughn Nugent
-*
-* Library: VNLib
-* Package: VNLib.Plugins.Essentials.Accounts
-* File: FidoAuthenticatorSelection.cs
-*
-* FidoAuthenticatorSelection.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
-* VNLib collection of libraries and utilities.
-*
-* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
-* it under the terms of the GNU Affero General Public License as
-* published by the Free Software Foundation, either version 3 of the
-* License, or (at your option) any later version.
-*
-* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU Affero General Public License for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see https://www.gnu.org/licenses/.
-*/
-
-using System.Text.Json.Serialization;
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
- class FidoAuthenticatorSelection
- {
- [JsonPropertyName("requireResidentKey")]
- public bool RequireResidentKey { get; set; } = false;
- [JsonPropertyName("authenticatorAttachment")]
- public string? AuthenticatorAttachment { get; set; } = "cross-platform";
- [JsonPropertyName("userVerification")]
- public string? UserVerification { get; set; } = "required";
- }
-}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs
deleted file mode 100644
index 1ef7d59..0000000
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
-* Copyright (c) 2022 Vaughn Nugent
-*
-* Library: VNLib
-* Package: VNLib.Plugins.Essentials.Accounts
-* File: FidoRegClientData.cs
-*
-* FidoRegClientData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
-* VNLib collection of libraries and utilities.
-*
-* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
-* it under the terms of the GNU Affero General Public License as
-* published by the Free Software Foundation, either version 3 of the
-* License, or (at your option) any later version.
-*
-* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU Affero General Public License for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see https://www.gnu.org/licenses/.
-*/
-
-using System.Text.Json.Serialization;
-
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
- internal class FidoRegClientData
- {
- [JsonPropertyName("challenge")]
- public string? Challenge { get; set; }
- [JsonPropertyName("origin")]
- public string? Origin { get; set; }
- [JsonPropertyName("type")]
- public string? Type { get; set; }
- }
-}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs
deleted file mode 100644
index e8fbcc4..0000000
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
-* Copyright (c) 2022 Vaughn Nugent
-*
-* Library: VNLib
-* Package: VNLib.Plugins.Essentials.Accounts
-* File: FidoRegistrationMessage.cs
-*
-* FidoRegistrationMessage.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
-* VNLib collection of libraries and utilities.
-*
-* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
-* it under the terms of the GNU Affero General Public License as
-* published by the Free Software Foundation, either version 3 of the
-* License, or (at your option) any later version.
-*
-* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU Affero General Public License for more details.
-*
-* You should have received a copy of the GNU Affero General Public License
-* along with this program. If not, see https://www.gnu.org/licenses/.
-*/
-
-using System.Text.Json.Serialization;
-
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
- ///
- /// Represents a fido device registration message to be sent
- /// to a currently signed in user
- ///
- class FidoRegistrationMessage
- {
- [JsonPropertyName("id")]
- public string? GuidUserId { get; set; }
- [JsonPropertyName("challenge")]
- public string? Base64Challenge { get; set; } = null;
- [JsonPropertyName("timeout")]
- public int Timeout { get; set; } = 60000;
- [JsonPropertyName("cose_alg")]
- public int CoseAlgNumber { get; set; }
- [JsonPropertyName("rp_name")]
- public string? SiteName { get; set; }
- [JsonPropertyName("attestation")]
- public string? AttestationType { get; set; } = "none";
- [JsonPropertyName("authenticatorSelection")]
- public FidoAuthenticatorSelection? AuthSelection { get; set; } = new();
- }
-}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
index bb86a3f..9dfd183 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
@@ -29,9 +29,10 @@ using FluentValidation;
 using VNLib.Hashing;
 using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Essentials.Accounts.MFA.Fido;
 namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
+{
 [ConfigurationName("mfa")]
 internal class MFAConfig : IOnConfigValidation
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
index 180e30e..4c80eac 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
@@ -184,6 +184,12 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
 [JsonPropertyName("strict_path")]
 public bool VerifyPath { get; set; } = true;
+ ///
+ /// Enforce strict user-agent strings for authorized users
+ ///
+ [JsonPropertyName("strict_user_agent")]
+ public bool StrictUserAgent { get; set; } = true;
+
 void IOnConfigValidation.Validate()
 {
 //Validate the current instance
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
index e20ec9f..d800e3e 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
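Review bot: The new `StrictUserAgent` summary says what the flag enforces but not what turning it off gives up, which is the part an operator editing `strict_user_agent` needs: with it false, an elevated session cookie replayed from a different browser is no longer rejected by the user-agent comparison in `AccountSecProvider`. I would expand the comment to `/// When true, an elevated session is denied if the request's user-agent differs from the one recorded when it was elevated. Disable only for clients whose user-agent legitimately changes; it removes one check against a session cookie being replayed from another client.` Since `Validate()` follows directly below, emitting a warning there when the flag is false (if a logger is reachable from it) would make the weakened posture visible at startup; its body is outside the hunk.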
@@ -120,7 +120,7 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
 else if (ClientWebAuthManager.IsSessionElevated(in session))
 {
 //If the session stored a user-agent, make sure it matches the connection
- if (!string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
+ if (_config.StrictUserAgent && !string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
 {
 _logger.Debug("Denied authorized connection from {ip} because user-agent changed", entity.TrustedRemoteIp);
 return ValueTask.FromResult(FileProcessArgs.Deny);
diff --git a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
index da37fb7..4ed6ffd 100644
--- a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
+++ b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
@@ -56,11 +56,11 @@ namespace VNLib.Plugins.Essentials.Auth.Social
 //buffer writer for easier syntax
 ForwardOnlyWriter writer = new(buffer);
 //first build the redirect url to re-encode it
- writer.Append(scheme);
- writer.Append("://");
+ writer.AppendSmall(scheme);
+ writer.AppendSmall("://");
 //Create redirect url (current page, default action is to authorize the client)
- writer.Append(authority);
- writer.Append(path);
+ writer.AppendSmall(authority);
+ writer.AppendSmall(path);
 //url encode the redirect path and save it for later
 redirectUrl = Uri.EscapeDataString(writer.ToString());
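Review bot: The comment above the changed condition, `//If the session stored a user-agent, make sure it matches the connection`, now describes only half of what the line does, since the comparison is skipped entirely when `_config.StrictUserAgent` is false; update it to `//If strict UA checking is enabled, deny an elevated session whose user-agent no longer matches the connection`. With the check disabled there is also no trace of a mismatch at all, so a detection signal disappears together with the enforcement; keeping the existing `_logger.Debug` on mismatch regardless of the flag and gating only the `Deny` return would preserve it. `_config` and the enclosing method are outside the hunk, so I am assuming `_config` is the `AccountSecConfig` instance that carries the new flag.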
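Review bot: `AppendSmall` is applied to `authority` and `path` as well as to the literal `"://"`, but only `"://"` is of fixed, small size; the comment `//Create redirect url (current page, …)` suggests `authority` and `path` come from the current request, and if `AppendSmall` carries the length bound its name implies, a long host or path would fail or be truncated where `Append` previously coped. `ForwardOnlyWriter` is not visible here, so confirm its contract; if there is a bound, keep `writer.Append(authority);` and `writer.Append(path);` and reserve `AppendSmall` for literals, which is what the second hunk of this file already does for its variable values. The enclosing method starts and ends outside the hunk.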
@@ -98,13 +98,13 @@ namespace VNLib.Plugins.Essentials.Auth.Social
 //Append the config redirect path
 writer.Append(Config.AccessCodeUrl.OriginalString);
 //begin query arguments
- writer.Append("&client_id=");
+ writer.AppendSmall("&client_id=");
 writer.Append(Config.ClientID.Value);
 //add the redirect url
- writer.Append("&redirect_uri=");
+ writer.AppendSmall("&redirect_uri=");
 writer.Append(redirectUrl);
 //Append the state parameter
- writer.Append("&state=");
+ writer.AppendSmall("&state=");
 writer.Append(nonce);
 //Collect the written character data
-- cgit
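Review bot: `writer.AppendSmall("&client_id=");` is written straight after `Config.AccessCodeUrl.OriginalString`, so the query string is only well-formed if the configured URL already carries a query (for example a fixed `response_type` parameter); a bare URL would yield something like `https://provider.example/authorize&client_id=…` (constructed example), where the first parameter becomes part of the path. This predates the commit, but since the line is being rewritten it is the moment to either document that requirement on `AccessCodeUrl` or pick the separator from the URL itself, `writer.AppendSmall(string.IsNullOrEmpty(Config.AccessCodeUrl.Query) ? "?client_id=" : "&client_id=");`. `redirectUrl` is escaped earlier, but `Config.ClientID.Value` and `nonce` are written raw, which is only safe if both are produced from URL-safe alphabets; that should be stated where they are generated. The enclosing method starts and ends outside the hunk.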