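<?php
/**
 * FIDO U2F Support Module
 *
 * Registers a FIDO U2F security key as an MFA method for the logged-in user.
 *
 * Flow: the page is opened with action=reg1, which issues a U2F register
 * request (challenge) and shows the registration form.  u2f-api.js in the
 * browser hands that request to the key, then the form posts back with
 * action=reg2 carrying the key's registration response.  The response is
 * verified against the request issued in reg1 and the resulting key data is
 * stored in login_mfa_registrations.
 *
 * @package OpenEMR
 * @link http://www.open-emr.org
 * @author Rod Roark <rod@sunsetsystems.com>
 * @copyright Copyright (c) 2018 Rod Roark <rod@sunsetsystems.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

require_once('../globals.php');

use OpenEMR\Core\Header;

// https is required, and with a proxy the server might not see it.
$scheme = "https://"; // isset($_SERVER['HTTPS']) ? "https://" : "http://";
// The AppID is built from the Host header, i.e. request-supplied text.  It is
// therefore only ever written into the page through an escaping function.
$appId = $scheme . $_SERVER['HTTP_HOST'];
$u2f = new u2flib_server\U2F($appId);

$userid = $_SESSION['authId'];

// Only the two known actions are acted on; any other value (or none) just
// renders the empty page skeleton instead of being compared against below.
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
if (!in_array($action, array('reg1', 'reg2'), true)) {
    $action = '';
}

// Session slot holding the register request issued in reg1.  reg2 verifies the
// key's response against this server-side copy rather than against the
// form_request value posted back by the browser, so the client cannot swap in
// a challenge of its own choosing.
$requestSessionKey = 'mfa_u2f_register_request';
?>
<html>
<head>
<?php Header::setupHeader(); ?>
<title><?php echo xlt('U2F Registration'); ?></title>
<script src="<?php echo $GLOBALS['webroot'] ?>/library/js/u2f-api.js"></script>
<script>

// Checks that a key name was typed, asks the U2F device to register using the
// server's request (carried in the form_request hidden field), then posts the
// device's response back as action=reg2.  The name check is repeated server
// side; this one only saves the user a round trip.
function doregister() {
    var f = document.forms[0];
    if (f.form_name.value.trim() == '') {
        alert('<?php echo xls("Please enter a name for this key."); ?>');
        return;
    }
    var request = JSON.parse(f.form_request.value);
    u2f.register(
        // json_encode with the HEX flags emits a quoted JS string literal in
        // which <, >, &, ' and " are all escaped, so the Host-derived AppID
        // cannot terminate the string or the script element.
        <?php echo json_encode($appId, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>,
        [request],
        [],
        function(data) {
            if (data.errorCode && data.errorCode != 0) {
                alert('<?php echo xls("Registration failed with error"); ?> ' + data.errorCode);
                return;
            }
            f.form_registration.value = JSON.stringify(data);
            f.action.value = 'reg2';
            top.restoreSession();
            f.submit();
        }
    );
}

// Returns to the MFA registrations list without registering anything.
function docancel() {
    window.location.href = 'mfa_registrations.php';
}

</script>
</head>
<body class="body_top">
<form method='post' action='mfa_u2f.php' onsubmit='return top.restoreSession()'>
<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />

<?php
///////////////////////////////////////////////////////////////////////

if ($action == 'reg1') {
    // Issue a fresh register request.  The session keeps the authoritative
    // copy; the hidden form copy exists only so the browser can pass it to
    // the key.  $signs (already registered keys) is emitted for completeness
    // but is not needed to complete registration.
    list ($request, $signs) = $u2f->getRegisterData();
    $_SESSION[$requestSessionKey] = json_encode($request);
    ?>
    <div class="container">
        <div class="row">
            <div class="col-xs-12">
                <div class="page-header">
                    <h3><?php echo xlt('Register U2F Key'); ?></h3>
                </div>
            </div>
        </div>
        <div class="row">
            <div class="col-xs-12">
                <p>
                    <?php echo xlt('This will register a new U2F USB key.'); ?>
                    <?php echo xlt('Type a name for your key, insert it into a USB port and click the Register button below.'); ?>
                    <?php echo xlt('Then press the flashing button on your key within 1 minute to complete registration.'); ?>
                </p>
                <table><tr><td>
                    <?php echo xlt('Please give this key a name'); ?>:
                    <input type='text' name='form_name' value='' size='16' />&nbsp;</td>
                    <td><input type='button' value='<?php echo xla('Register'); ?>' onclick='doregister()' />
                    <input type='button' value='<?php echo xla('Cancel'); ?>' onclick='docancel()' />
                    <input type='hidden' name='form_request' value='<?php echo attr(json_encode($request)); ?>' />
                    <input type='hidden' name='form_signs' value='<?php echo attr(json_encode($signs)); ?>' />
                    <input type='hidden' name='form_registration' value='' />
                </td></tr></table>
                &nbsp;<br />
                <p>
                    <?php echo xlt('A secure (HTTPS) web connection is required for U2F. Firefox and Chrome are known to work.'); ?>
                </p>
                <p>
                    <?php echo xlt('For U2F support on Linux see'); ?>:
                    <a href='https://www.key-id.com/enable-fido-u2f-linux/' target='_blank'>
                    https://www.key-id.com/enable-fido-u2f-linux/</a>
                </p>
                <p>
                    <?php echo xlt('For Firefox see'); ?>:
                    <a href='https://www.trishtech.com/2018/07/enable-fido-u2f-security-key-yubikey-in-mozilla-firefox/' target='_blank'>
                    https://www.trishtech.com/2018/07/enable-fido-u2f-security-key-yubikey-in-mozilla-firefox/</a>
                </p>
            </div>
        </div>
    </div>
    <?php
} else if ($action == 'reg2') {
    $csrfToken = isset($_POST['csrf_token_form']) ? $_POST['csrf_token_form'] : '';
    if (!verifyCsrfToken($csrfToken)) {
        csrfNotVerified();
    }

    // The request is single-use: take it out of the session before verifying
    // so that a failed or repeated post cannot reuse the same challenge.
    $request = null;
    if (isset($_SESSION[$requestSessionKey])) {
        $request = json_decode($_SESSION[$requestSessionKey]);
        unset($_SESSION[$requestSessionKey]);
    }
    $registration = isset($_POST['form_registration']) ? json_decode($_POST['form_registration']) : null;
    // json_decode yields null on malformed input; stop here rather than hand
    // a null to the library.
    if (!is_object($request) || !is_object($registration)) {
        die(xlt('Registration error') . ': ' . xlt('Missing or malformed registration data'));
    }

    try {
        $data = $u2f->doRegister($request, $registration);
    } catch (u2flib_server\Error $e) {
        die(xlt('Registration error') . ': ' . text($e->getMessage()));
    }

    // Server-side counterpart of the JS name check; the name is stored trimmed
    // so that surrounding whitespace cannot produce look-alike duplicates.
    $formName = isset($_POST['form_name']) ? trim($_POST['form_name']) : '';

    echo "<script>\n";
    if ($formName === '') {
        echo " alert('" . xls('Please enter a name for this key.') . "');\n";
    } else {
        $row = sqlQuery(
            "SELECT COUNT(*) AS count FROM login_mfa_registrations WHERE " .
            "`user_id` = ? AND `name` = ?",
            array($userid, $formName)
        );
        if (empty($row['count'])) {
            // var1 holds the library's registration record (key handle,
            // public key, certificate, counter); var2 is unused for U2F.
            sqlStatement(
                "INSERT INTO login_mfa_registrations " .
                "(`user_id`, `method`, `name`, `var1`, `var2`) VALUES " .
                "(?, 'U2F', ?, ?, ?)",
                array($userid, $formName, json_encode($data), '')
            );
        } else {
            echo " alert('" . xls('This key name is already in use by you. Try again.') . "');\n";
        }
    }
    echo " window.location.href = 'mfa_registrations.php';\n";
    echo "</script>\n";
}

///////////////////////////////////////////////////////////////////////
?>

<input type='hidden' name='action' value='' />
</form>
</body>
</html>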