move the password_authsource parameter into the authsource config

restena-sw · restena-sw · commit 499df4d538af · 2023-07-19T11:55:26.000+02:00
it is misplaced in the general module config because only needed
specifically in the Supercharged context
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ You can install this module with composer:
 
 If you are using PHP 7, you also need to install either the GMP extension (recommended) or the BCMath extension.
 
-## How to setup the webauthn module as an authprocfilter
+## How to setup the webauthn module as a second-factor (an authprocfilter)
 
 You need to enable the module's authprocfilter at a priority level
 so that it takes place AFTER the first-factor authentication. E.g. at 100 and
@@ -100,7 +100,7 @@ will be forced into 2FA.
 Then you need to copy config-templates/module_webauthn.php to your config directory
 and adjust settings accordingly. See the file for parameters description.
 
-## How to set up Passwordless authentication
+## How to set up (pure) Passwordless authentication
 
 In passwordless mode, the module provides an AuthSource, to be configured as
 usual in simpleSAMLphp's config/authsources.php
@@ -131,6 +131,27 @@ The authsource takes the following parameters in authsources.php:
 ],
 ```
 
+## How to set up simultaneous Passwordless and traditional two-factor
+
+In this mode, the authentication prompt simultaneously allows for either 
+triggering a Passwordless auth, or to enter a username/password as traditional
+first-factor.
+
+The configuration is almost identical to Passwordless above, but requires one
+extra required configuration parameter: the authsource that should be used to 
+validate the username/password, if supplied by the user.
+
+The authsource takes the following parameters in authsources.php:
+
+```php
+'name-your-source' => [
+    'webauthn:Supercharged',
+    'password_authsource' => 'whatever-authsource',
+    // 'authncontextclassref' => 'https://refeds.org/profile/mfa',
+
+],
+```
+
 ## Using storage
 
 The database schema sets itself up on first use automatically. The schema can be
diff --git a/src/Auth/Source/Supercharged.php b/src/Auth/Source/Supercharged.php
@@ -22,13 +22,23 @@
 class Supercharged extends Passwordless
 {
 
+    /**
+     * The AuthSource to use when someone enters a username/password
+     * 
+     * @var string
+     */
+    private $pushbackAuthsource;
+    
     public function __construct(array $info, array $config)
     {
         parent::__construct($info, $config);
+        
+        $this->pushbackAuthsource = $this->authSourceConfig->getString("password_authsource");
     }
     public function authenticate(array &$state): void
     {
         $state['saml:AuthnContextClassRef'] = $this->authnContextClassRef;
+        $state['pushbackAuthsource'] = $this->pushbackAuthsource;
 
         StaticProcessHelper::prepareStatePasswordlessAuth($this->stateData, $state);
         StaticProcessHelper::saveStateAndRedirectSupercharged($state);
diff --git a/src/Controller/PushbackUserPass.php b/src/Controller/PushbackUserPass.php
@@ -100,9 +100,10 @@ public function main(Request $request): Response {
             throw new Error\BadRequest('Missing required StateId query parameter.');
         }
 
-        $moduleConfig = Configuration::getOptionalConfig('module_webauthn.php');
+        $state = $this->authState::loadState($stateId, 'webauthn:request');
+                
         $authsources = Configuration::getConfig('authsources.php')->toArray();
-        $authsourceString = $moduleConfig->getString('password_authsource');
+        $authsourceString = $state['pushbackAuthsource'];
         $classname = get_class(Source::getById($authsourceString));
         class_alias($classname, 'AuthSourceOverloader');
         $overrideSource = new class(['AuthId' => $authsourceString], $authsources[$authsourceString]) extends \AuthSourceOverloader {
@@ -112,9 +113,7 @@ public function loginOverload(string $username, string $password): array {
         };
 
         $attribs = $overrideSource->loginOverload($request->request->get("username"), $request->request->get("password"));
-        
-        $state = $this->authState::loadState($stateId, 'webauthn:request');
-        
+       
         // this is the confirmed username, we store it just like the Passwordless
         // one would have been
         
@@ -123,6 +122,7 @@ public function loginOverload(string $username, string $password): array {
         // we deliberately do not store any additional attributes - these have
         // to be retrieved from the same authproc that would retrieve them
         // in Passwordless mode
+        unset($attribs);
 
         // now properly return our final state to the framework
         Source::completeAuth($state);

Original file line number	Diff line number	Diff line change
`@@ -22,13 +22,23 @@`
`22`	`22`	`class Supercharged extends Passwordless`
`23`	`23`	`{`
`24`	`24`
	`25`	`+ /**`
	`26`	`+ * The AuthSource to use when someone enters a username/password`
	`27`	`+ *`
	`28`	`+ * @var string`
	`29`	`+ */`
	`30`	`+ private $pushbackAuthsource;`
	`31`	`+`
`25`	`32`	`public function __construct(array $info, array $config)`
`26`	`33`	`{`
`27`	`34`	`parent::__construct($info, $config);`
	`35`	`+`
	`36`	`+ $this->pushbackAuthsource = $this->authSourceConfig->getString("password_authsource");`
`28`	`37`	`}`
`29`	`38`	`public function authenticate(array &$state): void`
`30`	`39`	`{`
`31`	`40`	`$state['saml:AuthnContextClassRef'] = $this->authnContextClassRef;`
	`41`	`+ $state['pushbackAuthsource'] = $this->pushbackAuthsource;`
`32`	`42`
`33`	`43`	`StaticProcessHelper::prepareStatePasswordlessAuth($this->stateData, $state);`
`34`	`44`	`StaticProcessHelper::saveStateAndRedirectSupercharged($state);`