move the password_authsource parameter into the authsource config

it is misplaced in the general module config because only needed specifically in the Supercharged context
simplesamlphp · Jul 19, 2023 · 499df4d · 499df4d
1 parent 06d95e0
commit 499df4d
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ You can install this module with composer:
 
 If you are using PHP 7, you also need to install either the GMP extension (recommended) or the BCMath extension.
 
-## How to setup the webauthn module as an authprocfilter
+## How to setup the webauthn module as a second-factor (an authprocfilter)
 
 You need to enable the module's authprocfilter at a priority level
 so that it takes place AFTER the first-factor authentication. E.g. at 100 and
@@ -100,7 +100,7 @@ will be forced into 2FA.
 Then you need to copy config-templates/module_webauthn.php to your config directory
 and adjust settings accordingly. See the file for parameters description.
 
-## How to set up Passwordless authentication
+## How to set up (pure) Passwordless authentication
 
 In passwordless mode, the module provides an AuthSource, to be configured as
 usual in simpleSAMLphp's config/authsources.php
@@ -131,6 +131,27 @@ The authsource takes the following parameters in authsources.php:
 ],
 ```
 
+## How to set up simultaneous Passwordless and traditional two-factor
+
+In this mode, the authentication prompt simultaneously allows for either 
+triggering a Passwordless auth, or to enter a username/password as traditional
+first-factor.
+
+The configuration is almost identical to Passwordless above, but requires one
+extra required configuration parameter: the authsource that should be used to 
+validate the username/password, if supplied by the user.
+
+The authsource takes the following parameters in authsources.php:
+
+```php
+'name-your-source' => [
+    'webauthn:Supercharged',
+    'password_authsource' => 'whatever-authsource',
+    // 'authncontextclassref' => 'https://refeds.org/profile/mfa',
+
+],
+```
+
 ## Using storage
 
 The database schema sets itself up on first use automatically. The schema can be

diff --git a/src/Auth/Source/Supercharged.php b/src/Auth/Source/Supercharged.php
@@ -22,13 +22,23 @@
 class Supercharged extends Passwordless
 {
 
+    /**
+     * The AuthSource to use when someone enters a username/password
+     * 
+     * @var string
+     */
+    private $pushbackAuthsource;
+
     public function __construct(array $info, array $config)
     {
         parent::__construct($info, $config);
+
+        $this->pushbackAuthsource = $this->authSourceConfig->getString("password_authsource");
     }
     public function authenticate(array &$state): void
     {
         $state['saml:AuthnContextClassRef'] = $this->authnContextClassRef;
+        $state['pushbackAuthsource'] = $this->pushbackAuthsource;
 
         StaticProcessHelper::prepareStatePasswordlessAuth($this->stateData, $state);
         StaticProcessHelper::saveStateAndRedirectSupercharged($state);

diff --git a/src/Controller/PushbackUserPass.php b/src/Controller/PushbackUserPass.php
@@ -100,9 +100,10 @@ public function main(Request $request): Response {
             throw new Error\BadRequest('Missing required StateId query parameter.');
         }
 
-        $moduleConfig = Configuration::getOptionalConfig('module_webauthn.php');
+        $state = $this->authState::loadState($stateId, 'webauthn:request');
+
         $authsources = Configuration::getConfig('authsources.php')->toArray();
-        $authsourceString = $moduleConfig->getString('password_authsource');
+        $authsourceString = $state['pushbackAuthsource'];
         $classname = get_class(Source::getById($authsourceString));
         class_alias($classname, 'AuthSourceOverloader');
         $overrideSource = new class(['AuthId' => $authsourceString], $authsources[$authsourceString]) extends \AuthSourceOverloader {
@@ -112,9 +113,7 @@ public function loginOverload(string $username, string $password): array {
         };
 
         $attribs = $overrideSource->loginOverload($request->request->get("username"), $request->request->get("password"));
-
-        $state = $this->authState::loadState($stateId, 'webauthn:request');
-
+
         // this is the confirmed username, we store it just like the Passwordless
         // one would have been
 
@@ -123,6 +122,7 @@ public function loginOverload(string $username, string $password): array {
         // we deliberately do not store any additional attributes - these have
         // to be retrieved from the same authproc that would retrieve them
         // in Passwordless mode
+        unset($attribs);
 
         // now properly return our final state to the framework
         Source::completeAuth($state);