NFC-102 Web eID for mobile support#46
NFC-102 Web eID for mobile support#46SanderKondratjevNortal wants to merge 7 commits intoweb-eid-mobilefrom
Conversation
SanderKondratjevNortal
force-pushed
the
NFC-102
branch
3 times, most recently
from
363add3 to
1d5a80e
Compare
example/src/AuthContext.php
Outdated
| $base64ChallengeNonce | ||
| ); | ||
|
|
||
| session_regenerate_id(); |
There was a problem hiding this comment.
Session is regenerated twice, see Auth.validate() line 80.
example/src/AuthContext.php
Outdated
| session_regenerate_id(); | ||
|
|
||
| $subjectName = $this->getPrincipalNameFromCertificate($cert); | ||
| $_SESSION["auth-user"] = $subjectName; |
There was a problem hiding this comment.
I would suggest to move all session-related logic either up into Auth.validate() (along with session regeneration) or here for consistency.
example/src/MobileAuth.php
Outdated
| if (str_starts_with($baseUrl, 'http')) { | ||
| $authUri = rtrim($baseUrl, '/') . '/auth#' . $encodedPayload; | ||
| } else { | ||
| $authUri = rtrim($baseUrl, '/') . '//auth#' . $encodedPayload; | ||
| } |
There was a problem hiding this comment.
Maybe ternary conditional would be more clear:
| if (str_starts_with($baseUrl, 'http')) { | |
| $authUri = rtrim($baseUrl, '/') . '/auth#' . $encodedPayload; | |
| } else { | |
| $authUri = rtrim($baseUrl, '/') . '//auth#' . $encodedPayload; | |
| } | |
| $fragment = (str_starts_with($baseUrl, 'http') ? '//' : '/') . 'auth#'; | |
| $authUri = rtrim($baseUrl, '/') . $fragment . $encodedPayload; |
example/src/AuthContext.php
Outdated
|
|
||
| public function assertCsrf(bool $jsonError = true): void | ||
| { | ||
| $headers = array_change_key_case(getallheaders()); |
There was a problem hiding this comment.
Explicit is better than implicit:
| $headers = array_change_key_case(getallheaders()); | |
| $headers = array_change_key_case(getallheaders(), CASE_LOWER); |
SanderKondratjevNortal
force-pushed
the
NFC-102
branch
from
4f22693 to
a21b41c
Compare
example/src/AuthContext.php
Outdated
| return (new AuthTokenValidatorBuilder($logger)) | ||
| ->withSiteOrigin(new Uri($this->config->get('origin_url'))) | ||
| ->withTrustedCertificateAuthorities(...$this->trustedIntermediateCACertificates()) | ||
| ->withOcspRequestTimeout(5) |
There was a problem hiding this comment.
Is explicit OCSP timeout required here, can we omit this and rely on the default instead?
There was a problem hiding this comment.
Yes, we can, removed. Default: src/validator/AuthTokenValidatorBuilder.php:125
There was a problem hiding this comment.
Also used prettier
example/tpl/index.phtml
Outdated
| <code | ||
| >~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\ | ||
| Support/RIA/web-eid/web-eid.log</code | ||
| > |
There was a problem hiding this comment.
Formatting issue, remove line breaks from HTML tags:
| <code | |
| >~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\ | |
| Support/RIA/web-eid/web-eid.log</code | |
| > | |
| <code> | |
| ~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\ | |
| Support/RIA/web-eid/web-eid.log | |
| </code> |
Reformat with a HTML formatting tool for consistent formatting.
example/tpl/index.phtml
Outdated
| in macOS | ||
| </li> | ||
| <li> | ||
| <code |
There was a problem hiding this comment.
Formatting issue here as well, tags have line breaks inside.
example/tpl/index.phtml
Outdated
| of Safari in macOS | ||
| </li> | ||
| <li> | ||
| <code |
There was a problem hiding this comment.
Formatting issue here as well, tags have line breaks inside.
example/tpl/index.phtml
Outdated
| <p> | ||
| Technical overview of the solution is available in the project | ||
| <a href="https://github.com/web-eid/web-eid-system-architecture-doc" | ||
| >system architecture document</a |
There was a problem hiding this comment.
Formatting issue here as well, tags have line breaks inside.
| } catch (Throwable) { | ||
| throw new CertificateDecodingException("'{$fieldName}' decode failed"); |
There was a problem hiding this comment.
Generally the recommendation is that lower layers like current library code should catch Exceptions, not Throwables. Throwables should be caught at the outer application layer.
Also, would it help to include the original exception?
| } catch (Throwable) { | |
| throw new CertificateDecodingException("'{$fieldName}' decode failed"); | |
| } catch (Throwable $e) { | |
| throw new CertificateDecodingException($e, "'{$fieldName}' decode failed"); |
There was a problem hiding this comment.
Also used prettier
| } | ||
| } catch (UserCertificateOCSPCheckFailedException $e) { | ||
| throw $e; | ||
| } catch (Throwable $e) { |
There was a problem hiding this comment.
Same Throwable problem in existing code.
| } | ||
|
|
||
| private static function checkNonce(OcspRequest $request, OcspBasicResponse $basicResponse): void | ||
| { |
There was a problem hiding this comment.
Broken indents, reformat with PHP formatting tool.
|
|
||
| if ($signingCertificates === null || empty($signingCertificates)) { | ||
| throw new AuthTokenParseException( | ||
| "'unverifiedSigningCertificates' field is missing, null or empty for format 'web-eid:1.1'" |
There was a problem hiding this comment.
Can unverifiedSigningCertificates legitimately be empty, for example when the signing certificate does not exist on the eID token or the reader cannot read the signing cert etc? How did you specify this? (This applies to .NET and Java, too.)
There was a problem hiding this comment.
In the current web-eid:1.1, unverifiedSigningCertificates is expected to be present and contain at least one entry. The PHP, Java and .NET validators all enforce that intentionally.
This is based on the current token format definition (will be also in the readme).
|
|
||
| try { | ||
| $loaded = $subjectCertificate->loadX509($authToken->getUnverifiedCertificate()); | ||
| } catch (Throwable $e) { |
There was a problem hiding this comment.
Also used prettier
…ort for web-eid example Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
…bile auth error layout Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
SanderKondratjevNortal
force-pushed
the
NFC-102
branch
from
a21b41c to
871c0fa
Compare
Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
2 participants
Signed-off-by: Sander Kondratjev sander.kondratjev@nortal.com