From a31088b002f61abcf8bfb4d183e529a43900a970 Mon Sep 17 00:00:00 2001
From: gaby
Date: Mon, 20 Apr 2026 14:07:21 +0200
Subject: [PATCH] mistral vibe
---
config/config.php | 6 ++-
include/Database.php | 16 +++++-
include/WebAuthnManager.php | 31 ++++++++++-
public/index.php | 2 +-
public/login.php | 4 +-
public/register.php | 105 ++++++++++++++++++++++++++----------
6 files changed, 129 insertions(+), 35 deletions(-)
diff --git a/config/config.php b/config/config.php
index 9d46fdd..634b436 100644
--- a/config/config.php
+++ b/config/config.php
@@ -9,8 +9,10 @@ define('DB_PASS', 'Sr7FEaj2SK');
 // Configuration WebAuthn
 define('WEBAUTHN_RP_NAME', 'Diary-web');
-define('WEBAUTHN_RP_ID', parse_url($_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST));
-define('WEBAUTHN_ORIGIN', $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']);
+$rpId = isset($_SERVER['HTTP_HOST']) ? parse_url((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST) : 'nothing2do.fr';
+$origin = isset($_SERVER['HTTP_HOST']) ? (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http') . '://' . $_SERVER['HTTP_HOST'] : 'https://www.nothing2do.fr';
+define('WEBAUTHN_RP_ID', $rpId);
+define('WEBAUTHN_ORIGIN', $origin);
 // Initialisation de la base de données
 try {
diff --git a/include/Database.php b/include/Database.php
index e63c0e3..b90a1af 100644
--- a/include/Database.php
+++ b/include/Database.php
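Review bot: The new `$rpId` and `$origin` still derive the WebAuthn RP ID and expected origin from `$_SERVER['HTTP_HOST']`, a client-controlled request header, so a later origin check (presumably the `verify($challenge, $this->origin)` in WebAuthnManager) compares the client's clientDataJSON against a value the same client supplied; the `'nothing2do.fr'` / `'https://www.nothing2do.fr'` fallbacks only apply when the header is absent. Pin both to configuration instead, e.g. `define('WEBAUTHN_RP_ID', 'nothing2do.fr');` and `define('WEBAUTHN_ORIGIN', 'https://www.nothing2do.fr');`, or validate HTTP_HOST against an allowlist before using it. The scheme test `isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` would also yield `http://` if the app sits behind a TLS-terminating proxy, which would make origin verification fail for legitimate users. The hunk header additionally shows `define('DB_PASS', 'Sr7FEaj2SK')` committed in config.php; that credential should be rotated and loaded from the environment rather than source.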
@@ -15,11 +15,25 @@ class Database {
 try {
 // Use the global $db connection from config.php
 global $db;
- return $db;
+ if ($db instanceof PDO) {
+ return $db;
+ } else {
+ // If global $db is not available, create a new connection
+ $conn = new PDO("pgsql:host=" . DB_HOST . ";dbname=" . DB_NAME, DB_USER, DB_PASS);
+ $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+ return $conn;
+ }
 } catch(Exception $exception) {
+ error_log("Erreur de connexion à la base de données : " . $exception->getMessage());
 echo "Erreur de connexion à la base de données : " . $exception->getMessage();
 exit;
 }
 }
+
+ // Add prepare method for compatibility
+ public function prepare($sql) {
+ $pdo = $this->connect();
+ return $pdo->prepare($sql);
+ }
 }
 ?>
diff --git a/include/WebAuthnManager.php b/include/WebAuthnManager.php
index 3db0d5b..70fbf62 100644
--- a/include/WebAuthnManager.php
+++ b/include/WebAuthnManager.php
@@ -69,7 +69,10 @@ class WebAuthnManager {
 }
 public function register($attestationResponse) {
+ error_log("WebAuthn register called with: " . substr($attestationResponse, 0, 200));
+ if (!isset($_SESSION['challenge']) || !isset($_SESSION['username'])) {
+ error_log("WebAuthn register: missing challenge or username in session");
 return false;
 }
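Review bot: The `echo` of `$exception->getMessage()` kept right after the new `error_log` still sends the PDO failure text (which can include the host, database name and user) to the HTTP response; now that the detail is logged, the response should carry only a generic string, `echo "Erreur de connexion à la base de données."; exit;`. The fallback connection added in the else-branch may also behave differently from the `$db` built in config.php (not visible here); passing `[PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]` as the PDO constructor's options would make the two paths consistent. The enclosing `connect()` method starts above this hunk.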
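Review bot: The new `error_log("WebAuthn register called with: " . substr($attestationResponse, 0, 200))` writes the first 200 bytes of the raw, still-unvalidated client payload to the server log on every call; that is debugging output and should be removed or gated behind a debug setting in config.php before this ships. It also assumes `$attestationResponse` is a string — if a caller ever passes the decoded array, `substr()` throws a TypeError on PHP 8 before the session check runs. The second `error_log` for the missing-session case is reasonable as an audit line. The `register()` method continues past the end of the hunk.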
@@ -79,7 +82,33 @@ class WebAuthnManager {
 unset($_SESSION['username']);
 try {
- $publicKeyCredentialSource = PublicKeyCredentialSource::createFromString($attestationResponse);
+ error_log("WebAuthn register: decoding JSON response");
+ // Decode the JSON response from JavaScript
+ $attestationData = json_decode($attestationResponse, true);
+
+ if ($attestationData === null) {
+ error_log("WebAuthn register: JSON decode failed. Error: " . json_last_error_msg());
+ return false;
+ }
+
+ error_log("WebAuthn register: JSON decoded successfully");
+
+ // Convert base64 back to binary
+ $attestationObject = base64_decode($attestationData['response']['attestationObject']);
+ $clientDataJSON = base64_decode($attestationData['response']['clientDataJSON']);
+ $rawId = base64_decode($attestationData['rawId']);
+
+ // Create the credential source from the components
+ $publicKeyCredentialSource = PublicKeyCredentialSource::createFromString(
+ json_encode([
+ 'attestationObject' => base64_encode($attestationObject),
+ 'clientDataJSON' => base64_encode($clientDataJSON),
+ 'id' => $attestationData['id'],
+ 'rawId' => base64_encode($rawId),
+ 'type' => $attestationData['type']
+ ])
+ );
+ $publicKeyCredential = $publicKeyCredentialSource->getPublicKeyCredential();
 if (!$publicKeyCredential->verify($challenge, $this->origin)) {
diff --git a/public/index.php b/public/index.php
index 1f4686f..8e1d836 100644
--- a/public/index.php
+++ b/public/index.php
@@ -220,7 +220,7 @@ if (empty($triplets)) {
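Review bot: After `json_decode` the new code indexes `$attestationData['response']['attestationObject']`, `['clientDataJSON']`, `['rawId']`, `['id']` and `['type']` with no existence or type check (a valid JSON scalar or a payload missing a key passes the `=== null` test), and decodes with non-strict `base64_decode`, so malformed input arrives at `base64_encode()` as `false`/`null` coerced to an empty string instead of producing a clean `return false`; non-strict decoding also silently drops characters that strict mode would reject, which defeats the decode/re-encode round-trip as a validation step. Validate the shape first and use `base64_decode($x, true)`, as sketched below. Whether the front-end converts the browser's base64url `PublicKeyCredential` fields to standard base64 before posting is not visible in this diff and should be confirmed. The `register()` method continues outside the hunk.
```php
$attestationData = json_decode($attestationResponse, true);
// … unchanged: null check and its error_log …
$response = is_array($attestationData) ? ($attestationData['response'] ?? null) : null;
if (!is_array($response)
    || !is_string($response['attestationObject'] ?? null)
    || !is_string($response['clientDataJSON'] ?? null)
    || !is_string($attestationData['rawId'] ?? null)
    || !is_string($attestationData['id'] ?? null)
    || !is_string($attestationData['type'] ?? null)) {
    error_log("WebAuthn register: malformed attestation payload");
    return false;
}

// Strict decoding: reject anything outside the base64 alphabet instead of silently dropping it
$attestationObject = base64_decode($response['attestationObject'], true);
$clientDataJSON = base64_decode($response['clientDataJSON'], true);
$rawId = base64_decode($attestationData['rawId'], true);
if ($attestationObject === false || $clientDataJSON === false || $rawId === false) {
    error_log("WebAuthn register: invalid base64 in attestation payload");
    return false;
}
// … unchanged: createFromString(json_encode([...])) and the verify() call …
```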
-

Bienvenue,

+

Bienvenue,

diff --git a/public/login.php b/public/login.php
index 95fd185..837b4de 100644
--- a/public/login.php
+++ b/public/login.php
@@ -21,7 +21,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 $username = trim($_POST['username']);
 if (!empty($username)) {
- $stmt = $pdo->prepare("SELECT user_id, yubikey_id FROM users WHERE username = ?");
+ $stmt = $pdo->prepare("SELECT id, yubikey_id FROM users WHERE username = ?");
 $stmt->execute([$username]);
 $user = $stmt->fetch(PDO::FETCH_ASSOC);
@@ -34,7 +34,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 // Generate authentication options
 $authenticationOptions = $webAuthnManager->generateAuthenticationOptions();
 $_SESSION['authentication_username'] = $username;
- $_SESSION['authentication_user_id'] = $user['user_id'];
+ $_SESSION['authentication_user_id'] = $user['id'];
 $_SESSION['authentication_public_key'] = $yubikey['public_key'];
 header('Content-Type: application/json');
diff --git a/public/register.php b/public/register.php
index a1b872c..67179eb 100644
--- a/public/register.php
+++ b/public/register.php
@@ -22,7 +22,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 if (!empty($username)) {
 // Vérifier si le nom d'utilisateur existe déjà
- $stmt = $pdo->prepare("SELECT user_id FROM users WHERE username = ?");
+ $stmt = $pdo->prepare("SELECT id FROM users WHERE username = ?");
 $stmt->execute([$username]);
 if ($stmt->fetch()) {
 $error = "Ce nom d'utilisateur est déjà pris.";
@@ -56,17 +56,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 // Enregistrer l'utilisateur et la YubiKey dans la base de données
 $pdo->beginTransaction();
 try {
- // Insérer l'utilisateur
- $stmt = $pdo->prepare("INSERT INTO users (username) VALUES (?)");
- $stmt->execute([$username]);
- $userId = $pdo->lastInsertId();
+ // Insérer l'utilisateur (avec yubikey vide car la colonne est requise)
+ $stmt = $pdo->prepare("INSERT INTO users (username, yubikey) VALUES (?, ?) RETURNING id");
+ $stmt->execute([$username, '']); // yubikey vide pour l'instant
+ $userId = $stmt->fetchColumn(); // Insérer la YubiKey
 $stmt = $pdo->prepare("INSERT INTO yubikeys (user_id, key_data, public_key) VALUES (?, ?, ?)");
 $stmt->execute([$userId, $registrationData['credentialId'], $registrationData['publicKey']]);
 // Mettre à jour l'utilisateur avec l'ID de la YubiKey
- $stmt = $pdo->prepare("UPDATE users SET yubikey_id = ? WHERE user_id = ?");
+ $stmt = $pdo->prepare("UPDATE users SET yubikey_id = ? WHERE id = ?");
 $stmt->execute([$pdo->lastInsertId(), $userId]);
 $pdo->commit();
@@ -172,6 +172,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
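Review bot: The user insert was switched to `RETURNING id`, but the yubikeys insert a few lines later still feeds `$pdo->lastInsertId()` into `UPDATE users SET yubikey_id = ? WHERE id = ?`; on the pgsql driver that call without a sequence name resolves to the last sequence value touched in the session, which is only `yubikeys.id` if that column is sequence-backed — something this diff does not show. Make the second insert match the first: `INSERT INTO yubikeys (user_id, key_data, public_key) VALUES (?, ?, ?) RETURNING id`, then `$yubikeyId = $stmt->fetchColumn();` and `$stmt->execute([$yubikeyId, $userId]);`. The `''` placeholder written to `users.yubikey` is never updated within this hunk, so if that column is meant to hold the credential the follow-up write is missing. The `try` opened here is closed outside the hunk, so the rollback path could not be reviewed.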