Completed Basic Non AJAX authentication

Author: Samyoul

PDO Without AJAX/authenticate.php

@@ -30,9 +30,12 @@
     // Store the request for later
     $_SESSION['authenticationRequest'] = $authenticationRequest;
 
+    // Store the user attempting to authenticate
+    $_SESSION['authenticatingUser'] = $user;
+
     // now pass the data to the U2F authentication view.
     $templates = new League\Plates\Engine(__DIR__.'/views');
-    echo $templates->render('u2f-authenticate', ['authenticationRequest' => $authenticationRequest]);
+    echo $templates->render('u2f-authentication', ['authenticationRequest' => json_encode($authenticationRequest)]);
 
 }
 

PDO Without AJAX/database/database.sqlite

@@ -59,17 +59,24 @@ function getU2FRegistrations(stdClass $user)
 function storeU2FRegistration(stdClass $user, Registration $registration)
 {
     $pdo = getDBConnection();
-    $ins = $pdo->prepare("
+    $statement = $pdo->prepare("
         INSERT INTO registrations
         (user_id, keyHandle, publicKey, certificate, counter)
         VALUES (?, ?, ?, ?, ?)
     ");
-    $ins->execute([
+    $statement->execute([
         $user->id,
         $registration->getKeyHandle(),
         $registration->getPublicKey(),
         $registration->getCertificate(),
         $registration->getCounter()
     ]);
 
+}
+
+function updateU2FRegistration(stdClass $registration)
+{
+    $pdo = getDBConnection();
+    $statement = $pdo->prepare("UPDATE registrations SET counter = ? WHERE id = ?");
+    $statement->execute([$registration->counter, $registration->id]);
 }

PDO Without AJAX/functions.php

@@ -0,0 +1,39 @@
+<?php
+require("../vendor/autoload.php");
+require("functions.php");
+
+use Samyoul\U2F\U2FServer\U2FServer as U2F;
+session_start();
+
+$user = $_SESSION['authenticatingUser'];
+
+// Get any U2F registrations associated with the user
+$registrations = getU2FRegistrations($user);
+
+try {
+
+    // Validate the registration response against the registration request.
+    // The output are the credentials you need to store for U2F authentication.
+    $validatedAuthentication = U2F::authenticate(
+        $_SESSION['authenticationRequest'],
+        $registrations,
+        json_decode($_POST['authentication_response'])
+    );
+
+    // Store of the validated U2F registration data against the authenticated user.
+    updateU2FRegistration($validatedAuthentication);
+
+    // Set authenticated user
+    $_SESSION['authenticatedUser'] = $user;
+
+    // Then let your user know what happened
+    $_SESSION['message'] = "You have successfully authenticated with a U2F key.";
+
+} catch( Exception $e ) {
+    $_SESSION['error'] = "We had an error: ". $e->getMessage();
+    redirect("index.php");
+}
+
+unset($_SESSION['authenticatingUser']);
+unset($_SESSION['authenticationRequest']);
+redirect("dashboard.php");

PDO Without AJAX/u2f-authentication-validation.php

@@ -5,6 +5,7 @@
     <p>Hello <?=$this->e($user->name)?> welcome to your super secure dashboard.</p>
     <hr/>
     <a class="btn btn-danger" href="logout.php">Log Out</a>
+    <a class="btn btn-danger" href="database/reset.php">Reset Database</a>
 </div>
 
 <h3>U2F Registrations</h3>

PDO Without AJAX/views/dashboard.php

@@ -4,20 +4,21 @@
 <h2>Please enter your FIDO U2F device into your computer's USB port. Then confirm authentication on the device.</h2>
 
 <div style="display:none;">
-    <form id="u2f_submission" method="post" action="u2f-authentication.php">
+    <form id="u2f_submission" method="post" action="u2f-authentication-validation.php">
         <input id="u2f_authentication_response" name="authentication_response" value="" />
     </form>
 </div>
 
-<script type="javascript" src="https://raw.githubusercontent.com/google/u2f-ref-code/master/u2f-gae-demo/war/js/u2f-api.js"></script>
-<script>
-    window.u2f || document.write('%3Cscript src="../js/u2f-api.js"%3E%3C/script%3E');
-</script>
+<script src="../js/u2f-api.js"></script>
 <script>
     setTimeout(function() {
 
+        var authentication_request = <?=$authenticationRequest?>;
+
+        console.log("Authentication Request: ", authentication_request);
+
         // Magic JavaScript talking to your HID
-        u2f.sign(<?=$this->e($authenticationRequest)?>, function(data) {
+        u2f.sign(authentication_request, function(data) {
 
             // Handle returning error data
             if(data.errorCode && errorCode != 0) {
@@ -35,7 +36,7 @@
             var response = document.getElementById('u2f_authentication_response');
 
             // Fill and submit form.
-            response.value = JSON.stringify(authentication_response);
+            response.value = authentication_response;
             form.submit();
         });
     }, 1000);