allow fido to not ask for pin (fidopininput) #7115

Signed-off-by: si458 <simonsmith5521@gmail.com>
2025-07-08 16:42:14 -04:00 · 2025-07-02 16:11:36 +01:00 · 2025-07-02 16:11:36 +01:00 · 11eee2f5eb
commit 11eee2f5eb
parent 1383df3f4e
5 changed files with 11 additions and 2 deletions
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@ -1793,6 +1793,12 @@
                "default": null,
                "description": "Maximum number of FIDO/YubikeyOTP hardware 2FA keys that can be setup in a user account."
              },
+              "fidopininput": {  
+                "type": "string",  
+                "default": "preferred",  
+                "enum": ["preferred", "required", "discouraged"],
+                "description": "Controls FIDO PIN prompt behavior: 'preferred' (asks only if key requires PIN), 'required' (always asks for PIN), or 'discouraged' (never asks for PIN). Default: 'preferred'."  
+              },
              "allowaccountreset": {
                "type": "boolean",
                "default": true,
--- a/meshuser.js
+++ b/meshuser.js
@ -4017,6 +4017,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    // Send the registration request
                    var registrationOptions = parent.webauthn.generateRegistrationChallenge("Anonymous Service", { id: Buffer.from(user._id, 'binary').toString('base64'), name: user._id, displayName: user._id.split('/')[2] });
                    //console.log('registrationOptions', registrationOptions);
+                    registrationOptions.userVerification = (domain.passwordrequirements && domain.passwordrequirements.fidopininput) ? domain.passwordrequirements.fidopininput : 'preferred'; // Use the domain setting if it exists, otherwise use 'preferred'.
                    obj.webAuthnReqistrationRequest = { action: 'webauthn-startregister', keyname: command.name, request: registrationOptions };
                    ws.send(JSON.stringify(obj.webAuthnReqistrationRequest));
                    break;
--- a/views/login.handlebars
+++ b/views/login.handlebars
@ -539,7 +539,7 @@
            if ((hardwareKeyChallenge != null) && (hardwareKeyChallenge.type == 'webAuthn')) {
                if (typeof hardwareKeyChallenge.challenge == 'string') { hardwareKeyChallenge.challenge = Uint8Array.from(atob(hardwareKeyChallenge.challenge), function (c) { return c.charCodeAt(0) }).buffer; }

-                publicKeyCredentialRequestOptions = { challenge: hardwareKeyChallenge.challenge, allowCredentials: [], timeout: hardwareKeyChallenge.timeout }
+                publicKeyCredentialRequestOptions = { challenge: hardwareKeyChallenge.challenge, allowCredentials: [], timeout: hardwareKeyChallenge.timeout, userVerification: hardwareKeyChallenge.userVerification ? hardwareKeyChallenge.userVerification : 'preferred' }
                for (var i = 0; i < hardwareKeyChallenge.keyIds.length; i++) {
                    publicKeyCredentialRequestOptions.allowCredentials.push(
                        { id: Uint8Array.from(atob(hardwareKeyChallenge.keyIds[i]), function (c) { return c.charCodeAt(0) }), type: 'public-key', transports: ['usb', 'ble', 'nfc', 'internal'] }
--- a/views/login2.handlebars
+++ b/views/login2.handlebars
@ -635,7 +635,7 @@
            if ((hardwareKeyChallenge != null) && (hardwareKeyChallenge.type == 'webAuthn')) {
                if (typeof hardwareKeyChallenge.challenge == 'string') { hardwareKeyChallenge.challenge = Uint8Array.from(atob(hardwareKeyChallenge.challenge), function (c) { return c.charCodeAt(0) }).buffer; }

-                publicKeyCredentialRequestOptions = { challenge: hardwareKeyChallenge.challenge, allowCredentials: [], timeout: hardwareKeyChallenge.timeout }
+                publicKeyCredentialRequestOptions = { challenge: hardwareKeyChallenge.challenge, allowCredentials: [], timeout: hardwareKeyChallenge.timeout, userVerification: hardwareKeyChallenge.userVerification ? hardwareKeyChallenge.userVerification : 'preferred' }
                for (var i = 0; i < hardwareKeyChallenge.keyIds.length; i++) {
                    publicKeyCredentialRequestOptions.allowCredentials.push(
                        { id: Uint8Array.from(atob(hardwareKeyChallenge.keyIds[i]), function (c) { return c.charCodeAt(0) }), type: 'public-key', transports: ['usb', 'ble', 'nfc', 'internal'] }
--- a/webserver.js
+++ b/webserver.js
@ -1105,6 +1105,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
            if (webAuthnKeys.length > 0) {
                // Generate a Webauthn challenge, this is really easy, no need to call any modules to do this.
                var authnOptions = { type: 'webAuthn', keyIds: [], timeout: 60000, challenge: obj.crypto.randomBytes(64).toString('base64') };
+                // userVerification: 'preferred' use security pin if possible (default), 'required' always use security pin, 'discouraged' do not use security pin.
+                authnOptions.userVerification = (domain.passwordrequirements && domain.passwordrequirements.fidopininput) ? domain.passwordrequirements.fidopininput : 'preferred'; // Use the domain setting if it exists, otherwise use 'preferred'.{
                for (var i = 0; i < webAuthnKeys.length; i++) { authnOptions.keyIds.push(webAuthnKeys[i].keyId); }
                sec.u2f = authnOptions.challenge;
                req.session.e = parent.encryptSessionData(sec);