From 4e41927c48e12458bcadcd98c30d5bd33864fd74 Mon Sep 17 00:00:00 2001
From: Nils Behlen <29949516+nilsbehlen@users.noreply.github.com>
Date: Thu, 10 Aug 2023 14:08:38 +0200
Subject: [PATCH] Poll in browser message (#157)

* small fixes

* When doing poll-in-browser, set the message to both OTP+Push messages
* Added helper function to js
* Simplified some code
* Upped keycloak dependency version for security fix

* provide default if value is missing

* Update privacyIDEA.ftl
---
 pom.xml                                       |  10 +-
 .../org/privacyidea/authenticator/Const.java  |   1 -
 .../PrivacyIDEAAuthenticator.java             |  47 ++--
 .../theme-resources/templates/privacyIDEA.ftl | 211 +++++++++---------
 4 files changed, 126 insertions(+), 143 deletions(-)

diff --git a/pom.xml b/pom.xml
index dba621c..bae026f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,31 +116,31 @@
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core</artifactId>
-            <version>22.0.0</version>
+            <version>22.0.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-server-spi</artifactId>
-            <version>22.0.0</version>
+            <version>22.0.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-server-spi-private</artifactId>
-            <version>22.0.0</version>
+            <version>22.0.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-services</artifactId>
-            <version>22.0.0</version>
+            <version>22.0.1</version>
         </dependency>
 
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-common</artifactId>
-            <version>22.0.0</version>
+            <version>22.0.1</version>
         </dependency>
 
         <dependency>
diff --git a/src/main/java/org/privacyidea/authenticator/Const.java b/src/main/java/org/privacyidea/authenticator/Const.java
index 9097d6b..a03f299 100644
--- a/src/main/java/org/privacyidea/authenticator/Const.java
+++ b/src/main/java/org/privacyidea/authenticator/Const.java
@@ -49,7 +49,6 @@ private Const()
     static final String FORM_IMAGE_PUSH = "pushImage";
     static final String FORM_IMAGE_OTP = "otpImage";
     static final String FORM_IMAGE_WEBAUTHN = "webauthnImage";
-    static final String FORM_POLL_IN_BROWSER = "pollInBrowser";
     static final String FORM_POLL_IN_BROWSER_FAILED = "pollInBrowserFailed";
     static final String FORM_ERROR_MESSAGE = "errorMsg";
     static final String FORM_TRANSACTION_ID = "transactionID";
diff --git a/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java b/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java
index 20d67f6..75b7be5 100644
--- a/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java
+++ b/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java
@@ -28,19 +28,18 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Collectors;
 import org.jboss.logging.Logger;
 import org.keycloak.authentication.AuthenticationFlowContext;
 import org.keycloak.authentication.AuthenticationFlowError;
 import org.keycloak.authentication.AuthenticationFlowException;
+import org.keycloak.common.Version;
 import org.keycloak.forms.login.LoginFormsProvider;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
-import org.keycloak.common.Version;
 import org.privacyidea.Challenge;
 import org.privacyidea.IPILogger;
 import org.privacyidea.PIResponse;
@@ -71,9 +70,7 @@
 import static org.privacyidea.authenticator.Const.FORM_OTP_AVAILABLE;
 import static org.privacyidea.authenticator.Const.FORM_OTP_MESSAGE;
 import static org.privacyidea.authenticator.Const.FORM_PI_POLL_IN_BROWSER_URL;
-import static org.privacyidea.authenticator.Const.FORM_PI_SERVER_URL;
 import static org.privacyidea.authenticator.Const.FORM_POLL_INTERVAL;
-import static org.privacyidea.authenticator.Const.FORM_POLL_IN_BROWSER;
 import static org.privacyidea.authenticator.Const.FORM_POLL_IN_BROWSER_FAILED;
 import static org.privacyidea.authenticator.Const.FORM_PUSH_AVAILABLE;
 import static org.privacyidea.authenticator.Const.FORM_PUSH_MESSAGE;
@@ -206,7 +203,6 @@ else if (!config.excludedGroups().isEmpty())
                .setAttribute(FORM_IMAGE_PUSH, "")
                .setAttribute(FORM_IMAGE_OTP, "")
                .setAttribute(FORM_IMAGE_WEBAUTHN, "")
-               .setAttribute(FORM_POLL_IN_BROWSER, false)
                .setAttribute(FORM_POLL_IN_BROWSER_FAILED, false)
                .setAttribute(FORM_POLL_INTERVAL, config.pollingInterval().get(0));
 
@@ -465,7 +461,7 @@ private void extractChallengeDataToForm(PIResponse response, AuthenticationFlowC
         String webAuthnSignRequest = "";
         String u2fSignRequest = "";
         String mode = "otp";
-
+        String newOtpMessage = response.otpMessage();
         if (response.transactionID != null && !response.transactionID.isEmpty())
         {
             context.getAuthenticationSession().setAuthNote(AUTH_NOTE_TRANSACTION_ID, response.transactionID);
@@ -493,14 +489,10 @@ else if ("interactive".equals(c.getClientMode()))
         if (config.pollInBrowser())
         {
             context.form().setAttribute(FORM_TRANSACTION_ID, response.transactionID);
-            if (config.pollInBrowserUrl().isEmpty())
-            {
-                context.form().setAttribute(FORM_PI_POLL_IN_BROWSER_URL, config.serverURL());
-            }
-            else
-            {
-                context.form().setAttribute(FORM_PI_POLL_IN_BROWSER_URL, config.pollInBrowserUrl());
-            }
+            newOtpMessage = response.otpMessage() + "\n" + response.pushMessage();
+            context.form()
+                   .setAttribute(FORM_PI_POLL_IN_BROWSER_URL,
+                                 config.pollInBrowserUrl().isEmpty() ? config.serverURL() : config.pollInBrowserUrl());
         }
 
         // Check for Push
@@ -528,36 +520,27 @@ else if ("interactive".equals(c.getClientMode()))
         // Check if response from server contains preferred client mode
         if (response.preferredClientMode != null && !response.preferredClientMode.isEmpty())
         {
-            if (response.preferredClientMode.equals("push") && config.pollInBrowser())
-            {
-                mode = "otp";
-            }
-            else
-            {
-                mode = response.preferredClientMode;
-            }
+            mode = response.preferredClientMode;
         }
         else
         {
-            // Check if any triggered token matches the preferred token type
+            // Alternatively check if any triggered token matches the local preferred token type
             if (response.triggeredTokenTypes().contains(config.prefTokenType()))
             {
-                if (config.prefTokenType().equals("push") && config.pollInBrowser())
-                {
-                    mode = "otp";
-                }
-                else
-                {
-                    mode = config.prefTokenType();
-                }
+                mode = config.prefTokenType();
             }
         }
+        // Using poll in browser does not require push mode
+        if (mode.equals("push") && config.pollInBrowser())
+        {
+            mode = "otp";
+        }
 
         context.form()
                .setAttribute(FORM_MODE, mode)
                .setAttribute(FORM_WEBAUTHN_SIGN_REQUEST, webAuthnSignRequest)
                .setAttribute(FORM_U2F_SIGN_REQUEST, u2fSignRequest)
-               .setAttribute(FORM_OTP_MESSAGE, response.otpMessage());
+               .setAttribute(FORM_OTP_MESSAGE, newOtpMessage);
     }
 
     /**
diff --git a/src/main/resources/theme-resources/templates/privacyIDEA.ftl b/src/main/resources/theme-resources/templates/privacyIDEA.ftl
index f7efd1a..fbeef87 100644
--- a/src/main/resources/theme-resources/templates/privacyIDEA.ftl
+++ b/src/main/resources/theme-resources/templates/privacyIDEA.ftl
@@ -5,7 +5,8 @@
     <#elseif section = "header">
         ${msg("loginTitleHtml",realm.name)}
     <#elseif section = "form">
-        <form id="kc-otp-login-form" onsubmit="login.disabled = true; return true;" class="${properties.kcFormClass!}" action="${url.loginAction}"
+        <form id="kc-otp-login-form" onsubmit="login.disabled = true; return true;" class="${properties.kcFormClass!}"
+              action="${url.loginAction}"
               method="post">
             <div class="${properties.kcFormGroupClass!}">
                 <div class="${properties.kcInputWrapperClass!}">
@@ -57,7 +58,8 @@
                     <input id="otpImage" name="otpImage" value="${otpImage!""}" type="hidden">
                     <input id="webauthnImage" name="webauthnImage" value="${webauthnImage!""}" type="hidden">
                     <input id="modeChanged" name="modeChanged" value="false" type="hidden">
-                    <input id="pollInBrowserFailed" name="pollInBrowserFailed" value="${pollInBrowserFailed?c}" type="hidden">
+                    <input id="pollInBrowserFailed" name="pollInBrowserFailed" value="${pollInBrowserFailed?c}"
+                           type="hidden">
                     <input id="errorMsg" name="errorMsg" value="" type="hidden">
 
                     <input id="webauthnsignrequest" name="webauthnsignrequest" value="${webauthnsignrequest!""}"
@@ -80,82 +82,108 @@
                         <div class="${properties.kcFormButtonsWrapperClass!}">
                             <script>
                                 'use strict';
+                                // Helper functions
+                                function disable(id) {
+                                    const element = document.getElementById(id)
+                                    if (element != null) {
+                                        element.style.display = "none";
+                                    } else {
+                                        console.log(id + " is null!");
+                                    }
+                                }
 
-                                if (document.getElementById("uilanguage").value === "de")
-                                {
-                                    document.getElementById("alternateTokenHeader").innerText = "Alternative Anmeldeoptionen";
-                                    document.getElementById("kc-login").value = "Anmelden";
+                                function enable(id) {
+                                    const element = document.getElementById(id);
+                                    if (element != null) {
+                                        element.style.display = "initial";
+                                    } else {
+                                        console.log(id + " is null!");
+                                    }
+                                }
+
+                                function value(id) {
+                                    const element = document.getElementById(id);
+                                    if (element != null) {
+                                        return element.value;
+                                    } else {
+                                        console.log(id + " is null!");
+                                    }
+                                    return "";
+                                }
+
+                                function set(id, value) {
+                                    const element = document.getElementById(id);
+                                    if (element != null) {
+                                        element.value = value;
+                                    } else {
+                                        console.log(id + " is null!");
+                                    }
                                 }
+                                // End helper functions
 
-                                function changeMode(newMode)
-                                {
+                                function changeMode(newMode) {
                                     // Submit the form to pass the change to the authenticator
-                                    document.getElementById("mode").value = newMode;
-                                    document.getElementById("modeChanged").value = "true";
+                                    set("mode", newMode);
+                                    set("modeChanged", "true");
                                     document.forms["kc-otp-login-form"].submit();
                                 }
+
+                                if (value("uilanguage") === "de") {
+                                    document.getElementById("alternateTokenHeader").innerText = "Alternative Anmeldeoptionen";
+                                    set("kc-login", "Anmelden");
+                                }
                             </script>
 
                             <!-- Poll in browser section. If poll in browser is enabled in config,
                                  the following script will process it in the background. -->
                             <#if transactionID?? && !(transactionID = "") && !(piPollInBrowserUrl = "") && (pollInBrowserFailed = false)>
                                 <script>
-                                    window.onload = () =>
-                                    {
-                                        document.getElementById("pushButton").style.display = "none";
+                                    function workerError(message) {
+                                        console.log("Poll in browser error: " + message);
+                                        set("errorMsg", ("Poll in browser error: " + message));
+                                        set("pollInBrowserFailed", true);
+                                        enable("pushButton");
+                                    }
+
+                                    window.onload = () => {
+                                        disable("pushButton");
                                         let worker;
-                                        if (typeof (Worker) !== "undefined")
-                                        {
-                                            if (typeof (worker) == "undefined")
-                                            {
+                                        if (typeof (Worker) !== "undefined") {
+                                            if (typeof (worker) == "undefined") {
                                                 worker = new Worker("${url.resourcesPath}/pi-pollTransaction.worker.js");
-                                                document.getElementById("kc-otp-login-form").addEventListener('submit', function (e)
-                                                {
+                                                document.getElementById("kc-otp-login-form").addEventListener('submit', function (e) {
                                                     worker.terminate();
                                                     worker = undefined;
                                                 })
                                                 worker.postMessage({'cmd': 'url', 'msg': '${piPollInBrowserUrl}'});
                                                 worker.postMessage({'cmd': 'transactionID', 'msg': '${transactionID}'});
                                                 worker.postMessage({'cmd': 'start'});
-                                                worker.addEventListener('message', function (e)
-                                                {
+                                                worker.addEventListener('message', function (e) {
                                                     let data = e.data;
-                                                    switch (data.status)
-                                                    {
+                                                    switch (data.status) {
                                                         case 'success':
                                                             document.forms["kc-otp-login-form"].submit();
                                                             break;
                                                         case 'error':
-                                                            console.log("Poll in browser error: " + data.message);
-                                                            document.getElementById("errorMsg").value = "Poll in browser error: " + data.message;
-                                                            document.getElementById("pollInBrowserFailed").value = true;
-                                                            document.getElementById("pushButton").style.display = "initial";
+                                                            workerError(data.message);
                                                             worker = undefined;
                                                     }
                                                 })
                                             }
-                                        }
-                                        else
-                                        {
-                                            console.log("Sorry! No Web Worker support.");
+                                        } else {
                                             worker.terminate();
-                                            document.getElementById("errorMsg").value = "Poll in browser error: The browser doesn't support the Web Worker.";
-                                            document.getElementById("pollInBrowserFailed").value = true;
-                                            document.getElementById("pushButton").style.display = "initial";
+                                            workerError("The browser does not support Web Worker.")
                                         }
                                     };
                                 </script>
                             </#if>
 
                             <#if mode = "push">
-                            <#--The form will be reloaded if push token is enabled to check if it is confirmed.
-                            The interval can be set in the configuration-->
-                                <script>document.getElementById("kc-login").style.display = "none";</script>
+                            <#-- Polling for push by reloading every X seconds -->
                                 <script>
-                                    window.onload = () =>
-                                    {
-                                        window.setTimeout(() =>
-                                        {
+                                    disable("kc-login");
+                                    window.onload = () => {
+                                        window.setTimeout(() => {
                                             document.forms["kc-otp-login-form"].submit()
                                         }, parseInt(${pollingInterval}) * 1000);
                                     };
@@ -169,7 +197,7 @@
                             <#else>
                             <#--If token type is not push, an input field and login button is needed-->
                                 <script>
-                                    document.getElementById("kc-login").style.display = "initial";
+                                    enable("kc-login");
                                     document.getElementById("otp").type = "password";
                                     document.getElementById("otp").required = true;
                                 </script>
@@ -191,49 +219,38 @@
                                 <script type="text/javascript" src="${url.resourcesPath}/pi-webauthn.js"></script>
                                 <script>
                                     'use strict';
-                                    if (document.getElementById("webauthnsignrequest").value === "")
-                                    {
-                                        document.getElementById("useWebAuthnButton").style.display = "none";
+                                    if (value("webauthnsignrequest") === "") {
+                                        disable("useWebAuthnButton");
                                     }
 
-                                    if (document.getElementById("mode").value === "webauthn")
-                                    {
-                                        window.onload = () =>
-                                        {
+                                    if (value("mode") === "webauthn") {
+                                        window.onload = () => {
                                             doWebAuthn();
                                         }
                                     }
 
-                                    if (!window.location.origin)
-                                    {
+                                    if (!window.location.origin) {
                                         window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port : '');
                                     }
-                                    document.getElementById("origin").value = window.origin;
+                                    set("origin", window.origin);
 
-                                    function doWebAuthn()
-                                    {
+                                    function doWebAuthn() {
                                         // If we are in push mode, reload the page because in push mode the page refreshes every x seconds which could interrupt webauthn
                                         // Afterward, webauthn is started directly
-                                        if (document.getElementById("mode").value === "push")
-                                        {
+                                        if (value("mode") === "push") {
                                             changeMode("webauthn");
                                         }
-                                        try
-                                        {
-                                            const requestStr = document.getElementById("webauthnsignrequest").value;
+                                        try {
+                                            const requestStr = value("webauthnsignrequest");
                                             const requestjson = JSON.parse(requestStr);
 
                                             const webAuthnSignResponse = window.pi_webauthn.sign(requestjson);
-                                            webAuthnSignResponse.then((webauthnresponse) =>
-                                            {
-                                                document.getElementById("webauthnsignresponse").value = JSON.stringify(webauthnresponse);
+                                            webAuthnSignResponse.then((webauthnresponse) => {
+                                                set("webauthnsignresponse", JSON.stringify(webauthnresponse));
                                                 document.forms["kc-otp-login-form"].submit();
                                             });
-                                        }
-                                        catch (err)
-                                        {
+                                        } catch (err) {
                                             console.log("Error while trying WebAuthn: " + err);
-                                            alert("Error while trying WebAuthn: " + err);
                                         }
                                     }
                                 </script>
@@ -250,59 +267,46 @@
 
                                 <script>
                                     'use strict';
-                                    if (document.getElementById("u2fsignrequest").value === "")
-                                    {
-                                        document.getElementById("useU2FButton").style.display = "none";
+                                    if (value("u2fsignrequest") === "") {
+                                        disable("useU2FButton");
                                     }
 
-                                    if (document.getElementById("mode").value === "u2f")
-                                    {
-                                        window.onload = () =>
-                                        {
+                                    if (value("mode") === "u2f") {
+                                        window.onload = () => {
                                             doU2F();
                                         }
                                     }
 
-                                    function doU2F()
-                                    {
+                                    function doU2F() {
                                         // If we are in push mode, reload the page because in push mode the page refreshes every x seconds which could interrupt U2F
                                         // Afterward, U2F is started directly
-                                        if (document.getElementById("mode").value === "push")
-                                        {
+                                        if (value("mode") === "push") {
                                             changeMode("u2f");
                                         }
 
-                                        if (!window.isSecureContext)
-                                        {
-                                            alert("Unable to proceed with U2F because the context is insecure!");
+                                        if (!window.isSecureContext) {
                                             console.log("Insecure context detected: Aborting U2F authentication!")
                                             changeMode("otp");
                                             return;
                                         }
 
-                                        const requestStr = document.getElementById("u2fsignrequest").value;
+                                        const requestStr = value("u2fsignrequest");
 
-                                        if (requestStr === null)
-                                        {
+                                        if (requestStr === null) {
                                             alert("Could not load U2F library. Please try again or use other token.");
                                             changeMode("otp");
                                             return;
                                         }
 
-                                        try
-                                        {
+                                        try {
                                             const requestjson = JSON.parse(requestStr);
                                             sign_u2f_request(requestjson);
-                                        }
-                                        catch (err)
-                                        {
+                                        } catch (err) {
                                             console.log("Error while trying U2FSignRequest: " + err);
-                                            alert("Error while trying U2FSignRequest: " + err);
                                         }
                                     }
 
-                                    function sign_u2f_request(signRequest)
-                                    {
+                                    function sign_u2f_request(signRequest) {
                                         let appId = signRequest["appId"];
                                         let challenge = signRequest["challenge"];
                                         let registeredKeys = [];
@@ -312,17 +316,13 @@
                                             keyHandle: signRequest["keyHandle"]
                                         });
 
-                                        u2f.sign(appId, challenge, registeredKeys, function (result)
-                                        {
+                                        u2f.sign(appId, challenge, registeredKeys, function (result) {
                                             const stringResult = JSON.stringify(result);
-                                            if (stringResult.includes("clientData") && stringResult.includes("signatureData"))
-                                            {
-                                                document.getElementById("u2fsignresponse").value = stringResult;
+                                            if (stringResult.includes("clientData") && stringResult.includes("signatureData")) {
+                                                set("u2fsignresponse", stringResult);
                                                 changeMode("u2f");
                                                 document.forms["kc-otp-login-form"].submit();
-                                            }
-                                            else
-                                            {
+                                            } else {
                                                 console.log("Malformed U2F signing result: " + stringResult);
                                             }
                                         })
@@ -330,7 +330,8 @@
                                 </script>
                             </#if>
 
-                            <#if !push_available && (u2fsignrequest = "") && (webauthnsignrequest = "")>
+                            <!-- Check if the alternate token options section should be displayed -->
+                            <#if (!push_available || !(piPollInBrowserUrl! == "") && pollInBrowserFailed == false) && (u2fsignrequest == "") && (webauthnsignrequest == "")>
                                 <script>
                                     document.getElementById("alternateToken").style.display = "none";
                                 </script>
@@ -338,10 +339,10 @@
 
                             <#if hasError!false>
                                 <script>
-                                    document.getElementById("alternateToken").style.display = "none";
-                                    document.getElementById("kc-login").style.display = "none";
-                                    document.getElementById("otp").style.display = "none";
-                                    document.getElementById("otpMessage").value = "";
+                                    disable("alternateToken");
+                                    disable("kc-login");
+                                    disable("otp");
+                                    set("otpMessage", "");
                                 </script>
                             </#if>
                         </div>
@@ -350,4 +351,4 @@
             </div>
         </form>
     </#if>
-</@layout.registrationLayout>
+</@layout.registrationLayout>
\ No newline at end of file