Move to issuing cookie for challenge, rather than header

internal/mfaportal/authenticators/pam.go

@@ -84,7 +84,7 @@ func (t *Pam) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 			log.Println(user.Username, clientTunnelIp, "failed to enforce mfa: ", err)
 		}
 
-		w.Header().Set("WAG-CHALLENGE", challenge)
+		IssueChallengeTokenCookie(w, r, challenge)
 
 	default:
 		http.NotFound(w, r)
@@ -121,7 +121,7 @@ func (t *Pam) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	challenge, err := user.Authenticate(clientTunnelIp.String(), t.Type(), t.AuthoriseFunc(w, r))
 
 	msg, status := resultMessage(err)
-	w.Header().Set("WAG-CHALLENGE", challenge)
+	IssueChallengeTokenCookie(w, r, challenge)
 
 	jsonResponse(w, msg, status)
 

internal/mfaportal/authenticators/totp.go

@@ -140,7 +140,7 @@ func (t *Totp) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 
 		log.Println(user.Username, clientTunnelIp, "authorised")
 
-		w.Header().Set("WAG-CHALLENGE", challenge)
+		IssueChallengeTokenCookie(w, r, challenge)
 
 		if err := user.EnforceMFA(); err != nil {
 			log.Println(user.Username, clientTunnelIp, "enforce mfa failed:", err)
@@ -180,7 +180,7 @@ func (t *Totp) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	}
 
 	challenge, err := user.Authenticate(clientTunnelIp.String(), t.Type(), t.AuthoriseFunc(w, r))
-	w.Header().Set("WAG-CHALLENGE", challenge)
+	IssueChallengeTokenCookie(w, r, challenge)
 
 	msg, status := resultMessage(err)
 	jsonResponse(w, msg, status)

internal/mfaportal/authenticators/webauthn.go

@@ -160,7 +160,7 @@ func (wa *Webauthn) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 
 				return nil
 			})
-		w.Header().Set("WAG-CHALLENGE", challenge)
+		IssueChallengeTokenCookie(w, r, challenge)
 
 		msg, status := resultMessage(err)
 		jsonResponse(w, msg, status) // Send back an error message before we do the server side of handling it
@@ -285,7 +285,7 @@ func (wa *Webauthn) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		w.Header().Set("WAG-CHALLENGE", challenge)
+		IssueChallengeTokenCookie(w, r, challenge)
 
 		log.Println(user.Username, clientTunnelIp, "authorised")
 

internal/mfaportal/resources/static/js/challenge.js

@@ -65,7 +65,7 @@ function getCookie(name) {
 
 function deleteCookie(name) {
     document.cookie = name +'=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
-  }
+}
 
 
 if(challenge !== null) {

internal/mfaportal/resources/static/js/pam.js

@@ -72,9 +72,6 @@ async function loginUser(location) {
             document.getElementById("error").hidden = false;
             return
         }
-        if (send.headers.get("WAG-CHALLENGE") !== null) {
-            localStorage.setItem("challenge", send.headers.get("WAG-CHALLENGE"))
-        }
     } catch (e) {
         console.log("logging in user failed")
         document.getElementById("errorMsg").textContent = e.message;
@@ -84,4 +81,4 @@ async function loginUser(location) {
 
 
     window.location.href = "/";
-}
+}

internal/mfaportal/resources/static/js/totp.js

@@ -80,11 +80,6 @@ async function loginUser(location) {
             return
         }
 
-
-        if (send.headers.get("WAG-CHALLENGE") !== null) {
-            localStorage.setItem("challenge", send.headers.get("WAG-CHALLENGE"))
-        }
-
     } catch (e) {
         console.log("logging in user failed")
         document.getElementById("errorMsg").textContent = e.message;
@@ -94,4 +89,4 @@ async function loginUser(location) {
 
 
     window.location.href = "/";
-}
+}

internal/mfaportal/resources/static/js/webauthn.js

@@ -214,10 +214,6 @@ async function loginUser(event) {
             return
         }
 
-        if (finalise.headers.get("WAG-CHALLENGE") !== null) {
-            localStorage.setItem("challenge", send.headers.get("WAG-CHALLENGE"))
-        }
-
     } catch (e) {
         console.log("logging in failed: ", e)
         document.getElementById("errorMsg").textContent = e.message;