CHANGELOG.md

+## [5.5.1](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/compare/v5.5.0...v5.5.1) (2023-07-18)
+
+
+### Bug Fixes
+
+* mfa skipping after logout ([419ce58](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/commit/419ce58781f613e45dd5dcc5ccf4f492dc9a4fa0))
+
 # [5.5.0](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/compare/v5.4.2...v5.5.0) (2023-06-27)
 
 

lib/Auth/Utils.php

@@ -188,7 +188,7 @@ class Utils
     public static function handleLogout()
     {
         Logger::debug('privacyIDEA: Logout handler called. Removing SSO data.');
-        Session::getSessionFromRequest()->deleteData('privacyidea:privacyidea:sso', '2FA-success');
+        Session::getSessionFromRequest()->deleteData('privacyidea:privacyidea', '2FA-success');
     }
 
     /**

www/js/loginform.js

@@ -119,7 +119,7 @@ function doWebAuthn() {
     enable("useWebAuthnButton");
     setMessage(t("webauthn_insecure_context"));
     console.log(
-      "Insecure context detected: Aborting Web Authn authentication!"
+      "Insecure context detected: Aborting Web Authn authentication!",
     );
     fallbackToOTP();
     return;

www/js/pi-webauthn.js

@@ -172,7 +172,7 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
           uint6ToB64((nUint24 >>> 18) & 63),
           uint6ToB64((nUint24 >>> 12) & 63),
           uint6ToB64((nUint24 >>> 6) & 63),
-          uint6ToB64(nUint24 & 63)
+          uint6ToB64(nUint24 & 63),
         );
         nUint24 = 0;
       }
@@ -198,7 +198,7 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
       sBase64
         .replace(/-/g, "+")
         .replace(/_/g, "/")
-        .padEnd((sBase64.length | 3) + 1, "=")
+        .padEnd((sBase64.length | 3) + 1, "="),
     );
   };
 
@@ -264,7 +264,7 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
             128
           : nPart > 191 && nPart < 224 && nIdx + 1 < nLen
           ? ((nPart - 192) << 6) + aBytes[++nIdx] - 128
-          : nPart
+          : nPart,
       );
     }
 
@@ -409,7 +409,7 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
     };
     if (webAuthnRegisterRequest.alternativeAlgorithm) {
       publicKeyCredentialCreationOptions.pubKeyCredParams.push(
-        webAuthnRegisterRequest.alternativeAlgorithm
+        webAuthnRegisterRequest.alternativeAlgorithm,
       );
     }
     if (webAuthnRegisterRequest.authenticatorSelection) {
@@ -442,7 +442,7 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
         ) {
           webAuthnRegisterResponse.registrationclientextensions =
             webAuthnBase64EncArr(
-              strToUtf8Arr(JSON.stringify(clientExtensionResults))
+              strToUtf8Arr(JSON.stringify(clientExtensionResults)),
             );
         }
 
@@ -509,20 +509,20 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
           clientdata: webAuthnBase64EncArr(assertion.response.clientDataJSON),
           signaturedata: webAuthnBase64EncArr(assertion.response.signature),
           authenticatordata: webAuthnBase64EncArr(
-            assertion.response.authenticatorData
+            assertion.response.authenticatorData,
           ),
         };
 
         if (assertion.response.userHandle) {
           webAuthnSignResponse.userhandle = utf8ArrToStr(
-            assertion.response.userHandle
+            assertion.response.userHandle,
           );
         }
         if (assertion.response.assertionClientExtensions) {
           webAuthnSignResponse.assertionclientextensions = webAuthnBase64EncArr(
             strToUtf8Arr(
-              JSON.stringify(assertion.response.assertionClientExtensions)
-            )
+              JSON.stringify(assertion.response.assertionClientExtensions),
+            ),
           );
         }
 

www/js/u2f-api.js

@@ -303,7 +303,7 @@ u2f.formatSignRequest_ = function (
   challenge,
   registeredKeys,
   timeoutSeconds,
-  reqId
+  reqId,
 ) {
   if (js_api_version === undefined || js_api_version < 1.1) {
     // Adapt request to the 1.0 JS API
@@ -348,7 +348,7 @@ u2f.formatRegisterRequest_ = function (
   registeredKeys,
   registerRequests,
   timeoutSeconds,
-  reqId
+  reqId,
 ) {
   if (js_api_version === undefined || js_api_version < 1.1) {
     // Adapt request to the 1.0 JS API
@@ -401,7 +401,7 @@ u2f.WrappedChromeRuntimePort_.prototype.postMessage = function (message) {
  */
 u2f.WrappedChromeRuntimePort_.prototype.addEventListener = function (
   eventName,
-  handler
+  handler,
 ) {
   var name = eventName.toLowerCase();
   if (name == "message" || name == "onmessage") {
@@ -456,7 +456,7 @@ u2f.WrappedAuthenticatorPort_.prototype.getPortType = function () {
  */
 u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function (
   eventName,
-  handler
+  handler,
 ) {
   var name = eventName.toLowerCase();
   if (name == "message") {
@@ -466,7 +466,7 @@ u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function (
     window.addEventListener(
       "message",
       self.onRequestUpdate_.bind(self, handler),
-      false
+      false,
     );
   } else {
     console.error("WrappedAuthenticatorPort only supports message");
@@ -481,7 +481,7 @@ u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function (
  */
 u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ = function (
   callback,
-  message
+  message,
 ) {
   var messageObject = JSON.parse(message.data);
   var intentUrl = messageObject["intentURL"];
@@ -638,7 +638,7 @@ u2f.getPortSingleton_ = function (callback) {
           "message",
           /**
            * @type {function(Event)}
-           */ (u2f.responseHandler_)
+           */ (u2f.responseHandler_),
         );
 
         // Careful, here be async callbacks. Maybe.
@@ -686,7 +686,7 @@ u2f.sign = function (
   challenge,
   registeredKeys,
   callback,
-  opt_timeoutSeconds
+  opt_timeoutSeconds,
 ) {
   if (js_api_version === undefined) {
     // Send a message to get the extension to JS API version, then send the actual sign request.
@@ -701,7 +701,7 @@ u2f.sign = function (
         challenge,
         registeredKeys,
         callback,
-        opt_timeoutSeconds
+        opt_timeoutSeconds,
       );
     });
   } else {
@@ -711,7 +711,7 @@ u2f.sign = function (
       challenge,
       registeredKeys,
       callback,
-      opt_timeoutSeconds
+      opt_timeoutSeconds,
     );
   }
 };
@@ -730,7 +730,7 @@ u2f.sendSignRequest = function (
   challenge,
   registeredKeys,
   callback,
-  opt_timeoutSeconds
+  opt_timeoutSeconds,
 ) {
   u2f.getPortSingleton_(function (port) {
     var reqId = ++u2f.reqCounter_;
@@ -744,7 +744,7 @@ u2f.sendSignRequest = function (
       challenge,
       registeredKeys,
       timeoutSeconds,
-      reqId
+      reqId,
     );
     port.postMessage(req);
   });
@@ -768,7 +768,7 @@ u2f.register = function (
   registerRequests,
   registeredKeys,
   callback,
-  opt_timeoutSeconds
+  opt_timeoutSeconds,
 ) {
   if (js_api_version === undefined) {
     // Send a message to get the extension to JS API version, then send the actual register request.
@@ -783,7 +783,7 @@ u2f.register = function (
         registerRequests,
         registeredKeys,
         callback,
-        opt_timeoutSeconds
+        opt_timeoutSeconds,
       );
     });
   } else {
@@ -793,7 +793,7 @@ u2f.register = function (
       registerRequests,
       registeredKeys,
       callback,
-      opt_timeoutSeconds
+      opt_timeoutSeconds,
     );
   }
 };
@@ -813,7 +813,7 @@ u2f.sendRegisterRequest = function (
   registerRequests,
   registeredKeys,
   callback,
-  opt_timeoutSeconds
+  opt_timeoutSeconds,
 ) {
   u2f.getPortSingleton_(function (port) {
     var reqId = ++u2f.reqCounter_;
@@ -827,7 +827,7 @@ u2f.sendRegisterRequest = function (
       registeredKeys,
       registerRequests,
       timeoutSeconds,
-      reqId
+      reqId,
     );
     port.postMessage(req);
   });