CHANGELOG.md

+## [5.5.3](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/compare/v5.5.2...v5.5.3) (2024-01-03)
+
+
+### Bug Fixes
+
+* enable backup code checking ([a4e16a1](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/commit/a4e16a1095a99a39180d1c1b158c4a3662aafa05))
+* failcounter handling ([61c3876](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/commit/61c3876fa5da17edb2222cbb980c38cb596c866d))
+
 ## [5.5.2](https://gitlab.ics.muni.cz/perun-proxy-aai/simplesamlphp/simplesamlphp-module-privacyidea/compare/v5.5.1...v5.5.2) (2023-08-31)
 
 

dictionaries/privacyidea.definition.json

@@ -92,6 +92,9 @@
   "error_message": {
     "en": "Verification was not successful. Please try again."
   },
+  "failcounter_error_message": {
+    "en": "Verification code you have entered is either incorrect or this method of authentication has been deactivated for your account due to numerous failed login attempts. If your login attempts using verification codes keep failing, please use a recovery code or a security key."
+  },
   "error": {
     "en": "Error"
   }

dictionaries/privacyidea.translation.json

@@ -138,6 +138,9 @@
   "error_message": {
     "cs": "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu."
   },
+  "failcounter_error_message": {
+    "cs": "Zadaný ověřovací kód je nesprávný, nebo byly ověřovací kódy ve Vašem účtu zablokovány (např. kvůli velkému počtu neúspěšných pokusů). Pokud se Vám opakovaně nedaří použít ověřovací kód, prosím použijte bezpečnostní klíč nebo záložní kód."
+  },
   "error": {
     "cs": "Chyba"
   }

lib/Auth/Utils.php

@@ -103,7 +103,28 @@ class Utils
                     self::handlePrivacyIDEAException($e, $state);
                 }
             }
+        } elseif ($formParams['mode'] === 'totp') {
+            try {
+                // limit otp validation to totp tokens to prevent incrementing of webauthn failcounter
+                $params["type"] = "totp";
+                $params["user"] = $username;
+                $params["pass"] = $formParams['otp'];
+                $headers = [];
+
+                $rawResponse = $pi->sendRequest($params, $headers, 'POST', '/validate/check');
+                $response = PIResponse::fromJSON($rawResponse, $pi);
+
+                $isAuthUnuccessful = $response->value === false;
+                if ($isAuthUnuccessful) {
+                    // prepare custom error message placeholder - failcounter might have been exceeded
+                    Logger::debug("Original TOTP validation response error message: " . $response->errorMessage);
+                    $response->errorMessage = "possible failcounter exceeded";
+                }
+            } catch (\Exception $e) {
+                self::handlePrivacyIDEAException($e, $state);
+            }
         } else {
+            // Backup code validation
             try {
                 $response = $pi->validateCheck($username, $formParams['otp'], $transactionID);
             } catch (\Exception $e) {
@@ -150,6 +171,7 @@ class Utils
 
         $session->registerLogoutHandler($authority, self::class, 'handleLogout');
         $session->setData('privacyidea:privacyidea', '2FA-success', true, Session::DATA_TIMEOUT_SESSION_END);
+        Logger::info('privacyIDEA: saved 2FA-success');
         Logger::debug('privacyIDEA: SSO data written and logout handler registered.');
     }
 
@@ -317,7 +339,7 @@ class Utils
         } else {
             // Unexpected response
             Logger::error('privacyIDEA: ' . $response->message);
-            $state['privacyidea:privacyidea']['errorMessage'] = $response->message;
+            $state['privacyidea:privacyidea']['errorMessage'] = $response->errorMessage;
         }
 
         return State::saveState($state, 'privacyidea:privacyidea');
@@ -331,7 +353,7 @@ class Utils
     public static function getClientIP()
     {
         $result = ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? null) ?: ($_SERVER['REMOTE_ADDR'] ?? null)
-        ?: ($_SERVER['HTTP_CLIENT_IP'] ?? null);
+            ?: ($_SERVER['HTTP_CLIENT_IP'] ?? null);
         Logger::debug('privacyIDEA: client ip: ' . $result);
 
         return $result;

locales/cs/LC_MESSAGES/privacyidea.po

@@ -119,6 +119,9 @@ msgstr "Zkusit znovu"
 msgid "{privacyidea:privacyidea:error_message}"
 msgstr "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu."
 
+msgid "{privacyidea:privacyidea:failcounter_error_message}"
+msgstr "Zadaný kód ověřovací kód je nesprávný nebo byly ověřovací kódy ve Vašem účtu zablokovány (např. kvůli velkému počtu neúspěšných pokusů). Pokud se Vám opakovaně nedaří použít ověřovací kód, prosím použijte bezpečnostní klíč nebo záložní kód."
+
 msgid "{privacyidea:privacyidea:error}"
 msgstr "Chyba"
 

locales/en/LC_MESSAGES/privacyidea.po

@@ -117,6 +117,9 @@ msgstr "Try Again"
 msgid "{privacyidea:privacyidea:error_message}"
 msgstr "Verification was not successful. Please try again."
 
+msgid "{privacyidea:privacyidea:failcounter_error_message}"
+msgstr "Verification code you have entered is either incorrect or this method of authentication has been deactivated for your account due to numerous failed login attempts. If your login attempts using verification codes keep failing, please use a recovery code or a security key."
+
 msgid "{privacyidea:privacyidea:error}"
 msgstr "Error"
 

www/FormBuilder.php

@@ -45,6 +45,13 @@ if (
     $tpl->data['errorCode'] = ($state['privacyidea:privacyidea']['errorCode'] ?? null) ?: '';
     $state['privacyidea:privacyidea']['errorCode'] = '';
     $tpl->data['errorMessage'] = $tpl->t('{privacyidea:privacyidea:error_message}');
+
+    // replace custom error message placeholder
+    $errorMessage = $state['privacyidea:privacyidea']['errorMessage'];
+    if (stripos($errorMessage, "possible failcounter exceeded") !== false) {
+        $tpl->data['errorMessage'] = $tpl->t('{privacyidea:privacyidea:failcounter_error_message}');
+    }
+
     $state['privacyidea:privacyidea']['errorMessage'] = '';
     $stateId = State::saveState($state, 'privacyidea:privacyidea');
 }

www/js/pi-webauthn.js

@@ -53,14 +53,14 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
     return nChr > 64 && nChr < 91
       ? nChr - 65
       : nChr > 96 && nChr < 123
-      ? nChr - 71
-      : nChr > 47 && nChr < 58
-      ? nChr + 4
-      : nChr === 43
-      ? 62
-      : nChr === 47
-      ? 63
-      : 0;
+        ? nChr - 71
+        : nChr > 47 && nChr < 58
+          ? nChr + 4
+          : nChr === 43
+            ? 62
+            : nChr === 47
+              ? 63
+              : 0;
   };
 
   /**
@@ -80,14 +80,14 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
     return nUint6 < 26
       ? nUint6 + 65
       : nUint6 < 52
-      ? nUint6 + 71
-      : nUint6 < 62
-      ? nUint6 - 4
-      : nUint6 === 62
-      ? 43
-      : nUint6 === 63
-      ? 47
-      : 65;
+        ? nUint6 + 71
+        : nUint6 < 62
+          ? nUint6 - 4
+          : nUint6 === 62
+            ? 43
+            : nUint6 === 63
+              ? 47
+              : 65;
   };
 
   /**
@@ -245,26 +245,26 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
               aBytes[++nIdx] -
               128
           : nPart > 247 && nPart < 252 && nIdx + 4 < nLen
-          ? ((nPart - 248) << 24) +
-            ((aBytes[++nIdx] - 128) << 18) +
-            ((aBytes[++nIdx] - 128) << 12) +
-            ((aBytes[++nIdx] - 128) << 6) +
-            aBytes[++nIdx] -
-            128
-          : nPart > 239 && nPart < 248 && nIdx + 3 < nLen
-          ? ((nPart - 240) << 18) +
-            ((aBytes[++nIdx] - 128) << 12) +
-            ((aBytes[++nIdx] - 128) << 6) +
-            aBytes[++nIdx] -
-            128
-          : nPart > 223 && nPart < 240 && nIdx + 2 < nLen
-          ? ((nPart - 224) << 12) +
-            ((aBytes[++nIdx] - 128) << 6) +
-            aBytes[++nIdx] -
-            128
-          : nPart > 191 && nPart < 224 && nIdx + 1 < nLen
-          ? ((nPart - 192) << 6) + aBytes[++nIdx] - 128
-          : nPart,
+            ? ((nPart - 248) << 24) +
+              ((aBytes[++nIdx] - 128) << 18) +
+              ((aBytes[++nIdx] - 128) << 12) +
+              ((aBytes[++nIdx] - 128) << 6) +
+              aBytes[++nIdx] -
+              128
+            : nPart > 239 && nPart < 248 && nIdx + 3 < nLen
+              ? ((nPart - 240) << 18) +
+                ((aBytes[++nIdx] - 128) << 12) +
+                ((aBytes[++nIdx] - 128) << 6) +
+                aBytes[++nIdx] -
+                128
+              : nPart > 223 && nPart < 240 && nIdx + 2 < nLen
+                ? ((nPart - 224) << 12) +
+                  ((aBytes[++nIdx] - 128) << 6) +
+                  aBytes[++nIdx] -
+                  128
+                : nPart > 191 && nPart < 224 && nIdx + 1 < nLen
+                  ? ((nPart - 192) << 6) + aBytes[++nIdx] - 128
+                  : nPart,
       );
     }
 
@@ -297,14 +297,14 @@ var pi_webauthn = navigator.credentials ? window.pi_webauthn || {} : null;
         nChr < 0x80
           ? 1
           : nChr < 0x800
-          ? 2
-          : nChr < 0x10000
-          ? 3
-          : nChr < 0x200000
-          ? 4
-          : nChr < 0x4000000
-          ? 5
-          : 6;
+            ? 2
+            : nChr < 0x10000
+              ? 3
+              : nChr < 0x200000
+                ? 4
+                : nChr < 0x4000000
+                  ? 5
+                  : 6;
     }
 
     aBytes = new Uint8Array(nArrLen);