privacyidea · lukasmatusiewicz · Nov 26, 2024 · Nov 26, 2024 · Nov 27, 2024 · Dec 2, 2024
diff --git a/java-client b/java-client
diff --git a/src/main/java/org/privacyidea/authenticator/Const.java b/src/main/java/org/privacyidea/authenticator/Const.java
@@ -47,6 +47,7 @@ private Const()
     static final String FORM_TRANSACTION_ID = "transactionID";
     static final String FORM_AUTO_SUBMIT_OTP_LENGTH = "AutoSubmitOtpLength";
     static final String FORM_POLL_IN_BROWSER_URL = "pollInBrowserUrl";
+    static final String FORM_POLL_IN_BROWSER_DECLINED = "pollInBrowserDeclined";
     static final String FORM_PUSH_AVAILABLE = "pushAvailable";
     static final String FORM_OTP_AVAILABLE = "otpAvailable";
     static final String FORM_PUSH_MESSAGE = "pushMessage";

diff --git a/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java b/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java
@@ -35,10 +35,7 @@
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
-import org.privacyidea.Challenge;
-import org.privacyidea.IPILogger;
-import org.privacyidea.PIResponse;
-import org.privacyidea.PrivacyIDEA;
+import org.privacyidea.*;
 
 import java.io.IOException;
 import java.util.LinkedHashMap;
@@ -174,6 +171,7 @@ else if (!config.excludedGroups().isEmpty())
                .setAttribute(FORM_IMAGE_WEBAUTHN, "")
                .setAttribute(FORM_AUTO_SUBMIT_OTP_LENGTH, config.otpLength())
                .setAttribute(FORM_POLL_IN_BROWSER_FAILED, false)
+               .setAttribute(FORM_POLL_IN_BROWSER_DECLINED, false)
                .setAttribute(FORM_POLL_IN_BROWSER_URL, "")
                .setAttribute(FORM_TRANSACTION_ID, "")
                .setAttribute(FORM_POLL_INTERVAL, config.pollingInterval().get(0));
@@ -253,7 +251,7 @@ public void action(AuthenticationFlowContext context)
         }
 
         MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
-        if (formData.containsKey("cancel"))
+        if (formData.containsKey("cancel") || TRUE.equals(formData.getFirst(FORM_POLL_IN_BROWSER_DECLINED)))
         {
             context.cancelLogin();
             return;
@@ -267,6 +265,7 @@ public void action(AuthenticationFlowContext context)
         boolean pushAvailable = TRUE.equals(formData.getFirst(FORM_PUSH_AVAILABLE));
         boolean otpAvailable = TRUE.equals(formData.getFirst(FORM_OTP_AVAILABLE));
         boolean pollInBrowserFailed = TRUE.equals(formData.getFirst(FORM_POLL_IN_BROWSER_FAILED));
+        boolean pollInBrowserDeclined = TRUE.equals(formData.getFirst(FORM_POLL_IN_BROWSER_DECLINED));
         String pollInBrowserUrl = formData.getFirst(FORM_POLL_IN_BROWSER_URL);
         String pushMessage = formData.getFirst(FORM_PUSH_MESSAGE);
         String otpMessage = formData.getFirst(FORM_OTP_MESSAGE);
@@ -296,6 +295,7 @@ public void action(AuthenticationFlowContext context)
             .setAttribute(FORM_AUTO_SUBMIT_OTP_LENGTH, otpLength)
             .setAttribute(FORM_POLL_IN_BROWSER_FAILED, pollInBrowserFailed)
             .setAttribute(FORM_POLL_IN_BROWSER_URL, pollInBrowserUrl)
+            .setAttribute(FORM_POLL_IN_BROWSER_DECLINED, pollInBrowserDeclined)
             .setAttribute(FORM_TRANSACTION_ID, transactionID)
             .setAttribute(FORM_PUSH_MESSAGE, pushMessage)
             .setAttribute(FORM_OTP_MESSAGE, otpMessage);
@@ -304,7 +304,7 @@ public void action(AuthenticationFlowContext context)
         String error = formData.getFirst(FORM_ERROR_MESSAGE);
         if (error != null && !error.isEmpty())
         {
-            logger.error(error);
+            error(error);
         }
 
         Map<String, String> headers = getHeadersToForward(context, config);
@@ -316,17 +316,36 @@ public void action(AuthenticationFlowContext context)
         if (TOKEN_TYPE_PUSH.equals(currentMode))
         {
             // In push mode, poll for the transaction id to see if the challenge has been answered
-            if (privacyIDEA.pollTransaction(transactionID))
+            ChallengeStatus pollTransactionStatus = privacyIDEA.pollTransaction(transactionID);
+            if (pollTransactionStatus == ChallengeStatus.accept)
             {
-                // If the challenge has been answered, finalize with a call to validate check
+                // If challenge has been answered, finalize with a call to validate check
                 response = privacyIDEA.validateCheck(currentUserName, "", transactionID, headers);
             }
+            else if (pollTransactionStatus == ChallengeStatus.declined)
+            {
+                // If challenge has been declined, show the error message
+                log("Poll transaction: Authentication declined by a user.");
+                context.cancelLogin();
+            }
+            else if (pollTransactionStatus == ChallengeStatus.pending)
+            {
+                // If challenge is still pending, show the error message
+                log("Push not verified yet.");
+            }
+            else
+            {
+                // If poll transaction failed, show the error message and fallback to otp mode.
+                form.setError("Push authentication failed. Please use another token. Fallback to OTP mode.");
+                error("Poll transaction failed.");
+                form.setAttribute(FORM_MODE, "otp");
+            }
         }
         else if (webAuthnSignResponse != null && !webAuthnSignResponse.isEmpty())
         {
             if (origin == null || origin.isEmpty())
             {
-                logger.error("Origin is missing for WebAuthn authentication!");
+                error("Origin is missing for WebAuthn authentication!");
             }
             else
             {
@@ -395,8 +414,8 @@ else if (!TRUE.equals(tokenTypeChanged))
      * Extract the challenge data from the response and put it into the form.
      *
      * @param response PIResponse
-     * @param context AuthenticationFlowContext
-     * @param config Configuration
+     * @param context  AuthenticationFlowContext
+     * @param config   Configuration
      */
     private void extractChallengeDataToForm(PIResponse response, AuthenticationFlowContext context, Configuration config)
     {

diff --git a/src/main/resources/theme-resources/resources/js/pi-eventListeners.js b/src/main/resources/theme-resources/resources/js/pi-eventListeners.js
@@ -46,6 +46,11 @@ function eventListeners ()
                         case 'success':
                             piSubmit();
                             break;
+                        case 'cancel':
+                            piSetValue("pollInBrowserDeclined", true);
+                            worker = undefined;
+                            piSubmit();
+                            break;
                         case 'error':
                             console.log(piGetValue("pollInBrowserErrorMsg") + data.message);
                             piSetValue("errorMessage", "Poll in browser error: " + data.message);

diff --git a/src/main/resources/theme-resources/resources/js/pi-pollTransaction.worker.js b/src/main/resources/theme-resources/resources/js/pi-pollTransaction.worker.js
@@ -22,14 +22,22 @@ self.addEventListener('message', function (e) {
                             {
                                 r.text().then(result => {
                                     const resultJson = JSON.parse(result);
-                                    if (resultJson['result']['authentication'] === "ACCEPT")
+                                    if (resultJson['detail']['challenge_status'] === "accept")
                                     {
                                         self.postMessage({
                                                              'message': 'Polling in browser: Push message confirmed!',
                                                              'status': 'success'
                                                          });
                                         self.close();
                                     }
+                                    else if (resultJson['detail']['challenge_status'] === "declined")
+                                    {
+                                        self.postMessage({
+                                                             'message': 'Polling in browser: Authentication declined!',
+                                                             'status': 'cancel'
+                                                         });
+                                        self.close();
+                                    }
                                 });
                             }
                             else

diff --git a/src/main/resources/theme-resources/templates/privacyIDEA.ftl b/src/main/resources/theme-resources/templates/privacyIDEA.ftl
@@ -63,20 +63,18 @@
                     <input id="modeChanged" name="modeChanged" value="false" type="hidden">
                     <input id="resourcesPath" name="resourcesPath" value="${url.resourcesPath}" type="hidden">
                     <input id="pollInBrowserUrl" name="pollInBrowserUrl" value="${pollInBrowserUrl}" type="hidden">
-                    <input id="pollInBrowserFailed" name="pollInBrowserFailed" value="${pollInBrowserFailed?c}"
-                           type="hidden">
+                    <input id="pollInBrowserFailed" name="pollInBrowserFailed" value="${pollInBrowserFailed?c}" type="hidden">
+                    <input id="pollInBrowserDeclined" name="pollInBrowserDeclined" value="${pollInBrowserDeclined?c}" type="hidden">
                     <input id="transactionID" name="transactionID" value="${transactionID}" type="hidden">
                     <input id="errorMsg" name="errorMsg" value="" type="hidden">
-                    <input id="webauthnSignRequest" name="webauthnSignRequest" value="${webauthnSignRequest!""}"
-                           type="hidden">
+                    <input id="webauthnSignRequest" name="webauthnSignRequest" value="${webauthnSignRequest!""}" type="hidden">
                     <input id="webauthnSignResponse" name="webauthnSignResponse" value="" type="hidden">
                     <input id="origin" name="origin" value="" type="hidden">
                     <input id="pollInBrowserErrorMsg" name="pollInBrowserErrorMsg"
                            value="${msg('privacyidea.pollInBrowserError')}" type="hidden">
                     <input id="noWebWorkerSupportMsg" name="noWebWorkerSupportMsg"
                            value="${msg('privacyidea.noWebWorkerSupport')}" type="hidden">
-                    <input id="webauthnErrorMsg" name="webauthnErrorMsg" value="${msg('privacyidea.webauthnError')}"
-                           type="hidden">
+                    <input id="webauthnErrorMsg" name="webauthnErrorMsg" value="${msg('privacyidea.webauthnError')}" type="hidden">
 
                     <input class="pf-c-button pf-m-primary pf-m-block btn-lg" name="login" id="kc-login" type="submit"
                            value="${msg('privacyidea.signIn')}"/>
@@ -88,20 +86,17 @@
                         <div class="${properties.kcFormButtonsWrapperClass!}">
                             <#if otpAvailable>
                                 <input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}"
-                                       name="otpButton" id="otpButton" type="button"
-                                       value="${msg('privacyidea.otpButton')}"/>
+                                       name="otpButton" id="otpButton" type="button" value="${msg('privacyidea.otpButton')}"/>
                             </#if>
 
                             <#if pushAvailable>
                                 <input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}"
-                                       name="pushButton" id="pushButton"
-                                       type="button" value="${msg('privacyidea.pushButton')}"/>
+                                       name="pushButton" id="pushButton" type="button" value="${msg('privacyidea.pushButton')}"/>
                             </#if>
 
                             <#if !(webauthnSignRequest = "")>
                                 <input class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}"
-                                       name="webauthnButton" id="webAuthnButton"
-                                       type="button" value="${msg('privacyidea.webauthnButton')}"/>
+                                       name="webauthnButton" id="webAuthnButton" type="button" value="${msg('privacyidea.webauthnButton')}"/>
                             </#if>
                         </div>
                     </div>
+1 −1		.github/badges/branches.svg
+1 −1		.github/badges/coverage-summary.json
+1 −1		.github/badges/jacoco.svg
+20 −0		src/main/java/org/privacyidea/ChallengeStatus.java
+12 −3		src/main/java/org/privacyidea/JSONParser.java
+1 −0		src/main/java/org/privacyidea/PIConstants.java
+1 −0		src/main/java/org/privacyidea/PIResponse.java
+3 −3		src/main/java/org/privacyidea/PrivacyIDEA.java
+40 −16		src/test/java/org/privacyidea/TestPollTransaction.java