A2F using Own Development in NodeJS

A2F: In a previous article, we talked about Swivel as an external tool to integrate our applications into Scriptcase, however, it is likely that it is possible to have a less robust application such as its own development, in this example, an application was developed in NodeJS a system of double authentication where not only can have double authentication through an OTC (On Time Code) (Soft Token) but also with a device (Hard Token), in this case in particular that of the FIDO family of FEITIAN (https: //www.ftsafe.com/products/FIDO). In the case of OTC, this could be generated for example with Google Authenticator.

This document focuses on how Scriptcase uses those services. This implementation, although it was its own, special care was taken in the interfaces, for this reason, they were clearly documented for each of these options, PHP,.Net and Angular.

In the PHP documentation, we were given the following information:


php_sdk

v1.2.0

auth2factor PHP Integration SDK

Requirements

  • sudo apt-get install php5-curl
  • sudo apt-get install composer

Use Firebase JWT to sign HMAC. If you do not use Composer, copy the JWT Firebase libraries to your solution.


API

Setup hostname, API key, and secret

$HOST = “https://localhost”;

$API_KEY = “…”;

$API_SECRET = “…”;

$a2f_client = new auth2factor($HOST, $API_KEY, $API_SECRET);


Authentication

delegate

Returns a temporary login token. Used to request an OTC/U2F verification.

$tokens = $a2f_client->delegate(“user@me.com”);

$req_token = $tokens[“x-app-sign-request”];

$u2f_req = $tokens[“x-u2f-sign-request”];

validate_otc

Verifies OTC. Returns a bearer token, otherwise false.

$sid = $a2f_client->validate_otc(“…temporary token”, “001122”);

validate_u2f

Verifies U2F. Returns a bearer token, otherwise false. Must be called once successfully signed with u2f.sign.

$client_data = “eyJ0eXAiO…”;

$signature_data = “AQAAADUw…”;

$sid = $a2f_client->validate_u2f(“…temporary token”, $client_data, $signature_data);


Request_challenge

Requests a U2F challenge to initiate key registration.

$challenge = $a2f_client->request_challenge(“a valid bearer token”);

register_key

Registers a U2F security key. Must be called once u2f.register returns successfully.

$client_data = “eyJ0eXAiO…”;

$registration_data = “AQAAADUw…”;

$a2f_client->register_key(“a valid bearer token”, $client_data, $registration_data);


Implementation U2F

FIDO U2F – Enrollment

One time authenticated, the user login in a configuration of the account in the solution and offereted a user enroll a key.

cookbook/register.php

  • Give a U2F challenge: API request_challenge
  • Call a library client u2f.register with a challenge and call request sign
  • If proceed to join the key
  • If stores the successful confirmation in register_key.php: API register_key

FIDO U2F – Authentication

If the user has registered keys in the domain where he was authenticated in the 1st step.

cookbook/sign.php

  • Get a set of sign requests
  • Call client library u2f.sign with the sign requests and request sign
  • We proceed to enter the key
  • It is validated in sign_key.php and gets a bearer token: API validate_u2f

Library Javascript para U2F

Include minified library 

<head>

<script src=”js/a2f.js”></script>

</head>

Have:

  • Axios para AJAX / REST axios.min.js
  • Axios config axios-config.js
  • U2F u2f-api.js
  • U2F utils u2f-utils.js

Based on the above, it was analyzed and defined the next Macro Algorithm, so the program should:

  1. Define connection parameters.
  2. With the user logged on the 1st authentication (email), it connects to the server to request a Token.
  3. Upon receipt of the Token, the OTC is requested from the user.
  4. The OTC is sent.
  5. The response is received if the second authentication is authorized or not.
  6. If successful, redirect the application to the Menu.

codigo_scriptcase_a2f

I wish you served these 3 articles of this interesting topic of 2 Factor Authentication, and whatever the method to use don’t forget to always review the documentation, make tests and finally implement it in Scriptcase.

You might also like…

Do they pay for your system or code?

For all those who develop systems and softwares every day at work: Have you ever wondered what make...

Key Features to become a good Web Developer

Perhaps at some point you have wondered what skills would be required to become a web developer. ...

Disabling autofill and autocomplete Chrome browser in login screens

Hello, here I want to show an alternative to disable the autofill and autocomplete of the chrome bro...

You might also like…

Get new posts, resources, offers and more each week.

We will use the information you provide to update you about our Newsletter and Special Offers. You can unsubscribe any time you want by clinck in a link in the footer of any email you receive from us, or by contacting us at sales@scriptcase.net. Learn more about our Privacy Police.