feat: new privacyIDEA template

BREAKING CHANGE: requires cesnet/simplesamlphp-module-privacyidea v5

Author: melanger

composer.json

@@ -62,5 +62,8 @@
     },
     "require-dev": {
         "symplify/easy-coding-standard": "^10.0"
+    },
+    "suggest": {
+        "cesnet/simplesamlphp-module-privacyidea": "included privacyIDEA template is for this module"
     }
 }

dictionaries/privacyidea.definition.json

@@ -7,24 +7,8 @@
     "en": "The service you are trying to access has requested authentication using multiple factors. Use one of your registered additional authentication token using the buttons below.",
     "cs": "Služba ke které přistupujete vyžádala vícefaktorovout autentizaci. Použijte jednu z vašich zaregistrovaných metod kliknutím na jedno z tlačítek nížě."
   },
-  "otp": {
-    "en": "Security code",
-    "cs": "Bezpečnostní kód"
-  },
   "otp_help": {
     "en": "Enter the 6 digit one time password from the smartphone application.",
     "cs": "Vložte jednorázový kód, například z TOTP aplikace."
-  },
-  "otp_submit_btn": {
-    "en": "Submit",
-    "cs": "Potvrdit"
-  },
-  "webauthn": {
-    "en": "Web Authentication",
-    "cs": "Web Authentication"
-  },
-  "webauthn_btn": {
-    "en": "Trigger authentication",
-    "cs": "Spustit autentizaci"
   }
 }

themes/perun/privacyidea/LoginForm.php

@@ -4,11 +4,9 @@
 
 $this->data['u2fAvailable'] = !empty($this->data['u2fSignRequest']);
 $this->data['webauthnAvailable'] = !empty($this->data['webAuthnSignRequest']);
-$this->data['pushAvailable'] = $this->data['pushAvailable'] ?? false;
-
 $this->data['mode'] = ($this->data['mode'] ?? null) ?: 'otp';
 $this->data['noAlternatives'] = true;
-foreach (['webauthn', 'otp', 'push', 'u2f'] as $mode) {
+foreach (['otp', 'push', 'u2f', 'webauthn'] as $mode) {
     if ($mode !== $this->data['mode'] && $this->data[$mode . 'Available']) {
         $this->data['noAlternatives'] = false;
         break;
@@ -25,8 +23,16 @@
 }
 
 // Set the right text shown in otp/pass field(s)
-$otpHint = $this->data['otpFieldHint'] ?? $this->t('{privacyidea:privacyidea:otp}');
-$passHint = $this->data['passFieldHint'] ?? $this->t('{privacyidea:privacyidea:password}');
+if (isset($this->data['otpFieldHint'])) {
+    $otpHint = $this->data['otpFieldHint'];
+} else {
+    $otpHint = $this->t('{privacyidea:privacyidea:otp}');
+}
+if (isset($this->data['passFieldHint'])) {
+    $passHint = $this->data['passFieldHint'];
+} else {
+    $passHint = $this->t('{privacyidea:privacyidea:password}');
+}
 
 $this->data['header'] = $this->t('{privacyidea:privacyidea:login_title_challenge}');
 
@@ -40,20 +46,24 @@
 $this->data['head'] .= '<link rel="stylesheet" href="'
     . htmlspecialchars(Module::getModuleUrl('privacyidea/css/loginform.css'), ENT_QUOTES)
     . '" media="screen" />';
+$this->data['head'] .= '<link rel="stylesheet" href="'
+    . htmlspecialchars(Module::getModuleUrl('perun/res/css/privacyidea.css'), ENT_QUOTES)
+    . '" media="screen" />';
 
 $this->includeAtTemplateBase('includes/header.php');
 
 // Prepare error case to show it in UI if needed
 if (null !== $this->data['errorCode']) {
     ?>
+
     <div class="alert alert-dismissable alert-danger" role="alert">
-        <button type="button" class="close" data-dismiss="alert" aria-label="Close">
+        <button type="button" class="close" data-dismiss="alert" aria-label="<?php echo $this->t('{perun:privacyidea:close}'); ?>">
             <span aria-hidden="true">&times;</span>
         </button>
         <h2 class="alert-heading"><?php echo $this->t('{login:error_header}'); ?></h2>
         <p>
-            <?php
-            echo htmlspecialchars(
+    <?php
+    echo htmlspecialchars(
         sprintf('%s%s: %s', $this->t(
             '{privacyidea:privacyidea:error}'
         ), $this->data['errorCode'] ? (' ' . $this->data['errorCode']) : '', $this->data['errorMessage'])
@@ -64,61 +74,81 @@
     <?php
 }  // end of errorcode
 ?>
+
 <p><?php echo $this->t('{perun:privacyidea:info_text}'); ?></p>
 <form action="FormReceiver.php" method="POST" id="piLoginForm" name="piLoginForm" class="loginForm">
     <div class="row">
         <?php if ($this->data['webauthnAvailable']) { ?>
-            <div class="<?php echo (!$this->data['noAlternatives']) ? 'col-md-6' : 'col-sm-12'; ?>">
-            <h2><?php echo $this->t('{perun:privacyidea:webauthn}'); ?></h2>
-            <div>
-                <button id="useWebAuthnButton" name="useWebAuthnButton" class="btn btn-primary btn-block text-nowrap" type="button"><?php echo $this->t('{perun:privacyidea:webauthn_btn}'); ?></button>
-            </div>
-            <div id="message" role="alert">
-            <?php
+        <div class="col-md-6">
+            <h2><?php echo $this->t('{privacyidea:privacyidea:webauthn}'); ?></h2>
+            <p id="message" role="alert"><?php
                 $messageOverride = $this->data['messageOverride'] ?? null;
                 if (null === $messageOverride || is_string($messageOverride)) {
                     echo htmlspecialchars($messageOverride ?? $this->data['message'] ?? '', ENT_QUOTES);
                 } elseif (is_callable($messageOverride)) {
                     echo call_user_func($messageOverride, $this->data['message'] ?? '');
                 }
-            ?>
-            </div>
+            ?></p>
+            <p>
+                <button id="useWebAuthnButton" name="useWebAuthnButton" class="btn btn-primary btn-s" type="button">
+                    <span><?php echo $this->t('{privacyidea:privacyidea:webauthn}'); ?></span>
+                </button>
+            </p>
         </div>
         <?php } ?>
 
         <?php if ($this->data['otpAvailable'] ?? true) { ?>
-        <div class="<?php echo (!$this->data['noAlternatives']) ? 'col-md-6' : 'col-sm-12'; ?>">
+        <div class="col-md-6">
             <h2><?php echo $this->t('{privacyidea:privacyidea:otp}'); ?></h2>
             <p><?php echo $this->t('{perun:privacyidea:otp_help}'); ?></p>
             <div class="form-row">
-                <div class="form-group col-sm-12 <?php echo (!$this->data['noAlternatives']) ? '' : 'col-md-6'; ?>">
-                    <label for="otp" class="sr-only"><?php echo $this->t('{perun:privacyidea:otp}'); ?></label>
-                    <input id="otp" name="otp" tabindex="1" value="" class="form-control" autocomplete="one-time-code" type="text" inputmode="numeric" pattern="[0-9]{6,}" required placeholder="<?php echo htmlspecialchars($otpHint, ENT_QUOTES); ?>"/>
+                <div class="form-group col-sm-12 col-md-6">
+                    <label for="otp" class="sr-only"><?php echo $this->t('{privacyidea:privacyidea:otp}'); ?></label>
+                    <input id="otp" name="otp" tabindex="1" value="" class="form-control" autocomplete="one-time-code" type="text" inputmode="numeric" pattern="[0-9]{6,}" required placeholder="<?php echo htmlspecialchars($otpHint, ENT_QUOTES); ?>"<?php if ($this->data['noAlternatives']) {
+                echo ' autofocus';
+            } ?> />
                 </div>
-                <div class="form-group col-sm-12 <?php echo (!$this->data['noAlternatives']) ? '' : 'col-md-6'; ?>">
-                    <button id="submitButton" tabindex="1" class="btn btn-primary btn-block text-nowrap" type="submit" name="Submit"><?php echo htmlspecialchars($this->t('{perun:privacyidea:otp_submit_btn}'), ENT_QUOTES); ?></button>
+                <div class="form-group col-sm-12 col-md-6">
+                    <button id="submitButton" tabindex="1" class="btn btn-primary btn-block text-nowrap" type="submit" name="Submit">
+                        <span><?php echo htmlspecialchars($this->t('{login:login_button}'), ENT_QUOTES); ?></span>
+                    </button>
                 </div>
             </div>
         </div>
         <?php } ?>
-    </div>
 
-    <!-- Undefined index is suppressed and the default is used for these values -->
-    <input id="mode" type="hidden" name="mode" value="otp" data-preferred="<?php echo htmlspecialchars($this->data['mode'], ENT_QUOTES); ?>"/>
-    <input id="pushAvailable" type="hidden" name="pushAvailable" value="<?php echo ($this->data['pushAvailable'] ?? false) ? 'true' : ''; ?>"/>
-    <input id="otpAvailable" type="hidden" name="otpAvailable" value="<?php echo ($this->data['otpAvailable'] ?? true) ? 'true' : ''; ?>"/>
-    <input id="webAuthnSignRequest" type="hidden" name="webAuthnSignRequest" value='<?php echo htmlspecialchars($this->data['webAuthnSignRequest'] ?? '', ENT_QUOTES); ?>'/>
-    <input id="u2fSignRequest" type="hidden" name="u2fSignRequest" value='<?php echo htmlspecialchars($this->data['u2fSignRequest'] ?? '', ENT_QUOTES); ?>'/>
-    <input id="modeChanged" type="hidden" name="modeChanged" value=""/>
-    <input id="step" type="hidden" name="step" value="<?php echo htmlspecialchars(strval(($this->data['step'] ?? null) ?: 2), ENT_QUOTES); ?>"/>
-    <input id="webAuthnSignResponse" type="hidden" name="webAuthnSignResponse" value=""/>
-    <input id="u2fSignResponse" type="hidden" name="u2fSignResponse" value=""/>
-    <input id="origin" type="hidden" name="origin" value=""/>
-    <input id="loadCounter" type="hidden" name="loadCounter" value="<?php echo htmlspecialchars(strval(($this->data['loadCounter'] ?? null) ?: 1), ENT_QUOTES); ?>"/>
-
-    <!-- Additional input to persist the message -->
-    <input type="hidden" name="message" value="<?php echo htmlspecialchars($this->data['message'] ?? '', ENT_QUOTES); ?>"/>
+        <!-- Undefined index is suppressed and the default is used for these values -->
+        <input id="mode" type="hidden" name="mode" value="otp"
+               data-preferred="<?php echo htmlspecialchars($this->data['mode'], ENT_QUOTES); ?>"/>
+
+        <input id="pushAvailable" type="hidden" name="pushAvailable"
+               value="<?php echo ($this->data['pushAvailable'] ?? false) ? 'true' : ''; ?>"/>
+
+        <input id="otpAvailable" type="hidden" name="otpAvailable"
+               value="<?php echo ($this->data['otpAvailable'] ?? true) ? 'true' : ''; ?>"/>
+
+        <input id="webAuthnSignRequest" type="hidden" name="webAuthnSignRequest"
+               value='<?php echo htmlspecialchars($this->data['webAuthnSignRequest'] ?? '', ENT_QUOTES); ?>'/>
+
+        <input id="u2fSignRequest" type="hidden" name="u2fSignRequest"
+               value='<?php echo htmlspecialchars($this->data['u2fSignRequest'] ?? '', ENT_QUOTES); ?>'/>
+
+        <input id="modeChanged" type="hidden" name="modeChanged" value=""/>
+        <input id="step" type="hidden" name="step"
+               value="<?php echo htmlspecialchars(strval(($this->data['step'] ?? null) ?: 2), ENT_QUOTES); ?>"/>
+
+        <input id="webAuthnSignResponse" type="hidden" name="webAuthnSignResponse" value=""/>
+        <input id="u2fSignResponse" type="hidden" name="u2fSignResponse" value=""/>
+        <input id="origin" type="hidden" name="origin" value=""/>
+        <input id="loadCounter" type="hidden" name="loadCounter"
+               value="<?php echo htmlspecialchars(strval(($this->data['loadCounter'] ?? null) ?: 1), ENT_QUOTES); ?>"/>
+
+        <!-- Additional input to persist the message -->
+        <input type="hidden" name="message"
+               value="<?php echo htmlspecialchars($this->data['message'] ?? '', ENT_QUOTES); ?>"/>
+    </div> <!-- row -->
 </form>
+
 <script src="<?php echo htmlspecialchars(Module::getModuleUrl('privacyidea/js/pi-webauthn.js'), ENT_QUOTES); ?>">
 </script>
 
@@ -151,8 +181,10 @@
 echo htmlspecialchars(json_encode($translations));
 ?>">
 
-<script src="<?php echo htmlspecialchars(Module::getModuleUrl('privacyidea/js/loginform.js'), ENT_QUOTES); ?>"></script>
-<script src="<?php echo htmlspecialchars(Module::getModuleUrl('perun/js/privacy-idea-loginform.js'), ENT_QUOTES); ?>"></script>
+<script src="<?php echo htmlspecialchars(Module::getModuleUrl('privacyidea/js/loginform.js'), ENT_QUOTES); ?>">
+</script>
+<script src="<?php echo htmlspecialchars(Module::getModuleUrl('perun/res/js/privacyidea.js'), ENT_QUOTES); ?>">
+</script>
 
 <?php
 $this->includeAtTemplateBase('includes/footer.php');

www/res/css/privacyidea.css

@@ -1,34 +1,13 @@
-.message--common-error {
-    margin-left: 18px;
-    width: 520px;
-}
-
-.btn-wrap {
-    text-align: center;
-}
-
-.alternate-btn {
-    margin-top: 1rem;
-}
-
-.identifier-shown {
-    margin-bottom: 5rem;
-}
-
-#otp {
-    margin-top: 0;
-}
-
-#submitButton {
-    margin-top: 1rem;
-}
-
-@media (max-width: 576px) {
-    .col-12 {
-        width: 100%;
-    }
-
-    .col-offset-0 {
-        margin-left: 1%;
-    }
+html #useWebAuthnButton,
+html #usePushButton,
+html #useOTPButton,
+html #useU2FButton,
+html #submitButton {
+  margin: 0;
+  width: auto;
+}
+
+html #otp {
+  margin: 0;
+  width: 100%;
 }

www/res/js/privacyidea.js

@@ -0,0 +1,16 @@
+// privacyIDEA - allow WebAuthn and OTP on one page
+document.addEventListener("DOMContentLoaded", () => {
+  ["otp", "submitButton"].forEach((id) => {
+    const el = document.getElementById(id);
+    if (el) {
+      el.classList.remove("hidden");
+    }
+  });
+
+  const piLoginForm = document.getElementById("piLoginForm");
+  if (piLoginForm) {
+    piLoginForm.addEventListener("submit", () => {
+      document.getElementById("mode").value = "otp";
+    });
+  }
+});