authenticate: add device-enrolled page (#2892)

* authenticate: add device-enrolled page * remove device credential id from page
2025-05-31 09:57:17 +02:00 · 2022-01-06 10:01:12 -07:00 · 2022-01-06 10:01:12 -07:00 · 9330f6b0ac
commit 9330f6b0ac
parent 6ed3fa20bc
7 changed files with 61 additions and 3 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -137,7 +137,7 @@ func (a *Authenticate) getWebAuthnURL(values url.Values) (*url.URL, error) {
 			urlutil.QueryDeviceType:      {webauthnutil.DefaultDeviceType},
 			urlutil.QueryEnrollmentToken: nil,
 			urlutil.QueryRedirectURI: {uri.ResolveReference(&url.URL{
-				Path: "/.pomerium/",
+				Path: "/.pomerium/device-enrolled",
 			}).String()},
 		}).Encode(),
 	})
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -18,6 +18,7 @@ import (
 	"golang.org/x/oauth2"
 	"google.golang.org/protobuf/types/known/timestamppb"

+	"github.com/pomerium/pomerium/authenticate/handlers"
 	"github.com/pomerium/pomerium/authenticate/handlers/webauthn"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity"
@ -98,6 +99,7 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 	sr.Path("/sign_in").Handler(a.requireValidSignature(a.SignIn))
 	sr.Path("/sign_out").Handler(a.requireValidSignature(a.SignOut))
 	sr.Path("/webauthn").Handler(webauthn.New(a.getWebauthnState))
+	sr.Path("/device-enrolled").Handler(handlers.DeviceEnrolled())
 }

 func (a *Authenticate) mountWellKnown(r *mux.Router) {
--- a/authenticate/handlers/device-enrolled.go
+++ b/authenticate/handlers/device-enrolled.go
@ -0,0 +1,18 @@
+package handlers
+
+import (
+	"html/template"
+	"net/http"
+
+	"github.com/pomerium/pomerium/internal/frontend"
+	"github.com/pomerium/pomerium/internal/httputil"
+)
+
+// DeviceEnrolled displays an HTML page informing the user that they've successfully enrolled a device.
+func DeviceEnrolled() http.Handler {
+	tpl := template.Must(frontend.NewTemplates())
+	type TemplateData struct{}
+	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+		return tpl.ExecuteTemplate(w, "device-enrolled.html", TemplateData{})
+	})
+}
--- a/authenticate/handlers/handlers.go
+++ b/authenticate/handlers/handlers.go
@ -0,0 +1,2 @@
+// Package handlers contains various web handlers for the authenticate service.
+package handlers
--- a/authenticate/handlers/webauthn/webauthn.go
+++ b/authenticate/handlers/webauthn/webauthn.go
@ -302,6 +302,7 @@ func (h *Handler) handleRegister(w http.ResponseWriter, r *http.Request, state *
 			Id: webauthnutil.GetDeviceCredentialID(serverCredential.ID),
 		},
 	})
+
 	return h.saveSessionAndRedirect(w, r, state, redirectURIParam)
 }

@ -432,7 +433,7 @@ func (h *Handler) saveSessionAndRedirect(w http.ResponseWriter, r *http.Request,
 	encodedJWT := base64.URLEncoding.EncodeToString(encryptedJWT)

 	// redirect to the proxy callback URL with the session
-	callbackURL, err := urlutil.GetCallbackURL(r, encodedJWT)
+	callbackURL, err := urlutil.GetCallbackURLForRedirectURI(r, encodedJWT, rawRedirectURI)
 	if err != nil {
 		return err
 	}
--- a/internal/frontend/assets/html/device-enrolled.go.html
+++ b/internal/frontend/assets/html/device-enrolled.go.html
@ -0,0 +1,30 @@
+{{define "device-enrolled.html"}}<!DOCTYPE html>
+<html lang="en" charset="utf-8">
+  <head>
+    <title>Device Successfully Enrolled</title>
+    {{template "header.html"}}
+  </head>
+
+  <body>
+    <div class="inner">
+      <div class="header clearfix">
+        <div class="heading"></div>
+      </div>
+      <div class="content">
+        <div class="white box">
+          <div class="largestatus">
+            <div class="title-wrapper">
+              <span class="title">Device Successfully Enrolled</span>
+              <label class="status-time">
+                <span>
+                  Device was successfully enrolled.
+                </span>
+              </label>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
+{{end}}
--- a/internal/urlutil/proxy.go
+++ b/internal/urlutil/proxy.go
@ -11,7 +11,12 @@ var ErrMissingRedirectURI = errors.New("missing " + QueryRedirectURI)

 // GetCallbackURL gets the proxy's callback URL from a request and a base64url encoded + encrypted session state JWT.
 func GetCallbackURL(r *http.Request, encodedSessionJWT string) (*url.URL, error) {
-	rawRedirectURI := r.FormValue(QueryRedirectURI)
+	return GetCallbackURLForRedirectURI(r, encodedSessionJWT, r.FormValue(QueryRedirectURI))
+}
+
+// GetCallbackURLForRedirectURI gets the proxy's callback URL from a request and a base64url encoded + encrypted session
+// state JWT.
+func GetCallbackURLForRedirectURI(r *http.Request, encodedSessionJWT, rawRedirectURI string) (*url.URL, error) {
 	if rawRedirectURI == "" {
 		return nil, ErrMissingRedirectURI
 	}