Merge pull request #42 from nextcloud/http-warning

Show warning if u2f is used via HTTP
author: Christoph Wurst <ChristophWurst@users.noreply.github.com> 2017-10-30 17:11:50 +0300
committer: GitHub <noreply@github.com> 2017-10-30 17:11:50 +0300
commit: ce01e4a30753739415539d607f7f462be5eedd87 (patch)
tree: c1ae4347540db97c1b0792da4fdf59581f093f6b
parent: 0836a91a651f8c510ab3c7836331ec7160aa2902 (diff)
parent: 74740f65c431301bf20a4ff38311aca69692833a (diff)
4 files changed, 44 insertions, 9 deletions
diff --git a/js/challenge.js b/js/challenge.js
index dd7e7e7..f6cadfd 100644
--- a/js/challenge.js
+++ b/js/challenge.js
@@ -1,6 +1,6 @@
 /* global OCA, u2f */
 
-(function(OCA, u2f) {
+(function(OCA, u2f, document) {
 	'use strict';
 
 	OCA.TwoFactorU2F = OCA.TwoFactorU2F || {};
@@ -32,7 +32,14 @@
 		$form.submit();
 	}
 
+	function checkHTTPS() {
+		if (document.location.protocol !== 'https:') {
+			$('#u2f-http-warning').show();
+		}
+	}
+
 	function sign() {
+		checkHTTPS();
 		var req = JSON.parse($('#u2f-auth').val());
 
 		toggleError(false);
@@ -46,4 +53,4 @@
 
 	$(sign);
 
-})(OCA || {}, u2f);
+})(OCA || {}, u2f, document);
diff --git a/js/settingsview.js b/js/settingsview.js
index 0488776..efd0993 100644
--- a/js/settingsview.js
+++ b/js/settingsview.js
@@ -1,6 +1,6 @@
 /* global Backbone, Handlebars, OC, u2f, Promise, _ */
 
-(function (OC, OCA, Backbone, Handlebars, $, _, u2f) {
+(function (OC, OCA, Backbone, Handlebars, $, _, u2f, document) {
 	'use strict';
 
 	OCA.TwoFactorU2F = OCA.TwoFactorU2F || {};
@@ -81,6 +81,8 @@
 		 * @returns {undefined}
 		 */
 		render: function () {
+			this._checkHTTPS();
+
 			this._devices = _.sortBy(this._devices, function (device) {
 				// Underscore's stable sort requires a value for each item
 				return device.name || '';
@@ -99,6 +101,12 @@
 			return this;
 		},
 
+		_checkHTTPS: function () {
+			if (document.location.protocol !== 'https:') {
+				$('#u2f-http-warning').show();
+			}
+		},
+
 		/**
 		 * @private
 		 * @returns {Promise}
@@ -328,4 +336,4 @@
 
 	OCA.TwoFactorU2F.SettingsView = SettingsView;
 
-})(OC, OCA, OC.Backbone, Handlebars, $, _, u2f);
+})(OC, OCA, OC.Backbone, Handlebars, $, _, u2f, document);
diff --git a/templates/challenge.php b/templates/challenge.php
index 801d421..1077348 100644
--- a/templates/challenge.php
+++ b/templates/challenge.php
@@ -14,10 +14,18 @@ style('twofactor_u2f', 'style');
 
 <img src="<?php print_unescaped(image_path('twofactor_u2f', 'app.svg')); ?>">
 <p id="u2f-info">
-	<?php p($l->t('Please plug in your U2F device and press the device button to authorize.')) ?>
+<?php p($l->t('Please plug in your U2F device and press the device button to authorize.')) ?>
 </p>
 <p id="u2f-error"
    style="display: none">
 	<strong><?php p($l->t('An error occurred. Please try again.')) ?></strong>
 </p>
-<p><em><?php p($l->t('Install the "U2F Support Add-on" on Firefox to use U2F, this is not needed on Chrome.')) ?></em></p>
+<p>
+	<em>
+		<?php p($l->t('Install the "U2F Support Add-on" on Firefox to use U2F, this is not needed on Chrome.')) ?>
+		<p id="u2f-http-warning"
+		      style="display: none">
+			<?php p($l->t('You are accessing this site via an insecure connection. Browsers might therefore refuse the U2F authentication.')) ?>
+		</p>
+	</em>
+</p>
diff --git a/templates/personal.php b/templates/personal.php
index 457c8f3..bd77496 100644
--- a/templates/personal.php
+++ b/templates/personal.php
@@ -11,7 +11,19 @@ style('twofactor_u2f', 'style');
 		<span class="icon-loading-small u2f-loading"></span>
 		<span><?php p($l->t('Loading your devices …')); ?></span>
 	</div>
-	<p class="utf-register-info" style="display: none;"><?php p($l->t('Please plug in your U2F device and press the device button to authorize.')) ?></p>
-	<p class="utf-register-info" style="display: none;"><em><?php p($l->t('Chrome is the only browser that supports U2F devices. You need to install the "U2F Support Add-on" on Firefox to use U2F.')) ?></em></p>
-	<p class="utf-register-success" style="display: none;"><span class="icon-checkmark-color" style="width: 16px;"></span><?php p($l->t('U2F device successfully registered.')) ?></p>
+	<p class="utf-register-info" style="display: none;">
+		<?php p($l->t('Please plug in your U2F device and press the device button to authorize.')) ?>
+	</p>
+	<p class="utf-register-info" style="display: none;">
+		<em>
+			<?php p($l->t('Chrome is the only browser that supports U2F devices. You need to install the "U2F Support Add-on" on Firefox to use U2F.')) ?>
+			<p id="u2f-http-warning"
+			   style="display: none">
+				   <?php p($l->t('You are accessing this site via an insecure connection. Browsers might therefore refuse the U2F authentication.')) ?>
+			</p>
+		</em>
+	</p>
+	<p class="utf-register-success" style="display: none;">
+		<span class="icon-checkmark-color" style="width: 16px;"></span><?php p($l->t('U2F device successfully registered.')) ?>
+	</p>
 </div>
author	Christoph Wurst <ChristophWurst@users.noreply.github.com>	2017-10-30 17:11:50 +0300
committer	GitHub <noreply@github.com>	2017-10-30 17:11:50 +0300
commit	ce01e4a30753739415539d607f7f462be5eedd87 (patch)
tree	c1ae4347540db97c1b0792da4fdf59581f093f6b
parent	0836a91a651f8c510ab3c7836331ec7160aa2902 (diff)
parent	74740f65c431301bf20a4ff38311aca69692833a (diff)