remove browser check for webauthn support

composer.json

@@ -22,7 +22,6 @@
     "silinternational/psr3-adapters": "v4.0.0",
     "silinternational/yii2-json-log-targets": "^2.0",
     "silinternational/idp-id-broker-php-client": "^4.3",
-    "sinergi/browser-detector": "^6.1",
     "yiisoft/yii2": "~2.0.12",
     "yiisoft/yii2-gii": "^2.0",
     "google/recaptcha": "^1.1",

features/bootstrap/MfaContext.php

@@ -2,20 +2,15 @@
 
 use Behat\Mink\Element\DocumentElement;
 use Behat\Mink\Element\NodeElement;
-use Behat\Mink\Exception\ElementNotFoundException;
 use PHPUnit\Framework\Assert;
 use Sil\PhpEnv\Env;
 use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
-use SimpleSAML\Module\mfa\LoginBrowser;
 
 /**
  * Defines application features from the specific context.
  */
 class MfaContext extends FeatureContext
 {
-    const USER_AGENT_WITHOUT_WEBAUTHN_SUPPORT = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko';
-    const USER_AGENT_WITH_WEBAUTHN_SUPPORT = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36';
-
     /**
      * Assert that the given page has a form that contains the given text.
      *
@@ -433,20 +428,6 @@ public function iProvideCredentialsThatHaveUf()
         $this->iProvideCredentialsThatNeedMfaAndHaveUfAvailable();
     }
 
-    /**
-     * @Given the user's browser supports WebAuthn
-     */
-    public function theUsersBrowserSupportsUf()
-    {
-        $userAgentWithWebAuthn = self::USER_AGENT_WITH_WEBAUTHN_SUPPORT;
-        Assert::assertTrue(
-            LoginBrowser::supportsWebAuthn($userAgentWithWebAuthn),
-            'Update USER_AGENT_WITH_WEBAUTHN_SUPPORT to a User Agent with WebAuthn support'
-        );
-
-//        $this->driver->getClient()->setServerParameter('HTTP_USER_AGENT', $userAgentWithWebAuthn);
-    }
-
     /**
      * @Given I provide credentials that have WebAuthn, TOTP
      */
@@ -567,38 +548,6 @@ public function IHaveMoreRecentlyUsedBackupCode()
         $this->password = 'a';
     }
 
-    /**
-     * @Given the user's browser does not support WebAuthn
-     */
-    public function theUsersBrowserDoesNotSupportUf()
-    {
-        $userAgentWithoutWebAuthn = self::USER_AGENT_WITHOUT_WEBAUTHN_SUPPORT;
-        Assert::assertFalse(
-            LoginBrowser::supportsWebAuthn($userAgentWithoutWebAuthn),
-            'Update USER_AGENT_WITHOUT_WEBAUTHN_SUPPORT to a User Agent without WebAuthn support'
-        );
-
-//        $this->driver->getClient()->setServerParameter('HTTP_USER_AGENT', $userAgentWithoutWebAuthn);
-    }
-
-    /**
-     * @Then I should not see an error message about WebAuthn being unsupported
-     */
-    public function iShouldNotSeeAnErrorMessageAboutUfBeingUnsupported()
-    {
-        $page = $this->session->getPage();
-        Assert::assertNotContains('USB Security Keys are not supported', $page->getContent());
-    }
-
-    /**
-     * @Then I should see an error message about WebAuthn being unsupported
-     */
-    public function iShouldSeeAnErrorMessageAboutUfBeingUnsupported()
-    {
-        $page = $this->session->getPage();
-        Assert::assertContains('USB Security Keys are not supported', $page->getContent());
-    }
-
     /**
      * @Given the user has a manager email
      */

features/mfa.feature

@@ -35,7 +35,6 @@ Feature: Prompt for MFA credentials
 
   Scenario: Needs MFA, has WebAuthn option available
     Given I provide credentials that need MFA and have WebAuthn available
-    And the user's browser supports WebAuthn
     When I log in
     Then I should see a prompt for a WebAuthn security key
 
@@ -126,65 +125,24 @@ Feature: Prompt for MFA credentials
     When I click the remind-me-later button
     Then I should end up at my intended destination
 
-  Scenario Outline: Defaulting to another option when WebAuthn is not supported
-    Given I provide credentials that have <WebAuthn?><TOTP?><backup codes?>
-    And the user's browser <supports WebAuthn or not>
-    When I log in
-    Then I should see a prompt for a <default MFA type>
-
-    Examples:
-      | WebAuthn? | TOTP?  | backup codes?  | supports WebAuthn or not | default MFA type |
-      | WebAuthn  |        |                | supports WebAuthn        | WebAuthn         |
-      | WebAuthn  | , TOTP |                | supports WebAuthn        | WebAuthn         |
-      | WebAuthn  |        | , backup codes | supports WebAuthn        | WebAuthn         |
-      | WebAuthn  | , TOTP | , backup codes | supports WebAuthn        | WebAuthn         |
-      |           | TOTP   |                | supports WebAuthn        | TOTP             |
-      |           | TOTP   | , backup codes | supports WebAuthn        | TOTP             |
-      |           |        | backup codes   | supports WebAuthn        | backup code      |
-# The following cases are disabled due to lack of test support for changing web client user agent
-#      | WebAuthn  |          |                | does not support WebAuthn | WebAuthn         |
-#      | WebAuthn  | , TOTP   |                | does not support WebAuthn |   TOTP           |
-#      | WebAuthn  |          | , backup codes | does not support WebAuthn |      backup code |
-#      | WebAuthn  | , TOTP   | , backup codes | does not support WebAuthn |   TOTP           |
-#      |           |   TOTP   |                | does not support WebAuthn |   TOTP           |
-#      |           |   TOTP   | , backup codes | does not support WebAuthn |   TOTP           |
-#      |           |          |   backup codes | does not support WebAuthn |      backup code |
-
-
   Scenario Outline: Defaulting to the most recently used mfa option
     Given I provide credentials that have a used <MFA type>
     And and I have a more recently used <recent MFA type>
-    And the user's browser <supports WebAuthn or not>
     When I log in
     Then I should see a prompt for a <default MFA type>
 
     Examples:
-      | MFA type    | recent MFA type | supports WebAuthn or not | default MFA type |
-      | WebAuthn    | TOTP            | supports WebAuthn        | TOTP             |
-      | TOTP        | WebAuthn        | supports WebAuthn        | WebAuthn         |
-      | TOTP        | backup code     | supports WebAuthn        | backup code      |
-      | backup code | TOTP            | supports WebAuthn        | TOTP             |
-# The following case is disabled due to lack of test support for changing web client user agent
-#      | TOTP        |  WebAuthn         |  does not support WebAuthn  |  TOTP             |
+      | MFA type    | recent MFA type | default MFA type |
+      | WebAuthn    | TOTP            | TOTP             |
+      | TOTP        | WebAuthn        | WebAuthn         |
+      | TOTP        | backup code     | backup code      |
+      | backup code | TOTP            | TOTP             |
 
   Scenario: Defaulting to the manager code despite having a used mfa
     Given I provide credentials that have a manager code, a WebAuthn and a more recently used TOTP
-    And the user's browser supports WebAuthn
     When I log in
     Then I should see a prompt for a manager rescue code
 
-  Scenario Outline: When to show the WebAuthn-not-supported error message
-    Given I provide credentials that have WebAuthn
-    And the user's browser <supports WebAuthn or not>
-    When I log in
-    Then I <should or not> see an error message about WebAuthn being unsupported
-
-    Examples:
-      | supports WebAuthn or not | should or not |
-      | supports WebAuthn        | should not    |
-# The following case is disabled due to lack of test support for changing web client user agent
-#      | does not support WebAuthn | should        |
-
   Scenario Outline: When to show the link to send a manager rescue code
     Given I provide credentials that have <WebAuthn?><TOTP?><backup codes?>
     And the user <has or does not have> a manager email

modules/material/locales/en/LC_MESSAGES/material.po

@@ -137,9 +137,6 @@ msgstr "USB key icon"
 msgid "{mfa:webauthn_instructions}"
 msgstr "You may now insert your security key and press its button."
 
-msgid "{mfa:webauthn_unsupported}"
-msgstr "Unsupported in your current browser. Please consider a more secure browser like <a href='https://www.google.com/chrome/browser' target='_blank' rel=noopener'>Google Chrome</a>."
-
 msgid "{mfa:webauthn_error_unknown}"
 msgstr "Something went wrong with that request, unable to verify at this time."
 

modules/material/locales/es/LC_MESSAGES/material.po

@@ -137,9 +137,6 @@ msgstr "Icono de la llave USB"
 msgid "{mfa:webauthn_instructions}"
 msgstr "Ahora puede insertar su clave de seguridad y presionar su botón."
 
-msgid "{mfa:webauthn_unsupported}"
-msgstr "No compatible en su navegador actual. Considere un navegador más seguro como <a href='https://www.google.com/chrome/browser' target='_blank' rel='noopener'>Google Chrome</a>."
-
 msgid "{mfa:webauthn_error_unknown}"
 msgstr "Algo salió mal con esa solicitud, no se pudo verificar en este momento."
 

modules/material/locales/fr/LC_MESSAGES/material.po

@@ -137,9 +137,6 @@ msgstr "Icône de clé USB"
 msgid "{mfa:webauthn_instructions}"
 msgstr "Vous pouvez maintenant insérer votre clé de sécurité et appuyer sur le bouton."
 
-msgid "{mfa:webauthn_unsupported}"
-msgstr "Non compatible avec votre navigateur actuel. Veuillez considérer un navigateur plus sûr comme <a href='https://www.google.com/chrome/browser' target='_blank' rel='noopener'>Google Chrome</a>."
-
 msgid "{mfa:webauthn_error_unknown}"
 msgstr "Quelque chose s'est mal passé avec cette demande, impossible de vérifier pour le moment."
 

modules/material/locales/ko/LC_MESSAGES/material.po

@@ -137,9 +137,6 @@ msgstr "USB 키 아이콘"
 msgid "{mfa:webauthn_instructions}"
 msgstr "이제 보안 키를 삽입하고 단추를 누를 수 있습니다."
 
-msgid "{mfa:webauthn_unsupported}"
-msgstr "현재 브라우저에서 지원되지 않습니다. <a href='https://www.google.com/chrome/browser' target='_blank' rel='noopener'>Chrome과</a> 같은 보다 안전한 브라우저를 고려하십시오."
-
 msgid "{mfa:webauthn_error_unknown}"
 msgstr "요청에 문제가 발생하여 지금은 확인할 수 없습니다."
 

modules/material/themes/material/mfa/prompt-for-mfa-webauthn.twig

@@ -65,7 +65,7 @@
   </script>
 </head>
 
-<body class="gradient-bg" onload="{{ supports_web_authn ? 'verifyWebAuthn()' : '' }}">
+<body class="gradient-bg" onload="verifyWebAuthn()">
 <div class="mdl-layout mdl-layout--fixed-header fill-viewport">
   <header class="mdl-layout__header">
     <div class="mdl-layout__header-row">
@@ -88,19 +88,11 @@
           </h1>
         </div>
 
-        {% if supports_web_authn %}
-          <div class="mdl-card__title">
-            <p class="mdl-card__subtitle-text">
-              {{ '{mfa:webauthn_instructions}'|trans }}
-            </p>
-          </div>
-        {% else %}
-          <div class="mdl-card__title">
-            <p class="mdl-typography--text-center mdl-color-text--red">
-              {{ '{mfa:webauthn_unsupported}'|trans|raw }}
-            </p>
-          </div>
-        {% endif %}
+        <div class="mdl-card__title">
+          <p class="mdl-card__subtitle-text">
+            {{ '{mfa:webauthn_instructions}'|trans }}
+          </p>
+        </div>
 
         {% if error_message is not empty %}
           <script>

modules/mfa/public/prompt-for-mfa.php

@@ -13,7 +13,6 @@
 use SimpleSAML\Error\BadRequest;
 use SimpleSAML\Module\mfa\Auth\Process\Mfa;
 use SimpleSAML\Module\mfa\LoggerFactory;
-use SimpleSAML\Module\mfa\LoginBrowser;
 use SimpleSAML\Utils\HTTP;
 use SimpleSAML\XHTML\Template;
 
@@ -46,7 +45,6 @@
 }
 
 $mfaId = filter_input(INPUT_GET, 'mfaId');
-$userAgent = LoginBrowser::getUserAgent();
 
 if (empty($mfaId)) {
     $logger->critical(json_encode([
@@ -55,7 +53,7 @@
     ]));
 
     // Pick an MFA ID and do a redirect to put that into the URL.
-    $mfaOption = Mfa::getMfaOptionToUse($mfaOptions, $userAgent);
+    $mfaOption = Mfa::getMfaOptionToUse($mfaOptions);
     $moduleUrl = SimpleSAML\Module::getModuleURL('mfa/prompt-for-mfa.php', [
         'mfaId' => $mfaOption['id'],
         'StateId' => $stateId,
@@ -123,7 +121,6 @@
 $t->data['error_message'] = $errorMessage ?? null;
 $t->data['mfa_option_data'] = json_encode($mfaOption['data']);
 $t->data['mfa_options'] = $mfaOptions;
-$t->data['supports_web_authn'] = LoginBrowser::supportsWebAuthn($userAgent);
 $browserJsHash = md5_file(__DIR__ . '/simplewebauthn/browser.js');
 $t->data['browser_js_path'] = '/module.php/mfa/simplewebauthn/browser.js?v=' . $browserJsHash;
 $t->data['manager_email'] = $state['managerEmail'];