fixes mfa escape from form

2024-09-19 15:55:13 +00:00 · 2023-03-08 22:33:33 +11:00 · 2023-03-08 22:33:33 +11:00 · d9e1de7832
commit d9e1de7832
parent ee09d848cb
4 changed files with 31 additions and 20 deletions
--- a/Code/Module/Totp_check.php
+++ b/Code/Module/Totp_check.php
@ -14,10 +14,6 @@ class Totp_check extends Controller
    {
        $retval = ['status' => false];

-        if (!local_channel()) {
-            json_return_and_die($retval);
-        }
-
        $account = App::get_account();
        if (!$account) {
            json_return_and_die($retval);
--- a/include/auth.php
+++ b/include/auth.php
@ -309,6 +309,13 @@ if (
            $atoken  = $verify['xchan'];
            $channel = $verify['channel'];
            $account = App::$account = $verify['account'];
+            $multiFactor = AConfig::Get(App::$account['account_id'], 'system', 'mfa_enabled');
+            if ($multiFactor) {
+                $_SESSION['2FA_REQUIRED'] = true;
+            }
+            else {
+                unset($_SESSION['2FA_REQUIRED']);
+            }
        }

        if (App::$account) {
--- a/include/security.php
+++ b/include/security.php
@ -30,19 +30,27 @@ function authenticate_success($user_record, $channel = false, $login_initial = f
        $_SESSION['account_id'] = $user_record['account_id'];
        $_SESSION['authenticated'] = 1;

-        if ($channel) {
-            $uid_to_load = $channel['channel_id'];
+        $canChangeChannel = empty($_SESSION['2FA_REQUIRED']);
+        if (!empty($_SESSION['2FA_VERIFIED'])) {
+            $canChangeChannel = true;
        }

-        if (! isset($uid_to_load)) {
-            $uid_to_load = (((x($_SESSION, 'uid')) && (intval($_SESSION['uid'])))
-                ? intval($_SESSION['uid'])
-                : intval(App::$account['account_default_channel'])
-            );
-        }
+        if ($canChangeChannel) {

-        if ($uid_to_load) {
-            change_channel($uid_to_load);
+            if ($channel) {
+                $uid_to_load = $channel['channel_id'];
+            }
+
+            if (!isset($uid_to_load)) {
+                $uid_to_load = (((x($_SESSION, 'uid')) && (intval($_SESSION['uid'])))
+                    ? intval($_SESSION['uid'])
+                    : intval(App::$account['account_default_channel'])
+                );
+            }
+
+            if ($uid_to_load) {
+                change_channel($uid_to_load);
+            }
        }

        if (($login_initial || $update_lastlog) && (! (isset($_SESSION['sudo']) && $_SESSION['sudo']))) {
@ -59,13 +67,13 @@ function authenticate_success($user_record, $channel = false, $login_initial = f

    if ($login_initial && $interactive) {
        Hook::call('logged_in', $user_record);
-        $multiFactor  =  AConfig::Get(App::$account['account_id'], 'system', 'mfa_enabled');
-        if ($multiFactor && empty($_SESSION['2FA_VERIFIED'])) {
-            goaway(z_root() . '/totp_check');
-        }
        // might want to log success here
    }

+    if ($_SESSION['2FA_REQUIRED'] && !$_SESSION['2FA_VERIFIED'] && App::$module !== 'totp_check') {
+        goaway(z_root() . '/totp_check');
+    }
+
    if ($return || x($_SESSION, 'workflow')) {
        unset($_SESSION['workflow']);
        return;
--- a/view/tpl/totp.tpl
+++ b/view/tpl/totp.tpl
@ -46,13 +46,13 @@ function hitkey(ev) {
 <div class="generic-content-wrapper">
    <div class="section-content-tools-wrapper">
        <h3 style="text-align: center;">{{$header}}</h3>
-
        <div>{{$desc}}</div>
-
+        <br>
        <div class="form-group">
            <input type="text" class="form-control" style="width: 10em" id="totp-code" onkeydown="hitkey(event)"/>
            <div id="feedback"></div>
        </div>
+        <br>
        <div>
            <input type="button" class="btn btn-primary" value={{$submit}} onclick="totp_verify()"/>
        </div>