mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-26 18:03:39 +01:00
missing changes in Session class for 2FA
parent
ea2e9775ea
commit
eb286c6144
@ -21,6 +21,9 @@
|
|||||||
|
|
||||||
namespace EGroupware\Api;
|
namespace EGroupware\Api;
|
||||||
|
|
||||||
|
use PragmaRX\Google2FA;
|
||||||
|
use EGroupware\Api\Mail\Credentials;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create, verifies or destroys an EGroupware session
|
* Create, verifies or destroys an EGroupware session
|
||||||
*
|
*
|
||||||
@ -444,9 +447,10 @@ class Session
|
|||||||
* @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support
|
* @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support
|
||||||
* @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true
|
* @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true
|
||||||
* @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested
|
* @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested
|
||||||
|
* @param string|boolean $check_2fa =false string: 2fa-code to check (only if exists) and fail if wrong, false: do NOT check 2fa
|
||||||
* @return string|boolean session id or false if session was not created, $this->(cd_)reason contains cause
|
* @return string|boolean session id or false if session was not created, $this->(cd_)reason contains cause
|
||||||
*/
|
*/
|
||||||
function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false)
|
function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false,$check_2fa=false)
|
||||||
{
|
{
|
||||||
try {
|
try {
|
||||||
if (is_array($login))
|
if (is_array($login))
|
||||||
@ -509,11 +513,7 @@ class Session
|
|||||||
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check) UNSUCCESSFULL ($this->reason)");
|
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check) UNSUCCESSFULL ($this->reason)");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ($fail_on_forced_password_change && Auth::check_password_change($this->reason) === false)
|
|
||||||
{
|
|
||||||
$this->cd_reason = self::CD_FORCE_PASSWORD_CHANGE;
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'])
|
if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'])
|
||||||
{
|
{
|
||||||
if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase')
|
if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase')
|
||||||
@ -562,6 +562,31 @@ class Session
|
|||||||
|
|
||||||
Cache::setSession('phpgwapi', 'password', base64_encode($this->passwd));
|
Cache::setSession('phpgwapi', 'password', base64_encode($this->passwd));
|
||||||
|
|
||||||
|
// if we have a second factor, check it before forced password change
|
||||||
|
if ($check_2fa !== false &&
|
||||||
|
($creds = Credentials::read(0, Credentials::TWOFA, $this->account_id)))
|
||||||
|
{
|
||||||
|
$google2fa = new Google2FA\Google2FA();
|
||||||
|
try {
|
||||||
|
if (!$google2fa->verify($check_2fa, $creds['2fa_password']))
|
||||||
|
{
|
||||||
|
throw new \Exception('Invalid 2-Factor Authentication code!');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch(\Exception $e) {
|
||||||
|
$this->cd_reason = $this->reason = $e->getMessage();
|
||||||
|
$this->log_access($this->reason, $login, $user_ip, 0); // log unsuccessfull login
|
||||||
|
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check,$fail_on_forced_password_change,'$check_2fa') UNSUCCESSFULL ($this->reason)");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($fail_on_forced_password_change && Auth::check_password_change($this->reason) === false)
|
||||||
|
{
|
||||||
|
$this->cd_reason = self::CD_FORCE_PASSWORD_CHANGE;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if ($GLOBALS['egw']->acl->check('anonymous',1,'phpgwapi'))
|
if ($GLOBALS['egw']->acl->check('anonymous',1,'phpgwapi'))
|
||||||
{
|
{
|
||||||
$this->session_flags = 'A';
|
$this->session_flags = 'A';
|
||||||
|
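Review bot: The second factor in `create()` is enforced only when the caller passes a code: with the default `$check_2fa=false` the `if ($check_2fa !== false && …)` guard is skipped and an account with stored `Credentials::TWOFA` data gets a session on password alone, so every interactive login path has to pass the submitted code explicitly. I would state that in the docblock, e.g. `* false skips the check even for accounts with an enrolled second factor; interactive logins must pass the submitted code`. The new debug line also writes `$this->passwd` and `'$check_2fa'` to the error log when `self::ERROR_LOG_DEBUG` is set; both should be dropped from the message. `verify()` accepts a code for its whole validity window, so a replayed code would pass unless reuse is tracked elsewhere (the library's `verifyKeyNewer()` is meant for that, given a stored last-used timestamp). The body of `create()` starts and ends outside the hunks shown.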