extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-23 00:13:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

missing changes in Session class for 2FA

Browse Source
This commit is contained in:
Ralf Becker 2019-06-05 15:29:44 +02:00
parent ea2e9775ea
commit eb286c6144
1 changed files with 31 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
api/src/Session.php
View File

@ -21,6 +21,9 @@
namespace EGroupware\Api; namespace EGroupware\Api;
use PragmaRX\Google2FA;
use EGroupware\Api\Mail\Credentials;
/** /**
* Create, verifies or destroys an EGroupware session * Create, verifies or destroys an EGroupware session
* *
@ -444,9 +447,10 @@ class Session
* @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support * @param boolean $no_session =false dont create a real session, eg. for GroupDAV clients using only basic auth, no cookie support
* @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true * @param boolean $auth_check =true if false, the user is loged in without checking his password (eg. for single sign on), default = true
* @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested * @param boolean $fail_on_forced_password_change =false true: do NOT create session, if password change requested
* @param string|boolean $check_2fa =false string: 2fa-code to check (only if exists) and fail if wrong, false: do NOT check 2fa
* @return string|boolean session id or false if session was not created, $this->(cd_)reason contains cause * @return string|boolean session id or false if session was not created, $this->(cd_)reason contains cause
*/ */
function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false) function create($login,$passwd = '',$passwd_type = '',$no_session=false,$auth_check=true,$fail_on_forced_password_change=false,$check_2fa=false)
{ {
try { try {
if (is_array($login)) if (is_array($login))
@ -509,11 +513,7 @@ class Session
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check) UNSUCCESSFULL ($this->reason)"); if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check) UNSUCCESSFULL ($this->reason)");
return false; return false;
} }
if ($fail_on_forced_password_change && Auth::check_password_change($this->reason) === false)
{
$this->cd_reason = self::CD_FORCE_PASSWORD_CHANGE;
return false;
}
if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct']) if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'])
{ {
if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase') if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase')
@ -562,6 +562,31 @@ class Session
Cache::setSession('phpgwapi', 'password', base64_encode($this->passwd)); Cache::setSession('phpgwapi', 'password', base64_encode($this->passwd));
// if we have a second factor, check it before forced password change
if ($check_2fa !== false &&
($creds = Credentials::read(0, Credentials::TWOFA, $this->account_id)))
{
$google2fa = new Google2FA\Google2FA();
try {
if (!$google2fa->verify($check_2fa, $creds['2fa_password']))
{
throw new \Exception('Invalid 2-Factor Authentication code!');
}
}
catch(\Exception $e) {
$this->cd_reason = $this->reason = $e->getMessage();
$this->log_access($this->reason, $login, $user_ip, 0); // log unsuccessfull login
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check,$fail_on_forced_password_change,'$check_2fa') UNSUCCESSFULL ($this->reason)");
return false;
}
}
if ($fail_on_forced_password_change && Auth::check_password_change($this->reason) === false)
{
$this->cd_reason = self::CD_FORCE_PASSWORD_CHANGE;
return false;
}
if ($GLOBALS['egw']->acl->check('anonymous',1,'phpgwapi')) if ($GLOBALS['egw']->acl->check('anonymous',1,'phpgwapi'))
{ {
$this->session_flags = 'A'; $this->session_flags = 'A';