From 31ce583743e1a18ecdb213f91e8fb7d6609444c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Sun, 4 Apr 2021 17:30:33 -0700
Subject: [PATCH] Write RememberMe cookie only after 2FA has been validated

---
 app/Controller/TwoFactorController.php    | 8 +++++++-
 app/Core/User/UserSession.php             | 2 +-
 app/Subscriber/AuthSubscriber.php         | 4 ++--
 tests/units/Core/User/UserSessionTest.php | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/app/Controller/TwoFactorController.php b/app/Controller/TwoFactorController.php
index 473838ef2..116b72d5c 100644
--- a/app/Controller/TwoFactorController.php
+++ b/app/Controller/TwoFactorController.php
@@ -153,8 +153,14 @@ class TwoFactorController extends UserViewController
         $provider->setSecret($user['twofactor_secret']);
 
         if ($provider->authenticate()) {
-            $this->userSession->validatePostAuthentication();
+            $this->userSession->setPostAuthenticationAsValidated();
             $this->flash->success(t('The two factor authentication code is valid.'));
+
+            if (session_is_true('hasRememberMe')) {
+                $session = $this->rememberMeSessionModel->create($this->userSession->getId(), $this->request->getIpAddress(), $this->request->getUserAgent());
+                $this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
+            }
+
             $this->response->redirect($this->helper->url->to('DashboardController', 'show'));
         } else {
             $this->flash->failure(t('The two factor authentication code is not valid.'));
diff --git a/app/Core/User/UserSession.php b/app/Core/User/UserSession.php
index 911f7ab03..9c49850ab 100644
--- a/app/Core/User/UserSession.php
+++ b/app/Core/User/UserSession.php
@@ -90,7 +90,7 @@ class UserSession extends Base
      *
      * @access public
      */
-    public function validatePostAuthentication()
+    public function setPostAuthenticationAsValidated()
     {
         session_set('postAuthenticationValidated', true);
     }
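Review bot: The `hasRememberMe` session flag is left set after the cookie has been written in the new block, and nothing visible on this page clears it, so the "issue a remember-me cookie" intent outlives the login it belonged to; consider `session_set('hasRememberMe', false);` right after `$this->rememberMeCookie->write(...)` so no later code path that tests the same flag can issue a second cookie. The session-create plus cookie-write pair is now duplicated verbatim from AuthSubscriber; extracting it into one shared helper keeps the two issuing paths from drifting apart (the same remark applies to the AuthSubscriber hunk). The return value of `rememberMeSessionModel->create()` is indexed without a check, which is fine only if it cannot return `false` — worth confirming against the model. A short comment above the block, `// Deferred from AuthSubscriber: the remember-me cookie is only issued once the 2FA code has been validated`, would record why the controller does this. The enclosing method starts and ends outside the hunk.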
diff --git a/app/Subscriber/AuthSubscriber.php b/app/Subscriber/AuthSubscriber.php
index 2305a6aa1..f971af9b7 100644
--- a/app/Subscriber/AuthSubscriber.php
+++ b/app/Subscriber/AuthSubscriber.php
@@ -55,10 +55,10 @@ class AuthSubscriber extends BaseSubscriber implements EventSubscriberInterface
         );
 
         if ($event->getAuthType() === 'RememberMe') {
-            $this->userSession->validatePostAuthentication();
+            $this->userSession->setPostAuthenticationAsValidated();
         }
 
-        if (session_is_true('hasRememberMe')) {
+        if (session_is_true('hasRememberMe') && ! $this->userSession->hasPostAuthentication()) {
             $session = $this->rememberMeSessionModel->create($this->userSession->getId(), $ipAddress, $userAgent);
             $this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
         }
diff --git a/tests/units/Core/User/UserSessionTest.php b/tests/units/Core/User/UserSessionTest.php
index 650107b7e..b5b150f9d 100644
--- a/tests/units/Core/User/UserSessionTest.php
+++ b/tests/units/Core/User/UserSessionTest.php
@@ -127,7 +127,7 @@ class UserSessionTest extends Base
         $_SESSION['postAuthenticationValidated'] = false;
         $this->assertFalse($userSession->isPostAuthenticationValidated());
 
-        $userSession->validatePostAuthentication();
+        $userSession->setPostAuthenticationAsValidated();
         $this->assertTrue($userSession->isPostAuthenticationValidated());
 
         $_SESSION['user'] = array();
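Review bot: The new `&& ! $this->userSession->hasPostAuthentication()` guard has no comment, and a reader of this file alone cannot tell that the cookie for 2FA users is deliberately issued elsewhere rather than dropped; add `// Users with 2FA enabled get their RememberMe cookie from TwoFactorController, once the code has been validated` above the `if`. The guard keys on whether 2FA is enabled rather than on `isPostAuthenticationValidated()`, so for the `RememberMe` auth type handled just above — where post-authentication is marked validated on the preceding lines — a 2FA user still gets no fresh cookie here; that is harmless if a cookie login never needs to re-issue one, but I cannot see where `hasRememberMe` is set, so please confirm. Writing the guard as `! $this->userSession->hasPostAuthentication() || $this->userSession->isPostAuthenticationValidated()` would make the intent explicit and cover that case. The enclosing method starts outside the hunk.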