AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Write RememberMe cookie only after 2FA has been validated

Browse Source
This commit is contained in:
Frédéric Guillot
2021-04-04 17:30:33 -07:00
committed by fguillot
parent b08760c5fc
commit 31ce583743
4 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Controller/TwoFactorController.php
View File

@@ -153,8 +153,14 @@ class TwoFactorController extends UserViewController
$provider->setSecret($user['twofactor_secret']);
if ($provider->authenticate()) {
$this->userSession->validatePostAuthentication();
$this->userSession->setPostAuthenticationAsValidated();
$this->flash->success(t('The two factor authentication code is valid.'));
if (session_is_true('hasRememberMe')) {
$session = $this->rememberMeSessionModel->create($this->userSession->getId(), $this->request->getIpAddress(), $this->request->getUserAgent());
$this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
}
$this->response->redirect($this->helper->url->to('DashboardController', 'show'));
} else {
$this->flash->failure(t('The two factor authentication code is not valid.'));

2
app/Core/User/UserSession.php
View File

@@ -90,7 +90,7 @@ class UserSession extends Base
*
* @access public
*/
public function validatePostAuthentication()
public function setPostAuthenticationAsValidated()
{
session_set('postAuthenticationValidated', true);
}

4
app/Subscriber/AuthSubscriber.php
View File

@@ -55,10 +55,10 @@ class AuthSubscriber extends BaseSubscriber implements EventSubscriberInterface
);
if ($event->getAuthType() === 'RememberMe') {
$this->userSession->validatePostAuthentication();
$this->userSession->setPostAuthenticationAsValidated();
}
if (session_is_true('hasRememberMe')) {
if (session_is_true('hasRememberMe') && ! $this->userSession->hasPostAuthentication()) {
$session = $this->rememberMeSessionModel->create($this->userSession->getId(), $ipAddress, $userAgent);
$this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
}