Write RememberMe cookie only after 2FA has been validated

This commit is contained in:
Frédéric Guillot 2021-04-04 17:30:33 -07:00 committed by fguillot
parent b08760c5fc
commit 31ce583743
4 changed files with 11 additions and 5 deletions


@ -153,8 +153,14 @@ class TwoFactorController extends UserViewController
$provider->setSecret($user['twofactor_secret']); $provider->setSecret($user['twofactor_secret']);
if ($provider->authenticate()) { if ($provider->authenticate()) {
$this->userSession->validatePostAuthentication(); $this->userSession->setPostAuthenticationAsValidated();
$this->flash->success(t('The two factor authentication code is valid.')); $this->flash->success(t('The two factor authentication code is valid.'));
if (session_is_true('hasRememberMe')) {
$session = $this->rememberMeSessionModel->create($this->userSession->getId(), $this->request->getIpAddress(), $this->request->getUserAgent());
$this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
}
$this->response->redirect($this->helper->url->to('DashboardController', 'show')); $this->response->redirect($this->helper->url->to('DashboardController', 'show'));
} else { } else {
$this->flash->failure(t('The two factor authentication code is not valid.')); $this->flash->failure(t('The two factor authentication code is not valid.'));
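Review bot: The three lines added at 16–19 (read `hasRememberMe`, create a RememberMe session, write the cookie) duplicate the block in AuthSubscriber almost verbatim, so the cookie-issuing logic now lives in two places that must stay in sync; a single helper on the RememberMe side, taking the IP address and user agent as arguments, would let both call sites share it. The `hasRememberMe` flag is also left set after the cookie is written here; if that flag survives beyond this request, clearing it once the cookie has been issued would make the "write once, after 2FA" intent of the commit explicit rather than relying on the subscriber's guard — worth confirming where the flag is otherwise reset. The enclosing controller action starts and ends outside this hunk.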


@ -90,7 +90,7 @@ class UserSession extends Base
* *
* @access public * @access public
*/ */
public function validatePostAuthentication() public function setPostAuthenticationAsValidated()
{ {
session_set('postAuthenticationValidated', true); session_set('postAuthenticationValidated', true);
} }


@ -55,10 +55,10 @@ class AuthSubscriber extends BaseSubscriber implements EventSubscriberInterface
); );
if ($event->getAuthType() === 'RememberMe') { if ($event->getAuthType() === 'RememberMe') {
$this->userSession->validatePostAuthentication(); $this->userSession->setPostAuthenticationAsValidated();
} }
if (session_is_true('hasRememberMe')) { if (session_is_true('hasRememberMe') && ! $this->userSession->hasPostAuthentication()) {
$session = $this->rememberMeSessionModel->create($this->userSession->getId(), $ipAddress, $userAgent); $session = $this->rememberMeSessionModel->create($this->userSession->getId(), $ipAddress, $userAgent);
$this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']); $this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
} }
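Review bot: The new guard on line 42 keys on whether 2FA is enabled (`hasPostAuthentication()`), not on whether it has been passed, so it encodes the rule "the controller will write the cookie later" only indirectly. In the `RememberMe` branch just above, post-authentication is marked as validated, yet a 2FA-enabled user on that path is still denied a cookie by this condition; if that path ever has `hasRememberMe` set, the cookie would never be issued. Stating the invariant directly, `if (session_is_true('hasRememberMe') && (! $this->userSession->hasPostAuthentication() || $this->userSession->isPostAuthenticationValidated())) {`, keeps the deferral for users who still have to enter a code while covering any path where validation has already happened; a short comment such as `// Defer the RememberMe cookie until 2FA has been validated (TwoFactorController writes it)` would also help the next reader, since the other half of the logic lives in a different file.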


@ -127,7 +127,7 @@ class UserSessionTest extends Base
$_SESSION['postAuthenticationValidated'] = false; $_SESSION['postAuthenticationValidated'] = false;
$this->assertFalse($userSession->isPostAuthenticationValidated()); $this->assertFalse($userSession->isPostAuthenticationValidated());
$userSession->validatePostAuthentication(); $userSession->setPostAuthenticationAsValidated();
$this->assertTrue($userSession->isPostAuthenticationValidated()); $this->assertTrue($userSession->isPostAuthenticationValidated());
$_SESSION['user'] = array(); $_SESSION['user'] = array();