Write RememberMe cookie only after 2FA has been validated

2021-04-04 17:30:33 -07:00 · 2021-04-04 17:30:33 -07:00 · 31ce583743
parent b08760c5fc
commit 31ce583743
4 changed files with 11 additions and 5 deletions
--- a/app/Controller/TwoFactorController.php
+++ b/app/Controller/TwoFactorController.php
@ -153,8 +153,14 @@ class TwoFactorController extends UserViewController
        $provider->setSecret($user['twofactor_secret']);

        if ($provider->authenticate()) {
-            $this->userSession->validatePostAuthentication();
+            $this->userSession->setPostAuthenticationAsValidated();
            $this->flash->success(t('The two factor authentication code is valid.'));
+
+            if (session_is_true('hasRememberMe')) {
+                $session = $this->rememberMeSessionModel->create($this->userSession->getId(), $this->request->getIpAddress(), $this->request->getUserAgent());
+                $this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
+            }
+
            $this->response->redirect($this->helper->url->to('DashboardController', 'show'));
        } else {
            $this->flash->failure(t('The two factor authentication code is not valid.'));
--- a/app/Core/User/UserSession.php
+++ b/app/Core/User/UserSession.php
@ -90,7 +90,7 @@ class UserSession extends Base
     *
     * @access public
     */
-    public function validatePostAuthentication()
+    public function setPostAuthenticationAsValidated()
    {
        session_set('postAuthenticationValidated', true);
    }
--- a/app/Subscriber/AuthSubscriber.php
+++ b/app/Subscriber/AuthSubscriber.php
@ -55,10 +55,10 @@ class AuthSubscriber extends BaseSubscriber implements EventSubscriberInterface
        );

        if ($event->getAuthType() === 'RememberMe') {
-            $this->userSession->validatePostAuthentication();
+            $this->userSession->setPostAuthenticationAsValidated();
        }

-        if (session_is_true('hasRememberMe')) {
+        if (session_is_true('hasRememberMe') && ! $this->userSession->hasPostAuthentication()) {
            $session = $this->rememberMeSessionModel->create($this->userSession->getId(), $ipAddress, $userAgent);
            $this->rememberMeCookie->write($session['token'], $session['sequence'], $session['expiration']);
        }
--- a/tests/units/Core/User/UserSessionTest.php
+++ b/tests/units/Core/User/UserSessionTest.php
@ -127,7 +127,7 @@ class UserSessionTest extends Base
        $_SESSION['postAuthenticationValidated'] = false;
        $this->assertFalse($userSession->isPostAuthenticationValidated());

-        $userSession->validatePostAuthentication();
+        $userSession->setPostAuthenticationAsValidated();
        $this->assertTrue($userSession->isPostAuthenticationValidated());

        $_SESSION['user'] = array();