AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Force setup of MFA on login

This commit is contained in:
wrongecho 2024-10-28 21:01:55 +00:00
parent 9491643a4b
commit 334829c23e
2 changed files with 24 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
login.php
View File

@ -119,10 +119,6 @@ if (isset($_POST['login'])) {
$user_role = intval($row['user_role']);
$user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
$user_extension_key = $row['user_extension_key'];
if($force_mfa == 1 && $token == NULL) {
$config_start_page = "user_security.php";
$_SESSION['alert_message'] = "Please set up MFA.";
}
$mfa_is_complete = false; // Default to requiring MFA
$extended_log = ''; // Default value
@ -202,8 +198,14 @@ if (isset($_POST['login'])) {
$_SESSION['csrf_token'] = randomString(156);
$_SESSION['logged'] = true;
// Forcing MFA
if ($force_mfa == 1 && $token == NULL) {
$secretMFA = key32gen();
$config_start_page = "post.php?enable_2fa_force&token=$secretMFA&csrf_token=$_SESSION[csrf_token]";
}
// Setup encryption session key
if (isset($user_encryption_ciphertext) && $user_role > 1) {
if (isset($user_encryption_ciphertext)) {
$site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
generateUserSessionKey($site_encryption_master_key);

23
post/user/profile.php
View File

@ -207,12 +207,23 @@ if (isset($_POST['verify'])) {
}
if (isset($_POST['enable_2fa'])){
if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
// CSRF Check
validateCSRFToken($_POST['csrf_token']);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
validateCSRFToken($_POST['csrf_token']);
$extended_log_description = "";
$token = sanitizeInput($_POST['token']);
} else {
// If this is a GET request then we forced MFA as part of login
validateCSRFToken($_GET['csrf_token']);
$extended_log_description = "(forced)";
$token = sanitizeInput($_GET['token']);
}
$token = sanitizeInput($_POST['token']);
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
@ -220,11 +231,11 @@ if (isset($_POST['enable_2fa'])){
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
$_SESSION['alert_message'] = "Two-factor authentication enabled";
$_SESSION['alert_message'] = "Two-factor authentication enabled $extended_log_description";
header("Location: " . $_SERVER["HTTP_REFERER"]);
header("Location: user_security.php");
}