diff --git a/check_login.php b/check_login.php
index bd9570df..36cd2b34 100644
--- a/check_login.php
+++ b/check_login.php
@@ -54,7 +54,7 @@ $row = mysqli_fetch_array($sql);
$session_name = sanitizeInput($row['user_name']);
$session_email = $row['user_email'];
$session_avatar = $row['user_avatar'];
-$session_token = $row['user_token'];
+$session_token = $row['user_token']; // MFA Token
$session_user_role = intval($row['user_role']);
$session_user_role_display = sanitizeInput($row['user_role_name']);
if (isset($row['user_role_is_admin']) && $row['user_role_is_admin'] == 1) {
@@ -128,8 +128,3 @@ $session_mobile = isMobile();
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('notification_id') AS num FROM notifications WHERE (notification_user_id = $session_user_id OR notification_user_id = 0) AND notification_dismissed_at IS NULL"));
$num_notifications = $row['num'];
-
-// FORCE MFA Setup
-//if ($session_user_config_force_mfa == 1 && $session_token == NULL) {
-// header("Location: force_mfa.php");
-//}
diff --git a/login.php b/login.php
index 901ccab0..89d6a673 100644
--- a/login.php
+++ b/login.php
@@ -145,7 +145,7 @@ if (isset($_POST['login'])) {
// Validate MFA code
if (!empty($current_code) && TokenAuth6238::verify($token, $current_code)) {
$mfa_is_complete = true;
-$extended_log = 'with 2FA';
+$extended_log = 'with MFA';
}
if ($mfa_is_complete) {
@@ -201,8 +201,8 @@ if (isset($_POST['login'])) {
// Forcing MFA
if ($force_mfa == 1 && $token == NULL) {
-$secretMFA = key32gen();
-$config_start_page = "post.php?enable_2fa_force&token=$secretMFA&csrf_token=$_SESSION[csrf_token]";
+//$secretMFA = key32gen();
+$config_start_page = "mfa_enforcement.php";
}
// Setup encryption session key
diff --git a/mfa_enforcement.php b/mfa_enforcement.php
new file mode 100644
index 00000000..d0ad779c
--- /dev/null
+++ b/mfa_enforcement.php
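Review bot: Forced MFA enrolment is now only a post-login redirect (`$config_start_page = "mfa_enforcement.php";`), so a user with `$force_mfa == 1` and no token can type any other URL after logging in and skip enrolment; the per-request guard that would stop this was the commented-out block this commit deletes from check_login.php, and no replacement is visible in the diff. Unless mfa_enforcement.php or an unseen part of check_login.php enforces it, add a guard to check_login.php along the lines of `if ($force_mfa == 1 && empty($session_token) && basename($_SERVER['SCRIPT_NAME']) !== 'mfa_enforcement.php') { header("Location: mfa_enforcement.php"); exit; }`, allow-listing post.php (the form target) and logout.php as well, and using whichever variable actually carries the force-MFA setting in that file. The leftover `//$secretMFA = key32gen();` should be deleted rather than left commented out now that the secret is generated elsewhere. `$token == NULL` is a loose comparison that also matches the `''` written by disable_mfa; `empty($token)` states that intent explicitly.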
@@ -0,0 +1,196 @@ + + + + + + + + + + + MFA Enforcement | <?php echo $session_company_name; ?> + + + + + + + + + + + + + + + + + + + + + + +
+
+ + + +
+
+

Multi-Factor Authentication Enforcement

+ + +
+
+
+ + +
+

Scan this code into your app

+ +
Can't Scan? Copy and paste the secret below +
+
+

Secret: + +

+
+ +
+ +
+
+
+ +
+ +
+ +
+
+
+
+
+
+
+
+ + + + + + + + + + + + + + + + + +
diff --git a/post/user/profile.php b/post/user/profile.php
index 5f5b51f6..e5c14de4 100644
--- a/post/user/profile.php
+++ b/post/user/profile.php
@@ -190,24 +190,6 @@ if (isset($_POST['edit_your_user_preferences'])) {
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
-
-if (isset($_POST['verify'])) {
-
- require_once "plugins/totp/totp.php";
-
- $currentcode = intval($_POST['code']); //code to validate, for example received from device
-
- if (TokenAuth6238::verify($session_token, $currentcode)) {
- $_SESSION['alert_message'] = "VALID!";
- }else{
- $_SESSION['alert_type'] = "error";
- $_SESSION['alert_message'] = "IN-VALID!";
- }
-
- header("Location: " . $_SERVER["HTTP_REFERER"]);
-
-}
-
if (isset($_POST['enable_mfa'])) {
validateCSRFToken($_POST['csrf_token']);
@@ -230,7 +212,7 @@ if (isset($_POST['enable_mfa'])) {
// SUCCESS
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
-// Delete any existing 2FA tokens - these browsers should be re-validated
+// Delete any existing MFA tokens - these browsers should be re-validated
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
// Logging
@@ -241,6 +223,16 @@ if (isset($_POST['enable_mfa'])) {
// Clear the mfa_token from the session to avoid re-use.
unset($_SESSION['mfa_token']);
+ // Check if the previous page is mfa_enforcement.php
+ if (isset($_SERVER['HTTP_REFERER'])) {
+ $previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
+ if ($previousPage === 'mfa_enforcement.php') {
+ // Redirect back to mfa_enforcement.php
+ header("Location: $config_start_page");
+ exit;
+ }
+ }
+
} else {
// FAILURE
$_SESSION['alert_type'] = "error";
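Review bot: The page title interpolates `$session_company_name` with a bare `echo`; if that value is not already passed through `sanitizeInput()` in check_login.php (not part of this diff), it should be escaped here as `<?php echo htmlspecialchars($session_company_name, ENT_QUOTES, 'UTF-8'); ?>`. Most of this 196-line file was lost in extraction, so only the rendered text is reviewable: the page shows the TOTP secret in clear ("Secret:") and as a QR code, so it should send `header("Cache-Control: no-store");` before any output, and the enable form it posts must carry the CSRF token that `enable_mfa` in post/user/profile.php validates. The PHP body of the file (session checks, how the secret is generated and placed in `$_SESSION['mfa_token']`) is not visible and should be reviewed separately.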
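Review bot: The comment `// Redirect back to mfa_enforcement.php` contradicts the code beneath it, which redirects to `$config_start_page` — in this file that is presumably the configured start page from get_settings.php rather than the enforcement page, and it is the right destination once enrolment has succeeded; change the comment to `// Enrolment was forced at login: continue to the normal start page`. Deciding this on `HTTP_REFERER` is fragile: browsers under `Referrer-Policy: no-referrer` or `strict-origin` omit or truncate it, in which case a forced user lands on user_security.php instead. A hidden field in the enforcement form (e.g. `<input type="hidden" name="from_enforcement" value="1">` checked with `!empty($_POST['from_enforcement'])`) would be deterministic and not depend on client headers. If `$config_start_page` is not in scope in this POST handler the Location header is empty; worth confirming.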
@@ -248,7 +240,19 @@ if (isset($_POST['enable_mfa'])) {
// Set a flag to automatically open the MFA modal again
$_SESSION['show_mfa_modal'] = true;
- }
+
+ // Check if the previous page is mfa_enforcement.php
+ if (isset($_SERVER['HTTP_REFERER'])) {
+ $previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
+ if ($previousPage === 'mfa_enforcement.php') {
+ // Redirect back to mfa_enforcement.php
+ header("Location: " . $_SERVER['HTTP_REFERER']);
+ exit;
+ }
+ }
+ }
+
+ header("Location: user_security.php");
exit;
@@ -262,6 +266,9 @@ if (isset($_GET['disable_mfa'])){
mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
+ // Delete any existing MFA tokens - these browsers should be re-validated
+ mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
+
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
$config_mail_from_name = sanitizeInput($config_mail_from_name);
$config_mail_from_email = sanitizeInput($config_mail_from_email);
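Review bot: `header("Location: " . $_SERVER['HTTP_REFERER']);` echoes the full client-supplied Referer after checking only that its path ends in `mfa_enforcement.php`, so `https://other.host/mfa_enforcement.php` passes the check; the CSRF check at the top of this handler makes a forged POST hard, but the literal target is equivalent and safer: `header("Location: mfa_enforcement.php");`. The success branch earlier in this handler makes the same Referer check but redirects to `$config_start_page`; a one-line comment on each branch should say why they diverge. `$_SESSION['show_mfa_modal'] = true;` is set just before this redirect even though mfa_enforcement.php presumably has no modal, so the flag may linger until the next user_security.php visit; consider setting it only on the user_security.php path.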
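Review bot: Revoking remember_tokens on disable is right, but this handler is entered from `isset($_GET['disable_mfa'])`, so disabling MFA is a state change on a GET request; the `disable_2fa` handler this commit removes used POST with `validateCSRFToken($_POST['csrf_token'])`. The handler's opening lines are outside the hunk, so whether a CSRF token is validated here is not visible — if it is taken from `$_GET`, the token ends up in URLs, logs and Referer headers. Move the action to POST (`if (isset($_POST['disable_mfa'])) { validateCSRFToken($_POST['csrf_token']);`) and keep the remember_tokens deletion as added here.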
@@ -295,78 +302,6 @@ if (isset($_GET['disable_mfa'])){
}
-if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
-
- // CSRF Check
- if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- validateCSRFToken($_POST['csrf_token']);
-
- $extended_log_description = "";
- $token = sanitizeInput($_POST['token']);
- } else {
- // If this is a GET request then we forced MFA as part of login
- validateCSRFToken($_GET['csrf_token']);
-
- $extended_log_description = "(forced)";
- $token = sanitizeInput($_GET['token']);
- }
-
-
-
- mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
-
- // Delete any existing 2FA tokens - these browsers should be re-validated
- mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
-
- // Logging
- logAction("User Account", "Edit", "$session_name enabled MFA on their account $extended_log_description");
-
- $_SESSION['alert_message'] = "Two-factor authentication enabled $extended_log_description";
-
- header("Location: user_security.php");
-
-}
-
-if (isset($_POST['disable_2fa'])){
-
- // CSRF Check
- validateCSRFToken($_POST['csrf_token']);
-
- mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
-
- // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
- $config_mail_from_name = sanitizeInput($config_mail_from_name);
- $config_mail_from_email = sanitizeInput($config_mail_from_email);
- $config_app_name = sanitizeInput($config_app_name);
-
- // Email notification
- if (!empty($config_smtp_host)) {
- $subject = "$config_app_name account update confirmation for $session_name";
- $body = "Hi $session_name,

Your $config_app_name account has been updated, details below:

2FA was disabled.

If you did not perform this change, contact your $config_app_name administrator immediately.

Thanks,
ITFlow
$session_company_name"; - - $data = [ - [ - 'from' => $config_mail_from_email, - 'from_name' => $config_mail_from_name, - 'recipient' => $session_email, - 'recipient_name' => $session_name, - 'subject' => $subject, - 'body' => $body - ] - ]; - $mail = addToMailQueue($data); - } - - // Logging - logAction("User Account", "Edit", "$session_name disabled MFA on their account"); - - $_SESSION['alert_type'] = "error"; - $_SESSION['alert_message'] = "Two-factor authentication disabled"; - - header("Location: " . $_SERVER["HTTP_REFERER"]); - -} - if (isset($_POST['revoke_your_2fa_remember_tokens'])) { // CSRF