mirror of https://github.com/itflow-org/itflow
Merge pull request #1094 from itflow-org/force-mfa
Force setup of MFA on login
This commit is contained in:
Johnny
GitHub
commit
5f708f6003
12
login.php
12
login.php
|
|
@ -119,10 +119,6 @@ if (isset($_POST['login'])) {
|
|||
$user_role = intval($row['user_role']);
|
||||
$user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
|
||||
$user_extension_key = $row['user_extension_key'];
|
||||
if($force_mfa == 1 && $token == NULL) {
|
||||
$config_start_page = "user_security.php";
|
||||
$_SESSION['alert_message'] = "Please set up MFA.";
|
||||
}
|
||||
|
||||
$mfa_is_complete = false; // Default to requiring MFA
|
||||
$extended_log = ''; // Default value
|
||||
|
|
@ -202,8 +198,14 @@ if (isset($_POST['login'])) {
|
|||
$_SESSION['csrf_token'] = randomString(156);
|
||||
$_SESSION['logged'] = true;
|
||||
|
||||
// Forcing MFA
|
||||
if ($force_mfa == 1 && $token == NULL) {
|
||||
$secretMFA = key32gen();
|
||||
$config_start_page = "post.php?enable_2fa_force&token=$secretMFA&csrf_token=$_SESSION[csrf_token]";
|
||||
}
|
||||
|
||||
// Setup encryption session key
|
||||
if (isset($user_encryption_ciphertext) && $user_role > 1) {
|
||||
if (isset($user_encryption_ciphertext)) {
|
||||
$site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
|
||||
generateUserSessionKey($site_encryption_master_key);
|
||||
|
||||
|
|
|
|||
|
|
@ -207,12 +207,23 @@ if (isset($_POST['verify'])) {
|
|||
|
||||
}
|
||||
|
||||
if (isset($_POST['enable_2fa'])){
|
||||
if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
|
||||
|
||||
// CSRF Check
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
$extended_log_description = "";
|
||||
$token = sanitizeInput($_POST['token']);
|
||||
} else {
|
||||
// If this is a GET request then we forced MFA as part of login
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$extended_log_description = "(forced)";
|
||||
$token = sanitizeInput($_GET['token']);
|
||||
}
|
||||
|
||||
|
||||
$token = sanitizeInput($_POST['token']);
|
||||
|
||||
mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
|
||||
|
||||
|
|
@ -220,11 +231,11 @@ if (isset($_POST['enable_2fa'])){
|
|||
mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
|
||||
|
||||
//Logging
|
||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
|
||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
|
||||
|
||||
$_SESSION['alert_message'] = "Two-factor authentication enabled";
|
||||
$_SESSION['alert_message'] = "Two-factor authentication enabled $extended_log_description";
|
||||
|
||||
header("Location: " . $_SERVER["HTTP_REFERER"]);
|
||||
header("Location: user_security.php");
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue