From 5ea3404358ea0ebaa6b9c0b7898691f5e61eebb1 Mon Sep 17 00:00:00 2001
From: Pietro Tarenzi <101387720+taarenz@users.noreply.github.com>
Date: Thu, 22 Sep 2022 11:12:38 +0200
Subject: [PATCH] 2FA: clear auth key from db when disabled

Co-authored-by: Lorenzo Milesi
---
 CHANGELOG.md | 1 +
 src/User/Controller/SettingsController.php | 29 ++++++++++++++++------
 2 files changed, 22 insertions(+), 8 deletions(-)
 mode change 100755 => 100644 src/User/Controller/SettingsController.php

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9fdeb38..b5d28b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ There's a change in flash messages handling, please see #391
 - Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
 - Fix #432: Fix documentation overlap by shortening page names (cgsmith)
 - Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
+- Fix: Clear 2FA auth key when feature is disabled by user
 - Fix: check user before accessing 2FA code
 
 ## 1.5.1 April 5, 2020
diff --git a/src/User/Controller/SettingsController.php b/src/User/Controller/SettingsController.php
old mode 100755
new mode 100644
index d218626..4cdb8d7
--- a/src/User/Controller/SettingsController.php
+++ b/src/User/Controller/SettingsController.php
@@ -40,6 +40,7 @@ use Da\User\Validator\TwoFactorEmailValidator;
 use Da\User\Validator\TwoFactorTextMessageValidator;
 use Yii;
 use yii\base\DynamicModel;
+use yii\base\InvalidParamException;
 use yii\filters\AccessControl;
 use yii\filters\VerbFilter;
 use yii\helpers\ArrayHelper;
@@ -453,6 +454,10 @@ class SettingsController extends Controller
 
 public function actionTwoFactor($id)
 {
+ if(!$this->module->enableTwoFactorAuthentication){
+ throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
+ }
+
 if($id != Yii::$app->user->id) {
 throw new ForbiddenHttpException();
 }
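Review bot: `yii\base\InvalidParamException`, imported here and thrown from the new `default:` branch in the `@@ -477` hunk, has been deprecated since Yii 2.0.14 in favour of `yii\base\InvalidArgumentException`, so this import will need touching again on the next framework bump. More to the point, the value the switch dispatches on appears to be request-supplied, and an uncaught `yii\base` exception surfaces as a 500 plus an error-log entry, whereas the situation is a malformed request; `throw new BadRequestHttpException('Invalid 2FA choice');` (with `use yii\web\BadRequestHttpException;` added to this import block) answers it with a 400 instead. The switch belongs to actionTwoFactor, whose start lies outside the `@@ -477` hunk.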
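Review bot: The enableTwoFactorAuthentication guard added at the top of actionTwoFactor is repeated verbatim, message string included, in actionTwoFactorEnable and actionTwoFactorDisable in the following two hunks, so any change to the check or its text now has to be made in three places. A single private method keeps the three actions in step; each action then opens with `$this->ensureTwoFactorConfigured();`. While there, `if (...) {` and `Yii::t('usuario', '...')` with PSR-12 spacing would match the file's existing `if (null === $user) {` lines. The body of actionTwoFactor continues past the end of this hunk.
```php
    /** Rejects the request with 403 when the module has two-factor authentication switched off. */
    private function ensureTwoFactorConfigured(): void
    {
        if (!$this->module->enableTwoFactorAuthentication) {
            throw new ForbiddenHttpException(Yii::t('usuario', 'Application not configured for two factor authentication.'));
        }
    }
```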
@@ -477,18 +482,20 @@ class SettingsController extends Controller $mobilePhone = $user->getAuthTfMobilePhone(); $smsCode = $this->make(TwoFactorSmsCodeGeneratorService::class, [$user])->run(); return $this->renderAjax('two-factor-sms', ['id' => $id, 'code' => $smsCode, 'mobilePhone' => $mobilePhone]); + default: + throw new InvalidParamException("Invalid 2FA choice"); } } public function actionTwoFactorEnable($id) { + if(!$this->module->enableTwoFactorAuthentication){ + throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.')); + } + Yii::$app->response->format = Response::FORMAT_JSON; - /** - * - * - * @var User $user - */ + /** @var User $user */ $user = $this->userQuery->whereId($id)->one(); if (null === $user) { @@ -518,9 +525,15 @@ class SettingsController extends Controller public function actionTwoFactorDisable($id) { + if(!$this->module->enableTwoFactorAuthentication){ + throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.')); + } + + if($id != Yii::$app->user->id) { + throw new ForbiddenHttpException(); + } + /** - * - * * @var User $user */ $user = $this->userQuery->whereId($id)->one(); @@ -529,7 +542,7 @@ class SettingsController extends Controller throw new NotFoundHttpException(); } - if ($user->updateAttributes(['auth_tf_enabled' => '0'])) { + if ($user->updateAttributes(['auth_tf_enabled' => '0', 'auth_tf_key' => NULL])) { Yii::$app ->getSession() ->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.'));
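Review bot: actionTwoFactorEnable receives the module-level guard but not the `$id != Yii::$app->user->id` ownership check that this same commit adds to actionTwoFactorDisable in the `@@ -518` hunk; as far as the hunk shows, `$id` goes straight into `$this->userQuery->whereId($id)`, so unless a check exists further down, outside the hunk, the enable action accepts another account's id from any logged-in user. Adding the same three lines after the new guard, `if ($id != Yii::$app->user->id) { throw new ForbiddenHttpException(); }`, makes the three 2FA actions consistent with each other. The rest of the method lies outside the hunk.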
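Review bot: `NULL` in the new updateAttributes() call should be lowercase `null`, matching PSR-12 and the `null === $user` comparison a few lines above: `if ($user->updateAttributes(['auth_tf_enabled' => '0', 'auth_tf_key' => null])) {`. The reason for the second attribute lives only in the commit title, so a line comment above the call would help the next reader: `// Drop the stored 2FA key as well, so the old secret is not kept around while 2FA is off.` updateAttributes() writes without running validation, so this also relies on the auth_tf_key column accepting null, which is worth confirming against the migration. The enclosing actionTwoFactorDisable starts outside this hunk.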