2FA: clear auth key from db when disabled

Co-authored-by: Lorenzo Milesi <lorenzo.milesi@yetopen.com>
Pietro Tarenzi
2022-09-22 11:12:38 +02:00
committed by GitHub
parent 873b842349
commit 5ea3404358
2 changed files with 22 additions and 8 deletions


@ -36,6 +36,7 @@ There's a change in flash messages handling, please see #391
- Enh #458: Multiple 2FA channels (email, sms) (acordeddu) - Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
- Fix #432: Fix documentation overlap by shortening page names (cgsmith) - Fix #432: Fix documentation overlap by shortening page names (cgsmith)
- Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson) - Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
- Fix: Clear 2FA auth key when feature is disabled by user
- Fix: check user before accessing 2FA code - Fix: check user before accessing 2FA code
## 1.5.1 April 5, 2020 ## 1.5.1 April 5, 2020

src/User/Controller/SettingsController.php Executable file → Normal file

@ -40,6 +40,7 @@ use Da\User\Validator\TwoFactorEmailValidator;
use Da\User\Validator\TwoFactorTextMessageValidator; use Da\User\Validator\TwoFactorTextMessageValidator;
use Yii; use Yii;
use yii\base\DynamicModel; use yii\base\DynamicModel;
use yii\base\InvalidParamException;
use yii\filters\AccessControl; use yii\filters\AccessControl;
use yii\filters\VerbFilter; use yii\filters\VerbFilter;
use yii\helpers\ArrayHelper; use yii\helpers\ArrayHelper;
@ -453,6 +454,10 @@ class SettingsController extends Controller
public function actionTwoFactor($id) public function actionTwoFactor($id)
{ {
if(!$this->module->enableTwoFactorAuthentication){
throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
}
if($id != Yii::$app->user->id) { if($id != Yii::$app->user->id) {
throw new ForbiddenHttpException(); throw new ForbiddenHttpException();
} }
@ -477,18 +482,20 @@ class SettingsController extends Controller
$mobilePhone = $user->getAuthTfMobilePhone(); $mobilePhone = $user->getAuthTfMobilePhone();
$smsCode = $this->make(TwoFactorSmsCodeGeneratorService::class, [$user])->run(); $smsCode = $this->make(TwoFactorSmsCodeGeneratorService::class, [$user])->run();
return $this->renderAjax('two-factor-sms', ['id' => $id, 'code' => $smsCode, 'mobilePhone' => $mobilePhone]); return $this->renderAjax('two-factor-sms', ['id' => $id, 'code' => $smsCode, 'mobilePhone' => $mobilePhone]);
default:
throw new InvalidParamException("Invalid 2FA choice");
} }
} }
public function actionTwoFactorEnable($id) public function actionTwoFactorEnable($id)
{ {
if(!$this->module->enableTwoFactorAuthentication){
throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
}
Yii::$app->response->format = Response::FORMAT_JSON; Yii::$app->response->format = Response::FORMAT_JSON;
/** /** @var User $user */
*
*
* @var User $user
*/
$user = $this->userQuery->whereId($id)->one(); $user = $this->userQuery->whereId($id)->one();
if (null === $user) { if (null === $user) {
@ -518,9 +525,15 @@ class SettingsController extends Controller
public function actionTwoFactorDisable($id) public function actionTwoFactorDisable($id)
{ {
if(!$this->module->enableTwoFactorAuthentication){
throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
}
if($id != Yii::$app->user->id) {
throw new ForbiddenHttpException();
}
/** /**
*
*
* @var User $user * @var User $user
*/ */
$user = $this->userQuery->whereId($id)->one(); $user = $this->userQuery->whereId($id)->one();
@ -529,7 +542,7 @@ class SettingsController extends Controller
throw new NotFoundHttpException(); throw new NotFoundHttpException();
} }
if ($user->updateAttributes(['auth_tf_enabled' => '0'])) { if ($user->updateAttributes(['auth_tf_enabled' => '0', 'auth_tf_key' => NULL])) {
Yii::$app Yii::$app
->getSession() ->getSession()
->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.')); ->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.'));
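Review bot: The ownership guard added to actionTwoFactorDisable (and the pre-existing one in actionTwoFactor) compares the request-supplied `$id` with loose `!=`, which on PHP before 8.0 accepts values such as `'1abc'` as equal to `1`; a strict form, `if ((int) $id !== (int) Yii::$app->user->id) {`, closes that gap and matches the integer id that `whereId($id)` is then asked to look up. actionTwoFactorEnable receives only the module-enabled guard in this commit and no equivalent current-user check inside the hunk; its body continues past the hunk, so if the check is not present further down it should get the same guard, since the action otherwise acts on whichever id is supplied. Separately, the new `default` branch in actionTwoFactor throws `InvalidParamException`, which Yii deprecated in 2.0.14 in favour of `yii\base\InvalidArgumentException`; if the switched value is request input (not visible in the hunk), `yii\web\BadRequestHttpException` would report the bad choice as a 400 rather than a 500.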