wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Clean pending 2FA authentication on password reset

Browse source 
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.

The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-01-28 16:12:06 +01:00
parent 8d52a3ac4a
commit ac8a6e2244
No known key found for this signature in database
GPG key ID: F941078878347C0C
3 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
core/Controller/LostController.php
View file

@ -31,6 +31,7 @@
namespace OC\Core\Controller; namespace OC\Core\Controller;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\HintException; use OC\HintException;
use \OCP\AppFramework\Controller; use \OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\JSONResponse;
@ -58,7 +59,6 @@ use OCP\Security\ISecureRandom;
* @package OC\Core\Controller * @package OC\Core\Controller
*/ */
class LostController extends Controller { class LostController extends Controller {
/** @var IURLGenerator */ /** @var IURLGenerator */
protected $urlGenerator; protected $urlGenerator;
/** @var IUserManager */ /** @var IUserManager */
@ -83,6 +83,8 @@ class LostController extends Controller {
protected $crypto; protected $crypto;
/** @var ILogger */ /** @var ILogger */
private $logger; private $logger;
/** @var Manager */
private $twoFactorManager;
/** /**
* @param string $appName * @param string $appName
@ -112,7 +114,8 @@ class LostController extends Controller {
IMailer $mailer, IMailer $mailer,
ITimeFactory $timeFactory, ITimeFactory $timeFactory,
ICrypto $crypto, ICrypto $crypto,
ILogger $logger) { ILogger $logger,
Manager $twoFactorManager) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->urlGenerator = $urlGenerator; $this->urlGenerator = $urlGenerator;
$this->userManager = $userManager; $this->userManager = $userManager;
@ -126,6 +129,7 @@ class LostController extends Controller {
$this->timeFactory = $timeFactory; $this->timeFactory = $timeFactory;
$this->crypto = $crypto; $this->crypto = $crypto;
$this->logger = $logger; $this->logger = $logger;
$this->twoFactorManager = $twoFactorManager;
} }
/** /**
@ -290,6 +294,8 @@ class LostController extends Controller {
\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password)); \OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));
$this->twoFactorManager->clearTwoFactorPending($userId);
$this->config->deleteUserValue($userId, 'core', 'lostpassword'); $this->config->deleteUserValue($userId, 'core', 'lostpassword');
@\OC::$server->getUserSession()->unsetMagicInCookie(); @\OC::$server->getUserSession()->unsetMagicInCookie();
} catch (HintException $e){ } catch (HintException $e){

9
lib/private/Authentication/TwoFactorAuth/Manager.php
View file

@ -31,6 +31,7 @@ use function array_diff;
use function array_filter; use function array_filter;
use BadMethodCallException; use BadMethodCallException;
use Exception; use Exception;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\IProvider as TokenProvider; use OC\Authentication\Token\IProvider as TokenProvider;
use OCP\Activity\IManager; use OCP\Activity\IManager;
@ -364,4 +365,12 @@ class Manager {
$this->config->setUserValue($user->getUID(), 'login_token_2fa', $token->getId(), $this->timeFactory->getTime()); $this->config->setUserValue($user->getUID(), 'login_token_2fa', $token->getId(), $this->timeFactory->getTime());
} }
public function clearTwoFactorPending(string $userId) {
$tokensNeeding2FA = $this->config->getUserKeys($userId, 'login_token_2fa');
foreach ($tokensNeeding2FA as $tokenId) {
$this->tokenProvider->invalidateTokenById($userId, $tokenId);
}
}
} }

7
tests/Core/Controller/LostControllerTest.php
View file

@ -21,6 +21,7 @@
namespace Tests\Core\Controller; namespace Tests\Core\Controller;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Core\Controller\LostController; use OC\Core\Controller\LostController;
use OC\Mail\Message; use OC\Mail\Message;
use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\JSONResponse;
@ -77,6 +78,8 @@ class LostControllerTest extends \Test\TestCase {
private $crypto; private $crypto;
/** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */ /** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */
private $logger; private $logger;
/** @var Manager|\PHPUnit_Framework_MockObject_MockObject */
private $twofactorManager;
protected function setUp() { protected function setUp() {
parent::setUp(); parent::setUp();
@ -128,6 +131,7 @@ class LostControllerTest extends \Test\TestCase {
->willReturn(true); ->willReturn(true);
$this->crypto = $this->createMock(ICrypto::class); $this->crypto = $this->createMock(ICrypto::class);
$this->logger = $this->createMock(ILogger::class); $this->logger = $this->createMock(ILogger::class);
$this->twofactorManager = $this->createMock(Manager::class);
$this->lostController = new LostController( $this->lostController = new LostController(
'Core', 'Core',
$this->request, $this->request,
@ -142,7 +146,8 @@ class LostControllerTest extends \Test\TestCase {
$this->mailer, $this->mailer,
$this->timeFactory, $this->timeFactory,
$this->crypto, $this->crypto,
$this->logger $this->logger,
$this->twofactorManager
); );
} }