tobias/friendica
1
0
Fork 0
Code Pull requests Activity

Merge pull request #7425 from MrPetovan/task/2fa-ping-disallowed

Browse source 
2FA: Remove mod/ping from exception list
This commit is contained in:
Philipp 2019-07-25 08:49:20 +02:00 committed by GitHub
commit 56e0a92d83
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 244 additions and 229 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
src/App.php
View file

@ -12,10 +12,12 @@ use Friendica\Core\Config\Cache\ConfigCache;
use Friendica\Core\Config\Configuration; use Friendica\Core\Config\Configuration;
use Friendica\Core\Hook; use Friendica\Core\Hook;
use Friendica\Core\L10n\L10n; use Friendica\Core\L10n\L10n;
use Friendica\Core\System;
use Friendica\Core\Theme; use Friendica\Core\Theme;
use Friendica\Database\Database; use Friendica\Database\Database;
use Friendica\Database\DBA; use Friendica\Database\DBA;
use Friendica\Model\Profile; use Friendica\Model\Profile;
use Friendica\Module\Login;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Util\BaseURL; use Friendica\Util\BaseURL;
use Friendica\Util\ConfigFileLoader; use Friendica\Util\ConfigFileLoader;
@ -1001,11 +1003,10 @@ class App
*/ */
public function runFrontend() public function runFrontend()
{ {
try {
// Missing DB connection: ERROR // Missing DB connection: ERROR
if ($this->getMode()->has(App\Mode::LOCALCONFIGPRESENT) && !$this->getMode()->has(App\Mode::DBAVAILABLE)) { if ($this->getMode()->has(App\Mode::LOCALCONFIGPRESENT) && !$this->getMode()->has(App\Mode::DBAVAILABLE)) {
Module\Special\HTTPException::rawContent( throw new HTTPException\InternalServerErrorException('Apologies but the website is unavailable at the moment.');
new HTTPException\InternalServerErrorException('Apologies but the website is unavailable at the moment.')
);
} }
// Max Load Average reached: ERROR // Max Load Average reached: ERROR
@ -1013,17 +1014,13 @@ class App
header('Retry-After: 120'); header('Retry-After: 120');
header('Refresh: 120; url=' . $this->getBaseURL() . "/" . $this->query_string); header('Refresh: 120; url=' . $this->getBaseURL() . "/" . $this->query_string);
Module\Special\HTTPException::rawContent( throw new HTTPException\ServiceUnavailableException('The node is currently overloaded. Please try again later.');
new HTTPException\ServiceUnavailableException('The node is currently overloaded. Please try again later.')
);
} }
if (!$this->getMode()->isInstall()) { if (!$this->getMode()->isInstall()) {
// Force SSL redirection // Force SSL redirection
if ($this->baseURL->checkRedirectHttps()) { if ($this->baseURL->checkRedirectHttps()) {
header('HTTP/1.1 302 Moved Temporarily'); System::externalRedirect($this->getBaseURL() . '/' . $this->query_string);
header('Location: ' . $this->getBaseURL() . '/' . $this->query_string);
exit();
} }
Core\Session::init(); Core\Session::init();
@ -1067,9 +1064,7 @@ class App
// Someone came with an invalid parameter, maybe as a DDoS attempt // Someone came with an invalid parameter, maybe as a DDoS attempt
// We simply stop processing here // We simply stop processing here
Core\Logger::log("Invalid ZRL parameter " . $_GET['zrl'], Core\Logger::DEBUG); Core\Logger::log("Invalid ZRL parameter " . $_GET['zrl'], Core\Logger::DEBUG);
Module\Special\HTTPException::rawContent( throw new HTTPException\ForbiddenException();
new HTTPException\ForbiddenException()
);
} }
} }
} }
@ -1225,7 +1220,7 @@ class App
// Initialize module that can set the current theme in the init() method, either directly or via App->profile_uid // Initialize module that can set the current theme in the init() method, either directly or via App->profile_uid
$this->page['page_title'] = $this->module; $this->page['page_title'] = $this->module;
try {
$placeholder = ''; $placeholder = '';
Core\Hook::callAll($this->module . '_mod_init', $placeholder); Core\Hook::callAll($this->module . '_mod_init', $placeholder);

7
src/Core/Authentication.php
View file

@ -7,6 +7,7 @@ namespace Friendica\Core;
use Friendica\App; use Friendica\App;
use Friendica\BaseObject; use Friendica\BaseObject;
use Friendica\Network\HTTPException\ForbiddenException;
use Friendica\Util\BaseURL; use Friendica\Util\BaseURL;
/** /**
@ -71,7 +72,7 @@ class Authentication extends BaseObject
} }
// Check current path, if 2fa authentication module return // Check current path, if 2fa authentication module return
if ($a->argc > 0 && in_array($a->argv[0], ['ping', '2fa', 'view', 'help', 'api', 'proxy', 'logout'])) { if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
return; return;
} }
@ -81,7 +82,11 @@ class Authentication extends BaseObject
} }
// Case 2: No valid 2FA session: redirect to code verification page // Case 2: No valid 2FA session: redirect to code verification page
if ($a->isAjax()) {
throw new ForbiddenException();
} else {
$a->internalRedirect('2fa'); $a->internalRedirect('2fa');
} }
}
} }

10
src/Module/TwoFactor/Verify.php
View file

@ -16,18 +16,20 @@ use PragmaRX\Google2FA\Google2FA;
*/ */
class Verify extends BaseModule class Verify extends BaseModule
{ {
private static $errors = [];
public static function post() public static function post()
{ {
if (!local_user()) { if (!local_user()) {
return; return;
} }
if (defaults($_POST, 'action', null) == 'verify') { if (($_POST['action'] ?? '') == 'verify') {
self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_verify'); self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_verify');
$a = self::getApp(); $a = self::getApp();
$code = defaults($_POST, 'verify_code', ''); $code = $_POST['verify_code'] ?? '';
$valid = (new Google2FA())->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), $code); $valid = (new Google2FA())->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), $code);
@ -38,7 +40,7 @@ class Verify extends BaseModule
// Resume normal login workflow // Resume normal login workflow
Session::setAuthenticatedForUser($a, $a->user, true, true); Session::setAuthenticatedForUser($a, $a->user, true, true);
} else { } else {
notice(L10n::t('Invalid code, please retry.')); self::$errors[] = L10n::t('Invalid code, please retry.');
} }
} }
} }
@ -59,6 +61,8 @@ class Verify extends BaseModule
'$title' => L10n::t('Two-factor authentication'), '$title' => L10n::t('Two-factor authentication'),
'$message' => L10n::t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'), '$message' => L10n::t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'),
'$errors_label' => L10n::tt('Error', 'Errors', count(self::$errors)),
'$errors' => self::$errors,
'$recovery_message' => L10n::t('Dont have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'), '$recovery_message' => L10n::t('Dont have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
'$verify_code' => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'], '$verify_code' => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'],
'$verify_label' => L10n::t('Verify code and complete login'), '$verify_label' => L10n::t('Verify code and complete login'),

11
view/templates/twofactor/verify.tpl
View file

@ -2,6 +2,17 @@
<h1>{{$title}}</h1> <h1>{{$title}}</h1>
<div>{{$message nofilter}}</div> <div>{{$message nofilter}}</div>
{{if $errors}}
<div class="panel panel-danger">
<div class="panel-heading">{{$errors_label}}</div>
<ul class="list-group">
{{foreach $errors as $error}}
<li class="list-group-item">{{$error}}</li>
{{/foreach}}
</ul>
</div>
{{/if}}
<form action="" method="post"> <form action="" method="post">
<input type="hidden" name="form_security_token" value="{{$form_security_token}}"> <input type="hidden" name="form_security_token" value="{{$form_security_token}}">