From 7471c49793ea2948e1531cd697c486cf95ed8328 Mon Sep 17 00:00:00 2001 From: slawkens Date: Sat, 31 Jan 2026 20:44:26 +0100 Subject: [PATCH] [WIP] 2fa * Don't allow per get request to disable 2fa * Fix google recaptcha issue * Fix rec key check * Make input auth code required + autofocus --- system/pages/account/2fa/app/disable.php | 12 +++++- system/pages/account/2fa/app/enable.php | 6 +-- system/pages/account/2fa/base.php | 5 --- system/pages/account/2fa/email/disable.php | 41 +++++++++---------- system/pages/account/2fa/email/enable.php | 12 ++++++ .../pages/account/2fa/email/resend-code.php | 21 ++++++++-- system/pages/account/login.php | 4 ++ system/src/TwoFactorAuth/TwoFactorAuth.php | 10 +++-- system/src/global.php | 1 + .../app/enable.already_connected.html.twig | 22 ---------- .../account/2fa/app/enable.warning.html.twig | 2 +- .../templates/account/2fa/app/login.html.twig | 6 +-- .../account/2fa/email/login.html.twig | 19 ++++----- 13 files changed, 86 insertions(+), 75 deletions(-) delete mode 100644 system/templates/account/2fa/app/enable.already_connected.html.twig diff --git a/system/pages/account/2fa/app/disable.php b/system/pages/account/2fa/app/disable.php index 8b820f22..96296eab 100644 --- a/system/pages/account/2fa/app/disable.php +++ b/system/pages/account/2fa/app/disable.php @@ -3,14 +3,24 @@ defined('MYAAC') or die('Direct access not allowed!'); require __DIR__ . '/../base.php'; +if (!isRequestMethod('post')) { + error('This page cannot be accessed directly.'); + return; +} + if (!$account_logged->isLoaded()) { error('Account not found!'); return; } +if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) { + error("Your account does not have Two Factor App Authentication enabled."); + return; +} + $twoFactorAuth->disable(); $twig->display('success.html.twig', [ 'title' => 'Disabled', - 'description' => 'Two Factor Authentication has been disabled.' + 'description' => 'Two Factor App Authentication has been disabled.' ]); 
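Review bot: The new `isRequestMethod('post')` guard at the top of app/disable.php stops the GET-triggered disable, but a method check is not a cross-site request forgery defence, and nothing in the hunk validates a token before `$twoFactorAuth->disable()`. The deleted enable.already_connected template emitted `{{ csrf() }}`, so the form does carry a token; unless base.php or a global hook validates it on POST (not visible here), the project's CSRF check belongs in this file before the disable call. Removing the second factor is also a step-up action: consider requiring a currently valid authenticator code (`$code` is already populated from `auth-code` in base.php) or the account password before `$twoFactorAuth->disable()`, since otherwise a hijacked session can drop 2FA with a single request.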
diff --git a/system/pages/account/2fa/app/enable.php b/system/pages/account/2fa/app/enable.php index 0916f57a..1be865b9 100644 --- a/system/pages/account/2fa/app/enable.php +++ b/system/pages/account/2fa/app/enable.php @@ -5,9 +5,9 @@ use MyAAC\TwoFactorAuth\TwoFactorAuth; require __DIR__ . '/../base.php'; -if (!empty($account_logged->getCustomField('2fa_secret'))) { - - $twig->display('account/2fa/app/enable.already_connected.html.twig'); +if ($twoFactorAuth->isActive()) { + $errors[] = 'Two-factor authentication is already enabled on your account.'; + $twig->display('error_box.html.twig', ['errors' => $errors]); return; } diff --git a/system/pages/account/2fa/base.php b/system/pages/account/2fa/base.php index e0c50a5b..43bb1576 100644 --- a/system/pages/account/2fa/base.php +++ b/system/pages/account/2fa/base.php @@ -12,11 +12,6 @@ $title = 'Two Factor Authentication'; */ $code = $_REQUEST['auth-code'] ?? ''; -if ((!setting('core.mail_enabled')) && ACTION == 'email-code') { - $twig->display('error_box.html.twig', ['errors' => ['Account two-factor e-mail authentication disabled.']]); - return; -} - if (!$account_logged->isLoaded()) { $current_session = getSession('account'); if($current_session) { diff --git a/system/pages/account/2fa/email/disable.php b/system/pages/account/2fa/email/disable.php index 9ae32b14..41c95871 100644 --- a/system/pages/account/2fa/email/disable.php +++ b/system/pages/account/2fa/email/disable.php 
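Review bot: In app/enable.php the new branch appends to `$errors[]` without initialising the variable in this hunk; PHP auto-creates the array, but the same commit passes the list inline elsewhere (`$twig->display('error_box.html.twig', ['errors' => ['…']]);` in email/disable.php and resend-code.php), and the two-line form `$twig->display('error_box.html.twig', ['errors' => ['Two-factor authentication is already enabled on your account.']]);` avoids relying on implicit array creation. The switch from checking the raw `2fa_secret` field to `$twoFactorAuth->isActive()` with no type argument also means an account with e-mail 2FA active cannot start app enrolment without disabling e-mail first; if that is intended, the error text could say so rather than just "already enabled".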
@@ -3,14 +3,26 @@ defined('MYAAC') or die('Direct access not allowed!'); require __DIR__ . '/../base.php'; -//if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) { -// $twoFactorAuth->resendEmailCode(); -//} +if ((!setting('core.mail_enabled'))) { + $twig->display('error_box.html.twig', ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]); + return; +} + +if (!isRequestMethod('post')) { + error('This page cannot be accessed directly.'); + return; +} + +if (!$account_logged->isLoaded()) { + error('Account not found!'); + return; +} + +if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_EMAIL)) { + error("Your account does not have Two Factor E-Mail Authentication enabled."); + return; +} -/*if (isset($_POST['save'])) { - if (!empty($code)) { - if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) { -*/ $twoFactorAuth->disable(); $twoFactorAuth->deleteOldCodes(); @@ -20,18 +32,3 @@ $twig->display('success.html.twig', 'description' => 'You have successfully disabled the Email Code Authentication for your account.' ] ); -/* -} -else { -$errors[] = 'Invalid email code!'; -} -} -}*/ - -/* -if (!empty($errors)) { - $twig->display('error_box.html.twig', ['errors' => $errors]); -} - -$twig->display('account/2fa/email/deactivate.html.twig', ['wrongCode' => count($errors) > 0]); -*/ diff --git a/system/pages/account/2fa/email/enable.php b/system/pages/account/2fa/email/enable.php index 53f353ff..820a32ec 100644 --- a/system/pages/account/2fa/email/enable.php +++ b/system/pages/account/2fa/email/enable.php 
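Review bot: The first hunk of email/disable.php deletes the commented-out `verifyCode($code)` path and then calls `$twoFactorAuth->disable()` unconditionally, so a POST with no code at all removes the e-mail factor; the method check does not replace proof of possession. `$code` is already read from `auth-code` in base.php, so the check can be reinstated in three lines before the disable: `if (empty($code) || !$twoFactorAuth->getAuthGateway()->verifyCode($code)) { error('Invalid E-Mail code!'); return; }` — assuming `getAuthGateway()->verifyCode()` is the same verifier the login path uses, which this diff does not show. Placing the `core.mail_enabled` guard first also means an account whose e-mail factor was enabled before an admin turned mail off can no longer reach this page to remove it; if that lockout is unintended, the guard belongs on enable and resend only.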
@@ -6,6 +6,18 @@ defined('MYAAC') or die('Direct access not allowed!'); require __DIR__ . '/../base.php'; +if ((!setting('core.mail_enabled'))) { + $twig->display('error_box.html.twig', ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]); + return; +} + +if ($twoFactorAuth->isActive()) { + $errors[] = 'Two-factor authentication is already enabled on your account.'; + $twig->display('error_box.html.twig', ['errors' => $errors]); + + return; +} + if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) { $twoFactorAuth->resendEmailCode(); } diff --git a/system/pages/account/2fa/email/resend-code.php b/system/pages/account/2fa/email/resend-code.php index f44e7513..74c2123c 100644 --- a/system/pages/account/2fa/email/resend-code.php +++ b/system/pages/account/2fa/email/resend-code.php @@ -3,8 +3,23 @@ defined('MYAAC') or die('Direct access not allowed!'); require __DIR__ . '/../base.php'; -if ($twoFactorAuth->hasRecentEmailCode(1 * 60)) { - $errors = ['Sorry, one email per 15 minutes']; +if ((!setting('core.mail_enabled'))) { + $twig->display('error_box.html.twig', ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]); + return; +} + +if (!$account_logged->isLoaded()) { + error('Account not found!'); + return; +} + +if ($twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) { + error('You have to disable the app auth first!'); + return; +} + +if ($twoFactorAuth->hasRecentEmailCode(30 * 60)) { + $errors = ['Sorry, one email per 30 minutes']; } else { $twoFactorAuth->resendEmailCode(); @@ -14,4 +29,4 @@ if (!empty($errors)) { $twig->display('error_box.html.twig', ['errors' => $errors]); } -$twig->display('account/2fa/email/login.html.twig'); +$twig->display('account/2fa/email/enable.html.twig'); diff --git a/system/pages/account/login.php b/system/pages/account/login.php index 312a52a9..b8f5cff6 100644 --- a/system/pages/account/login.php +++ b/system/pages/account/login.php 
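Review bot: resend-code.php now checks mail, account and app-auth state but, unlike both disable pages in this commit, has no `isRequestMethod('post')` guard, so a plain GET (for example an image tag on another site) can make the server mail a code to a logged-in user; the 30-minute window bounds the volume, but the guard is the same three lines used in disable.php: `if (!isRequestMethod('post')) { error('This page cannot be accessed directly.'); return; }`. The window is also now inconsistent: email/enable.php and TwoFactorAuth::process resend whenever no code is younger than 15 minutes, while this page refuses for 30 and tells the user "one email per 30 minutes", so the enable page hands out a code that this page claims to deny — pick one constant and share it. The final render changed from login.html.twig to enable.html.twig; if the "Resend E-Mail Code" button on email/login.html.twig posts to this page, a user in the login flow would now land on the enable view instead of the login form — the button's action is not visible in this diff.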
@@ -55,6 +55,10 @@ if(!empty($login_account) && !empty($login_password)) } else { setSession('account', $account_logged->getId()); + if (!$hooks->trigger(HOOK_ACCOUNT_LOGIN_PRE)) { + return; + } + $twoFactorAuth = TwoFactorAuth::getInstance($account_logged); if (!$twoFactorAuth->process($login_account, $login_password, $remember_me, $_POST['auth-code'] ?? '')) { return; diff --git a/system/src/TwoFactorAuth/TwoFactorAuth.php b/system/src/TwoFactorAuth/TwoFactorAuth.php index ae934279..43da8c00 100644 --- a/system/src/TwoFactorAuth/TwoFactorAuth.php +++ b/system/src/TwoFactorAuth/TwoFactorAuth.php @@ -54,7 +54,6 @@ class TwoFactorAuth } $view = 'app'; - if ($this->authType == self::TYPE_EMAIL) { $view = 'email';# } @@ -63,7 +62,6 @@ class TwoFactorAuth if ($this->authType == self::TYPE_EMAIL) { if (!$this->hasRecentEmailCode(15 * 60)) { $this->resendEmailCode(); - //success('Resent email.'); } } @@ -99,7 +97,7 @@ class TwoFactorAuth $errors[] = 'The token is invalid!'; } else { - $errors[] = 'Invalid email code!'; + $errors[] = 'Invalid E-Mail code!'; } $twig->display('error_box.html.twig', ['errors' => $errors]); @@ -161,7 +159,11 @@ class TwoFactorAuth $this->account->setCustomField('2fa_secret', ''); } - public function isActive(): bool { + public function isActive(?int $authType = null): bool { + if ($authType !== null) { + return $this->authType === $authType; + } + return $this->authType != self::TYPE_NONE; } diff --git a/system/src/global.php b/system/src/global.php index 8206945a..2bc806b1 100644 --- a/system/src/global.php +++ b/system/src/global.php 
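Review bot: In login.php the new `HOOK_ACCOUNT_LOGIN_PRE` trigger runs after `setSession('account', $account_logged->getId())` on the line above, so when a hook returns false and the code returns, the account id has already been written to the session. Whether that alone amounts to a completed login depends on how the rest of the code treats `getSession('account')` (base.php in this patch reloads the account from it for the 2FA pages), which I cannot see here; moving the trigger above `setSession`, or clearing the session in the false branch, removes the question. A hook named `_PRE` that fires after the password has been verified and the session written is also easy to misread; a one-line comment such as `// Fires after password verification, before the second factor is checked` would help plugin authors.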
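Review bot: The new typed branch in `isActive(?int $authType = null)` compares with `===`, while the existing fallthrough keeps the loose `!= self::TYPE_NONE`; if `$this->authType` is ever assigned from a string custom field (the class reads `2fa_secret` via `getCustomField`, so that is plausible but not shown), `isActive(self::TYPE_APP)` would silently return false and the new disable/resend guards in this commit would always reject. Either normalise at assignment or compare `(int) $this->authType === $authType`, and make the fallthrough strict as well. A short docblock would clarify the two modes: `/** No argument: true if any 2FA type is active. With a type: true only if exactly that type is active. */`. The `$view = 'email';#` context line still carries a stray `#` comment marker that this cleanup hunk could have dropped.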
@@ -69,6 +69,7 @@ define('HOOK_ACCOUNT_LOGIN_AFTER_PASSWORD', ++$i); define('HOOK_ACCOUNT_LOGIN_AFTER_REMEMBER_ME', ++$i); define('HOOK_ACCOUNT_LOGIN_AFTER_PAGE', ++$i); define('HOOK_ACCOUNT_LOGIN_POST', ++$i); +define('HOOK_ACCOUNT_LOGIN_PRE', ++$i); define('HOOK_ACCOUNT_LOST_CHECK_CODE_FINISH_AFTER_PASSWORD', ++$i); define('HOOK_ACCOUNT_LOST_CHECK_CODE_FINISH_AFTER_PASSWORD_REPEAT', ++$i); define('HOOK_ACCOUNT_LOST_EMAIL_SET_NEW_PASSWORD_POST', ++$i); diff --git a/system/templates/account/2fa/app/enable.already_connected.html.twig b/system/templates/account/2fa/app/enable.already_connected.html.twig deleted file mode 100644 index c6c86682..00000000 --- a/system/templates/account/2fa/app/enable.already_connected.html.twig +++ /dev/null @@ -1,22 +0,0 @@ -{% set title = 'Disable Two Factor App' %} -{% set background = config('darkborder') %} - -{% set content %} - - - - - - -
- Two-factor authentication is already enabled on your account.
- Click the button to disable the two-factor app.

-
- {{ csrf() }} - - {% set button_name = 'Disable' %} - {{ include('buttons.base.html.twig') }} -
-
-{% endset %} -{% include 'tables.headline.html.twig' %} diff --git a/system/templates/account/2fa/app/enable.warning.html.twig b/system/templates/account/2fa/app/enable.warning.html.twig index 5e8089f3..55f4c625 100644 --- a/system/templates/account/2fa/app/enable.warning.html.twig +++ b/system/templates/account/2fa/app/enable.warning.html.twig @@ -38,7 +38,7 @@ {% if newRecoveryKeyFormat %} - - - - + - - {% else %} diff --git a/system/templates/account/2fa/app/login.html.twig b/system/templates/account/2fa/app/login.html.twig index 7af585ea..a532e145 100644 --- a/system/templates/account/2fa/app/login.html.twig +++ b/system/templates/account/2fa/app/login.html.twig @@ -12,10 +12,8 @@ Enter the verification code generated by the app:
-
Authenticator App - Token: -
-
+
Authenticator App Token:
+ diff --git a/system/templates/account/2fa/email/login.html.twig b/system/templates/account/2fa/email/login.html.twig index 3699acb2..be0506a8 100644 --- a/system/templates/account/2fa/email/login.html.twig +++ b/system/templates/account/2fa/email/login.html.twig @@ -17,14 +17,13 @@ > {{ csrf() }} - {% set button_name = 'Resend Email Code' %} + {% set button_name = 'Resend E-Mail Code' %} {{ include('buttons.base.html.twig') }} - An email code has already been sent to the email address assigned to your account. - Please check your email account's spam/junk filter and make sure that your mailbox is not - full.
In case you need a new email code, you can request one by clicking on "Resend Email - Code". + An E-Mail code has already been sent to the E-Mail address assigned to your account. + Please check your E-Mail account's spam/junk filter and make sure that your mailbox is not + full.
In case you need a new E-Mail code, you can request one by clicking on "Resend E-Mail Code". @@ -38,15 +37,15 @@ -
Email code authentication is enabled for your account.

Please enter the most - recent email code you have received in order to log in.
+
E-Mail code authentication is enabled for your account.

Please enter the most + recent E-Mail code you have received in order to log in.
-
- +
+ {% if wrongCode %}
 
-
Invalid email code!
+
Invalid E-Mail code!
{% endif %}