forked from wallabag/wallabag
Avoid non-validated OTP to be enabled
The OTP code must be required when enabling OTP. If the provided code is wrong, disable OTP, redirect and notice the user.
This commit is contained in:
Jeremy Benoist
@ -402,12 +402,14 @@ class ConfigController extends AbstractController
|
||||
throw new BadRequestHttpException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
|
||||
$isValid = $googleAuthenticator->checkCode(
|
||||
$this->getUser(),
|
||||
$user,
|
||||
$request->get('_auth_code')
|
||||
);
|
||||
|
||||
if (true === $isValid) {
|
||||
if ($isValid) {
|
||||
$this->addFlash(
|
||||
'notice',
|
||||
'flashes.config.notice.otp_enabled'
|
||||
@ -417,14 +419,14 @@ class ConfigController extends AbstractController
|
||||
}
|
||||
|
||||
$this->addFlash(
|
||||
'two_factor',
|
||||
'scheb_two_factor.code_invalid'
|
||||
'notice',
|
||||
'flashes.config.notice.otp_code_invalid'
|
||||
);
|
||||
|
||||
$this->addFlash(
|
||||
'notice',
|
||||
'scheb_two_factor.code_invalid'
|
||||
);
|
||||
$user->setGoogleAuthenticatorSecret(null);
|
||||
$user->setBackupCodes(null);
|
||||
|
||||
$this->userManager->updateUser($user, true);
|
||||
|
||||
return $this->redirect($this->generateUrl('config') . '#set3');
|
||||
}
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
<div class="row">
|
||||
<div class="input-field col s12">
|
||||
<label for="_auth_code">{{ "auth_code"|trans({}, 'SchebTwoFactorBundle') }}</label>
|
||||
<input id="_auth_code" type="text" autocomplete="off" name="_auth_code" />
|
||||
<input id="_auth_code" type="text" autocomplete="off" name="_auth_code" required="required" />
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user