pierre/wallabag
1
0
Fork 0
forked from wallabag/wallabag
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Avoid non-validated OTP to be enabled

Browse Source 
The OTP code must be required when enabling OTP. If the provided code is wrong, disable OTP, redirect and notice the user.
This commit is contained in:
Jeremy Benoist
2025-04-11 15:46:57 +02:00
parent 01ffc6c3d5
commit 262f674245
4 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
phpstan-baseline.neon
View File

@ -57,5 +57,5 @@ parameters:
- -
message: "#^Method FOS\\\\UserBundle\\\\Model\\\\UserManagerInterface\\:\\:updateUser()#" message: "#^Method FOS\\\\UserBundle\\\\Model\\\\UserManagerInterface\\:\\:updateUser()#"
count: 6 count: 7
path: src/Wallabag/CoreBundle/Controller/ConfigController.php path: src/Wallabag/CoreBundle/Controller/ConfigController.php

18
src/Wallabag/CoreBundle/Controller/ConfigController.php
View File

@ -402,12 +402,14 @@ class ConfigController extends AbstractController
throw new BadRequestHttpException('Bad CSRF token.'); throw new BadRequestHttpException('Bad CSRF token.');
} }
$user = $this->getUser();
$isValid = $googleAuthenticator->checkCode( $isValid = $googleAuthenticator->checkCode(
$this->getUser(), $user,
$request->get('_auth_code') $request->get('_auth_code')
); );
if (true === $isValid) { if ($isValid) {
$this->addFlash( $this->addFlash(
'notice', 'notice',
'flashes.config.notice.otp_enabled' 'flashes.config.notice.otp_enabled'
@ -417,14 +419,14 @@ class ConfigController extends AbstractController
} }
$this->addFlash( $this->addFlash(
'two_factor', 'notice',
'scheb_two_factor.code_invalid' 'flashes.config.notice.otp_code_invalid'
); );
$this->addFlash( $user->setGoogleAuthenticatorSecret(null);
'notice', $user->setBackupCodes(null);
'scheb_two_factor.code_invalid'
); $this->userManager->updateUser($user, true);
return $this->redirect($this->generateUrl('config') . '#set3'); return $this->redirect($this->generateUrl('config') . '#set3');
} }

2
src/Wallabag/CoreBundle/Resources/views/Config/otp_app.html.twig
View File

@ -45,7 +45,7 @@
<div class="row"> <div class="row">
<div class="input-field col s12"> <div class="input-field col s12">
<label for="_auth_code">{{ "auth_code"|trans({}, 'SchebTwoFactorBundle') }}</label> <label for="_auth_code">{{ "auth_code"|trans({}, 'SchebTwoFactorBundle') }}</label>
<input id="_auth_code" type="text" autocomplete="off" name="_auth_code" /> <input id="_auth_code" type="text" autocomplete="off" name="_auth_code" required="required" />
</div> </div>
</div> </div>
</div> </div>

1
translations/messages.en.yml
View File

@ -668,6 +668,7 @@ flashes:
archived_reset: Archived entries deleted archived_reset: Archived entries deleted
otp_enabled: Two-factor authentication enabled otp_enabled: Two-factor authentication enabled
otp_disabled: Two-factor authentication disabled otp_disabled: Two-factor authentication disabled
otp_code_invalid: Invalid two-factor authentication code
tagging_rules_imported: Tagging rules imported tagging_rules_imported: Tagging rules imported
tagging_rules_not_imported: Error while importing tagging rules tagging_rules_not_imported: Error while importing tagging rules
ignore_origin_rules_deleted: 'Ignore origin rule deleted' ignore_origin_rules_deleted: 'Ignore origin rule deleted'