Clean pending 2FA authentication on password reset

When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.

The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-01-28 16:12:06 +01:00
parent 8d52a3ac4a
commit ac8a6e2244
No known key found for this signature in database
GPG Key ID: F941078878347C0C
3 changed files with 23 additions and 3 deletions

View File

@ -31,6 +31,7 @@
namespace OC\Core\Controller;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\HintException;
use \OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
@ -58,7 +59,6 @@ use OCP\Security\ISecureRandom;
* @package OC\Core\Controller
*/
class LostController extends Controller {
/** @var IURLGenerator */
protected $urlGenerator;
/** @var IUserManager */
@ -83,6 +83,8 @@ class LostController extends Controller {
protected $crypto;
/** @var ILogger */
private $logger;
/** @var Manager */
private $twoFactorManager;
/**
* @param string $appName
@ -112,7 +114,8 @@ class LostController extends Controller {
IMailer $mailer,
ITimeFactory $timeFactory,
ICrypto $crypto,
ILogger $logger) {
ILogger $logger,
Manager $twoFactorManager) {
parent::__construct($appName, $request);
$this->urlGenerator = $urlGenerator;
$this->userManager = $userManager;
@ -126,6 +129,7 @@ class LostController extends Controller {
$this->timeFactory = $timeFactory;
$this->crypto = $crypto;
$this->logger = $logger;
$this->twoFactorManager = $twoFactorManager;
}
/**
@ -290,6 +294,8 @@ class LostController extends Controller {
\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));
$this->twoFactorManager->clearTwoFactorPending($userId);
$this->config->deleteUserValue($userId, 'core', 'lostpassword');
@\OC::$server->getUserSession()->unsetMagicInCookie();
} catch (HintException $e){

View File

@ -31,6 +31,7 @@ use function array_diff;
use function array_filter;
use BadMethodCallException;
use Exception;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Token\IProvider as TokenProvider;
use OCP\Activity\IManager;
@ -364,4 +365,12 @@ class Manager {
$this->config->setUserValue($user->getUID(), 'login_token_2fa', $token->getId(), $this->timeFactory->getTime());
}
public function clearTwoFactorPending(string $userId) {
$tokensNeeding2FA = $this->config->getUserKeys($userId, 'login_token_2fa');
foreach ($tokensNeeding2FA as $tokenId) {
$this->tokenProvider->invalidateTokenById($userId, $tokenId);
}
}
}

View File

@ -21,6 +21,7 @@
namespace Tests\Core\Controller;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Core\Controller\LostController;
use OC\Mail\Message;
use OCP\AppFramework\Http\JSONResponse;
@ -77,6 +78,8 @@ class LostControllerTest extends \Test\TestCase {
private $crypto;
/** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */
private $logger;
/** @var Manager|\PHPUnit_Framework_MockObject_MockObject */
private $twofactorManager;
protected function setUp() {
parent::setUp();
@ -128,6 +131,7 @@ class LostControllerTest extends \Test\TestCase {
->willReturn(true);
$this->crypto = $this->createMock(ICrypto::class);
$this->logger = $this->createMock(ILogger::class);
$this->twofactorManager = $this->createMock(Manager::class);
$this->lostController = new LostController(
'Core',
$this->request,
@ -142,7 +146,8 @@ class LostControllerTest extends \Test\TestCase {
$this->mailer,
$this->timeFactory,
$this->crypto,
$this->logger
$this->logger,
$this->twofactorManager
);
}