upstream/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2026-06-17 04:19:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
icingaweb2/application/forms/Authentication/TwoFactorChallengeForm.php

178 lines
6.6 KiB
PHP
Raw Permalink Normal View History

Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
<?php
// SPDX-FileCopyrightText: 2026 Icinga GmbH <https://icinga.com>
// SPDX-License-Identifier: GPL-3.0-or-later
namespace Icinga\Forms\Authentication;
use Exception;
use Icinga\Application\Hook\AuthenticationHook;
use Icinga\Application\Hook\TwoFactorHook;
use Icinga\Application\Icinga;
use Icinga\Application\Logger;
use Icinga\Authentication\Auth;
use Icinga\Authentication\TwoFactorState;
Guard hook method call sites against implementation exceptions The `TwoFactor` interface methods that contain logic are implemented by module developers and may contain arbitrary third-party code. Without guards at the call sites, an uncaught exception from a faulty implementation could crash the whole application. Each guard logs the exception with a confidential trace. `isEnrolled()` in `loadEnrolled()` rethrows so the caller aborts rather than silently continuing. `verify()` and `assembleEnrollmentFormElements()` show a user-facing message and call `onError()` to keep the user on the form. The existing `enroll()` and `unenroll()` catches are also updated: two separate `Logger::error()` calls become one, and the user-visible messages gain translation context.
2026-05-26 07:37:01 -04:00
use Icinga\Exception\IcingaException;
Deduplicate redirect logic into `LoginRedirect` element Add `LoginRedirect` that extends `HiddenElement` with a single `getUrl()` method that encapsulates the three-step redirect resolution used in both login and two-factor challenge form: fall back to `LoginForm::REDIRECT_URL` when the value is empty or points to the logout action, then reject external URLs with a 400. `LoginForm` and `TwoFactorChallengeForm` both replace their plain `'hidden'` element with `LoginRedirect` and drop their identical `createRedirectUrl()` methods in favor of `$this->getElement('redirect')->getUrl()`. `AuthenticationController::loginAction()` had a pre-assembly call to `$form->createRedirectUrl()` for the already-authenticated path. At that point `handleRequest()` has not yet been called, so the form is not assembled and the `redirect` element does not exist — calling `getElement()` would throw. That path is also only reached when no `redirect` query param is present (the param is handled explicitly on the line above), so the call always returned the fallback URL anyway. It is replaced with a direct `Url::fromPath(LoginForm::REDIRECT_URL)`.
2026-05-07 09:16:22 -04:00
use Icinga\Web\Form\Element\LoginRedirect;
Avoid storing full remember-me cookie in session during 2FA challenge Previously the `RememberMe` object (containing the AES-encrypted password and the decryption key) was serialized directly into the PHP session while waiting for the user to complete the 2FA challenge. Because PHP sessions are written to disk in plaintext, this exposed the key and ciphertext in the same place, sufficient to recover the user's password. Fix by splitting the secret across the session and the database, mirroring the design of the normal (non-2FA) remember-me flow: - Call `persist()` at login time so the AES key goes to the database immediately, never touching the session. - Store only the cookie value string (ciphertext + IV) in the session. The ciphertext is not exploitable without the key. - After a successful 2FA challenge, reconstruct the `RememberMe` object via a new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and restores the canonical expiry from the database row. - Only then send the browser cookie, so the cookie never reaches the browser unless the second factor was verified. Canceled challenges remove the created DB row, while abandoned challenges leave an orphaned DB row which is cleaned up by the existing `RememberMe::removeExpired()` mechanism. `RememberMe::fromCookieData()` sets `$expiresAt` from the database row so the browser cookie issued after 2FA inherits the expiry stored at login time rather than receiving a fresh 30-day window computed at challenge-completion time. The renewal path in `AuthenticationController::loginAction()` is unaffected, because `renew()` constructs a new object via `fromCredentials()`.
2026-05-08 04:49:16 -04:00
use Icinga\Web\RememberMe;
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
use Icinga\Web\Session;
use Icinga\Web\Url;
use ipl\Html\Attributes;
use ipl\Html\FormDecoration\ErrorsDecorator;
use ipl\Html\FormDecoration\HtmlTagDecorator;
use ipl\Html\FormDecoration\RenderElementDecorator;
use ipl\Html\HtmlElement;
use ipl\Html\Text;
use ipl\Web\Common\CsrfCounterMeasure;
use ipl\Web\Common\FormUid;
use ipl\Web\Compat\CompatForm;
use ipl\Web\Widget\Icon;
Guard hook method call sites against implementation exceptions The `TwoFactor` interface methods that contain logic are implemented by module developers and may contain arbitrary third-party code. Without guards at the call sites, an uncaught exception from a faulty implementation could crash the whole application. Each guard logs the exception with a confidential trace. `isEnrolled()` in `loadEnrolled()` rethrows so the caller aborts rather than silently continuing. `verify()` and `assembleEnrollmentFormElements()` show a user-facing message and call `onError()` to keep the user on the form. The existing `enroll()` and `unenroll()` catches are also updated: two separate `Logger::error()` calls become one, and the user-visible messages gain translation context.
2026-05-26 07:37:01 -04:00
use Throwable;
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
/**
* Form for the two-factor authentication challenge
*/
class TwoFactorChallengeForm extends CompatForm
{
use CsrfCounterMeasure;
use FormUid;
/** @var string Name of the token text input in the verification form */
public const TOKEN = 'twofactor_token';
/** @var string Name of the verify submit button in the verification form */
public const SUBMIT_VERIFY = 'submit_twofactor_verify';
/** @var string Name of the cancel submit button in the verification form */
public const SUBMIT_CANCEL = 'submit_twofactor_cancel';
/**
* Create a new TwoFactorChallengeForm
*/
public function __construct()
{
$this->setAttribute('name', 'form_twofactor_challenge');
Add unique form ids to fix incorrect focus after login form submission Without unique ids, `getCSSPath()` in `loader.js` produces the same path for the submit buttons of both forms. When the login form is submitted and the container transitions to the two-factor challenge form, `renderContentToContainer()` restores focus to that path, incorrectly focusing the challenge form's submit button instead of the token input. Unique ids make the paths differ so no match is found and the autofocus class on the token input takes effect as intended.
2026-05-08 05:14:41 -04:00
// Gives this form a unique CSS path so that loader.js does not incorrectly restore focus to
// this form's submit button after the login form submits and transitions to this view.
$this->setAttribute('id', 'twofactor-challenge-form-focus-anchor');
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
}
protected function assemble(): void
{
$this->addCsrfCounterMeasure(Session::getSession()->getId());
$this->addElement($this->createUidElement());
$this->addElement('text', static::TOKEN, [
'autocomplete' => 'off',
'autofocus' => '',
'class' => 'content-centered',
'decorators' => [
'RenderElement' => new RenderElementDecorator(),
'Errors' => (new ErrorsDecorator())->setClass('errors'),
'ControlGroup' => (new HtmlTagDecorator())->setTag('div')->setClass('control-group')
],
'placeholder' => $this->translate('Please enter your 2FA token'),
'required' => true
]);
$this->addElement('submit', static::SUBMIT_VERIFY, [
'data-progress-label' => $this->translate('Verifying'),
'label' => $this->translate('Verify')
]);
$this->addElement('submitButton', static::SUBMIT_CANCEL, [
'class' => 'btn-back-to-login-link',
'formnovalidate' => true,
'label' => [
new Icon('arrow-left'),
HtmlElement::create('span', Attributes::create(), Text::create($this->translate('Back to login')))
]
]);
Deduplicate redirect logic into `LoginRedirect` element Add `LoginRedirect` that extends `HiddenElement` with a single `getUrl()` method that encapsulates the three-step redirect resolution used in both login and two-factor challenge form: fall back to `LoginForm::REDIRECT_URL` when the value is empty or points to the logout action, then reject external URLs with a 400. `LoginForm` and `TwoFactorChallengeForm` both replace their plain `'hidden'` element with `LoginRedirect` and drop their identical `createRedirectUrl()` methods in favor of `$this->getElement('redirect')->getUrl()`. `AuthenticationController::loginAction()` had a pre-assembly call to `$form->createRedirectUrl()` for the already-authenticated path. At that point `handleRequest()` has not yet been called, so the form is not assembled and the `redirect` element does not exist — calling `getElement()` would throw. That path is also only reached when no `redirect` query param is present (the param is handled explicitly on the line above), so the call always returned the fallback URL anyway. It is replaced with a direct `Url::fromPath(LoginForm::REDIRECT_URL)`.
2026-05-07 09:16:22 -04:00
$this->addElement(new LoginRedirect('redirect', ['value' => Url::fromRequest()->getParam('redirect')]));
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
}
/**
* Verify the submitted two-factor token and complete login on success
*
* Retrieves the challenged user from the session and the enrolled 2FA method.
Handle unavailable 2FA method in `TwoFactorChallengeForm` If the 2FA method a user was challenged for is no longer available when they submit the token — e.g. the module providing it was disabled mid-session — show an informative message instead of a fatal error. The message tells the user that their method is gone, suggests contacting an administrator if unexpected, and points them to 'Back to login' explaining that no second factor will be required once the method is disabled.
2026-05-07 10:07:44 -04:00
* If the enrolled method is no longer available, adds an error message and
* calls {@see onError()}. On a valid token, authenticates the user, optionally
* issues the remember-me cookie stored in the challenge state, clears the
* pending challenge from the session, triggers registered
* {@see AuthenticationHook}s, and sets the post-login redirect URL. On an
* invalid token, adds a validation error to the token field.
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
*
* @return void
*/
protected function onSuccess(): void
{
$twoFactorState = new TwoFactorState();
$user = $twoFactorState->getChallengedUser();
$twoFactorMethod = TwoFactorHook::loadEnrolled($user);
Handle unavailable 2FA method in `TwoFactorChallengeForm` If the 2FA method a user was challenged for is no longer available when they submit the token — e.g. the module providing it was disabled mid-session — show an informative message instead of a fatal error. The message tells the user that their method is gone, suggests contacting an administrator if unexpected, and points them to 'Back to login' explaining that no second factor will be required once the method is disabled.
2026-05-07 10:07:44 -04:00
if ($twoFactorMethod === null) {
// This can happen when another user disables the module that provides the 2FA method,
// while the current user is still on the 2FA challenge form.
$this->addMessage($this->translate(
'Your two-factor authentication method is no longer available.'
. ' If this is unexpected, contact your administrator.'
. ' Otherwise use \'Back to login\' — you will not be prompted for a second factor.'
));
$this->onError();
return;
}
Guard hook method call sites against implementation exceptions The `TwoFactor` interface methods that contain logic are implemented by module developers and may contain arbitrary third-party code. Without guards at the call sites, an uncaught exception from a faulty implementation could crash the whole application. Each guard logs the exception with a confidential trace. `isEnrolled()` in `loadEnrolled()` rethrows so the caller aborts rather than silently continuing. `verify()` and `assembleEnrollmentFormElements()` show a user-facing message and call `onError()` to keep the user on the form. The existing `enroll()` and `unenroll()` catches are also updated: two separate `Logger::error()` calls become one, and the user-visible messages gain translation context.
2026-05-26 07:37:01 -04:00
try {
$verified = $twoFactorMethod->verify($this->getValue(static::TOKEN));
} catch (Throwable $e) {
Logger::error("%s\n%s", $e->getMessage(), IcingaException::getConfidentialTraceAsString($e));
$this->addMessage(
$this->translate('Two-factor verification is currently unavailable: %s'),
$e->getMessage()
);
$this->onError();
return;
}
if ($verified) {
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
Logger::info(
'User "%s" passed two-factor verification using method "%s"',
$user->getUsername(),
$twoFactorMethod->getName()
);
Auth::getInstance()->setAuthenticated($user);
$response = Icinga::app()->getResponse();
Avoid storing full remember-me cookie in session during 2FA challenge Previously the `RememberMe` object (containing the AES-encrypted password and the decryption key) was serialized directly into the PHP session while waiting for the user to complete the 2FA challenge. Because PHP sessions are written to disk in plaintext, this exposed the key and ciphertext in the same place, sufficient to recover the user's password. Fix by splitting the secret across the session and the database, mirroring the design of the normal (non-2FA) remember-me flow: - Call `persist()` at login time so the AES key goes to the database immediately, never touching the session. - Store only the cookie value string (ciphertext + IV) in the session. The ciphertext is not exploitable without the key. - After a successful 2FA challenge, reconstruct the `RememberMe` object via a new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and restores the canonical expiry from the database row. - Only then send the browser cookie, so the cookie never reaches the browser unless the second factor was verified. Canceled challenges remove the created DB row, while abandoned challenges leave an orphaned DB row which is cleaned up by the existing `RememberMe::removeExpired()` mechanism. `RememberMe::fromCookieData()` sets `$expiresAt` from the database row so the browser cookie issued after 2FA inherits the expiry stored at login time rather than receiving a fresh 30-day window computed at challenge-completion time. The renewal path in `AuthenticationController::loginAction()` is unaffected, because `renew()` constructs a new object via `fromCredentials()`.
2026-05-08 04:49:16 -04:00
if ($cookieData = $twoFactorState->getRememberMeCookieData()) {
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
try {
Avoid storing full remember-me cookie in session during 2FA challenge Previously the `RememberMe` object (containing the AES-encrypted password and the decryption key) was serialized directly into the PHP session while waiting for the user to complete the 2FA challenge. Because PHP sessions are written to disk in plaintext, this exposed the key and ciphertext in the same place, sufficient to recover the user's password. Fix by splitting the secret across the session and the database, mirroring the design of the normal (non-2FA) remember-me flow: - Call `persist()` at login time so the AES key goes to the database immediately, never touching the session. - Store only the cookie value string (ciphertext + IV) in the session. The ciphertext is not exploitable without the key. - After a successful 2FA challenge, reconstruct the `RememberMe` object via a new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and restores the canonical expiry from the database row. - Only then send the browser cookie, so the cookie never reaches the browser unless the second factor was verified. Canceled challenges remove the created DB row, while abandoned challenges leave an orphaned DB row which is cleaned up by the existing `RememberMe::removeExpired()` mechanism. `RememberMe::fromCookieData()` sets `$expiresAt` from the database row so the browser cookie issued after 2FA inherits the expiry stored at login time rather than receiving a fresh 30-day window computed at challenge-completion time. The renewal path in `AuthenticationController::loginAction()` is unaffected, because `renew()` constructs a new object via `fromCredentials()`.
2026-05-08 04:49:16 -04:00
$rememberMe = RememberMe::fromCookieData($cookieData);
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
$response->setCookie($rememberMe->getCookie());
} catch (Exception $e) {
Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
}
}
$twoFactorState->completeChallenge();
// Call provided AuthenticationHook(s) after successful login
AuthenticationHook::triggerLogin($user);
$response->setRerenderLayout();
Deduplicate redirect logic into `LoginRedirect` element Add `LoginRedirect` that extends `HiddenElement` with a single `getUrl()` method that encapsulates the three-step redirect resolution used in both login and two-factor challenge form: fall back to `LoginForm::REDIRECT_URL` when the value is empty or points to the logout action, then reject external URLs with a 400. `LoginForm` and `TwoFactorChallengeForm` both replace their plain `'hidden'` element with `LoginRedirect` and drop their identical `createRedirectUrl()` methods in favor of `$this->getElement('redirect')->getUrl()`. `AuthenticationController::loginAction()` had a pre-assembly call to `$form->createRedirectUrl()` for the already-authenticated path. At that point `handleRequest()` has not yet been called, so the form is not assembled and the `redirect` element does not exist — calling `getElement()` would throw. That path is also only reached when no `redirect` query param is present (the param is handled explicitly on the line above), so the call always returned the fallback URL anyway. It is replaced with a direct `Url::fromPath(LoginForm::REDIRECT_URL)`.
2026-05-07 09:16:22 -04:00
/** @var LoginRedirect $redirect */
$redirect = $this->getElement('redirect');
$this->setRedirectUrl($redirect->getUrl());
Add `TwoFactorChallengeForm` and login CSS `TwoFactorChallengeForm` renders the second login step: a token input, a "Verify" submit button, and a "Back to login" link button. `onSuccess()` calls `TwoFactorHook::loadEnrolled()` and `TwoFactor::verify()` to verify the token, calls `Auth::setAuthenticated()`, persists the `RememberMe` cookie if one was stashed, completes the challenge, fires `AuthenticationHook::triggerLogin()`, and redirects. Add `.btn-back-to-login-link` to `login.less`. A link-styled submit button with an arrow to the left with an underline on hover.
2026-05-06 02:24:27 -04:00
return;
}
Logger::warning(
'Two-factor verification failed for user "%s" using method "%s"',
$user->getUsername(),
$twoFactorMethod->getName()
);
$this->getElement(static::TOKEN)->addMessage($this->translate('Token is invalid!'));
}
}
Reference in a new issue Copy permalink