mirror of
https://github.com/Icinga/icingaweb2.git
synced 2026-06-22 15:03:14 -04:00
215d2ec108
Previously the `RememberMe` object (containing the AES-encrypted password and the decryption key) was serialized directly into the PHP session while waiting for the user to complete the 2FA challenge. Because PHP sessions are written to disk in plaintext, this exposed the key and ciphertext in the same place, sufficient to recover the user's password. Fix by splitting the secret across the session and the database, mirroring the design of the normal (non-2FA) remember-me flow: - Call `persist()` at login time so the AES key goes to the database immediately, never touching the session. - Store only the cookie value string (ciphertext + IV) in the session. The ciphertext is not exploitable without the key. - After a successful 2FA challenge, reconstruct the `RememberMe` object via a new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and restores the canonical expiry from the database row. - Only then send the browser cookie, so the cookie never reaches the browser unless the second factor was verified. Canceled challenges remove the created DB row, while abandoned challenges leave an orphaned DB row which is cleaned up by the existing `RememberMe::removeExpired()` mechanism. `RememberMe::fromCookieData()` sets `$expiresAt` from the database row so the browser cookie issued after 2FA inherits the expiry stored at login time rather than receiving a fresh 30-day window computed at challenge-completion time. The renewal path in `AuthenticationController::loginAction()` is unaffected, because `renew()` constructs a new object via `fromCredentials()`.
159 lines
5.9 KiB
PHP
159 lines
5.9 KiB
PHP
<?php
|
|
|
|
// SPDX-FileCopyrightText: 2026 Icinga GmbH <https://icinga.com>
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
namespace Icinga\Forms\Authentication;
|
|
|
|
use Exception;
|
|
use Icinga\Application\Hook\AuthenticationHook;
|
|
use Icinga\Application\Hook\TwoFactorHook;
|
|
use Icinga\Application\Icinga;
|
|
use Icinga\Application\Logger;
|
|
use Icinga\Authentication\Auth;
|
|
use Icinga\Authentication\TwoFactorState;
|
|
use Icinga\Web\Form\Element\LoginRedirect;
|
|
use Icinga\Web\RememberMe;
|
|
use Icinga\Web\Session;
|
|
use Icinga\Web\Url;
|
|
use ipl\Html\Attributes;
|
|
use ipl\Html\FormDecoration\ErrorsDecorator;
|
|
use ipl\Html\FormDecoration\HtmlTagDecorator;
|
|
use ipl\Html\FormDecoration\RenderElementDecorator;
|
|
use ipl\Html\HtmlElement;
|
|
use ipl\Html\Text;
|
|
use ipl\Web\Common\CsrfCounterMeasure;
|
|
use ipl\Web\Common\FormUid;
|
|
use ipl\Web\Compat\CompatForm;
|
|
use ipl\Web\Widget\Icon;
|
|
|
|
/**
|
|
* Form for the two-factor authentication challenge
|
|
*/
|
|
class TwoFactorChallengeForm extends CompatForm
|
|
{
|
|
use CsrfCounterMeasure;
|
|
use FormUid;
|
|
|
|
/** @var string Name of the token text input in the verification form */
|
|
public const TOKEN = 'twofactor_token';
|
|
|
|
/** @var string Name of the verify submit button in the verification form */
|
|
public const SUBMIT_VERIFY = 'submit_twofactor_verify';
|
|
|
|
/** @var string Name of the cancel submit button in the verification form */
|
|
public const SUBMIT_CANCEL = 'submit_twofactor_cancel';
|
|
|
|
/**
|
|
* Create a new TwoFactorChallengeForm
|
|
*/
|
|
public function __construct()
|
|
{
|
|
$this->setAttribute('name', 'form_twofactor_challenge');
|
|
}
|
|
|
|
protected function assemble(): void
|
|
{
|
|
$this->addCsrfCounterMeasure(Session::getSession()->getId());
|
|
$this->addElement($this->createUidElement());
|
|
|
|
$this->addElement('text', static::TOKEN, [
|
|
'autocomplete' => 'off',
|
|
'autofocus' => '',
|
|
'class' => 'content-centered',
|
|
'decorators' => [
|
|
'RenderElement' => new RenderElementDecorator(),
|
|
'Errors' => (new ErrorsDecorator())->setClass('errors'),
|
|
'ControlGroup' => (new HtmlTagDecorator())->setTag('div')->setClass('control-group')
|
|
],
|
|
'placeholder' => $this->translate('Please enter your 2FA token'),
|
|
'required' => true
|
|
]);
|
|
|
|
$this->addElement('submit', static::SUBMIT_VERIFY, [
|
|
'data-progress-label' => $this->translate('Verifying'),
|
|
'label' => $this->translate('Verify')
|
|
]);
|
|
|
|
$this->addElement('submitButton', static::SUBMIT_CANCEL, [
|
|
'class' => 'btn-back-to-login-link',
|
|
'formnovalidate' => true,
|
|
'label' => [
|
|
new Icon('arrow-left'),
|
|
HtmlElement::create('span', Attributes::create(), Text::create($this->translate('Back to login')))
|
|
]
|
|
]);
|
|
|
|
$this->addElement(new LoginRedirect('redirect', ['value' => Url::fromRequest()->getParam('redirect')]));
|
|
}
|
|
|
|
/**
|
|
* Verify the submitted two-factor token and complete login on success
|
|
*
|
|
* Retrieves the challenged user from the session and the enrolled 2FA method.
|
|
* If the enrolled method is no longer available, adds an error message and
|
|
* calls {@see onError()}. On a valid token, authenticates the user, optionally
|
|
* issues the remember-me cookie stored in the challenge state, clears the
|
|
* pending challenge from the session, triggers registered
|
|
* {@see AuthenticationHook}s, and sets the post-login redirect URL. On an
|
|
* invalid token, adds a validation error to the token field.
|
|
*
|
|
* @return void
|
|
*/
|
|
protected function onSuccess(): void
|
|
{
|
|
$twoFactorState = new TwoFactorState();
|
|
$user = $twoFactorState->getChallengedUser();
|
|
$twoFactorMethod = TwoFactorHook::loadEnrolled($user);
|
|
if ($twoFactorMethod === null) {
|
|
// This can happen when another user disables the module that provides the 2FA method,
|
|
// while the current user is still on the 2FA challenge form.
|
|
$this->addMessage($this->translate(
|
|
'Your two-factor authentication method is no longer available.'
|
|
. ' If this is unexpected, contact your administrator.'
|
|
. ' Otherwise use \'Back to login\' — you will not be prompted for a second factor.'
|
|
));
|
|
$this->onError();
|
|
|
|
return;
|
|
}
|
|
if ($twoFactorMethod->verify($this->getValue(static::TOKEN))) {
|
|
Logger::info(
|
|
'User "%s" passed two-factor verification using method "%s"',
|
|
$user->getUsername(),
|
|
$twoFactorMethod->getName()
|
|
);
|
|
Auth::getInstance()->setAuthenticated($user);
|
|
|
|
$response = Icinga::app()->getResponse();
|
|
|
|
if ($cookieData = $twoFactorState->getRememberMeCookieData()) {
|
|
try {
|
|
$rememberMe = RememberMe::fromCookieData($cookieData);
|
|
$response->setCookie($rememberMe->getCookie());
|
|
} catch (Exception $e) {
|
|
Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
|
|
}
|
|
}
|
|
|
|
$twoFactorState->completeChallenge();
|
|
|
|
// Call provided AuthenticationHook(s) after successful login
|
|
AuthenticationHook::triggerLogin($user);
|
|
|
|
$response->setRerenderLayout();
|
|
/** @var LoginRedirect $redirect */
|
|
$redirect = $this->getElement('redirect');
|
|
$this->setRedirectUrl($redirect->getUrl());
|
|
|
|
return;
|
|
}
|
|
|
|
Logger::warning(
|
|
'Two-factor verification failed for user "%s" using method "%s"',
|
|
$user->getUsername(),
|
|
$twoFactorMethod->getName()
|
|
);
|
|
$this->getElement(static::TOKEN)->addMessage($this->translate('Token is invalid!'));
|
|
}
|
|
}
|