Merge pull request #7425 from MrPetovan/task/2fa-ping-disallowed

2FA: Remove mod/ping from exception list
2019-07-25 08:49:20 +02:00 · 2019-07-25 08:49:20 +02:00 · 56e0a92d83
parent d75e3e1650 4ec4a04e49
commit 56e0a92d83
4 changed files with 244 additions and 229 deletions
--- a/src/App.php
+++ b/src/App.php
@ -12,10 +12,12 @@ use Friendica\Core\Config\Cache\ConfigCache;
 use Friendica\Core\Config\Configuration;
 use Friendica\Core\Hook;
 use Friendica\Core\L10n\L10n;
+use Friendica\Core\System;
 use Friendica\Core\Theme;
 use Friendica\Database\Database;
 use Friendica\Database\DBA;
 use Friendica\Model\Profile;
+use Friendica\Module\Login;
 use Friendica\Network\HTTPException;
 use Friendica\Util\BaseURL;
 use Friendica\Util\ConfigFileLoader;
@ -1001,11 +1003,10 @@ class App
 	 */
 	public function runFrontend()
 	{
+		try {
 			// Missing DB connection: ERROR
 			if ($this->getMode()->has(App\Mode::LOCALCONFIGPRESENT) && !$this->getMode()->has(App\Mode::DBAVAILABLE)) {
-			Module\Special\HTTPException::rawContent(
-				new HTTPException\InternalServerErrorException('Apologies but the website is unavailable at the moment.')
-			);
+				throw new HTTPException\InternalServerErrorException('Apologies but the website is unavailable at the moment.');
 			}

 			// Max Load Average reached: ERROR
@ -1013,17 +1014,13 @@ class App
 				header('Retry-After: 120');
 				header('Refresh: 120; url=' . $this->getBaseURL() . "/" . $this->query_string);

-			Module\Special\HTTPException::rawContent(
-				new HTTPException\ServiceUnavailableException('The node is currently overloaded. Please try again later.')
-			);
+				throw new HTTPException\ServiceUnavailableException('The node is currently overloaded. Please try again later.');
 			}

 			if (!$this->getMode()->isInstall()) {
 				// Force SSL redirection
 				if ($this->baseURL->checkRedirectHttps()) {
-				header('HTTP/1.1 302 Moved Temporarily');
-				header('Location: ' . $this->getBaseURL() . '/' . $this->query_string);
-				exit();
+					System::externalRedirect($this->getBaseURL() . '/' . $this->query_string);
 				}

 				Core\Session::init();
@ -1067,9 +1064,7 @@ class App
 						// Someone came with an invalid parameter, maybe as a DDoS attempt
 						// We simply stop processing here
 						Core\Logger::log("Invalid ZRL parameter " . $_GET['zrl'], Core\Logger::DEBUG);
-					Module\Special\HTTPException::rawContent(
-						new HTTPException\ForbiddenException()
-					);
+						throw new HTTPException\ForbiddenException();
 					}
 				}
 			}
@ -1225,7 +1220,7 @@ class App

 			// Initialize module that can set the current theme in the init() method, either directly or via App->profile_uid
 			$this->page['page_title'] = $this->module;
-		try {
+
 			$placeholder = '';

 			Core\Hook::callAll($this->module . '_mod_init', $placeholder);
--- a/src/Core/Authentication.php
+++ b/src/Core/Authentication.php
@ -7,6 +7,7 @@ namespace Friendica\Core;

 use Friendica\App;
 use Friendica\BaseObject;
+use Friendica\Network\HTTPException\ForbiddenException;
 use Friendica\Util\BaseURL;

 /**
@ -71,7 +72,7 @@ class Authentication extends BaseObject
 		}

 		// Check current path, if 2fa authentication module return
-		if ($a->argc > 0 && in_array($a->argv[0], ['ping', '2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
+		if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
 			return;
 		}

@ -81,7 +82,11 @@ class Authentication extends BaseObject
 		}

 		// Case 2: No valid 2FA session: redirect to code verification page
+		if ($a->isAjax()) {
+			throw new ForbiddenException();
+		} else {
 			$a->internalRedirect('2fa');
 		}
+	}
 }

--- a/src/Module/TwoFactor/Verify.php
+++ b/src/Module/TwoFactor/Verify.php
@ -16,18 +16,20 @@ use PragmaRX\Google2FA\Google2FA;
 */
 class Verify extends BaseModule
 {
+	private static $errors = [];
+
 	public static function post()
 	{
 		if (!local_user()) {
 			return;
 		}

-		if (defaults($_POST, 'action', null) == 'verify') {
+		if (($_POST['action'] ?? '') == 'verify') {
 			self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_verify');

 			$a = self::getApp();

-			$code = defaults($_POST, 'verify_code', '');
+			$code = $_POST['verify_code'] ?? '';

 			$valid = (new Google2FA())->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), $code);

@ -38,7 +40,7 @@ class Verify extends BaseModule
 				// Resume normal login workflow
 				Session::setAuthenticatedForUser($a, $a->user, true, true);
 			} else {
-				notice(L10n::t('Invalid code, please retry.'));
+				self::$errors[] = L10n::t('Invalid code, please retry.');
 			}
 		}
 	}
@ -59,6 +61,8 @@ class Verify extends BaseModule

 			'$title'            => L10n::t('Two-factor authentication'),
 			'$message'          => L10n::t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'),
+			'$errors_label'     => L10n::tt('Error', 'Errors', count(self::$errors)),
+			'$errors'           => self::$errors,
 			'$recovery_message' => L10n::t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
 			'$verify_code'      => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'],
 			'$verify_label'     => L10n::t('Verify code and complete login'),
--- a/view/templates/twofactor/verify.tpl
+++ b/view/templates/twofactor/verify.tpl
@ -2,6 +2,17 @@
 	<h1>{{$title}}</h1>
 	<div>{{$message nofilter}}</div>

+{{if $errors}}
+	<div class="panel panel-danger">
+		<div class="panel-heading">{{$errors_label}}</div>
+		<ul class="list-group">
+	{{foreach $errors as $error}}
+			<li class="list-group-item">{{$error}}</li>
+	{{/foreach}}
+		</ul>
+	</div>
+{{/if}}
+
 	<form action="" method="post">
 		<input type="hidden" name="form_security_token" value="{{$form_security_token}}">