wip

2025-07-27 07:44:04 +02:00 · 2025-07-23 14:03:30 +02:00 · 2025-07-23 14:03:30 +02:00 · a1d36202dc
commit a1d36202dc
parent 0070c807a7
4 changed files with 28 additions and 1 deletions
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@ -91,8 +91,13 @@ class AuthenticationController extends Controller
                    ->sendResponse();
                exit;
            }
+            // FORM DOES NOT REDIRECT, IF USER HAS 2FA ENABLED and token hasn't been challenged
            $form->handleRequest();
        }
+//        if ($user->has2FA() && irgendwas_mit_session()) {
+//            // 2 FA form erstellen und zeigen und handeln
+        // in der session speichern ob der token gepasst hat
+//        }
        $this->view->form = $form;
        $this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
        $this->view->requiresSetup = $requiresSetup;
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@ -161,6 +161,18 @@ class LoginForm extends Form

            // Call provided AuthenticationHook(s) after successful login
            AuthenticationHook::triggerLogin($user);
+
+            // If user has 2FA enabled and the token hasn't been validated, redirect to login again, so that
+            // the token is challenged.
+            $redirect = $this->getElement('redirect');
+            $old = $redirect->getValue();
+            $new = [];
+            if ($old) {
+                $new['redirect'] = $old;
+            }
+            $redirect->setValue(Url::fromPath('authentication/login', $new)->getRelativeUrl());
+            return true;
+
            $this->getResponse()->setRerenderLayout(true);
            return true;
        }
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -87,6 +87,9 @@ class Auth
     */
    public function isAuthenticated()
    {
+        // return false just for testing. isAuthenticated must return false if the user is authentiacted but has 2FA enabled and the token hasn't been challenged yet.
+        return false;
+
        if ($this->user !== null) {
            return true;
        }
@ -94,6 +97,9 @@ class Auth
        if ($this->user === null && ! $this->authExternal()) {
            return false;
        }
+
+        // real 2fa check from above must happen here
+
        return true;
    }

@ -129,6 +135,7 @@ class Auth
            $this->persistCurrentUser();
        }

+        // don't log if 2fa hasn't been challenged yet
        AuditHook::logActivity('login', 'User logged in');
    }

@ -449,5 +456,7 @@ class Auth
        // Load the user's roles
        $admissionLoader = new AdmissionLoader();
        $admissionLoader->applyRoles($user);
+
+        // Set 2FA status from the user preferences in the user obect
    }
 }
--- a/library/Icinga/User/Preferences/PreferencesStore.php
+++ b/library/Icinga/User/Preferences/PreferencesStore.php
@ -282,8 +282,9 @@ class PreferencesStore
            }
        } catch (Exception $e) {
            throw new NotWritableError(
-                'Cannot update preferences for user %s in database',
+                'Cannot update preferences for user %s in database: %s',
                $this->getUser()->getUsername(),
+                $e->getMessage(),
                $e
            );
        }