Modifications on the login process to include the 2 step verification

pandora_console/general/login_page.php

@@ -35,6 +35,7 @@ switch ($login_screen) {
 		$logo_title = __('Go to Pandora FMS Website');
 		break;
 	case 'logout':
+	case 'double_auth':
 		$logo_link = 'index.php';
 		$logo_title = __('Go to Login');
 		break;
@@ -129,6 +130,22 @@ echo '
 			echo __('Your session is over. Please close your browser window to close this Pandora session.').'<br /><br />';
 			echo '</p>';
 			break;
+		case 'double_auth':
+			if (!empty ($page) && !empty ($sec)) {
+				foreach ($_POST as $key => $value) {
+					html_print_input_hidden ($key, $value);
+				}
+			}
+			echo '<div class="login_double_auth_code_text">';
+			echo __('Authenticator code') . '<br>';
+			echo '</div>';
+			echo '<div class="login_double_auth_code">';
+			html_print_input_text_extended ("auth_code", '', "auth_code", '', '', '' , false, '', 'class="login login_password"', false, true);
+			echo '</div>';
+			echo '<div class="login_button">';
+			html_print_submit_button(__("Check code") . '&nbsp;&nbsp;>', "login_button", false, 'class="sub next_login"');
+			echo '</div>';
+			break;
 		default:
 			if (isset($error_info)) {
 				echo '<h1 id="log_title">' . $error_info['title'] . '</h1>';

pandora_console/index.php

@@ -168,7 +168,8 @@ if (strlen($search) > 0) {
 }
 
 // Login process
-if (! isset ($config['id_user']) && isset ($_GET["login"])) {
+if (! isset ($config['id_user'])) {
+	if (isset ($_GET["login"])) {
 		include_once('include/functions_db.php'); //Include it to use escape_string_sql function
 		
 		$config["auth_error"] = ""; //Set this to the error message from the authorization mechanism
@@ -177,6 +178,93 @@ if (! isset ($config['id_user']) && isset ($_GET["login"])) {
 		$nick = db_escape_string_sql($nick);
 		$pass = db_escape_string_sql($pass);
 
+		//Since now, only the $pass variable are needed
+		unset ($_GET['pass'], $_POST['pass'], $_REQUEST['pass']);
+
+		// If the auth_code exists, we assume the user has come through the double auth page
+		if (isset ($_POST['auth_code'])) {
+			$double_auth_success = false;
+
+			// The double authentication is activated and the user has surpassed the first step (the login).
+			// Now the authentication code provided will be checked.
+			if (isset ($_SESSION['prepared_login_da'])) {
+				if (isset ($_SESSION['prepared_login_da']['id_user'])
+						&& isset ($_SESSION['prepared_login_da']['timestamp'])) {
+
+					$config["prepared_login_da"] = $_SESSION["prepared_login_da"];
+					// The user has a maximum of 5 minutes to introduce the double auth code
+					$dauth_period = SECONDS_2MINUTES;
+					$now = time();
+					$dauth_time = $config['prepared_login_da']['timestamp'];
+
+					if ($now - $dauth_period < $dauth_time) {
+						// Nick
+						$nick = $config["prepared_login_da"]['id_user'];
+						// Code
+						$code = (string) get_parameter_post ("auth_code");
+
+						if (!empty($code)) {
+							$result = login_validate_double_auth_code($nick, $code);
+
+							if ($result === true) {
+								// Double auth success
+								$double_auth_success = true;
+							}
+							else {
+								// Screen
+								$login_screen = 'double_auth';
+								// Error message
+								$config["auth_error"] = __("Invalid code");
+							}
+						}
+						else {
+							// Screen
+							$login_screen = 'double_auth';
+							// Error message
+							$config["auth_error"] = __("The code shouldn't be empty");
+						}
+					}
+					else {
+						// Expired login
+						unset ($_SESSION['prepared_login_da'], $config["prepared_login_da"]);
+
+						// Error message
+						$config["auth_error"] = __('Expired login');
+					}
+				}
+				else {
+					// If the code doesn't exist, remove the prepared login
+					unset ($_SESSION['prepared_login_da']);
+
+					// Error message
+					$config["auth_error"] = __('Login error');
+				}
+			}
+			// If $_SESSION['prepared_login_da'] doesn't exist, the user have to do the login again
+			else {
+				// Error message
+				$config["auth_error"] = __('Login error');
+			}
+
+			// Remove the authenticator code
+			unset ($_POST['auth_code'], $code);
+
+			if (!$double_auth_success) {
+				$login_failed = true;
+				require_once ('general/login_page.php');
+				db_pandora_audit("Logon Failed", "Invalid double auth login: "
+					.$_SESSION['remote_addr'], $_SESSION['remote_addr']);
+				while (@ob_end_flush ());
+				exit ("</html>");
+			}
+		}
+		
+		if (isset ($double_auth_success) && $double_auth_success) {
+			// This values are true cause there are checked before complete the 2nd auth step
+			$nick_in_db = $config["prepared_login_da"]['id_user'];
+			$expired_pass = false;
+		}
+		else {
 			// process_user_login is a virtual function which should be defined in each auth file.
 			// It accepts username and password. The rest should be internal to the auth file.
 			// The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it
@@ -211,6 +299,7 @@ if (! isset ($config['id_user']) && isset ($_GET["login"])) {
 						break;
 				}
 			}
+		}
 		
 		if (($nick_in_db !== false) && $expired_pass) {
 			//login ok and password has expired
@@ -222,6 +311,23 @@ if (! isset ($config['id_user']) && isset ($_GET["login"])) {
 			exit ("</html>");
 		}
 		else if (($nick_in_db !== false) && (!$expired_pass)) {
+			//login ok and password has not expired
+
+			// Double auth check
+			if ((!isset ($double_auth_success) || !$double_auth_success) && login_is_double_auth_enabled($nick_in_db)) {
+				// Store this values in the session to know if the user login was correct
+				$_SESSION['prepared_login_da'] = array(
+						'id_user' => $nick_in_db,
+						'timestamp' => time()
+					);
+
+				// Load the page to introduce the double auth code
+				$login_screen = 'double_auth';
+				require_once ('general/login_page.php');
+				while (@ob_end_flush ());
+				exit ("</html>");
+			}
+
 			//login ok and password has not expired
 			$process_login = true;
 			
@@ -279,7 +385,7 @@ if (! isset ($config['id_user']) && isset ($_GET["login"])) {
 			$_SESSION['id_usuario'] = $nick_in_db;
 			$config['id_user'] = $nick_in_db;
 			//Remove everything that might have to do with people's passwords or logins
-		unset ($_GET['pass'], $pass, $_POST['pass'], $_REQUEST['pass'], $login_good);
+			unset ($pass, $login_good);
 			
 			$user_language = get_user_language($config['id_user']);
 			
@@ -313,9 +419,9 @@ if (! isset ($config['id_user']) && isset ($_GET["login"])) {
 				exit ("</html>");
 			}
 		}
-}
+	}
-// Hash login process
+	// Hash login process
-elseif (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
+	elseif (isset ($_GET["loginhash"])) {
 		$loginhash_data = get_parameter("loginhash_data", "");
 		$loginhash_user = str_rot13(get_parameter("loginhash_user", ""));
 		
@@ -330,12 +436,13 @@ elseif (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
 			while (@ob_end_flush ());
 			exit ("</html>");
 		}
-}
+	}
-// There is no user connected
+	// There is no user connected
-elseif (! isset ($config['id_user'])) {
+	else {
 		require_once ('general/login_page.php');
 		while (@ob_end_flush ());
 		exit ("</html>");
+	}
 }
 
 // Log off