fix handle session variables
* attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable
This commit is contained in:
bovenliggende
e3d2156d44
commit
02f2f6a843
@ -19,6 +19,7 @@ use D3\Totp\Application\Model\d3backupcodelist;
|
||||
use D3\Totp\Application\Model\d3totp;
|
||||
use D3\Totp\Application\Model\d3totp_conf;
|
||||
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
|
||||
use D3\Totp\Modules\Application\Model\d3_totp_user;
|
||||
use OxidEsales\Eshop\Application\Controller\Admin\AdminController;
|
||||
use OxidEsales\Eshop\Application\Model\User;
|
||||
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
|
||||
@ -42,7 +43,7 @@ class d3totpadminlogin extends AdminController
|
||||
*/
|
||||
public function render(): string
|
||||
{
|
||||
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) ||
|
||||
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) &&
|
||||
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
|
||||
) {
|
||||
$this->getUtils()->redirect('index.php?cl=admin_start');
|
||||
@ -53,7 +54,9 @@ class d3totpadminlogin extends AdminController
|
||||
}
|
||||
}
|
||||
|
||||
if (!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
|
||||
if (!Registry::getSession()->hasVariable(d3totp_conf::OXID_ADMIN_AUTH) &&
|
||||
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
|
||||
) {
|
||||
$this->getUtils()->redirect('index.php?cl=login');
|
||||
}
|
||||
|
||||
@ -74,8 +77,12 @@ class d3totpadminlogin extends AdminController
|
||||
*/
|
||||
public function getBackupCodeCountMessage()
|
||||
{
|
||||
/** @var d3_totp_user $user */
|
||||
$user = oxNew(User::class);
|
||||
$userId = $user->d3TotpGetCurrentUser();
|
||||
|
||||
$oBackupCodeList = $this->d3GetBackupCodeListObject();
|
||||
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER));
|
||||
$iCount = $oBackupCodeList->getAvailableCodeCount($userId);
|
||||
|
||||
if ($iCount < 4) {
|
||||
return sprintf(
|
||||
@ -108,10 +115,16 @@ class d3totpadminlogin extends AdminController
|
||||
return oxNew(User::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string|void
|
||||
* @throws DatabaseConnectionException
|
||||
*/
|
||||
public function checklogin()
|
||||
{
|
||||
$session = Registry::getSession();
|
||||
$userId = $session->getVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
/** @var d3_totp_user $user */
|
||||
$user = oxNew(User::class);
|
||||
$userId = $user->d3TotpGetCurrentUser();
|
||||
|
||||
try {
|
||||
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp');
|
||||
@ -125,8 +138,9 @@ class d3totpadminlogin extends AdminController
|
||||
|
||||
$session->initNewSession();
|
||||
$session->setVariable("aAdminProfiles", $adminProfiles);
|
||||
$session->setVariable('auth', $userId);
|
||||
$session->setVariable(d3totp_conf::SESSION_AUTH, true);
|
||||
$session->setVariable(d3totp_conf::OXID_ADMIN_AUTH, $userId);
|
||||
$session->setVariable(d3totp_conf::SESSION_AUTH, $userId);
|
||||
$session->deleteVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
|
||||
return "admin_start";
|
||||
} catch (d3totp_wrongOtpException $e) {
|
||||
|
@ -17,6 +17,7 @@ namespace D3\Totp\Application\Controller\Admin;
|
||||
|
||||
use D3\Totp\Application\Model\d3totp;
|
||||
use D3\Totp\Application\Model\d3backupcodelist;
|
||||
use D3\Totp\Application\Model\d3totp_conf;
|
||||
use D3\Totp\Modules\Application\Model\d3_totp_user;
|
||||
use Exception;
|
||||
use OxidEsales\Eshop\Application\Controller\Admin\AdminDetailsController;
|
||||
|
@ -16,7 +16,6 @@ declare(strict_types=1);
|
||||
namespace D3\Totp\Application\Controller;
|
||||
|
||||
use D3\Totp\Application\Model\d3backupcodelist;
|
||||
use D3\Totp\Application\Model\d3totp;
|
||||
use D3\Totp\Application\Model\d3totp_conf;
|
||||
use OxidEsales\Eshop\Application\Controller\FrontendController;
|
||||
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
|
||||
@ -29,9 +28,7 @@ class d3totplogin extends FrontendController
|
||||
|
||||
public function render()
|
||||
{
|
||||
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) ||
|
||||
false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
|
||||
) {
|
||||
if (false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
|
||||
$this->getUtils()->redirect('index.php?cl=start');
|
||||
if (false == defined('OXID_PHP_UNIT')) {
|
||||
// @codeCoverageIgnoreStart
|
||||
@ -60,7 +57,8 @@ class d3totplogin extends FrontendController
|
||||
public function getBackupCodeCountMessage()
|
||||
{
|
||||
$oBackupCodeList = $this->getBackupCodeListObject();
|
||||
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER));
|
||||
$userId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
$iCount = $oBackupCodeList->getAvailableCodeCount($userId);
|
||||
|
||||
if ($iCount < 4) {
|
||||
return sprintf(
|
||||
|
@ -15,6 +15,7 @@ declare(strict_types=1);
|
||||
|
||||
namespace D3\Totp\Application\Model;
|
||||
|
||||
use D3\Totp\Modules\Application\Model\d3_totp_user;
|
||||
use OxidEsales\Eshop\Application\Model\User;
|
||||
use OxidEsales\Eshop\Core\DatabaseProvider;
|
||||
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
|
||||
@ -74,8 +75,9 @@ class d3backupcode extends BaseModel
|
||||
return $this->getUser();
|
||||
}
|
||||
|
||||
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
/** @var d3_totp_user $oUser */
|
||||
$oUser = oxNew(User::class);
|
||||
$sUserId = $oUser->d3TotpGetCurrentUser();
|
||||
$oUser->load($sUserId);
|
||||
return $oUser;
|
||||
}
|
||||
|
@ -17,6 +17,8 @@ namespace D3\Totp\Application\Model;
|
||||
|
||||
class d3totp_conf
|
||||
{
|
||||
public const OXID_ADMIN_AUTH = 'auth';
|
||||
public const OXID_FRONTEND_AUTH = 'usr';
|
||||
public const SESSION_AUTH = 'd3TotpAuth'; // has valid totp, user is logged in completly
|
||||
public const SESSION_CURRENTUSER = 'd3TotpCurrentUser'; // oxid assigned to user from entered username
|
||||
public const SESSION_CURRENTCLASS = 'd3TotpCurrentClass'; // oxid assigned to user from entered username
|
||||
|
@ -18,6 +18,7 @@ namespace D3\Totp\Modules\Application\Component;
|
||||
use D3\Totp\Application\Model\d3totp;
|
||||
use D3\Totp\Application\Model\d3totp_conf;
|
||||
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
|
||||
use D3\Totp\Modules\Application\Model\d3_totp_user;
|
||||
use Doctrine\DBAL\DBALException;
|
||||
use InvalidArgumentException;
|
||||
use OxidEsales\Eshop\Application\Model\User;
|
||||
@ -85,8 +86,9 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
|
||||
{
|
||||
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp', true);
|
||||
|
||||
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
/** @var d3_totp_user $oUser */
|
||||
$oUser = oxNew(User::class);
|
||||
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
|
||||
$oUser->load($sUserId);
|
||||
|
||||
$totp = $this->d3GetTotpObject();
|
||||
@ -95,8 +97,8 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
|
||||
try {
|
||||
if (!$this->d3TotpIsNoTotpOrNoLogin($totp) && $this->d3TotpHasValidTotp($sTotp, $totp)) {
|
||||
// relogin, don't extract from this try block
|
||||
$this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $sTotp);
|
||||
$this->d3TotpGetSession()->setVariable('usr', $oUser->getId());
|
||||
$this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $oUser->getId());
|
||||
$this->d3TotpGetSession()->setVariable(d3totp_conf::OXID_FRONTEND_AUTH, $oUser->getId());
|
||||
$this->setUser(null);
|
||||
$this->setLoginStatus(USER_LOGIN_SUCCESS);
|
||||
$this->_afterLogin($oUser);
|
||||
|
@ -47,4 +47,16 @@ class d3_totp_user extends d3_totp_user_parent
|
||||
{
|
||||
return Registry::getSession();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string|null
|
||||
*/
|
||||
public function d3TotpGetCurrentUser(): ?string
|
||||
{
|
||||
return $this->d3TotpGetSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER) ?
|
||||
$this->d3TotpGetSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER) :
|
||||
(isAdmin() ?
|
||||
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_ADMIN_AUTH) :
|
||||
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_FRONTEND_AUTH));
|
||||
}
|
||||
}
|
||||
|
Laden…
Verwijs in nieuw issue
Block a user