fix handle session variables

* attempted login user id will stored in session while totp request only
* successful totp login stores user id in totp auth session variable
This commit is contained in:
Daniel Seifert 2022-11-10 11:34:05 +01:00
bovenliggende e3d2156d44
commit 02f2f6a843
Getekend door: DanielS
GPG sleutel-ID: 8A7C4C6ED1915C6F
7 gewijzigde bestanden met toevoegingen van 46 en 15 verwijderingen

Bestand weergeven

@ -19,6 +19,7 @@ use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use OxidEsales\Eshop\Application\Controller\Admin\AdminController;
use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -42,7 +43,7 @@ class d3totpadminlogin extends AdminController
*/
public function render(): string
{
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) ||
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) &&
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) {
$this->getUtils()->redirect('index.php?cl=admin_start');
@ -53,7 +54,9 @@ class d3totpadminlogin extends AdminController
}
}
if (!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
if (!Registry::getSession()->hasVariable(d3totp_conf::OXID_ADMIN_AUTH) &&
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) {
$this->getUtils()->redirect('index.php?cl=login');
}
@ -74,8 +77,12 @@ class d3totpadminlogin extends AdminController
*/
public function getBackupCodeCountMessage()
{
/** @var d3_totp_user $user */
$user = oxNew(User::class);
$userId = $user->d3TotpGetCurrentUser();
$oBackupCodeList = $this->d3GetBackupCodeListObject();
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER));
$iCount = $oBackupCodeList->getAvailableCodeCount($userId);
if ($iCount < 4) {
return sprintf(
@ -108,10 +115,16 @@ class d3totpadminlogin extends AdminController
return oxNew(User::class);
}
/**
* @return string|void
* @throws DatabaseConnectionException
*/
public function checklogin()
{
$session = Registry::getSession();
$userId = $session->getVariable(d3totp_conf::SESSION_CURRENTUSER);
/** @var d3_totp_user $user */
$user = oxNew(User::class);
$userId = $user->d3TotpGetCurrentUser();
try {
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp');
@ -125,8 +138,9 @@ class d3totpadminlogin extends AdminController
$session->initNewSession();
$session->setVariable("aAdminProfiles", $adminProfiles);
$session->setVariable('auth', $userId);
$session->setVariable(d3totp_conf::SESSION_AUTH, true);
$session->setVariable(d3totp_conf::OXID_ADMIN_AUTH, $userId);
$session->setVariable(d3totp_conf::SESSION_AUTH, $userId);
$session->deleteVariable(d3totp_conf::SESSION_CURRENTUSER);
return "admin_start";
} catch (d3totp_wrongOtpException $e) {

Bestand weergeven

@ -17,6 +17,7 @@ namespace D3\Totp\Application\Controller\Admin;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use Exception;
use OxidEsales\Eshop\Application\Controller\Admin\AdminDetailsController;

Bestand weergeven

@ -16,7 +16,6 @@ declare(strict_types=1);
namespace D3\Totp\Application\Controller;
use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf;
use OxidEsales\Eshop\Application\Controller\FrontendController;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -29,9 +28,7 @@ class d3totplogin extends FrontendController
public function render()
{
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) ||
false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) {
if (false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
$this->getUtils()->redirect('index.php?cl=start');
if (false == defined('OXID_PHP_UNIT')) {
// @codeCoverageIgnoreStart
@ -60,7 +57,8 @@ class d3totplogin extends FrontendController
public function getBackupCodeCountMessage()
{
$oBackupCodeList = $this->getBackupCodeListObject();
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER));
$userId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
$iCount = $oBackupCodeList->getAvailableCodeCount($userId);
if ($iCount < 4) {
return sprintf(

Bestand weergeven

@ -15,6 +15,7 @@ declare(strict_types=1);
namespace D3\Totp\Application\Model;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\DatabaseProvider;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -74,8 +75,9 @@ class d3backupcode extends BaseModel
return $this->getUser();
}
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
/** @var d3_totp_user $oUser */
$oUser = oxNew(User::class);
$sUserId = $oUser->d3TotpGetCurrentUser();
$oUser->load($sUserId);
return $oUser;
}

Bestand weergeven

@ -17,6 +17,8 @@ namespace D3\Totp\Application\Model;
class d3totp_conf
{
public const OXID_ADMIN_AUTH = 'auth';
public const OXID_FRONTEND_AUTH = 'usr';
public const SESSION_AUTH = 'd3TotpAuth'; // has valid totp, user is logged in completly
public const SESSION_CURRENTUSER = 'd3TotpCurrentUser'; // oxid assigned to user from entered username
public const SESSION_CURRENTCLASS = 'd3TotpCurrentClass'; // oxid assigned to user from entered username

Bestand weergeven

@ -18,6 +18,7 @@ namespace D3\Totp\Modules\Application\Component;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use Doctrine\DBAL\DBALException;
use InvalidArgumentException;
use OxidEsales\Eshop\Application\Model\User;
@ -85,8 +86,9 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
{
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp', true);
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
/** @var d3_totp_user $oUser */
$oUser = oxNew(User::class);
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
$oUser->load($sUserId);
$totp = $this->d3GetTotpObject();
@ -95,8 +97,8 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
try {
if (!$this->d3TotpIsNoTotpOrNoLogin($totp) && $this->d3TotpHasValidTotp($sTotp, $totp)) {
// relogin, don't extract from this try block
$this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $sTotp);
$this->d3TotpGetSession()->setVariable('usr', $oUser->getId());
$this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $oUser->getId());
$this->d3TotpGetSession()->setVariable(d3totp_conf::OXID_FRONTEND_AUTH, $oUser->getId());
$this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS);
$this->_afterLogin($oUser);

Bestand weergeven

@ -47,4 +47,16 @@ class d3_totp_user extends d3_totp_user_parent
{
return Registry::getSession();
}
/**
* @return string|null
*/
public function d3TotpGetCurrentUser(): ?string
{
return $this->d3TotpGetSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER) ?
$this->d3TotpGetSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER) :
(isAdmin() ?
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_ADMIN_AUTH) :
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_FRONTEND_AUTH));
}
}