fix handle session variables

* attempted login user id is stored in the session only while the TOTP request is pending
* successful totp login stores user id in totp auth session variable
This commit is contained in:
Daniel Seifert 2022-11-10 11:34:05 +01:00
parent e3d2156d44
commit 02f2f6a843
Signed by: DanielS
GPG Key ID: 8A7C4C6ED1915C6F
7 changed files with 46 additions and 15 deletions


@ -19,6 +19,7 @@ use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp; use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf; use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException; use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use OxidEsales\Eshop\Application\Controller\Admin\AdminController; use OxidEsales\Eshop\Application\Controller\Admin\AdminController;
use OxidEsales\Eshop\Application\Model\User; use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -42,7 +43,7 @@ class d3totpadminlogin extends AdminController
*/ */
public function render(): string public function render(): string
{ {
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) || if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) &&
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER) !Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) { ) {
$this->getUtils()->redirect('index.php?cl=admin_start'); $this->getUtils()->redirect('index.php?cl=admin_start');
@ -53,7 +54,9 @@ class d3totpadminlogin extends AdminController
} }
} }
if (!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) { if (!Registry::getSession()->hasVariable(d3totp_conf::OXID_ADMIN_AUTH) &&
!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) {
$this->getUtils()->redirect('index.php?cl=login'); $this->getUtils()->redirect('index.php?cl=login');
} }
@ -74,8 +77,12 @@ class d3totpadminlogin extends AdminController
*/ */
public function getBackupCodeCountMessage() public function getBackupCodeCountMessage()
{ {
/** @var d3_totp_user $user */
$user = oxNew(User::class);
$userId = $user->d3TotpGetCurrentUser();
$oBackupCodeList = $this->d3GetBackupCodeListObject(); $oBackupCodeList = $this->d3GetBackupCodeListObject();
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER)); $iCount = $oBackupCodeList->getAvailableCodeCount($userId);
if ($iCount < 4) { if ($iCount < 4) {
return sprintf( return sprintf(
@ -108,10 +115,16 @@ class d3totpadminlogin extends AdminController
return oxNew(User::class); return oxNew(User::class);
} }
/**
* @return string|void
* @throws DatabaseConnectionException
*/
public function checklogin() public function checklogin()
{ {
$session = Registry::getSession(); $session = Registry::getSession();
$userId = $session->getVariable(d3totp_conf::SESSION_CURRENTUSER); /** @var d3_totp_user $user */
$user = oxNew(User::class);
$userId = $user->d3TotpGetCurrentUser();
try { try {
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp'); $sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp');
@ -125,8 +138,9 @@ class d3totpadminlogin extends AdminController
$session->initNewSession(); $session->initNewSession();
$session->setVariable("aAdminProfiles", $adminProfiles); $session->setVariable("aAdminProfiles", $adminProfiles);
$session->setVariable('auth', $userId); $session->setVariable(d3totp_conf::OXID_ADMIN_AUTH, $userId);
$session->setVariable(d3totp_conf::SESSION_AUTH, true); $session->setVariable(d3totp_conf::SESSION_AUTH, $userId);
$session->deleteVariable(d3totp_conf::SESSION_CURRENTUSER);
return "admin_start"; return "admin_start";
} catch (d3totp_wrongOtpException $e) { } catch (d3totp_wrongOtpException $e) {
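Review bot: `checklogin()` now takes `$userId` from `d3TotpGetCurrentUser()`, whose return type is `?string`, yet nothing rejects a null id before the TOTP verification inside the `try` block (the rest of that block is outside the hunk); with no pending attempt and no existing login the code simply proceeds with `null`. A guard mirroring the pattern already used in `render()` — `if ($userId === null) { $this->getUtils()->redirect('index.php?cl=login'); }` placed before the `try` — would make that failure mode deliberate instead of relying on downstream code. Note also that in the admin context the helper falls back to the `auth` session value, so when `SESSION_CURRENTUSER` is absent the OTP is verified against the already-logged-in admin rather than a pending attempt; if that is intended it deserves a one-line comment at the assignment. Finally, `SESSION_AUTH` changes from storing `true` to storing the user id, so any consumer comparing it strictly against `true` would stop matching — worth a grep before merging.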


@ -17,6 +17,7 @@ namespace D3\Totp\Application\Controller\Admin;
use D3\Totp\Application\Model\d3totp; use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3backupcodelist; use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Modules\Application\Model\d3_totp_user; use D3\Totp\Modules\Application\Model\d3_totp_user;
use Exception; use Exception;
use OxidEsales\Eshop\Application\Controller\Admin\AdminDetailsController; use OxidEsales\Eshop\Application\Controller\Admin\AdminDetailsController;


@ -16,7 +16,6 @@ declare(strict_types=1);
namespace D3\Totp\Application\Controller; namespace D3\Totp\Application\Controller;
use D3\Totp\Application\Model\d3backupcodelist; use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf; use D3\Totp\Application\Model\d3totp_conf;
use OxidEsales\Eshop\Application\Controller\FrontendController; use OxidEsales\Eshop\Application\Controller\FrontendController;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -29,9 +28,7 @@ class d3totplogin extends FrontendController
public function render() public function render()
{ {
if (Registry::getSession()->hasVariable(d3totp_conf::SESSION_AUTH) || if (false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
false == Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)
) {
$this->getUtils()->redirect('index.php?cl=start'); $this->getUtils()->redirect('index.php?cl=start');
if (false == defined('OXID_PHP_UNIT')) { if (false == defined('OXID_PHP_UNIT')) {
// @codeCoverageIgnoreStart // @codeCoverageIgnoreStart
@ -60,7 +57,8 @@ class d3totplogin extends FrontendController
public function getBackupCodeCountMessage() public function getBackupCodeCountMessage()
{ {
$oBackupCodeList = $this->getBackupCodeListObject(); $oBackupCodeList = $this->getBackupCodeListObject();
$iCount = $oBackupCodeList->getAvailableCodeCount(Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER)); $userId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
$iCount = $oBackupCodeList->getAvailableCodeCount($userId);
if ($iCount < 4) { if ($iCount < 4) {
return sprintf( return sprintf(
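Review bot: The rewritten condition in `render()` still spells the negation as `false == Registry::getSession()->hasVariable(...)`; since `hasVariable()` is used as a boolean here, the idiomatic form is `if (!Registry::getSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {`. Dropping the `SESSION_AUTH` clause also means a session that has already completed TOTP but still carries `SESSION_CURRENTUSER` is shown the TOTP form again instead of being redirected to start; if that is the intended behaviour, a short comment on the condition would record it. In `getBackupCodeCountMessage()` the id is read straight from `SESSION_CURRENTUSER`, whereas the admin counterpart in this same commit goes through `d3TotpGetCurrentUser()`; using one lookup path in both controllers would keep the rules in a single place.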


@ -15,6 +15,7 @@ declare(strict_types=1);
namespace D3\Totp\Application\Model; namespace D3\Totp\Application\Model;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use OxidEsales\Eshop\Application\Model\User; use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\DatabaseProvider; use OxidEsales\Eshop\Core\DatabaseProvider;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
@ -74,8 +75,9 @@ class d3backupcode extends BaseModel
return $this->getUser(); return $this->getUser();
} }
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER); /** @var d3_totp_user $oUser */
$oUser = oxNew(User::class); $oUser = oxNew(User::class);
$sUserId = $oUser->d3TotpGetCurrentUser();
$oUser->load($sUserId); $oUser->load($sUserId);
return $oUser; return $oUser;
} }
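Review bot: `$oUser->load($sUserId)` is now called with a `?string` and its result is still not checked, so when no user id can be resolved the method hands an unloaded `$oUser` back to callers (the method begins before this hunk, so its declared return type is not visible here). A guard such as `if ($sUserId === null || !$oUser->load($sUserId)) { /* handle missing user per the method's contract */ }` would make that case explicit rather than leaving callers with a blank model. Under `declare(strict_types=1)`, passing `null` to `load()` may also raise a `TypeError` depending on its signature; worth confirming against the OXID base model.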


@ -17,6 +17,8 @@ namespace D3\Totp\Application\Model;
class d3totp_conf class d3totp_conf
{ {
public const OXID_ADMIN_AUTH = 'auth';
public const OXID_FRONTEND_AUTH = 'usr';
public const SESSION_AUTH = 'd3TotpAuth'; // has valid totp, user is logged in completly public const SESSION_AUTH = 'd3TotpAuth'; // has valid totp, user is logged in completly
public const SESSION_CURRENTUSER = 'd3TotpCurrentUser'; // oxid assigned to user from entered username public const SESSION_CURRENTUSER = 'd3TotpCurrentUser'; // oxid assigned to user from entered username
public const SESSION_CURRENTCLASS = 'd3TotpCurrentClass'; // oxid assigned to user from entered username public const SESSION_CURRENTCLASS = 'd3TotpCurrentClass'; // oxid assigned to user from entered username
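Review bot: The two new constants `OXID_ADMIN_AUTH` and `OXID_FRONTEND_AUTH` carry no comment while every neighbouring constant does; suggest `public const OXID_ADMIN_AUTH = 'auth'; // OXID core session key: id of the authenticated admin user` and `public const OXID_FRONTEND_AUTH = 'usr'; // OXID core session key: id of the authenticated shop user`. The comment on `SESSION_AUTH` is now out of date as well: this commit changes the stored value from `true` to the user id (see the admin `checklogin()` and the frontend component), so `// id of the user that passed TOTP verification (fully logged in)` describes what is actually stored. `SESSION_CURRENTCLASS` repeats the `SESSION_CURRENTUSER` comment verbatim, which looks like a copy-paste slip worth fixing while this file is open.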


@ -18,6 +18,7 @@ namespace D3\Totp\Modules\Application\Component;
use D3\Totp\Application\Model\d3totp; use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf; use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException; use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use Doctrine\DBAL\DBALException; use Doctrine\DBAL\DBALException;
use InvalidArgumentException; use InvalidArgumentException;
use OxidEsales\Eshop\Application\Model\User; use OxidEsales\Eshop\Application\Model\User;
@ -85,8 +86,9 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
{ {
$sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp', true); $sTotp = Registry::getRequest()->getRequestEscapedParameter('d3totp', true);
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER); /** @var d3_totp_user $oUser */
$oUser = oxNew(User::class); $oUser = oxNew(User::class);
$sUserId = Registry::getSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER);
$oUser->load($sUserId); $oUser->load($sUserId);
$totp = $this->d3GetTotpObject(); $totp = $this->d3GetTotpObject();
@ -95,8 +97,8 @@ class d3_totp_UserComponent extends d3_totp_UserComponent_parent
try { try {
if (!$this->d3TotpIsNoTotpOrNoLogin($totp) && $this->d3TotpHasValidTotp($sTotp, $totp)) { if (!$this->d3TotpIsNoTotpOrNoLogin($totp) && $this->d3TotpHasValidTotp($sTotp, $totp)) {
// relogin, don't extract from this try block // relogin, don't extract from this try block
$this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $sTotp); $this->d3TotpGetSession()->setVariable(d3totp_conf::SESSION_AUTH, $oUser->getId());
$this->d3TotpGetSession()->setVariable('usr', $oUser->getId()); $this->d3TotpGetSession()->setVariable(d3totp_conf::OXID_FRONTEND_AUTH, $oUser->getId());
$this->setUser(null); $this->setUser(null);
$this->setLoginStatus(USER_LOGIN_SUCCESS); $this->setLoginStatus(USER_LOGIN_SUCCESS);
$this->_afterLogin($oUser); $this->_afterLogin($oUser);
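Review bot: After a successful TOTP check the frontend component sets `SESSION_AUTH` and `OXID_FRONTEND_AUTH` but, unlike the admin `checklogin()` in this same commit, does not remove `SESSION_CURRENTUSER`, so the attempted-login id outlives the login it belonged to — the opposite of what the commit message states — unless it is cleared further down, outside the hunk (the enclosing method also starts before it). Adding `$this->d3TotpGetSession()->deleteVariable(d3totp_conf::SESSION_CURRENTUSER);` next to the two `setVariable()` calls would keep both login paths consistent. The `d3_totp_user` import and `@var` annotation are added here, yet `$sUserId` is still read directly from `SESSION_CURRENTUSER` rather than via `d3TotpGetCurrentUser()`; reading only the pending attempt is arguably the safer choice for a TOTP check, but a one-line comment stating that intent would stop someone from "aligning" it with the admin path later.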


@ -47,4 +47,16 @@ class d3_totp_user extends d3_totp_user_parent
{ {
return Registry::getSession(); return Registry::getSession();
} }
/**
* @return string|null
*/
public function d3TotpGetCurrentUser(): ?string
{
return $this->d3TotpGetSession()->hasVariable(d3totp_conf::SESSION_CURRENTUSER) ?
$this->d3TotpGetSession()->getVariable(d3totp_conf::SESSION_CURRENTUSER) :
(isAdmin() ?
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_ADMIN_AUTH) :
$this->d3TotpGetSession()->getVariable(d3totp_conf::OXID_FRONTEND_AUTH));
}
} }
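Review bot: `d3TotpGetCurrentUser()` merges two different ids — the user of a pending TOTP attempt (`SESSION_CURRENTUSER`) and the user OXID has already authenticated (`auth`/`usr`) — so a caller that is in the middle of verifying a login, such as the admin `checklogin()`, silently receives the existing session's user whenever no attempt is pending. That fallback belongs in the docblock, e.g. `Id of the user whose TOTP login is pending; falls back to the id OXID has already authenticated in the current context, or null if neither is set.`, since the present `@return string|null` only restates the native type. Session values are untyped, so the `?string` return relies on the stored value being a string; under `strict_types` anything else would surface as a `TypeError` at this return. The nested ternary is also hard to follow; an early-return form reads more clearly:

```php
public function d3TotpGetCurrentUser(): ?string
{
    $session = $this->d3TotpGetSession();

    if ($session->hasVariable(d3totp_conf::SESSION_CURRENTUSER)) {
        return $session->getVariable(d3totp_conf::SESSION_CURRENTUSER);
    }

    // No pending TOTP attempt: fall back to the id OXID already authenticated for this context.
    $authKey = isAdmin() ? d3totp_conf::OXID_ADMIN_AUTH : d3totp_conf::OXID_FRONTEND_AUTH;

    return $session->getVariable($authKey);
}
```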