DanielS/oxwebauthn
1
0
Fork 0
forked from D3Public/oxtotp
Code Pull Requests Packages Projects Releases Wiki Activity

remove password check in admin, prevent resave, show delete message

Browse Source
This commit is contained in:
Daniel Seifert 2019-08-18 13:24:49 +02:00
parent 6474c59ead
commit b28c9c8757
6 changed files with 23 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/Application/Controller/Admin/d3user_totp.php
View File

@ -24,6 +24,7 @@ use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException; use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
use OxidEsales\Eshop\Core\Exception\StandardException; use OxidEsales\Eshop\Core\Exception\StandardException;
use OxidEsales\Eshop\Core\Registry; use OxidEsales\Eshop\Core\Registry;
use OxidEsales\Eshop\Core\UtilsView;
class d3user_totp extends AdminDetailsController class d3user_totp extends AdminDetailsController
{ {
@ -94,19 +95,13 @@ class d3user_totp extends AdminDetailsController
$aParams = Registry::getRequest()->getRequestEscapedParameter("editval"); $aParams = Registry::getRequest()->getRequestEscapedParameter("editval");
try { try {
$pwd = Registry::getRequest()->getRequestEscapedParameter("pwd");
/** @var d3_totp_user $oUser */
$oUser = $this->getUserObject();
$oUser->load($this->getEditObjectId());
if (false == $oUser->isSamePassword($pwd)) {
$oException = oxNew(StandardException::class, 'D3_TOTP_ERROR_PWDONTPASS');
throw $oException;
}
/** @var d3totp $oTotp */ /** @var d3totp $oTotp */
$oTotp = $this->getTotpObject(); $oTotp = $this->getTotpObject();
if ($oTotp->checkIfAlreadyExist($this->getEditObjectId())) {
$oException = oxNew(StandardException::class, 'D3_TOTP_ALREADY_EXIST');
throw $oException;
};
$oTotpBackupCodes = $this->getBackupcodeListObject(); $oTotpBackupCodes = $this->getBackupcodeListObject();
if ($aParams['d3totp__oxid']) { if ($aParams['d3totp__oxid']) {
$oTotp->load($aParams['d3totp__oxid']); $oTotp->load($aParams['d3totp__oxid']);
@ -140,6 +135,7 @@ class d3user_totp extends AdminDetailsController
if ($aParams['d3totp__oxid']) { if ($aParams['d3totp__oxid']) {
$oTotp->load($aParams['d3totp__oxid']); $oTotp->load($aParams['d3totp__oxid']);
$oTotp->delete(); $oTotp->delete();
Registry::get(UtilsView::class)->addErrorToDisplay('D3_TOTP_REGISTERDELETED');
} }
} }

12
src/Application/Model/d3totp.php
View File

@ -65,6 +65,18 @@ class d3totp extends BaseModel
} }
} }
/**
* @param $userId
* @return bool
* @throws DatabaseConnectionException
*/
public function checkIfAlreadyExist($userId)
{
$oDb = $this->d3GetDb();
$query = "SELECT 1 FROM ".$this->getViewName().' WHERE oxuserid = '.$oDb->quote($userId).' LIMIT 1';
return (bool) $oDb->getOne($query);
}
/** /**
* @return DatabaseInterface * @return DatabaseInterface
* @throws DatabaseConnectionException * @throws DatabaseConnectionException

5
src/Application/views/admin/de/d3totp_lang.php
View File

@ -31,14 +31,13 @@ $aLang = [
'D3_TOTP_QRCODE_HELP' => 'Scannen Sie diesen QR-Code mit Ihrer Authentisierungs-App, um dieses Benutzerkonto dort zu hinterlegen.', 'D3_TOTP_QRCODE_HELP' => 'Scannen Sie diesen QR-Code mit Ihrer Authentisierungs-App, um dieses Benutzerkonto dort zu hinterlegen.',
'D3_TOTP_SECRET' => 'QR-Code kann nicht gescannt werden?', 'D3_TOTP_SECRET' => 'QR-Code kann nicht gescannt werden?',
'D3_TOTP_SECRET_HELP' => 'Setzen Sie keine App ein, die den QR-Code scannen kann, können Sie diese Zeichenkette auch in Ihr Authentisierungstool kopieren. Stellen Sie bitte die Passwortlänge auf 6 Zeichen und das Zeitinterval auf 30 Sekunden ein.', 'D3_TOTP_SECRET_HELP' => 'Setzen Sie keine App ein, die den QR-Code scannen kann, können Sie diese Zeichenkette auch in Ihr Authentisierungstool kopieren. Stellen Sie bitte die Passwortlänge auf 6 Zeichen und das Zeitinterval auf 30 Sekunden ein.',
'D3_TOTP_CURRPWD' => 'Anmeldepasswort des Benutzerkontos',
'D3_TOTP_CURRPWD_HELP' => 'Dies stellt sicher, dass nur Berechtigte Änderungen an diesen Einstellungen vornehmen dürfen.',
'D3_TOTP_CURROTP' => 'Bestätigung mit Einmalpasswort', 'D3_TOTP_CURROTP' => 'Bestätigung mit Einmalpasswort',
'D3_TOTP_CURROTP_HELP' => 'Haben Sie dieses Kundenkonto in Ihrer Authentisierungs-App registriert, generieren Sie damit ein Einmalpasswort, tragen Sie es hier ein und senden das Formular direkt darauf hin ab.', 'D3_TOTP_CURROTP_HELP' => 'Haben Sie dieses Kundenkonto in Ihrer Authentisierungs-App registriert, generieren Sie damit ein Einmalpasswort, tragen Sie es hier ein und senden das Formular direkt darauf hin ab.',
'D3_TOTP_REGISTEREXIST' => 'vorhandene Registrierung', 'D3_TOTP_REGISTEREXIST' => 'vorhandene Registrierung',
'D3_TOTP_REGISTERDELETE' => 'Registrierung löschen', 'D3_TOTP_REGISTERDELETE' => 'Registrierung löschen',
'D3_TOTP_REGISTERDELETE_DESC' => 'Um die Registrierung zu ändern, löschen Sie diese bitte vorerst. Sie können sofort im Anschluss eine neue Registrierung anlegen.<br>Wenn Sie die Registrierung löschen, ist das Konto nicht mehr durch die Zwei-Faktor-Authentisierung geschützt.', 'D3_TOTP_REGISTERDELETE_DESC' => 'Um die Registrierung zu ändern, löschen Sie diese bitte vorerst. Sie können sofort im Anschluss eine neue Registrierung anlegen.<br>Wenn Sie die Registrierung löschen, ist das Konto nicht mehr durch die Zwei-Faktor-Authentisierung geschützt.',
'D3_TOTP_REGISTERDELETED' => 'Die Registrierung wurde gelöscht.',
'D3_TOTP_BACKUPCODES' => 'Backupcodes', 'D3_TOTP_BACKUPCODES' => 'Backupcodes',
'D3_TOTP_BACKUPCODES_DESC' => 'Mit diesen Backupcodes können Sie sich anmelden, wenn die Generierung des Einmalpasswortes nicht möglich ist (z.B. Gerät verloren oder neu installiert). Sie können dann die Einstellungen zur Verwendung der 2-Faktor-Authentisierung ändern oder einen neuen Zugang erstellen. Speichern Sie sich diese Codes bitte in diesem Moment sicher ab. Nach Verlassen dieser Seite können diese Codes nicht erneut angezeigt werden.', 'D3_TOTP_BACKUPCODES_DESC' => 'Mit diesen Backupcodes können Sie sich anmelden, wenn die Generierung des Einmalpasswortes nicht möglich ist (z.B. Gerät verloren oder neu installiert). Sie können dann die Einstellungen zur Verwendung der 2-Faktor-Authentisierung ändern oder einen neuen Zugang erstellen. Speichern Sie sich diese Codes bitte in diesem Moment sicher ab. Nach Verlassen dieser Seite können diese Codes nicht erneut angezeigt werden.',
@ -48,5 +47,5 @@ $aLang = [
'D3_TOTP_SAVE' => 'Speichern', 'D3_TOTP_SAVE' => 'Speichern',
'D3_TOTP_ERROR_UNVALID' => 'Das Einmalpasswort ist ungültig.', 'D3_TOTP_ERROR_UNVALID' => 'Das Einmalpasswort ist ungültig.',
'D3_TOTP_ERROR_PWDONTPASS' => 'Das Passwort passt nicht zum gewählten Benutzerkonto.', 'D3_TOTP_ALREADY_EXIST' => 'Die Registrierung wurde schon gespeichert.',
]; ];

5
src/Application/views/admin/en/d3totp_lang.php
View File

@ -31,14 +31,13 @@ $aLang = [
'D3_TOTP_QRCODE_HELP' => 'Scan this QR code with your authentication app to deposit this user account.', 'D3_TOTP_QRCODE_HELP' => 'Scan this QR code with your authentication app to deposit this user account.',
'D3_TOTP_SECRET' => 'Can not scan QR code?', 'D3_TOTP_SECRET' => 'Can not scan QR code?',
'D3_TOTP_SECRET_HELP' => 'If you do not use an app that can scan the QR code, you can also copy this string into your authentication tool. Please also set the password length to 6 characters and the time interval to 30 seconds.', 'D3_TOTP_SECRET_HELP' => 'If you do not use an app that can scan the QR code, you can also copy this string into your authentication tool. Please also set the password length to 6 characters and the time interval to 30 seconds.',
'D3_TOTP_CURRPWD' => 'Login password of the user account',
'D3_TOTP_CURRPWD_HELP' => 'This ensures that only authorized users can make changes to these settings.',
'D3_TOTP_CURROTP' => 'Confirmation with one-time password', 'D3_TOTP_CURROTP' => 'Confirmation with one-time password',
'D3_TOTP_CURROTP_HELP' => 'If you have registered this customer account in your authentication app, you generate a one-time password, enter it here and send the form out immediately.', 'D3_TOTP_CURROTP_HELP' => 'If you have registered this customer account in your authentication app, you generate a one-time password, enter it here and send the form out immediately.',
'D3_TOTP_REGISTEREXIST' => 'existing registration', 'D3_TOTP_REGISTEREXIST' => 'existing registration',
'D3_TOTP_REGISTERDELETE' => 'Delete registration', 'D3_TOTP_REGISTERDELETE' => 'Delete registration',
'D3_TOTP_REGISTERDELETE_DESC' => 'To change the registration, please delete it. You can then immediately create a new registration. <br> If you delete the registration, the account is no longer protected by the two-factor authentication.', 'D3_TOTP_REGISTERDELETE_DESC' => 'To change the registration, please delete it. You can then immediately create a new registration. <br> If you delete the registration, the account is no longer protected by the two-factor authentication.',
'D3_TOTP_REGISTERDELETED' => 'The registration has been deleted.',
'D3_TOTP_BACKUPCODES' => 'backup codes', 'D3_TOTP_BACKUPCODES' => 'backup codes',
'D3_TOTP_BACKUPCODES_DESC' => 'You can use these backup codes to log on if it is not possible to generate the one-time password (e.g. device lost or newly installed). You can then change the settings to use 2-factor authentication or create a new 2FA login. Please save these codes safely at this moment. After leaving this page, these codes cannot be displayed again.', 'D3_TOTP_BACKUPCODES_DESC' => 'You can use these backup codes to log on if it is not possible to generate the one-time password (e.g. device lost or newly installed). You can then change the settings to use 2-factor authentication or create a new 2FA login. Please save these codes safely at this moment. After leaving this page, these codes cannot be displayed again.',
@ -48,5 +47,5 @@ $aLang = [
'D3_TOTP_SAVE' => 'Save', 'D3_TOTP_SAVE' => 'Save',
'D3_TOTP_ERROR_UNVALID' => 'The one-time password is invalid.', 'D3_TOTP_ERROR_UNVALID' => 'The one-time password is invalid.',
'D3_TOTP_ERROR_PWDONTPASS' => 'The password does not match the selected user account.', 'D3_TOTP_ALREADY_EXIST' => 'The registration has already been saved.',
]; ];

10
src/Application/views/admin/tpl/d3user_totp.tpl
View File

@ -101,16 +101,6 @@
</td> </td>
</tr> </tr>
<tr>
<td class="edittext">
<label for="pwd">[{oxmultilang ident="D3_TOTP_CURRPWD"}]</label>
</td>
<td class="edittext">
<input type="password" class="editinput" size="15" id="pwd" name="pwd" value="" [{$readonly}]>
[{oxinputhelp ident="D3_TOTP_CURRPWD_HELP"}]
</td>
</tr>
<tr> <tr>
<td class="edittext"> <td class="edittext">
<label for="otp">[{oxmultilang ident="D3_TOTP_CURROTP"}]</label> <label for="otp">[{oxmultilang ident="D3_TOTP_CURROTP"}]</label>

70
src/tests/unit/Application/Controller/Admin/d3user_totpTest.php
View File

@ -183,49 +183,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
); );
} }
/**
* @test
* @throws ReflectionException
*/
public function cantSaveBecauseOfWrongPassword()
{
/** @var d3backupcodelist|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oBackupCodeListMock = $this->getMock(d3backupcodelist::class, array(
'save',
));
$oBackupCodeListMock->expects($this->never())->method('save')->willReturn(true);
/** @var d3totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oTotpMock = $this->getMock(d3totp::class, array(
'save',
), array(), '', false);
$oTotpMock->expects($this->never())->method('save')->willReturn(true);
/** @var User|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oUserMock = $this->getMock(User::class, array(
'load',
'isSamePassword',
));
$oUserMock->expects($this->atLeast(1))->method('load')->willReturn(true);
$oUserMock->expects($this->atLeast(1))->method('isSamePassword')->willReturn(false);
/** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oControllerMock = $this->getMock(d3user_totp::class, array(
'getEditObjectId',
'getUserObject',
'getTotpObject',
'getBackupcodeListObject'
));
$oControllerMock->method('getEditObjectId')->willReturn('foobar');
$oControllerMock->expects($this->once())->method('getUserObject')->willReturn($oUserMock);
$oControllerMock->method('getTotpObject')->willReturn($oTotpMock);
$oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock);
$this->_oController = $oControllerMock;
$this->callMethod($this->_oController, 'save');
}
/** /**
* @test * @test
* @throws ReflectionException * @throws ReflectionException
@ -252,14 +209,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
$oTotpMock->method('saveSecret')->willReturn(true); $oTotpMock->method('saveSecret')->willReturn(true);
$oTotpMock->method('assign')->willReturn(true); $oTotpMock->method('assign')->willReturn(true);
/** @var User|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oUserMock = $this->getMock(User::class, array(
'load',
'isSamePassword',
));
$oUserMock->expects($this->once())->method('load')->willReturn(true);
$oUserMock->expects($this->once())->method('isSamePassword')->willReturn(true);
/** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */ /** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oControllerMock = $this->getMock(d3user_totp::class, array( $oControllerMock = $this->getMock(d3user_totp::class, array(
'getEditObjectId', 'getEditObjectId',
@ -268,7 +217,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
'getBackupcodeListObject' 'getBackupcodeListObject'
)); ));
$oControllerMock->method('getEditObjectId')->willReturn('foobar'); $oControllerMock->method('getEditObjectId')->willReturn('foobar');
$oControllerMock->expects($this->once())->method('getUserObject')->willReturn($oUserMock);
$oControllerMock->method('getTotpObject')->willReturn($oTotpMock); $oControllerMock->method('getTotpObject')->willReturn($oTotpMock);
$oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock); $oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock);
@ -305,14 +253,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
$oTotpMock->method('saveSecret')->willReturn(true); $oTotpMock->method('saveSecret')->willReturn(true);
$oTotpMock->method('assign')->willReturn(true); $oTotpMock->method('assign')->willReturn(true);
/** @var User|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oUserMock = $this->getMock(User::class, array(
'load',
'isSamePassword',
));
$oUserMock->expects($this->atLeast(1))->method('load')->willReturn(true);
$oUserMock->expects($this->atLeast(1))->method('isSamePassword')->willReturn(true);
/** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */ /** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oControllerMock = $this->getMock(d3user_totp::class, array( $oControllerMock = $this->getMock(d3user_totp::class, array(
'getEditObjectId', 'getEditObjectId',
@ -321,7 +261,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
'getBackupcodeListObject' 'getBackupcodeListObject'
)); ));
$oControllerMock->method('getEditObjectId')->willReturn('foobar'); $oControllerMock->method('getEditObjectId')->willReturn('foobar');
$oControllerMock->expects($this->once())->method('getUserObject')->willReturn($oUserMock);
$oControllerMock->method('getTotpObject')->willReturn($oTotpMock); $oControllerMock->method('getTotpObject')->willReturn($oTotpMock);
$oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock); $oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock);
@ -363,14 +302,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
$oTotpMock->method('saveSecret')->willReturn(true); $oTotpMock->method('saveSecret')->willReturn(true);
$oTotpMock->method('assign')->willReturn(true); $oTotpMock->method('assign')->willReturn(true);
/** @var User|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oUserMock = $this->getMock(User::class, array(
'load',
'isSamePassword',
));
$oUserMock->expects($this->atLeast(1))->method('load')->willReturn(true);
$oUserMock->expects($this->atLeast(1))->method('isSamePassword')->willReturn(true);
/** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */ /** @var d3user_totp|PHPUnit_Framework_MockObject_MockObject $oControllerMock */
$oControllerMock = $this->getMock(d3user_totp::class, array( $oControllerMock = $this->getMock(d3user_totp::class, array(
'getEditObjectId', 'getEditObjectId',
@ -379,7 +310,6 @@ class d3user_totpTest extends d3TotpUnitTestCase
'getBackupcodeListObject' 'getBackupcodeListObject'
)); ));
$oControllerMock->method('getEditObjectId')->willReturn('foobar'); $oControllerMock->method('getEditObjectId')->willReturn('foobar');
$oControllerMock->expects($this->once())->method('getUserObject')->willReturn($oUserMock);
$oControllerMock->method('getTotpObject')->willReturn($oTotpMock); $oControllerMock->method('getTotpObject')->willReturn($oTotpMock);
$oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock); $oControllerMock->method('getBackupcodeListObject')->willReturn($oBackupCodeListMock);