getSessions(); $tfaSessions = $msz->getTFASessions(); $loginAttempts = $msz->getLoginAttempts(); $remainingAttempts = $loginAttempts->countRemainingAttempts($ipAddress); $tokenString = !empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : ( !empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : '' ); $tokenUserId = $tfaSessions->getTokenUserId($tokenString); if(empty($tokenUserId)) { url_redirect('auth-login'); return; } $userInfo = User::byId((int)$tokenUserId); // checking user_totp_key specifically because there's a fringe chance that // there's a token present, but totp is actually disabled if(!$userInfo->hasTOTPKey()) { url_redirect('auth-login'); return; } while(!empty($twofactor)) { if(!CSRF::validateRequest()) { $notices[] = 'Was unable to verify the request, please try again!'; break; } $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? ''; $redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : ''; if(empty($twofactor['code']) || !is_string($twofactor['code'])) { $notices[] = 'Code field was empty.'; break; } if($remainingAttempts < 1) { $notices[] = 'There are too many failed login attempts from your IP address, please try again later.'; break; } $clientInfo = ClientInfo::fromRequest(); $totp = $userInfo->createTOTPGenerator(); if(!in_array($twofactor['code'], $totp->generateRange())) { $notices[] = sprintf( "Invalid two factor code, %d attempt%s remaining", $remainingAttempts - 1, $remainingAttempts === 2 ? '' : 's' ); $loginAttempts->recordAttempt(false, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo); break; } $loginAttempts->recordAttempt(true, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo); $tfaSessions->deleteToken($tokenString); try { $sessionInfo = $sessions->createSession($userInfo, $ipAddress, $countryCode, $userAgent, $clientInfo); } catch(RuntimeException $ex) { $notices[] = "Something broke while creating a session for you, please tell an administrator or developer about this!"; break; } $authToken = AuthToken::create($userInfo, $sessionInfo); $authToken->applyCookie($sessionInfo->getExpiresTime()); if(!is_local_url($redirect)) $redirect = url('index'); redirect($redirect); return; } Template::render('auth.twofactor', [ 'twofactor_notices' => $notices, 'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : url('index'), 'twofactor_attempts_remaining' => $remainingAttempts, 'twofactor_token' => $tokenString, ]);