flashwave
00d1d2922d
Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary.
107 lines
3.4 KiB
PHP
107 lines
3.4 KiB
PHP
<?php
|
|
namespace Misuzu;
|
|
|
|
use RuntimeException;
|
|
use Misuzu\TOTPGenerator;
|
|
use Misuzu\Auth\AuthTokenCookie;
|
|
|
|
if($msz->isLoggedIn()) {
|
|
url_redirect('index');
|
|
return;
|
|
}
|
|
|
|
$users = $msz->getUsers();
|
|
$sessions = $msz->getSessions();
|
|
$tfaSessions = $msz->getTFASessions();
|
|
$loginAttempts = $msz->getLoginAttempts();
|
|
|
|
$ipAddress = $_SERVER['REMOTE_ADDR'];
|
|
$countryCode = $_SERVER['COUNTRY_CODE'] ?? 'XX';
|
|
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
|
|
$twofactor = !empty($_POST['twofactor']) && is_array($_POST['twofactor']) ? $_POST['twofactor'] : [];
|
|
$notices = [];
|
|
|
|
$remainingAttempts = $loginAttempts->countRemainingAttempts($ipAddress);
|
|
|
|
$tokenString = !empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : (
|
|
!empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : ''
|
|
);
|
|
|
|
$tokenUserId = $tfaSessions->getTokenUserId($tokenString);
|
|
if(empty($tokenUserId)) {
|
|
url_redirect('auth-login');
|
|
return;
|
|
}
|
|
|
|
$userInfo = $users->getUser($tokenUserId, 'id');
|
|
|
|
// checking user_totp_key specifically because there's a fringe chance that
|
|
// there's a token present, but totp is actually disabled
|
|
if(!$userInfo->hasTOTPKey()) {
|
|
url_redirect('auth-login');
|
|
return;
|
|
}
|
|
|
|
while(!empty($twofactor)) {
|
|
if(!CSRF::validateRequest()) {
|
|
$notices[] = 'Was unable to verify the request, please try again!';
|
|
break;
|
|
}
|
|
|
|
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
|
|
$redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : '';
|
|
|
|
if(empty($twofactor['code']) || !is_string($twofactor['code'])) {
|
|
$notices[] = 'Code field was empty.';
|
|
break;
|
|
}
|
|
|
|
if($remainingAttempts < 1) {
|
|
$notices[] = 'There are too many failed login attempts from your IP address, please try again later.';
|
|
break;
|
|
}
|
|
|
|
$clientInfo = ClientInfo::fromRequest();
|
|
$totp = new TOTPGenerator($userInfo->getTOTPKey());
|
|
|
|
if(!in_array($twofactor['code'], $totp->generateRange())) {
|
|
$notices[] = sprintf(
|
|
"Invalid two factor code, %d attempt%s remaining",
|
|
$remainingAttempts - 1,
|
|
$remainingAttempts === 2 ? '' : 's'
|
|
);
|
|
$loginAttempts->recordAttempt(false, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);
|
|
break;
|
|
}
|
|
|
|
$loginAttempts->recordAttempt(true, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);
|
|
$tfaSessions->deleteToken($tokenString);
|
|
|
|
try {
|
|
$sessionInfo = $sessions->createSession($userInfo, $ipAddress, $countryCode, $userAgent, $clientInfo);
|
|
} catch(RuntimeException $ex) {
|
|
$notices[] = "Something broke while creating a session for you, please tell an administrator or developer about this!";
|
|
break;
|
|
}
|
|
|
|
$tokenBuilder = $msz->getAuthInfo()->getTokenInfo()->toBuilder();
|
|
$tokenBuilder->setUserId($userInfo);
|
|
$tokenBuilder->setSessionToken($sessionInfo);
|
|
$tokenBuilder->removeImpersonatedUserId();
|
|
$tokenInfo = $tokenBuilder->toInfo();
|
|
|
|
AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));
|
|
|
|
if(!is_local_url($redirect))
|
|
$redirect = url('index');
|
|
|
|
redirect($redirect);
|
|
return;
|
|
}
|
|
|
|
Template::render('auth.twofactor', [
|
|
'twofactor_notices' => $notices,
|
|
'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : url('index'),
|
|
'twofactor_attempts_remaining' => $remainingAttempts,
|
|
'twofactor_token' => $tokenString,
|
|
]);
|