Don't send a verification code when trusted IP address

humhub · May 16, 2023 · 76d508d · 76d508d
1 parent d424d48
commit 76d508d
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 91 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -1,55 +1,58 @@
-Changelog
-=========
-
-1.1.1 (January 3, 2023)
------------------------
-- Fix #52: Fix checking of current IP address by trusted networks list
-
-1.1.0 (November 9, 2022)
-------------------------
-- Enh #41: Added Option to use Google Authentication as Default
-- Fix #50: Don't send a verification code when browser was remembered
-
-1.0.7 (March 2, 2022)
----------------------
-- Fix #45: Fix remember browser
-
-1.0.6 (February 2, 2022)
--------------------------
-- Enh #36: Update logout url to POST method
-- Enh: Added French translations
-- Enh #33: Added trusted network functionality
-- Enh #16: Added remember browser for X days
-- Fix #41: Fix error for user without email address
-
-1.0.5 (August 10 , 2021)
------------------------
-- Fix #29: Fix button "Log out" to prevent pjax
-- Fix #31: Don't require 2FA on administration action "Impersonate"
-
-1.0.4 (15 June, 2021)
----------------------
-- Fix #23: Urlencode account name in otpauth URL 
-- Fix #25: Fix double rendering QR code after cancel of requesting new code
-
-1.0.3 (May 11, 2021)
---------------------
-- Fix #22: Composer dependencies for Google Auth missing in marketplace package 
-
-1.0.2 (May 10, 2021)
---------------------
-- Enh #18: Generate QR code for Google authenticator by local JS script (Don't send TOTP key to Google)
-
-1.0.1 (May 6, 2021)
--------------------
-- Fix: Link in translatable string
-- Enh: Use controller config for not intercepted actions (HumHub 1.9+)
-- Fix: Don't verify code if user must change password
-
-1.0.0 (February 9, 2021)
-------------------------
-- Enh: Initial release
-- Init: Default driver to send code by e-mail
-- Enh: Driver "Google Authenticator"
-- Enh: Require pin code before enabling Google Authenticator
-
+Changelog
+=========
+
+1.1.2 (Unreleased)
+-----------------------
+- Fix #55: Don't send a verification code when trusted IP address
+
+1.1.1 (January 3, 2023)
+-----------------------
+- Fix #52: Fix checking of current IP address by trusted networks list
+
+1.1.0 (November 9, 2022)
+------------------------
+- Enh #41: Added Option to use Google Authentication as Default
+- Fix #50: Don't send a verification code when browser was remembered
+
+1.0.7 (March 2, 2022)
+---------------------
+- Fix #45: Fix remember browser
+
+1.0.6 (February 2, 2022)
+-------------------------
+- Enh #36: Update logout url to POST method
+- Enh: Added French translations
+- Enh #33: Added trusted network functionality
+- Enh #16: Added remember browser for X days
+- Fix #41: Fix error for user without email address
+
+1.0.5 (August 10 , 2021)
+-----------------------
+- Fix #29: Fix button "Log out" to prevent pjax
+- Fix #31: Don't require 2FA on administration action "Impersonate"
+
+1.0.4 (15 June, 2021)
+---------------------
+- Fix #23: Urlencode account name in otpauth URL 
+- Fix #25: Fix double rendering QR code after cancel of requesting new code
+
+1.0.3 (May 11, 2021)
+--------------------
+- Fix #22: Composer dependencies for Google Auth missing in marketplace package 
+
+1.0.2 (May 10, 2021)
+--------------------
+- Enh #18: Generate QR code for Google authenticator by local JS script (Don't send TOTP key to Google)
+
+1.0.1 (May 6, 2021)
+-------------------
+- Fix: Link in translatable string
+- Enh: Use controller config for not intercepted actions (HumHub 1.9+)
+- Fix: Don't verify code if user must change password
+
+1.0.0 (February 9, 2021)
+------------------------
+- Enh: Initial release
+- Init: Default driver to send code by e-mail
+- Enh: Driver "Google Authenticator"
+- Enh: Require pin code before enabling Google Authenticator
diff --git a/drivers/BaseDriver.php b/drivers/BaseDriver.php
@@ -72,18 +72,34 @@ public function isActive(): bool
         return Yii::$app->user->getIdentity() instanceof User;
     }
 
+    public function canSend(): bool
+    {
+        // if impersonate mode
+        if (TwofaHelper::isImpersonateMode()) {
+            return false;
+        }
+
+        // if user is trusted (ip whitelist)
+        if (TwofaHelper::isTrusted()) {
+            return false;
+        }
+
+        // if user's ticked remember browser
+        if (TwofaHelper::isBrowserRemembered()) {
+            return false;
+        }
+
+        return $this->isActive();
+    }
+
     /**
      * Action before send/generate code
      *
      * @return bool
      */
     protected function beforeSend()
     {
-        if (TwofaHelper::isBrowserRemembered()) {
-            return false;
-        }
-
-        if (!$this->isActive()) {
+        if (!$this->canSend()) {
             return false;
         }
 
@@ -229,4 +245,4 @@ public function getUserSettings()
 
         return $this->userSettings;
     }
-}
+}
diff --git a/helpers/TwofaHelper.php b/helpers/TwofaHelper.php
@@ -237,18 +237,15 @@ public static function disableVerifying()
      */
     public static function isVerifyingRequired()
     {
-        // if impersonate mode of driver is not set up
-        if (self::isImpersonateMode() || !self::getDriver()) {
-            return false;
-        }
+        $driver = self::getDriver();
 
-        // if code is missing for a user, or user is trusted (ip whitelist)
-        if (self::getCode() === null || self::isTrusted()) {
+        // if driver is not set up or impossible to send/generate a code
+        if (!$driver || !$driver->canSend()) {
             return false;
         }
 
-        // if user's ticked remember browser
-        if (self::isBrowserRemembered()) {
+        // if code is missing for a user
+        if (self::getCode() === null) {
             return false;
         }
 
@@ -260,7 +257,7 @@ public static function isVerifyingRequired()
      *
      * @return bool
      */
-    protected static function isImpersonateMode(): bool
+    public static function isImpersonateMode(): bool
     {
         $switchedUserId = Yii::$app->session->get('twofa.switchedUserId');
         if (empty($switchedUserId)) {
@@ -318,7 +315,7 @@ public static function getAccountName()
      * @return bool
      * @throws \yii\base\NotSupportedException
      */
-    public static function isTrusted()
+    public static function isTrusted(): bool
     {
         /** @var TwofaModule $module */
         $module = Yii::$app->getModule('twofa');
@@ -357,7 +354,7 @@ public static function rememberBrowser($days = null)
     /**
      * @return bool
      */
-    public static function isBrowserRemembered()
+    public static function isBrowserRemembered(): bool
     {
         if (empty(Yii::$app->getModule('twofa')->getRememberMeDays())) {
             return false;

diff --git a/module.json b/module.json
@@ -1,19 +1,19 @@
-{
-  "id": "twofa",
-  "name": "Two-Factor Authentication (2FA)",
-  "description": "Increase security by using 2FA methods like e-mail or TOPT.",
-  "keywords": [
-    "2fa",
-    "two-factor authentication"
-  ],
-  "homepage": "https://github.com/humhub/humhub-modules-twofa",
-  "screenshots": [
-    "resources/screen1.png",
-    "resources/screen2.png",
-    "resources/screen3.png"
-  ],
-  "version": "1.1.1",
-  "humhub": {
-    "minVersion": "1.11"
-  }
-}
+{
+  "id": "twofa",
+  "name": "Two-Factor Authentication (2FA)",
+  "description": "Increase security by using 2FA methods like e-mail or TOPT.",
+  "keywords": [
+    "2fa",
+    "two-factor authentication"
+  ],
+  "homepage": "https://github.com/humhub/humhub-modules-twofa",
+  "screenshots": [
+    "resources/screen1.png",
+    "resources/screen2.png",
+    "resources/screen3.png"
+  ],
+  "version": "1.1.2",
+  "humhub": {
+    "minVersion": "1.11"
+  }
+}