From 76d508d04c0c05429d02664bf60e2badb089cffb Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Tue, 16 May 2023 16:56:43 +0200
Subject: [PATCH] Don't send a verification code when trusted IP address
---
 docs/CHANGELOG.md | 113 +++++++++++++++++++++-------------------
 drivers/BaseDriver.php | 28 +++++++---
 helpers/TwofaHelper.php | 19 +++----
 module.json | 38 +++++++-------
 4 files changed, 107 insertions(+), 91 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 58314e2..2960c00 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,55 +1,58 @@ -Changelog -========= - -1.1.1 (January 3, 2023) ------------------------ -- Fix #52: Fix checking of current IP address by trusted networks list - -1.1.0 (November 9, 2022) ------------------------- -- Enh #41: Added Option to use Google Authentication as Default -- Fix #50: Don't send a verification code when browser was remembered - -1.0.7 (March 2, 2022) ---------------------- -- Fix #45: Fix remember browser - -1.0.6 (February 2, 2022) -------------------------- -- Enh #36: Update logout url to POST method -- Enh: Added French translations -- Enh #33: Added trusted network functionality -- Enh #16: Added remember browser for X days -- Fix #41: Fix error for user without email address - -1.0.5 (August 10 , 2021) ------------------------ -- Fix #29: Fix button "Log out" to prevent pjax -- Fix #31: Don't require 2FA on administration action "Impersonate" - -1.0.4 (15 June, 2021) ---------------------- -- Fix #23: Urlencode account name in otpauth URL -- Fix #25: Fix double rendering QR code after cancel of requesting new code - -1.0.3 (May 11, 2021) --------------------- -- Fix #22: Composer dependencies for Google Auth missing in marketplace package - -1.0.2 (May 10, 2021) --------------------- -- Enh #18: Generate QR code for Google authenticator by local JS script (Don't send TOTP key to Google) - -1.0.1 (May 6, 2021) -------------------- -- Fix: Link in translatable string -- Enh: Use controller config for not intercepted actions (HumHub 1.9+) -- Fix: Don't verify code if user must change password - -1.0.0 (February 9, 2021) ------------------------- -- Enh: Initial release -- Init: Default driver to send code by e-mail -- Enh: Driver "Google Authenticator" -- Enh: Require pin code before enabling Google Authenticator - +Changelog +========= + +1.1.2 (Unreleased) +----------------------- +- Fix #55: Don't send a verification code when trusted IP address + +1.1.1 (January 3, 2023) +----------------------- +- Fix #52: Fix checking of current 
IP address by trusted networks list + +1.1.0 (November 9, 2022) +------------------------ +- Enh #41: Added Option to use Google Authentication as Default +- Fix #50: Don't send a verification code when browser was remembered + +1.0.7 (March 2, 2022) +--------------------- +- Fix #45: Fix remember browser + +1.0.6 (February 2, 2022) +------------------------- +- Enh #36: Update logout url to POST method +- Enh: Added French translations +- Enh #33: Added trusted network functionality +- Enh #16: Added remember browser for X days +- Fix #41: Fix error for user without email address + +1.0.5 (August 10 , 2021) +----------------------- +- Fix #29: Fix button "Log out" to prevent pjax +- Fix #31: Don't require 2FA on administration action "Impersonate" + +1.0.4 (15 June, 2021) +--------------------- +- Fix #23: Urlencode account name in otpauth URL +- Fix #25: Fix double rendering QR code after cancel of requesting new code + +1.0.3 (May 11, 2021) +-------------------- +- Fix #22: Composer dependencies for Google Auth missing in marketplace package + +1.0.2 (May 10, 2021) +-------------------- +- Enh #18: Generate QR code for Google authenticator by local JS script (Don't send TOTP key to Google) + +1.0.1 (May 6, 2021) +------------------- +- Fix: Link in translatable string +- Enh: Use controller config for not intercepted actions (HumHub 1.9+) +- Fix: Don't verify code if user must change password + +1.0.0 (February 9, 2021) +------------------------ +- Enh: Initial release +- Init: Default driver to send code by e-mail +- Enh: Driver "Google Authenticator" +- Enh: Require pin code before enabling Google Authenticator diff --git a/drivers/BaseDriver.php b/drivers/BaseDriver.php index 47f2f97..f3a1285 100644 --- a/drivers/BaseDriver.php +++ b/drivers/BaseDriver.php 
@@ -72,6 +72,26 @@ public function isActive(): bool
 return Yii::$app->user->getIdentity() instanceof User;
 }
+ public function canSend(): bool
+ {
+ // if impersonate mode
+ if (TwofaHelper::isImpersonateMode()) {
+ return false;
+ }
+
+ // if user is trusted (ip whitelist)
+ if (TwofaHelper::isTrusted()) {
+ return false;
+ }
+
+ // if user's ticked remember browser
+ if (TwofaHelper::isBrowserRemembered()) {
+ return false;
+ }
+
+ return $this->isActive();
+ }
+
 /**
 * Action before send/generate code
 *
@@ -79,11 +99,7 @@ public function isActive(): bool
 */
 protected function beforeSend()
 {
- if (TwofaHelper::isBrowserRemembered()) {
- return false;
- }
-
- if (!$this->isActive()) {
+ if (!$this->canSend()) {
 return false;
 }
@@ -229,4 +245,4 @@ public function getUserSettings()
 return $this->userSettings;
 }
-}
\ No newline at end of file
+}
diff --git a/helpers/TwofaHelper.php b/helpers/TwofaHelper.php
index cf0d077..82f9134 100644
--- a/helpers/TwofaHelper.php
+++ b/helpers/TwofaHelper.php
@@ -237,18 +237,15 @@ public static function disableVerifying()
 */
 public static function isVerifyingRequired()
 {
- // if impersonate mode of driver is not set up
- if (self::isImpersonateMode() || !self::getDriver()) {
- return false;
- }
+ $driver = self::getDriver();
- // if code is missing for a user, or user is trusted (ip whitelist)
- if (self::getCode() === null || self::isTrusted()) {
+ // if driver is not set up or impossible to send/generate a code
+ if (!$driver || !$driver->canSend()) {
 return false;
 }
- // if user's ticked remember browser
- if (self::isBrowserRemembered()) {
+ // if code is missing for a user
+ if (self::getCode() === null) {
 return false;
 }
@@ -260,7 +257,7 @@ public static function isVerifyingRequired()
 *
 * @return bool
 */
- protected static function isImpersonateMode(): bool
+ public static function isImpersonateMode(): bool
 {
 $switchedUserId = Yii::$app->session->get('twofa.switchedUserId');
 if (empty($switchedUserId)) {
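Review bot: `canSend()` in drivers/BaseDriver.php is added as a public method without a docblock, although it is now the single place that decides when the second factor is skipped. A docblock should state that it returns false in impersonation mode, for a trusted network, for a remembered browser and when `isActive()` is false, and that `TwofaHelper::isVerifyingRequired()` reads false as "verification not required", so an override must not return false merely because a code could not be delivered. It should also carry `@throws \yii\base\NotSupportedException`, which `isTrusted()` declares in its own docblock and which can now surface through `beforeSend()`.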
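Review bot: In `TwofaHelper::isVerifyingRequired()` the `self::getCode() === null` branch now also covers sessions that logged in while `canSend()` was false, so the trusted-network exemption may outlive the network it was granted for. Before this change `beforeSend()` did not consult `isTrusted()`, so a code was presumably still generated at login and a session that later left the trusted range would be challenged; now, if `beforeSend()` returning false means no code is stored (its body is outside the hunk), such a session is never asked. If that is intended, say so above the check, e.g. `// a session that logged in while exempt has no code and stays exempt until the next login`; otherwise a code needs to be issued when `canSend()` first becomes true for a session without one. The body of `isVerifyingRequired()` continues past the end of the hunk.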
@@ -318,7 +315,7 @@ public static function getAccountName()
 * @return bool
 * @throws \yii\base\NotSupportedException
 */
- public static function isTrusted()
+ public static function isTrusted(): bool
 {
 /** @var TwofaModule $module */
 $module = Yii::$app->getModule('twofa');
@@ -357,7 +354,7 @@ public static function rememberBrowser($days = null)
 /**
 * @return bool
 */
- public static function isBrowserRemembered()
+ public static function isBrowserRemembered(): bool
 {
 if (empty(Yii::$app->getModule('twofa')->getRememberMeDays())) {
 return false;
diff --git a/module.json b/module.json
index 56f7dae..3b3268d 100644
--- a/module.json
+++ b/module.json
@@ -1,19 +1,19 @@
-{
- "id": "twofa",
- "name": "Two-Factor Authentication (2FA)",
- "description": "Increase security by using 2FA methods like e-mail or TOPT.",
- "keywords": [
- "2fa",
- "two-factor authentication"
- ],
- "homepage": "https://github.com/humhub/humhub-modules-twofa",
- "screenshots": [
- "resources/screen1.png",
- "resources/screen2.png",
- "resources/screen3.png"
- ],
- "version": "1.1.1",
- "humhub": {
- "minVersion": "1.11"
- }
-}
+{
+ "id": "twofa",
+ "name": "Two-Factor Authentication (2FA)",
+ "description": "Increase security by using 2FA methods like e-mail or TOPT.",
+ "keywords": [
+ "2fa",
+ "two-factor authentication"
+ ],
+ "homepage": "https://github.com/humhub/humhub-modules-twofa",
+ "screenshots": [
+ "resources/screen1.png",
+ "resources/screen2.png",
+ "resources/screen3.png"
+ ],
+ "version": "1.1.2",
+ "humhub": {
+ "minVersion": "1.11"
+ }
+}