opac-registration-confirmation.tt
opac-memberentry-update-submitted.tt
opac-password-recovery.tt
+ opac-reset-password.tt
);
$authnotrequired = 0 unless grep { $_ eq $template_name }
@allowed_scripts_for_private_opac;
# state variables
my $loggedin = 0;
+ my $auth_state = 'failed';
my %info;
my ( $userid, $cookie, $sessionID, $flags );
$cookie = [];
my $session;
my $invalid_otp_token;
my $require_2FA = ( C4::Context->preference('TwoFactorAuthentication') && $type ne "OPAC" ) ? 1 : 0;
- my $auth_challenge_complete;
# Basic authentication is incompatible with the use of Shibboleth,
# as Shibboleth may return REMOTE_USER as a Shibboleth attribute,
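Review bot: `my $auth_state = 'failed';` introduces the state machine that the rest of the patch switches on, but the set of values it can hold is nowhere documented and has to be collected from later hunks (`'failed'`, `'logged_in'`, `'additional-auth-needed'`, `'completed'`, `'logout'`). A comment at the declaration would make each later comparison reviewable, e.g. `my $auth_state = 'failed'; # 'failed' | 'logged_in' (password accepted, 2FA not yet checked) | 'additional-auth-needed' | 'completed' | 'logout'`. The names mix hyphens and underscores (`'additional-auth-needed'` vs `'logged_in'`) and `'logged_in'` is the only one assigned with double quotes further down; one convention would make the states greppable. `my $loggedin = 0;` just above is kept although both assignments to it that are visible in this patch are removed; if no other reader remains it can go. The enclosing sub starts and ends outside this hunk.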
$userid = $session->param('id');
}
- $additional_auth_needed = ( $return eq 'additional-auth-needed' ) ? 1 : 0;
+ $auth_state =
+ $return eq 'ok' ? 'completed'
+ : $return eq 'additional-auth-needed' ? 'additional-auth-needed'
+ : 'failed';
# We are at the second screen if the waiting-for-2FA is set in session
# and otp_token param has been passed
if ( $require_2FA
- && $additional_auth_needed
+ && $auth_state eq 'additional-auth-needed'
&& ( my $otp_token = $query->param('otp_token') ) )
{
my $patron = Koha::Patrons->find( { userid => $userid } );
- my $auth = Koha::Auth::TwoFactorAuth::get_auth( { patron => $patron } );
- my $verified = $auth->verify($otp_token);
+ my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $patron } );
+ my $verified = $auth->verify($otp_token, 1);
$auth->clear;
if ( $verified ) {
# The token is correct, the user is fully logged in!
- $additional_auth_needed = 0;
+ $auth_state = 'completed';
$session->param( 'waiting-for-2FA', 0 );
- $return = "ok";
- $auth_challenge_complete = 1;
# This is an ugly trick to pass the test
# $query->param('koha_login_context') && ( $q_userid ne $userid )
}
}
- if ( $return eq 'ok' ) {
+ if ( $auth_state eq 'completed' ) {
Koha::Logger->get->debug(sprintf "AUTH_SESSION: (%s)\t%s %s - %s", map { $session->param($_) || q{} } qw(cardnumber firstname surname branch));
if ( ( $query->param('koha_login_context') && ( $q_userid ne $userid ) )
));
$flags = haspermission( $userid, $flagsrequired );
- if ($flags) {
- $loggedin = 1;
- } else {
+ unless ( $flags ) {
+ $auth_state = 'failed';
$info{'nopermission'} = 1;
}
}
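Review bot: `my $verified = $auth->verify($otp_token, 1);` passes a bare literal whose meaning is not visible from here, and the old `verify($otp_token)` call had no second argument at all. If, as the argument position suggests, it is the number of adjacent time steps the OTP is accepted in (the `$range` argument of Auth::GoogleAuth's `verify`), that is a security parameter and should be named or commented rather than left as a magic number, e.g. `my $verified = $auth->verify( $otp_token, 1 );    # 1 = adjacent time steps tolerated; widening this weakens the OTP - confirm against Koha::Auth::TwoFactorAuth::verify`. I cannot see the signature of `Koha::Auth::TwoFactorAuth->verify`, so please confirm what the second argument means before wording the comment. The enclosing sub begins and ends outside this hunk.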
$info{oldip} = $more_info->{old_ip};
$info{newip} = $more_info->{new_ip};
$info{different_ip} = 1;
+ } elsif ( $return eq 'password_expired' ) {
+ $info{password_has_expired} = 1;
}
}
}
- if ( ( !$loggedin && !$additional_auth_needed ) || $logout ) {
+ if ( $auth_state eq 'failed' || $logout ) {
$sessionID = undef;
$userid = undef;
}
}
$session = undef;
- $additional_auth_needed = 0;
+ $auth_state = 'logout';
}
unless ( $userid ) {
}
# $return: 1 = valid user
- if ($return) {
+ if ($return > 0) {
if ( $flags = haspermission( $userid, $flagsrequired ) ) {
- $loggedin = 1;
+ $auth_state = "logged_in";
}
else {
$info{'nopermission'} = 1;
$session->flush;
} # END unless ($userid)
- if ( $require_2FA && ( $loggedin && !$auth_challenge_complete)) {
- my $patron = Koha::Patrons->find({userid => $userid});
- if ( $patron->auth_method eq 'two-factor' ) {
- # Ask for the OTP token
- $additional_auth_needed = 1;
- $session->param('waiting-for-2FA', 1);
- %info = ();# We remove the warnings/errors we may have set incorrectly before
+
+ if ( $auth_state eq 'logged_in' ) {
+ $auth_state = 'completed';
+
+ # Auth is completed unless an additional auth is needed
+ if ( $require_2FA ) {
+ my $patron = Koha::Patrons->find({userid => $userid});
+ if ( $patron->auth_method eq 'two-factor' ) {
+ # Ask for the OTP token
+ $auth_state = 'additional-auth-needed';
+ $session->param('waiting-for-2FA', 1);
+ %info = ();# We remove the warnings/errors we may have set incorrectly before
+ }
}
}
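Review bot: `if ($return > 0)` correctly keeps the new `-2` code (password correct but expired, see the checkpw hunk below) out of the logged-in branch, but nothing visible in this hunk maps it to `$info{password_has_expired}` the way the cookie path does for `'password_expired'` in the earlier hunk; unless the `else` branch that is cut off here does so, a form login with an expired password is reported as a plain failed login. The comment `# $return: 1 = valid user` should list the other codes the code now distinguishes, e.g. `# $return: 1 = valid user, 0 = auth failed, -1 = LDAP bind failed, -2 = password expired`. `$auth_state = "logged_in";` is the only state assigned with double quotes; `$auth_state = 'logged_in';` matches the rest of the patch. In the moved 2FA block `Koha::Patrons->find({userid => $userid})` is still dereferenced without a check; that is pre-existing logic, but since the block is rewritten here, `if ( $patron && $patron->auth_method eq 'two-factor' )` would turn a missing patron into a refused login instead of a die.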
# finished authentification, now respond
- if ( ( $loggedin || $authnotrequired ) && !$additional_auth_needed ) {
+ if ( $auth_state eq 'completed' || $authnotrequired ) {
# successful login
unless (@$cookie) {
$cookie = $cookie_mgr->replace_in_list( $cookie, $query->cookie(
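Review bot: The rewritten condition `if ( $auth_state eq 'completed' || $authnotrequired )` drops the guard the old test had: `( $loggedin || $authnotrequired ) && !$additional_auth_needed` was false while the 2FA challenge was pending regardless of `$authnotrequired`, whereas the new test is true for `$authnotrequired` in the `'additional-auth-needed'` state. That state does not clear `$userid` (the `$sessionID = undef; $userid = undef;` in the earlier hunk only runs for `'failed'` or logout), so a request to a script that passes authnotrequired while the session is still waiting for the OTP would take the "successful login" branch with the pre-OTP identity instead of reaching the `TwoFA_prompt` branch below. Whether any non-OPAC script (the only type where `$require_2FA` can be set, per the `$type ne "OPAC"` test at the top of the patch) uses authnotrequired I cannot tell from here; if the old behaviour is intended, `if ( $auth_state eq 'completed' || ( $authnotrequired && $auth_state ne 'additional-auth-needed' ) ) {` keeps it. The enclosing sub starts and ends outside this hunk.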
PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'},
- too_many_login_attempts => ( $patron and $patron->account_locked )
+ too_many_login_attempts => ( $patron and $patron->account_locked ),
);
$template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') );
$template->param( SCI_login => 1 ) if ( $query->param('sci_user_login') );
$template->param( OpacPublic => C4::Context->preference("OpacPublic") );
$template->param( loginprompt => 1 ) unless $info{'nopermission'};
- if ( $additional_auth_needed ) {
+ if ( $auth_state eq 'additional-auth-needed' ) {
$template->param(
TwoFA_prompt => 1,
invalid_otp_token => $invalid_otp_token,
} elsif ( $userid ) {
$session->param( 'lasttime', time() );
+ my $patron = Koha::Patrons->find({ userid => $userid });
+ $patron = Koha::Patron->find({ cardnumber => $userid }) unless $patron;
+ return ("password_expired", undef ) if $patron->password_expired;
my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
if ($flags) {
C4::Context->_new_userenv($sessionID);
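Review bot: The new expiry check can die instead of failing the authentication: `$patron->password_expired` is called without checking that either lookup returned a patron, and the fallback line uses `Koha::Patron->find(...)` (the singular object class) while every other lookup in this patch, including the line directly above it, goes through `Koha::Patrons->find(...)`. A cookie whose session userid no longer matches a patron (deleted or renamed account) would then produce a server error from this code rather than a failure code the caller handles. Suggested: `$patron = Koha::Patrons->find({ cardnumber => $userid }) unless $patron;` and `return ( "password_expired", undef ) if $patron && $patron->password_expired;`. The enclosing sub begins and ends outside this hunk, so I cannot see what the caller does when no patron is found; a `return` with a distinct failure code there would be cleaner than letting the later `haspermission` call cope with it.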
# 0 if auth is nok
# -1 if user bind failed (LDAP only)
- if ( $patron and $patron->account_locked ) {
+ if ( $patron and ( $patron->account_locked ) ) {
# Nothing to check, account is locked
} elsif ($ldap && defined($password)) {
my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH
if( $patron ) {
if ( $passwd_ok ) {
$patron->update({ login_attempts => 0 });
+ if( $patron->password_expired ){
+ @return = (-2);
+ }
} elsif( !$patron->account_locked ) {
$patron->update({ login_attempts => $patron->login_attempts + 1 });
}
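Review bot: The new `-2` return code is not documented where checkpw's other codes are: the comment block in the earlier hunk of this file still reads `# 0 if auth is nok` / `# -1 if user bind failed (LDAP only)`, so `# -2 if the password is correct but has expired` belongs next to them. `@return = (-2);` also replaces the whole result list, so whatever the successful path put there (the `( $retval, $retcard, $retuserid )` shape of the `checkpw_ldap` call above suggests cardnumber and userid) is dropped for this case; that is consistent with refusing the login, but the callers switching to `$return > 0` rely on it, so a short comment such as `@return = (-2);    # correct password but expired: refuse login, return no identity` makes the contract explicit. Resetting `login_attempts` to 0 before the expiry check looks intentional since the password was correct, but is worth a word in the same comment. checkpw continues before and after this hunk.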