X-Git-Url: http://koha-dev.rot13.org:8081/gitweb/?a=blobdiff_plain;f=members%2Ftwo_factor_auth.pl;h=81220c4b2746c68ca4eb3b983e685f06ba65956b;hb=fc655ca979b733208236981a8cd90430a13b30c5;hp=0cf6843b84330e842eb065f917f8f89a0cb17f9c;hpb=d42cd2b6298bf2765b6a609909526f774450c250;p=koha-ffzg.git
diff --git a/members/two_factor_auth.pl b/members/two_factor_auth.pl
index 0cf6843b84..81220c4b27 100755
--- a/members/two_factor_auth.pl
+++ b/members/two_factor_auth.pl
@@ -33,73 +33,54 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 template_name => 'members/two_factor_auth.tt',
 query => $cgi,
 type => 'intranet',
- flagsrequired => { editcatalogue => '*' },
+ flagsrequired => { catalogue => 1 },
 }
 );
 
-unless ( C4::Context->preference('TwoFactorAuthentication') ) {
+my $TwoFactorAuthentication = C4::Context->preference('TwoFactorAuthentication');
+if ( $TwoFactorAuthentication ne 'enabled' && $TwoFactorAuthentication ne 'enforced' ) {
 print $cgi->redirect("/cgi-bin/koha/errors/404.pl");
 exit;
 }
 
 my $logged_in_user = Koha::Patrons->find($loggedinuser);
+my $op = $cgi->param('op') // '';
 
-my $op = $cgi->param('op') // '';
-my $csrf_pars = {
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
-};
-
-if ( $op eq 'register-2FA' ) {
- output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf($csrf_pars);
-
- my $pin_code = $cgi->param('pin_code');
- my $secret32 = $cgi->param('secret32');
- my $auth = Koha::Auth::TwoFactorAuth->new(
- { patron => $logged_in_user, secret32 => $secret32 } );
-
- my $verified = $auth->verify(
- $pin_code,
- 1, # range
- $secret32,
- undef, # timestamp (defaults to now)
- 30, # interval (default 30)
- );
-
- if ($verified) {
- $logged_in_user->secret($secret32);
- $op = 'registered';
-
- # FIXME Generate a (new?) secret
- $logged_in_user->auth_method('two-factor')->store;
- }
- else {
- $template->param( invalid_pin => 1, );
- $op = 'enable-2FA';
- }
-}
-
-if ( $op eq 'enable-2FA' ) {
-
- my $secret = Koha::AuthUtils::generate_salt( 'weak', 16 );
- my $auth = Koha::Auth::TwoFactorAuth->new(
- { patron => $logged_in_user, secret => $secret } );
-
- $template->param(
- issuer => $auth->issuer,
- key_id => $auth->key_id,
- qr_code => $auth->qr_code,
- secret32 => $auth->secret32,
- # IMPORTANT: get secret32 after qr_code call !
- );
- $auth->clear;
- $op = 'register';
+if ( !C4::Context->config('encryption_key') ) {
+ $template->param( missing_key => 1 );
 }
-elsif ( $op eq 'disable-2FA' ) {
- output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf($csrf_pars);
- $logged_in_user->auth_method('password')->store;
+else {
+
+ my $csrf_pars = {
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ };
+
+ if ( $op eq 'disable-2FA' ) {
+ output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf($csrf_pars);
+ my $auth =
+ Koha::Auth::TwoFactorAuth->new( { patron => $logged_in_user } );
+ $logged_in_user->secret(undef);
+ $logged_in_user->auth_method('password')->store;
+ if ( $logged_in_user->notice_email_address ) {
+ $logged_in_user->queue_notice(
+ {
+ letter_params => {
+ module => 'members',
+ letter_code => '2FA_DISABLE',
+ branchcode => $logged_in_user->branchcode,
+ lang => $logged_in_user->lang,
+ tables => {
+ branches => $logged_in_user->branchcode,
+ borrowers => $logged_in_user->id
+ },
+ },
+ message_transports => ['email'],
+ }
+ );
+ }
+ }
 }
 
 $template->param(
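Review bot: In the new `disable-2FA` branch, `my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $logged_in_user } );` is assigned but never read anywhere in the hunk, so it should be removed or the intended use made explicit (the secret is cleared directly via `$logged_in_user->secret(undef)` two lines later). The same branch still executes when the preference is 'enforced', because the guard at the top of the hunk only redirects to 404 for values other than 'enabled'/'enforced' and `$op` comes straight from the request; if 'enforced' is meant to prevent a patron opting out, a server-side refusal such as `output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' ) if $TwoFactorAuthentication eq 'enforced';` (with an appropriate error key) belongs before the secret is cleared rather than relying on the template not offering the button. Whether this state-changing op is restricted to POST is not visible on this page; the CSRF token is checked but the request method is not, which is worth confirming. The `if`/`else` block closes inside the hunk; the script's template output continues past it.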