|
11 | 11 | use Icinga\Authentication\User\ExternalBackend; |
12 | 12 | use Icinga\Common\Database; |
13 | 13 | use Icinga\Exception\AuthenticationException; |
14 | | -use Icinga\Forms\Authentication\Challenge2FAForm; |
15 | 14 | use Icinga\Forms\Authentication\LoginForm; |
16 | 15 | use Icinga\Web\Controller; |
17 | 16 | use Icinga\Web\Helper\CookieHelper; |
@@ -47,74 +46,62 @@ public function loginAction() |
47 | 46 | if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) { |
48 | 47 | $this->redirectNow(Url::fromPath('setup')); |
49 | 48 | } |
50 | | - $skip2fa = false; |
51 | | - $user = $this->Auth()->getUser(); |
52 | | - if ($user |
53 | | - && $user->getTwoFactorEnabled() |
54 | | - && Session::getSession()->get('2fa_must_challenge_token', false) |
55 | | - ) { |
56 | | - $form = (new Challenge2FAForm()) |
57 | | - ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
58 | | - ->on(Form::ON_SUBMIT, function (Challenge2FAForm $form) { |
59 | | - if ($redirectUrl = $form->getRedirectUrl()) { |
60 | | - $this->redirectNow($redirectUrl); |
61 | | - } |
62 | | - }) |
63 | | - ->on(Form::ON_SENT, function (Challenge2FAForm $form) { |
64 | | - $isCsrfValid = $form->getElement('CSRFToken')->isValid(); |
65 | | - $isCancelPressed = $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL; |
66 | | - |
67 | | - if ($isCsrfValid && $isCancelPressed) { |
68 | | - Session::getSession()->purge(); |
69 | | - $this->redirectNow(Url::fromRequest()); |
70 | | - } |
71 | | - }); |
72 | | - } else { |
73 | | - $form = (new LoginForm()) |
74 | | - ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
75 | | - ->on(Form::ON_SUBMIT, function (LoginForm $form) { |
76 | | - if ($redirectUrl = $form->getRedirectUrl()) { |
77 | | - $this->redirectNow($redirectUrl); |
78 | | - } |
79 | | - }) |
80 | | - ->on(Form::ON_REQUEST, function ($request, LoginForm $form) { |
81 | | - $auth = Auth::getInstance(); |
82 | | - $onlyExternal = true; |
83 | | - // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal(). |
84 | | - foreach ($auth->getAuthChain() as $backend) { |
85 | | - if (! $backend instanceof ExternalBackend) { |
86 | | - $onlyExternal = false; |
87 | | - } |
88 | | - } |
89 | | - if ($onlyExternal) { |
90 | | - $form->addMessage($this->translate( |
91 | | - 'You\'re currently not authenticated using any of the web server\'s authentication' |
92 | | - . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.' |
93 | | - )); |
94 | | - $form->onError(); |
95 | | - } |
96 | | - }); |
97 | 49 |
|
98 | | - if (RememberMe::hasCookie() && $this->hasDb()) { |
99 | | - $authenticated = false; |
100 | | - try { |
101 | | - $rememberMeOld = RememberMe::fromCookie(); |
102 | | - $authenticated = $rememberMeOld->authenticate(); |
103 | | - if ($authenticated) { |
104 | | - $rememberMe = $rememberMeOld->renew(); |
105 | | - $this->getResponse()->setCookie($rememberMe->getCookie()); |
106 | | - $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV()); |
107 | | - $skip2fa = true; |
| 50 | + $form = (new LoginForm()) |
| 51 | + ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
| 52 | + ->on(Form::ON_SUBMIT, function (LoginForm $form) { |
| 53 | + if ($redirectUrl = $form->getRedirectUrl()) { |
| 54 | + $this->redirectNow($redirectUrl); |
| 55 | + } |
| 56 | + }) |
| 57 | + ->on(Form::ON_SENT, function (LoginForm $form) { |
| 58 | + $isCsrfValid = $form->getElement('CSRFToken')->isValid(); |
| 59 | + $isCancelPressed = $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL_2FA; |
| 60 | + |
| 61 | + if ($isCsrfValid && $isCancelPressed) { |
| 62 | + Session::getSession()->purge(); |
| 63 | + $this->redirectNow(Url::fromRequest()); |
| 64 | + } |
| 65 | + }) |
| 66 | + ->on(Form::ON_REQUEST, function ($request, LoginForm $form) { |
| 67 | + $auth = Auth::getInstance(); |
| 68 | + $onlyExternal = true; |
| 69 | + // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal(). |
| 70 | + foreach ($auth->getAuthChain() as $backend) { |
| 71 | + if (! $backend instanceof ExternalBackend) { |
| 72 | + $onlyExternal = false; |
108 | 73 | } |
109 | | - } catch (RuntimeException $e) { |
110 | | - Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage()); |
111 | | - } catch (AuthenticationException $e) { |
112 | | - Logger::error($e); |
113 | 74 | } |
| 75 | + if ($onlyExternal) { |
| 76 | + $form->addMessage($this->translate( |
| 77 | + 'You\'re currently not authenticated using any of the web server\'s authentication' |
| 78 | + . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.' |
| 79 | + )); |
| 80 | + $form->onError(); |
| 81 | + } |
| 82 | + }); |
| 83 | + |
| 84 | + $skip2fa = false; |
114 | 85 |
|
115 | | - if (! $authenticated) { |
116 | | - $this->getResponse()->setCookie(RememberMe::forget()); |
| 86 | + if (RememberMe::hasCookie() && $this->hasDb()) { |
| 87 | + $authenticated = false; |
| 88 | + try { |
| 89 | + $rememberMeOld = RememberMe::fromCookie(); |
| 90 | + $authenticated = $rememberMeOld->authenticate(); |
| 91 | + if ($authenticated) { |
| 92 | + $rememberMe = $rememberMeOld->renew(); |
| 93 | + $this->getResponse()->setCookie($rememberMe->getCookie()); |
| 94 | + $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV()); |
| 95 | + $skip2fa = true; |
117 | 96 | } |
| 97 | + } catch (RuntimeException $e) { |
| 98 | + Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage()); |
| 99 | + } catch (AuthenticationException $e) { |
| 100 | + Logger::error($e); |
| 101 | + } |
| 102 | + |
| 103 | + if (! $authenticated) { |
| 104 | + $this->getResponse()->setCookie(RememberMe::forget()); |
118 | 105 | } |
119 | 106 | } |
120 | 107 |
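Review bot: The new ON_SENT handler on LoginForm (new lines 57–65) calls `Session::getSession()->purge()` whenever the CSRF token is valid and SUBMIT_CANCEL_2FA was pressed, which, if purge() does what its name suggests, throws away the entire session rather than only the pending 2FA state, and nothing in the handler says so; a comment such as `// Cancelling a pending 2FA challenge ends the half-authenticated session entirely, not just the 2FA step` above the `if ($isCsrfValid && $isCancelPressed)` line would make that intent explicit for the next reader. Gating the purge on a valid CSRF token is the right call since it is a state-changing action, so that check should stay as written. Separately, the user-facing message carried over to new lines 77–78 concatenates `'...authentication'` and `'mechanisms...'` with no separating space, so it renders as "authenticationmechanisms"; change the first literal to `'You\'re currently not authenticated using any of the web server\'s authentication '`. The rest of loginAction, including wherever `$skip2fa` is consumed, lies outside this hunk.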
|
|