|
17 | 17 | use Icinga\Authentication\User\ExternalBackend; |
18 | 18 | use Icinga\Common\Database; |
19 | 19 | use Icinga\Exception\AuthenticationException; |
20 | | -use Icinga\Forms\Authentication\Challenge2FAForm; |
21 | 20 | use Icinga\Forms\Authentication\LoginForm; |
22 | 21 | use Icinga\Web\Controller; |
23 | 22 | use Icinga\Web\Helper\CookieHelper; |
@@ -54,74 +53,62 @@ public function loginAction() |
54 | 53 | if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) { |
55 | 54 | $this->redirectNow(Url::fromPath('setup')); |
56 | 55 | } |
57 | | - $skip2fa = false; |
58 | | - $user = $this->Auth()->getUser(); |
59 | | - if ($user |
60 | | - && $user->getTwoFactorEnabled() |
61 | | - && Session::getSession()->get('2fa_must_challenge_token', false) |
62 | | - ) { |
63 | | - $form = (new Challenge2FAForm()) |
64 | | - ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
65 | | - ->on(Form::ON_SUBMIT, function (Challenge2FAForm $form) { |
66 | | - if ($redirectUrl = $form->getRedirectUrl()) { |
67 | | - $this->redirectNow($redirectUrl); |
68 | | - } |
69 | | - }) |
70 | | - ->on(Form::ON_SENT, function (Challenge2FAForm $form) { |
71 | | - $isCsrfValid = $form->getElement('CSRFToken')->isValid(); |
72 | | - $isCancelPressed = $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL; |
73 | | - |
74 | | - if ($isCsrfValid && $isCancelPressed) { |
75 | | - Session::getSession()->purge(); |
76 | | - $this->redirectNow(Url::fromRequest()); |
77 | | - } |
78 | | - }); |
79 | | - } else { |
80 | | - $form = (new LoginForm()) |
81 | | - ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
82 | | - ->on(Form::ON_SUBMIT, function (LoginForm $form) { |
83 | | - if ($redirectUrl = $form->getRedirectUrl()) { |
84 | | - $this->redirectNow($redirectUrl); |
85 | | - } |
86 | | - }) |
87 | | - ->on(Form::ON_REQUEST, function ($request, LoginForm $form) { |
88 | | - $auth = Auth::getInstance(); |
89 | | - $onlyExternal = true; |
90 | | - // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal(). |
91 | | - foreach ($auth->getAuthChain() as $backend) { |
92 | | - if (! $backend instanceof ExternalBackend) { |
93 | | - $onlyExternal = false; |
94 | | - } |
95 | | - } |
96 | | - if ($onlyExternal) { |
97 | | - $form->addMessage($this->translate( |
98 | | - 'You\'re currently not authenticated using any of the web server\'s authentication' |
99 | | - . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.' |
100 | | - )); |
101 | | - $form->onError(); |
102 | | - } |
103 | | - }); |
104 | 56 |
|
105 | | - if (RememberMe::hasCookie() && $this->hasDb()) { |
106 | | - $authenticated = false; |
107 | | - try { |
108 | | - $rememberMeOld = RememberMe::fromCookie(); |
109 | | - $authenticated = $rememberMeOld->authenticate(); |
110 | | - if ($authenticated) { |
111 | | - $rememberMe = $rememberMeOld->renew(); |
112 | | - $this->getResponse()->setCookie($rememberMe->getCookie()); |
113 | | - $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV()); |
114 | | - $skip2fa = true; |
| 57 | + $form = (new LoginForm()) |
| 58 | + ->setAction(Url::fromRequest()->getAbsoluteUrl()) |
| 59 | + ->on(Form::ON_SUBMIT, function (LoginForm $form) { |
| 60 | + if ($redirectUrl = $form->getRedirectUrl()) { |
| 61 | + $this->redirectNow($redirectUrl); |
| 62 | + } |
| 63 | + }) |
| 64 | + ->on(Form::ON_SENT, function (LoginForm $form) { |
| 65 | + $isCsrfValid = $form->getElement('CSRFToken')->isValid(); |
| 66 | + $isCancelPressed = $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL_2FA; |
| 67 | + |
| 68 | + if ($isCsrfValid && $isCancelPressed) { |
| 69 | + Session::getSession()->purge(); |
| 70 | + $this->redirectNow(Url::fromRequest()); |
| 71 | + } |
| 72 | + }) |
| 73 | + ->on(Form::ON_REQUEST, function ($request, LoginForm $form) { |
| 74 | + $auth = Auth::getInstance(); |
| 75 | + $onlyExternal = true; |
| 76 | + // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal(). |
| 77 | + foreach ($auth->getAuthChain() as $backend) { |
| 78 | + if (! $backend instanceof ExternalBackend) { |
| 79 | + $onlyExternal = false; |
115 | 80 | } |
116 | | - } catch (RuntimeException $e) { |
117 | | - Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage()); |
118 | | - } catch (AuthenticationException $e) { |
119 | | - Logger::error($e); |
120 | 81 | } |
| 82 | + if ($onlyExternal) { |
| 83 | + $form->addMessage($this->translate( |
| 84 | + 'You\'re currently not authenticated using any of the web server\'s authentication' |
| 85 | + . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.' |
| 86 | + )); |
| 87 | + $form->onError(); |
| 88 | + } |
| 89 | + }); |
| 90 | + |
| 91 | + $skip2fa = false; |
121 | 92 |
|
122 | | - if (! $authenticated) { |
123 | | - $this->getResponse()->setCookie(RememberMe::forget()); |
| 93 | + if (RememberMe::hasCookie() && $this->hasDb()) { |
| 94 | + $authenticated = false; |
| 95 | + try { |
| 96 | + $rememberMeOld = RememberMe::fromCookie(); |
| 97 | + $authenticated = $rememberMeOld->authenticate(); |
| 98 | + if ($authenticated) { |
| 99 | + $rememberMe = $rememberMeOld->renew(); |
| 100 | + $this->getResponse()->setCookie($rememberMe->getCookie()); |
| 101 | + $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV()); |
| 102 | + $skip2fa = true; |
124 | 103 | } |
| 104 | + } catch (RuntimeException $e) { |
| 105 | + Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage()); |
| 106 | + } catch (AuthenticationException $e) { |
| 107 | + Logger::error($e); |
| 108 | + } |
| 109 | + |
| 110 | + if (! $authenticated) { |
| 111 | + $this->getResponse()->setCookie(RememberMe::forget()); |
125 | 112 | } |
126 | 113 | } |
127 | 114 |
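Review bot: The warning assembled at new lines 84–85 concatenates 'authentication' and 'mechanisms' with no separating space, so the rendered text reads "authenticationmechanisms"; the commit moves the string unchanged and keeps the defect, fixed by ending the first fragment with a space: `'You\'re currently not authenticated using any of the web server\'s authentication '`. Separately, the remember-me branch at new lines 99–102 sets `$skip2fa = true` once the cookie authenticates and is renewed, which makes a valid remember-me cookie stand in for the second factor; where `$skip2fa` is consumed lies outside this hunk, so the intent should be stated at the assignment with `// A renewed remember-me cookie counts as a completed second factor for this request` and it is worth confirming that the cookie's lifetime bounds that exposure. loginAction's body continues past the end of the hunk.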
|
|