Hash backup codes in the database using password_hash

This commit is contained in:
Jeremy Benoist 2019-01-23 14:43:39 +01:00
parent 7485a272ff
commit 4654a83b64
No known key found for this signature in database
GPG key ID: BCA73962457ACC3C
4 changed files with 38 additions and 11 deletions

View file

@ -197,18 +197,25 @@ class ConfigController extends Controller
}
$user = $this->getUser();
$secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
if (!$user->isGoogleTwoFactor()) {
$secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
$user->setGoogleAuthenticatorSecret($secret);
$user->setEmailTwoFactor(false);
$user->setGoogleAuthenticatorSecret($secret);
$user->setEmailTwoFactor(false);
$user->setBackupCodes((new BackupCodes())->toArray());
$backupCodes = (new BackupCodes())->toArray();
$backupCodesHashed = array_map(
function ($backupCode) {
return password_hash($backupCode, PASSWORD_DEFAULT);
},
$backupCodes
);
$this->container->get('fos_user.user_manager')->updateUser($user, true);
}
$user->setBackupCodes($backupCodesHashed);
$this->container->get('fos_user.user_manager')->updateUser($user, true);
return $this->render('WallabagCoreBundle:Config:otp_app.html.twig', [
'backupCodes' => $backupCodes,
'qr_code' => $this->get('scheb_two_factor.security.google_authenticator')->getQRContent($user),
]);
}

View file

@ -20,7 +20,7 @@
<li>
<p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
<p><strong>{{ app.user.getBackupCodes|join("\n")|nl2br }}</strong></p>
<p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
</li>
<li>
<p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>

View file

@ -24,7 +24,7 @@
<li>
<p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
<p><strong>{{ app.user.getBackupCodes|join("\n")|nl2br }}</strong></p>
<p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
</li>
<li>
<p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>

View file

@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
*/
public function isBackupCode(string $code): bool
{
return \in_array($code, $this->backupCodes, true);
return false === $this->findBackupCode($code) ? false : true;
}
/**
@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
*/
public function invalidateBackupCode(string $code): void
{
$key = array_search($code, $this->backupCodes, true);
$key = $this->findBackupCode($code);
if (false !== $key) {
unset($this->backupCodes[$key]);
@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
return $this->clients->first();
}
}
/**
* Try to find a backup code from the list of backup codes of the current user.
*
* @param string $code Given code from the user
*
* @return string|false
*/
private function findBackupCode(string $code)
{
foreach ($this->backupCodes as $key => $backupCode) {
// backup code are hashed using `password_hash`
// see ConfigController->otpAppAction
if (password_verify($code, $backupCode)) {
return $key;
}
}
return false;
}
}