mirrors/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2024-11-26 11:01:04 +00:00
Code Issues Projects Releases Wiki Activity

ConfigController: remove 2fa cancel step

Browse source 
This change annoys me, however this endpoint was anyway problematic:
- it was vulnerable to a CSRF attack, see GHSA-56fm-hfp3-x3w3
- it is useless as we don't really handle a two-steps validation

Still, if you send an incorrect code during the "activation" phase a
flash error will pop up but the 2fa will stay enabled. This need rework
when possible.

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf 2023-09-30 00:46:19 +02:00
parent 5240684be9
commit aa06e8328e
3 changed files with 10 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -373,8 +373,10 @@ class ConfigController extends AbstractController
* Cancelling 2FA using OTP app. * Cancelling 2FA using OTP app.
* *
* @Route("/config/otp/app/cancel", name="config_otp_app_cancel") * @Route("/config/otp/app/cancel", name="config_otp_app_cancel")
*
* XXX: commented until we rewrite 2fa with a real two-steps activation
*/ */
public function otpAppCancelAction() /*public function otpAppCancelAction()
{ {
$user = $this->getUser(); $user = $this->getUser();
$user->setGoogleAuthenticatorSecret(null); $user->setGoogleAuthenticatorSecret(null);
@ -383,7 +385,7 @@ class ConfigController extends AbstractController
$this->userManager->updateUser($user, true); $this->userManager->updateUser($user, true);
return $this->redirect($this->generateUrl('config') . '#set3'); return $this->redirect($this->generateUrl('config') . '#set3');
} }*/
/** /**
* Validate OTP code. * Validate OTP code.
@ -415,7 +417,12 @@ class ConfigController extends AbstractController
'scheb_two_factor.code_invalid' 'scheb_two_factor.code_invalid'
); );
return $this->redirect($this->generateUrl('config_otp_app')); $this->addFlash(
'notice',
'scheb_two_factor.code_invalid'
);
return $this->redirect($this->generateUrl('config') . '#set3');
} }
/** /**

3
src/Wallabag/CoreBundle/Resources/views/Config/otp_app.html.twig
View file

@ -50,9 +50,6 @@
</div> </div>
</div> </div>
<div class="card-action"> <div class="card-action">
<a href="{{ path('config_otp_app_cancel') }}" class="waves-effect waves-light grey btn">
{{ 'config.otp.app.cancel'|trans }}
</a>
<button class="btn waves-effect waves-light" type="submit" name="send"> <button class="btn waves-effect waves-light" type="submit" name="send">
{{ 'config.otp.app.enable'|trans }} {{ 'config.otp.app.enable'|trans }}
<i class="material-icons right">send</i> <i class="material-icons right">send</i>

30
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View file

@ -1254,36 +1254,6 @@ class ConfigControllerTest extends WallabagCoreTestCase
$em->flush(); $em->flush();
} }
public function testUserEnable2faGoogleCancel()
{
$this->logInAs('admin');
$client = $this->getTestClient();
$crawler = $client->request('GET', '/config/otp/app');
$this->assertSame(200, $client->getResponse()->getStatusCode());
// restore user
$em = $this->getEntityManager();
$user = $em
->getRepository(User::class)
->findOneByUsername('admin');
$this->assertTrue($user->isGoogleTwoFactor());
$this->assertGreaterThan(0, $user->getBackupCodes());
$crawler = $client->request('GET', '/config/otp/app/cancel');
$this->assertSame(302, $client->getResponse()->getStatusCode());
$user = $em
->getRepository(User::class)
->findOneByUsername('admin');
$this->assertFalse($user->isGoogleTwoFactor());
$this->assertEmpty($user->getBackupCodes());
}
public function testUserDisable2faGoogle() public function testUserDisable2faGoogle()
{ {
$this->logInAs('admin'); $this->logInAs('admin');