authorThomas Steur <tsteur@users.noreply.github.com>2018-12-03 06:27:29 +0300
committerGitHub <noreply@github.com>2018-12-03 06:27:29 +0300
commit284bdc0816dd2eff4010e4be42812ff3cc7e25e1 (patch)
tree88c60d0e72bae97b5467c5ad7693a64dd477bf3e /plugins/Login/Controller.php
parente679e0383496383b00f95fd5fd0e42eed4ca49fe (diff)
Implement Two Factor Authentication (#13670)
Diffstat (limited to 'plugins/Login/Controller.php')
-rw-r--r--plugins/Login/Controller.php60
1 files changed, 58 insertions, 2 deletions
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index a69a7b9ce8..939a160e96 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -12,7 +12,7 @@ use Exception;
use Piwik\Common;
use Piwik\Config;
use Piwik\Container\StaticContainer;
-use Piwik\Cookie;
+use Piwik\Date;
use Piwik\Log;
use Piwik\Nonce;
use Piwik\Piwik;
@@ -44,13 +44,19 @@ class Controller extends \Piwik\Plugin\Controller
protected $sessionInitializer;
/**
+ * @var PasswordVerifier
+ */
+ protected $passwordVerify;
+
+ /**
* Constructor.
*
* @param PasswordResetter $passwordResetter
* @param AuthInterface $auth
* @param SessionInitializer $authenticatedSessionFactory
+ * @param PasswordVerifier $passwordVerify
*/
- public function __construct($passwordResetter = null, $auth = null, $sessionInitializer = null)
+ public function __construct($passwordResetter = null, $auth = null, $sessionInitializer = null, $passwordVerify = null)
{
parent::__construct();
@@ -64,6 +70,11 @@ class Controller extends \Piwik\Plugin\Controller
}
$this->auth = $auth;
+ if (empty($passwordVerify)) {
+ $passwordVerify = StaticContainer::get('Piwik\Plugins\Login\PasswordVerifier');
+ }
+ $this->passwordVerify = $passwordVerify;
+
if (empty($sessionInitializer)) {
$sessionInitializer = new \Piwik\Session\SessionInitializer();
}
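Review bot: The container lookup on the new `$this->passwordVerify` fallback uses a string class name, `StaticContainer::get('Piwik\Plugins\Login\PasswordVerifier')`, which neither the IDE nor static analysis will resolve if the class is ever renamed or moved. The docblock above (`@var PasswordVerifier`) refers to the class unqualified, so it appears to live in this controller's namespace and `StaticContainer::get(PasswordVerifier::class)` would be equivalent and tooling-checked. The constructor this hunk belongs to starts in the previous hunk and ends outside this one.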
@@ -148,6 +159,51 @@ class Controller extends \Piwik\Plugin\Controller
$view->nonce = Nonce::getNonce('Login.login');
}
+ public function confirmPassword()
+ {
+ Piwik::checkUserIsNotAnonymous();
+ Piwik::checkUserHasSomeViewAccess();
+
+ if (!$this->passwordVerify->hasPasswordVerifyBeenRequested()) {
+ throw new Exception('Not available');
+ }
+
+ if (!Url::isValidHost()) {
+ throw new Exception("Cannot confirm password with untrusted hostname!");
+ }
+
+ $nonceKey = 'confirmPassword';
+ $messageNoAccess = '';
+ if (!empty($_POST)) {
+ $nonce = Common::getRequestVar('nonce', null, 'string', $_POST);
+ if (!Nonce::verifyNonce($nonceKey, $nonce)) {
+ $messageNoAccess = $this->getMessageExceptionNoAccess();
+ } elseif ($this->verifyPasswordCorrect()) {
+ $this->passwordVerify->setPasswordVerifiedCorrectly();
+ return;
+ } else {
+ $messageNoAccess = Piwik::translate('Login_WrongPasswordEntered');
+ }
+ }
+
+ return $this->renderTemplate('confirmPassword', array(
+ 'nonce' => Nonce::getNonce($nonceKey),
+ 'AccessErrorString' => $messageNoAccess
+ ));
+ }
+
+ private function verifyPasswordCorrect()
+ {
+ /** @var \Piwik\Auth $authAdapter */
+ $authAdapter = StaticContainer::get('Piwik\Auth');
+ $authAdapter->setLogin(Piwik::getCurrentUserLogin());
+ $authAdapter->setPasswordHash(null);// ensure authentication happens on password
+ $authAdapter->setPassword(Common::getRequestVar('password', null, 'string', $_POST));
+ $authAdapter->setTokenAuth(null);// ensure authentication happens on password
+ $authResult = $authAdapter->authenticate();
+ return $authResult->wasAuthenticationSuccessful();
+ }
+
/**
* Form-less login
* @see how to use it on http://piwik.org/faq/how-to/#faq_30
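Review bot: In `confirmPassword()`, `Common::getRequestVar('nonce', null, 'string', $_POST)` is called with no default, so if I read `getRequestVar` correctly a POST that omits the `nonce` field throws a generic exception out of the action instead of reaching the `verifyNonce` branch that sets `$messageNoAccess`; `$nonce = Common::getRequestVar('nonce', '', 'string', $_POST);` would make a missing nonce fail the same way as a bad one, and the same applies to `'password'` in `verifyPasswordCorrect()`. Neither new method has a docblock; `confirmPassword()` should state that it is only reachable after the verifier has requested re-confirmation, that a valid `Url::isValidHost()` is required, that on a successful check it calls `setPasswordVerifiedCorrectly()` and returns without rendering (the caller is presumably expected to redirect), and otherwise returns the rendered `confirmPassword` template with `AccessErrorString` set; `verifyPasswordCorrect()` should note that it deliberately clears the password hash and token so the configured `Piwik\Auth` adapter authenticates on the submitted password only. The mixed return (`null` on success, rendered string otherwise) is worth a `@return string|null` at minimum so callers do not treat the result as always-a-string.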