From c3a9183f00486007a84af5766f28f4298c74e446 Mon Sep 17 00:00:00 2001
From: Thomas Steur
Date: Mon, 18 Mar 2019 12:30:03 +1300
Subject: Make sure to anonymize token only when needed (#14216)

---
 plugins/TwoFactorAuth/TwoFactorAuth.php | 51 +++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 21 deletions(-)

(limited to 'plugins/TwoFactorAuth')

diff --git a/plugins/TwoFactorAuth/TwoFactorAuth.php b/plugins/TwoFactorAuth/TwoFactorAuth.php
index 6bfe0d9ac5..06091294f4 100644
--- a/plugins/TwoFactorAuth/TwoFactorAuth.php
+++ b/plugins/TwoFactorAuth/TwoFactorAuth.php
@@ -144,19 +144,40 @@ class TwoFactorAuth extends \Piwik\Plugin
         }
 
         if ($module === 'Proxy') {
+            return false;
+        }
+
+        if (!$this->requiresAuth($module, $action, $parameters)) {
             return;
         }
 
+        $twoFa = $this->getTwoFa();
+
+        $isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
+        if ($isUsing2FA && !Request::isRootRequestApiRequest() && Session::isStarted()) {
+            $sessionFingerprint = new SessionFingerprint();
+            if (!$sessionFingerprint->hasVerifiedTwoFactor()) {
+                $module = 'TwoFactorAuth';
+                $action = 'loginTwoFactorAuth';
+            }
+        } elseif (!$isUsing2FA && $twoFa->isUserRequiredToHaveTwoFactorEnabled()) {
+            $module = 'TwoFactorAuth';
+            $action = 'onLoginSetupTwoFactorAuth';
+        }
+    }
+
+    private function requiresAuth($module, $action, $parameters)
+    {
         if ($module === 'TwoFactorAuth' && $action === 'showQrCode') {
-            return;
+            return false;
         }
 
         if ($module === 'CoreUpdater') {
-            return;
+            return false;
         }
 
         if ($module === Piwik::getLoginPluginName() && $action === 'logout') {
-            return;
+            return false;
         }
 
         if (Piwik::getModule() === 'Widgetize') {
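Review bot: The `Proxy` exemption is left in onRequestDispatch as `return false;` instead of moving into the new requiresAuth(), so onRequestDispatchEnd, which now gates on requiresAuth(), does not share it, and a bare `return false` in a hook that four lines later uses `return;` reads like a leftover. Unless the Proxy case is already covered by the check at the top of onRequestDispatchEnd (not visible in this diff), I would move it next to the `showQrCode`/`CoreUpdater`/`logout` checks, `if ($module === 'Proxy') { return false; }` inside requiresAuth, and drop it from the dispatch hook so both hooks apply one exemption list. The new private method also has no docblock; a short one saying it returns false for the module/action pairs exempt from the 2FA gate and is the single decision point for both dispatch hooks would help the next reader. onRequestDispatch's signature is above this hunk and requiresAuth's body continues into the next one.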
@@ -165,30 +186,14 @@ class TwoFactorAuth extends \Piwik\Plugin
             if ($auth && !$auth->getLogin() && method_exists($auth, 'getTokenAuth') && $auth->getTokenAuth()) {
                 // when authenticated by token only, we do not require 2fa
                 // needed eg for rendering exported widgets authenticated by token
-                return;
+                return false;
             }
         }
 
         $requiresAuth = true;
         Piwik::postEvent('TwoFactorAuth.requiresTwoFactorAuthentication', array(&$requiresAuth, $module, $action, $parameters));
 
-        if (!$requiresAuth) {
-            return;
-        }
-
-        $twoFa = $this->getTwoFa();
-
-        $isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
-        if ($isUsing2FA && !Request::isRootRequestApiRequest() && Session::isStarted()) {
-            $sessionFingerprint = new SessionFingerprint();
-            if (!$sessionFingerprint->hasVerifiedTwoFactor()) {
-                $module = 'TwoFactorAuth';
-                $action = 'loginTwoFactorAuth';
-            }
-        } elseif (!$isUsing2FA && $twoFa->isUserRequiredToHaveTwoFactorEnabled()) {
-            $module = 'TwoFactorAuth';
-            $action = 'onLoginSetupTwoFactorAuth';
-        }
+        return $requiresAuth;
     }
 
     public function onRequestDispatchEnd(&$result, $module, $action, $parameters)
@@ -198,6 +203,10 @@ class TwoFactorAuth extends \Piwik\Plugin
             return;
         }
 
+        if (!$this->requiresAuth($module, $action, $parameters)) {
+            return;
+        }
+
         $twoFa = $this->getTwoFa();
 
         $isUsing2FA = $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
-- 
cgit v1.2.3
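Review bot: `return $requiresAuth;` hands back whatever the last listener of `TwoFactorAuth.requiresTwoFactorAuthentication` left in the by-reference argument, and both callers only test it with `!`, so a listener that writes `null`, `0` or `''` disables the 2FA gate exactly like `false` does. Returning `(bool) $requiresAuth` pins the contract, and the private method should say in its docblock that a single listener setting the flag to false now turns off both the 2FA redirect in onRequestDispatch and the post-dispatch handling in onRequestDispatchEnd, since this commit widens what that event controls. Note also that the token-only Widgetize exemption above keys on `Piwik::getModule()` (the root request) while every other check uses the `$module` parameter; that mix is pre-existing but now governs two hooks. The method's signature and the module/action exemptions are in the previous hunk.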
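Review bot: The early return added here makes every exemption in requiresAuth() — showQrCode, CoreUpdater, logout, token-only Widgetize requests and any event listener that clears the flag — also skip the remainder of onRequestDispatchEnd, which per the commit title is where the token is anonymized (that code is below the hunk and not visible here). If that is the intent, say so in place, e.g. `// same exemptions as onRequestDispatch: when no 2FA gate applies, leave the response untouched`; if the token should still be anonymized in, say, CoreUpdater or logout responses, this hook needs a narrower exemption list than the one used to decide the redirect. onRequestDispatchEnd's body continues past the end of this hunk.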