1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-25 02:47:04 +00:00

Only update mru_token for matched mfa row

This commit is contained in:
Felix Spöttel 2020-09-29 20:05:58 +02:00
parent be5032ffbe
commit ada2167d08

View File

@ -43,9 +43,9 @@ def enable_mfa(email, type, secret, token, label, env):
c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label)) c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
conn.commit() conn.commit()
def set_mru_token(email, token, env): def set_mru_token(email, mfa_id, token, env):
conn, c = open_database(env, with_connection=True) conn, c = open_database(env, with_connection=True)
c.execute('UPDATE mfa SET mru_token=? WHERE user_id=?', (token, get_user_id(email, c))) c.execute('UPDATE mfa SET mru_token=? WHERE user_id=? AND id=?', (token, get_user_id(email, c), mfa_id))
conn.commit() conn.commit()
def disable_mfa(email, mfa_id, env): def disable_mfa(email, mfa_id, env):
@ -127,7 +127,7 @@ def validate_auth_mfa(email, request, env):
continue continue
# On success, record the token to prevent a replay attack. # On success, record the token to prevent a replay attack.
set_mru_token(email, token, env) set_mru_token(email, mfa_mode['id'], token, env)
return (True, []) return (True, [])
# On a failed login, indicate failure and any hints for what the user can do instead. # On a failed login, indicate failure and any hints for what the user can do instead.