external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2026-03-04 15:54:48 +01:00
Code Issues Releases Wiki Activity

Add TOTP secret to user_key hash

Browse Source 
thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
This commit is contained in:
Felix Spöttel
2020-09-12 16:34:06 +02:00
parent 2ea97f0643
commit dcb93d071c
6 changed files with 43 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
management/templates/index.html
View File

@@ -363,6 +363,16 @@ function api(url, method, data, callback, callback_error, headers) {
var current_panel = null;
var switch_back_to_panel = null;
function do_logout() {
api_credentials = ["", ""];
if (typeof localStorage != 'undefined')
localStorage.removeItem("miab-cp-credentials");
if (typeof sessionStorage != 'undefined')
sessionStorage.removeItem("miab-cp-credentials");
show_panel('login');
}
function show_panel(panelid) {
if (panelid.getAttribute)
// we might be passed an HTMLElement <a>.

9
management/templates/login.html
View File

@@ -166,15 +166,6 @@ function do_login() {
});
}
function do_logout() {
api_credentials = ["", ""];
if (typeof localStorage != 'undefined')
localStorage.removeItem("miab-cp-credentials");
if (typeof sessionStorage != 'undefined')
sessionStorage.removeItem("miab-cp-credentials");
show_panel('login');
}
function show_login() {
$('#loginForm').removeClass('is-twofactor');
$('#loginOtpInput').val('');

24
management/templates/two-factor-auth.html
View File

@@ -37,31 +37,35 @@
<div class="loading-indicator">Loading...</div>
<form id="totp-setup">
<p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
<div class="form-group">
<h3>Setup</h3>
<p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
<h3>Setup Instructions</h3>
<p>1. Scan the QR code or enter the secret into an authenticator app (e.g. Google Authenticator)</p>
<div id="totp-setup-qr"></div>
</div>
<div class="form-group">
<label for="otp">2. Enter the code displayed in the Authenticator app</label>
<p>You will have to log into the admin panel again after enabling two-factor authentication.</p>
<input type="text" id="totp-setup-token" class="form-control" placeholder="6-digit code" />
</div>
<input type="hidden" id="totp-setup-secret" />
<div class="form-group">
<button id="totp-setup-submit" disabled type="submit" class="btn">Enable two factor authentication</button>
<button id="totp-setup-submit" disabled type="submit" class="btn">Enable two-factor authentication</button>
</div>
</form>
<form id="disable-2fa">
<div class="form-group">
<p>Two factor authentication is active.</p>
<p>Two-factor authentication is active for your account. You can disable it by clicking below button.</p>
<p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
</div>
<div class="form-group">
<button type="submit" class="btn btn-danger">Disable two-factor authentication</button>
</div>
<button type="submit" class="btn btn-danger">Disable two factor authentication</button>
</form>
<div id="output-2fa" class="panel panel-danger">
@@ -173,7 +177,9 @@
'/mfa/totp/disable',
'POST',
{},
function() { show_two_factor_auth(); }
function() {
do_logout();
}
);
return false;
@@ -190,7 +196,9 @@
token: $(el.totpSetupToken).val(),
secret: $(el.totpSetupSecret).val()
},
function(res) { show_two_factor_auth(); },
function(res) {
do_logout();
},
function(res) {
var errorMessage = 'Something went wrong.';
var parsed;