File: login-mfa.php

package info (click to toggle)
postfixadmin 4.0.1%2Bds-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 4,888 kB
  • sloc: php: 12,256; perl: 1,156; sh: 717; python: 142; xml: 63; sql: 3; makefile: 2
file content (94 lines) | stat: -rw-r--r-- 2,668 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
<?php

/**
 * Postfix Admin
 *
 * LICENSE
 * This source file is subject to the GPL license that is bundled with
 * this package in the file LICENSE.TXT.
 *
 * Further details on the project are available at https://github.com/postfixadmin/postfixadmin
 *
 * @version $Id$
 * @license GNU GPL v2 or later.
 *
 * File: login-totp.php
 * Authenticates a user, and populates their $_SESSION as appropriate.
 * Template File: login.tpl
 *
 * Template Variables:
 *
 *  none
 *
 * Form POST \ GET Variables:
 *
 *  fUsername
 *  fPassword
 *  token
 *  lang
 */

require_once('common.php');

$CONF = Config::getInstance()->getAll();
$smarty = PFASmarty::getInstance();
$error = '';

if (Config::bool('totp') === false) {
    session_destroy();
    session_start();
    header("Location: login.php");
    exit(0); // shouldn't really be here?
}
if (authentication_has_role("admin")) {
    header("Location: main.php");
    exit(0);
}

if (isset($_GET["abort"]) && $_GET["abort"] == "1" && authentication_mfa_incomplete()) {
    session_unset();
    session_destroy();
    session_start();
    header("Location: login.php");
    exit(0);
}

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (!isset($_SESSION['PFA_token'])) {
        die("Invalid token (session timeout; refresh the page and try again?)");
    }

    if (safepost('token') != $_SESSION['PFA_token']) {
        die('Invalid token! (CSRF check failed)');
    }

    $totppf = new TotpPf('admin', new Login('admin'));
    $fTotp = safepost('fTOTP_code');
    $h = new AdminHandler();

    if (authentication_mfa_incomplete() && $totppf->checkUserTOTP(authentication_get_username(), $fTotp)) {
        init_session(authentication_get_username(), true, true);

        // get superadmin status and store in session
        $h->init(authentication_get_username());
        if ($h->result()['superadmin'] == 1) {
            $_SESSION['sessid']['roles'][] = 'global-admin';
        }
        header("Location: main.php");
        exit(0);
    } else {
        error_log("PostfixAdmin admin second factor login failed (username: " . authentication_get_username() . ", ip_address: {$_SERVER['REMOTE_ADDR']})");
        $error = $PALANG['pTotp_failed'];
        flash_error($PALANG['pTotp_failed']);
    }
}

$_SESSION['PFA_token'] = md5(uniqid("pfa" . rand(), true));

$smarty->assign('pTOPT_code_text', $error);
$smarty->assign('smarty_template', 'login-mfa');
$smarty->assign('language_selector', language_selector(), false);
$smarty->assign('forgotten_password_reset', Config::bool('forgotten_admin_password_reset'));
$smarty->display('index.tpl');

/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */