aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2023-03-11 20:24:56 +0000
committerMario <mario@mariovavti.com>2023-03-11 20:24:56 +0000
commitac9c33fb3b31f4a3801fbdf7c723b923d699964d (patch)
treeedc1f7bad40238e4150709bc5cd6f58cdc012443
parent641b1c2e1b5be0d5b7b94ea6566238baa830ebe4 (diff)
downloadvolse-hubzilla-ac9c33fb3b31f4a3801fbdf7c723b923d699964d.tar.gz
volse-hubzilla-ac9c33fb3b31f4a3801fbdf7c723b923d699964d.tar.bz2
volse-hubzilla-ac9c33fb3b31f4a3801fbdf7c723b923d699964d.zip
check form security token and require password to enable/diable mfa
-rw-r--r--Zotlabs/Module/Settings/Multifactor.php15
-rw-r--r--view/tpl/totp_setup.tpl1
2 files changed, 16 insertions, 0 deletions
diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php
index 191055e2c..4df718c6a 100644
--- a/Zotlabs/Module/Settings/Multifactor.php
+++ b/Zotlabs/Module/Settings/Multifactor.php
@@ -12,10 +12,24 @@ use ParagonIE\ConstantTime\Base32;
class Multifactor {
public function post() {
+ check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa');
+
$account = App::get_account();
if (!$account) {
return;
}
+
+ if (empty($_POST['password'])) {
+ notice(t('Password is required') . EOL);
+ return;
+ }
+
+ $password = trim($_POST['password']);
+ if(!account_verify_password($account['account_email'], $password)) {
+ notice(t('The provided password is not correct') . EOL);
+ return;
+ }
+
$enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
if ($enable_mfa) {
@@ -67,6 +81,7 @@ class Multifactor {
t('Logging in will require you to be in possession of your smartphone with an authenticator app'),
[t('No'), t('Yes')]
],
+ '$password' => ['password', t('Please enter your password'), '', t('Required')],
'$submit' => t('Submit'),
'$test' => t('Test')
]
diff --git a/view/tpl/totp_setup.tpl b/view/tpl/totp_setup.tpl
index 2ee79fae9..1301d0001 100644
--- a/view/tpl/totp_setup.tpl
+++ b/view/tpl/totp_setup.tpl
@@ -28,6 +28,7 @@
<div id="mfa-submit-wrapper" class="{{if !$enable_mfa.2}}d-none{{/if}}">
<form action="settings/multifactor" method="post">
<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+ {{include file="field_password.tpl" field=$password}}
{{include file="field_checkbox.tpl" field=$enable_mfa}}
<div class="settings-submit-wrapper" >
<button id="otp-enable-submit" type="b" name="submit" class="btn btn-primary">