Make sure tokens handled by 2F modules are temporary sessions (#2791)

Maxime Besson 2022-09-02 10:56:38 +02:00
parent 5e72df3f06
commit 318e08ccc7
2 changed files with 12 additions and 0 deletions


@ -437,6 +437,12 @@ sub _choice {
return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] );
}
unless ( $session->{_2fRealSession} ) {
$self->logger->error("Invalid 2FA session token");
$req->noLoginDisplay(1);
return $self->p->do( $req, [ sub { PE_ERROR } ] );
}
$req->sessionInfo($session);
# New token
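Review bot: The new `unless ( $session->{_2fRealSession} )` guard in `_choice` has no comment saying why it exists, and its log line is identical to the one added in `_verify` in the other file, so an operator cannot tell from the log which entry point rejected a token. I would add `# Only temporary sessions created by the 2F flow carry _2fRealSession; reject tokens issued for any other purpose` above the guard. I would also make the message name the entry point, e.g. `$self->logger->error("Invalid 2FA session token in _choice: not a temporary 2F session");`, without logging the token value itself. The same applies to the guard in `_verify`. `_choice` starts and ends outside this hunk, so I cannot see how `$session` is fetched or whether the token is already consumed when this branch runs.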


@ -5,6 +5,7 @@ use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_SENDRESPONSE
PE_OK
PE_ERROR
PE_NOTOKEN
PE_TOKENEXPIRED
PE_BADCREDENTIALS
@ -104,6 +105,11 @@ sub _verify {
$req->noLoginDisplay(1);
return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] );
}
unless ( $session->{_2fRealSession} ) {
$self->logger->error("Invalid 2FA session token");
$req->noLoginDisplay(1);
return $self->p->do( $req, [ sub { PE_ERROR } ] );
}
# Launch second factor verification
my $res = $self->verify( $req, $session );
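Review bot: The guard added in `_verify` is a copy of the one added in `_choice`, so the rule "a 2F token must be a temporary 2F session" now lives in two places, and any other handler that consumes these tokens has to remember to repeat it. I would move the check, the log line and `noLoginDisplay` into one helper that both call sites use, so the rule is enforced and audited in a single place. The helper name below is only a suggestion, and where it should live depends on what the two classes share, which is not visible from this page. `_verify` continues past the end of the hunk.

```perl
# Suggested helper: returns true only for temporary sessions created by the 2F flow.
sub _isTemp2fSession {
    my ( $self, $req, $session ) = @_;
    return 1 if ref $session eq 'HASH' and $session->{_2fRealSession};
    $self->logger->error("Invalid 2FA session token");
    $req->noLoginDisplay(1);
    return 0;
}

# ... unchanged: token lookup and PE_TOKENEXPIRED branch ...
return $self->p->do( $req, [ sub { PE_ERROR } ] )
  unless $self->_isTemp2fSession( $req, $session );
# ... unchanged: second factor verification ...
```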