Merge branch 'fix-2fa-timeout-2757' into 'v2.0'
Add specific 2FA timeout (#2757) See merge request lemonldap-ng/lemonldap-ng!269
commit
cd41ba8872
|
@ -562,6 +562,7 @@ sfEngine Second factor engine
|
|||
sfExtra Extra second factors ✔
|
||||
sfManagerRule Rule to display second factor Manager link ✔
|
||||
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
|
||||
sfLoginTimeout Timeout for 2F login process ✔
|
||||
sfRegisterTimeout Timeout for 2F registration process ✔
|
||||
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
|
||||
sfRemovedNotifMsg Notification message ✔
|
||||
|
|
|
@ -76,10 +76,19 @@ of doing a complete reauthentication.
|
|||
|
||||
.. |beta| image:: /documentation/beta.png
|
||||
|
||||
Login timeout
|
||||
-------------
|
||||
|
||||
Allowed time for the user to authenticate using their second factor. By default
|
||||
it is set to 2 minutes, but some complex second factor types (TOTP, email...)
|
||||
may require more time to be used.
|
||||
|
||||
Registration timeout
|
||||
--------------------
|
||||
|
||||
Allowed time to register a TOTP.
|
||||
Allowed time for the user to register their new second factor. By default it is
|
||||
set to 2 minutes, but some complex second factor types (TOTP...) may require
|
||||
more time to be registered.
|
||||
|
||||
Second factor expiration
|
||||
------------------------
|
||||
|
|
|
@ -4026,6 +4026,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
},
|
||||
'type' => 'sfExtraContainer'
|
||||
},
|
||||
'sfLoginTimeout' => {
|
||||
'type' => 'int'
|
||||
},
|
||||
'sfManagerRule' => {
|
||||
'default' => 1,
|
||||
'type' => 'boolOrExpr'
|
||||
|
|
|
@ -3374,6 +3374,10 @@ sub attributes {
|
|||
help => 'secondfactor.html',
|
||||
documentation => 'Notification message',
|
||||
},
|
||||
sfLoginTimeout => {
|
||||
type => 'int',
|
||||
documentation => 'Timeout for 2F login process',
|
||||
},
|
||||
sfRegisterTimeout => {
|
||||
type => 'int',
|
||||
documentation => 'Timeout for 2F registration process',
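Review bot: The new `sfLoginTimeout` entry is a bare `int` with no `default`, and its `documentation` string names neither the unit nor the fallback, while the documentation hunk in this commit says the value is 2 minutes by default. The portal hunks only show `sfLoginTimeout || formTimeout`, so the effective default is whatever `formTimeout` is, and that is not visible here. Because this value decides how long a pending second-factor step stays redeemable, I would spell it out, e.g. `documentation => 'Timeout for 2F login process (formTimeout is used when unset or 0)',`, adding the unit once it is confirmed to be seconds (the test's 600 / `+10m` pairing suggests so). It is also worth checking whether the manager's `int` type rejects negative or very large values, since no bound is declared on this line. The `attributes` sub starts and ends outside the hunk.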
|
||||
|
|
|
@ -886,6 +886,7 @@ sub tree {
|
|||
'sfManagerRule',
|
||||
'sfRequired',
|
||||
'sfOnlyUpgrade',
|
||||
'sfLoginTimeout',
|
||||
'sfRegisterTimeout',
|
||||
{
|
||||
title => 'utotp2f',
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"جلسة( أو جلسات )",
|
||||
"sessions":"الجلسات",
|
||||
"sfExtra":"Additional second factors",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"session(s)",
|
||||
"sessions":"Sessions",
|
||||
"sfExtra":"Additional second factors",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"sesión(es)",
|
||||
"sessions":"Sesiones",
|
||||
"sfExtra":"Segundos factores adicionales",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"session(s)",
|
||||
"sessions":"Sessions",
|
||||
"sfExtra":"Seconds facteurs additionnels",
|
||||
"sfLoginTimeout":"Délai maximum d'authentification",
|
||||
"sfManagerRule":"Afficher le lien du Gestionnaire",
|
||||
"sfOnlyUpgrade":"Utiliser le SF pour augmenter le niveau d'authentification",
|
||||
"sfRegisterTimeout":"Délai d'expiration de l'enregistrement",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"session(s)",
|
||||
"sessions":"הפעלות",
|
||||
"sfExtra":"Additional second factors",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"sessione(i)",
|
||||
"sessions":"Sessioni",
|
||||
"sfExtra":"Additional second factors",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"sesja/e",
|
||||
"sessions":"Sesje",
|
||||
"sfExtra":"Dodatkowe drugie czynniki",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Link do Menedżera wyświetlania",
|
||||
"sfOnlyUpgrade":"Użyj 2FA do aktualizacji sesji",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"oturum(lar)",
|
||||
"sessions":"Oturumlar",
|
||||
"sfExtra":"Ek ikinci faktörler",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Yönetici bağlantısını görüntüle",
|
||||
"sfOnlyUpgrade":"Oturum yükseltme için 2FA kullan",
|
||||
"sfRegisterTimeout":"Kayıtlanma zaman aşımı",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"session (s)",
|
||||
"sessions":"Phiên",
|
||||
"sfExtra":"Additional second factors",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"Display Manager link",
|
||||
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"工作階段",
|
||||
"sessions":"工作階段",
|
||||
"sfExtra":"額外的第二因素",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"顯示管理程式連結",
|
||||
"sfOnlyUpgrade":"使用 2FA 進行工作階段升級",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
|
@ -1076,6 +1076,7 @@
|
|||
"session_s":"工作階段",
|
||||
"sessions":"工作階段",
|
||||
"sfExtra":"額外的第二因素",
|
||||
"sfLoginTimeout":"Login timeout",
|
||||
"sfManagerRule":"顯示管理程式連結",
|
||||
"sfOnlyUpgrade":"使用 2FA 進行工作階段升級",
|
||||
"sfRegisterTimeout":"Registration timeout",
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -41,7 +41,8 @@ has ott => (
|
|||
default => sub {
|
||||
my $ott =
|
||||
$_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
|
||||
$ott->timeout( $_[0]->{conf}->{formTimeout} );
|
||||
$ott->timeout( $_[0]->{conf}->{sfLoginTimeout}
|
||||
|| $_[0]->{conf}->{formTimeout} );
|
||||
return $ott;
|
||||
}
|
||||
);
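Review bot: `sfLoginTimeout || formTimeout` in the new `$ott->timeout(...)` call treats a configured `0` exactly like an unset value, so the setting alone does not tell an administrator which lifetime the token gets. If that is intended, a comment above the call such as `# 0 or unset: fall back to formTimeout` would record it. The same expression is repeated in the two other second-factor modules patched further down, and the `mail2fTimeout || sfLoginTimeout || formTimeout` variant adds a precedence that the documentation hunk in this commit does not mention. This token appears to be what carries the user from a completed first factor to the second-factor check, so a larger value lengthens the period in which that half-authenticated state can still be completed; the docs should say so next to the "may require more time" advice. The `has ott` declaration starts outside the hunk.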
|
||||
|
|
|
@ -35,6 +35,7 @@ has ott => (
|
|||
my $ott =
|
||||
$_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
|
||||
$ott->timeout( $_[0]->{conf}->{mail2fTimeout}
|
||||
|| $_[0]->{conf}->{sfLoginTimeout}
|
||||
|| $_[0]->{conf}->{formTimeout} );
|
||||
return $ott;
|
||||
}
|
||||
|
|
|
@ -25,7 +25,8 @@ has ott => (
|
|||
default => sub {
|
||||
my $ott =
|
||||
$_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken');
|
||||
$ott->timeout( $_[0]->{conf}->{formTimeout} );
|
||||
$ott->timeout( $_[0]->{conf}->{sfLoginTimeout}
|
||||
|| $_[0]->{conf}->{formTimeout} );
|
||||
return $ott;
|
||||
}
|
||||
);
|
||||
|
|
|
@ -19,9 +19,10 @@ SKIP: {
|
|||
totp2fActivation => 1,
|
||||
sfRequired => 1,
|
||||
sfRegisterTimeout => 600,
|
||||
sfLoginTimeout => 600,
|
||||
tokenUseGlobalStorage => 1,
|
||||
issuerDBCASActivation => 1,
|
||||
issuersTimeout => 600,
|
||||
issuersTimeout => 1200,
|
||||
}
|
||||
}
|
||||
);
|
||||
|
@ -128,9 +129,14 @@ SKIP: {
|
|||
$pdata = 'lemonldappdata=' . expectCookie( $res, 'lemonldappdata' );
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/totp2fcheck', 'token' );
|
||||
|
||||
# Test Login timeout
|
||||
Time::Fake->offset("+10m");
|
||||
|
||||
ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 ),
|
||||
'Code' );
|
||||
$query =~ s/code=/code=$code/;
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/totp2fcheck', IO::String->new($query),
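Review bot: `Time::Fake->offset("+10m")` moves the clock by exactly the 600 seconds given to `sfLoginTimeout`, so the added step sits on the expiry boundary and its outcome depends on whether the token comparison is strict or inclusive. An offset clearly inside the window, plus a separate case clearly past it that expects the `/totp2fcheck` post to be refused, would pin both the extension and the expiry. The comment could also state the expected outcome, e.g. `# Login must still succeed 10 minutes after the form was issued (sfLoginTimeout => 600)` if that is the intent. The assertions on `$res` continue outside the hunk, so the expected result is not visible here.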
|
||||
|
|