Diffstat (limited to 'lib')
-rw-r--r--lib/private/Authentication/TwoFactorAuth/Manager.php18
-rw-r--r--lib/private/legacy/api.php2
-rw-r--r--lib/private/legacy/json.php2
-rw-r--r--lib/private/legacy/util.php2
4 files changed, 19 insertions, 5 deletions
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
index 66bcafbce71..143fe7dc927 100644
--- a/lib/private/Authentication/TwoFactorAuth/Manager.php
+++ b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -165,10 +165,24 @@ class Manager {
/**
* Check if the currently logged in user needs to pass 2FA
*
+ * @param IUser $user the currently logged in user
* @return boolean
*/
- public function needsSecondFactor() {
- return $this->session->exists(self::SESSION_UID_KEY);
+ public function needsSecondFactor(IUser $user = null) {
+ if (is_null($user) || !$this->session->exists(self::SESSION_UID_KEY)) {
+ return false;
+ }
+
+ if (!$this->isTwoFactorAuthenticated($user)) {
+ // There is no second factor any more -> let the user pass
+ // This prevents infinite redirect loops when a user is about
+ // to solve the 2FA challenge, and the provider app is
+ // disabled the same time
+ $this->session->remove(self::SESSION_UID_KEY);
+ return false;
+ }
+
+ return true;
}
/**
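Review bot: The `is_null($user)` branch at the top of the new needsSecondFactor() fails open: a caller still using the old zero-argument form now gets `false` and skips the second-factor gate entirely, even when `SESSION_UID_KEY` is set, whereas the removed line returned the session flag. Keeping the parameter optional for compatibility is reasonable, but the null case should keep the previous behaviour rather than waive the check: `if ($user === null) { return $this->session->exists(self::SESSION_UID_KEY); }` followed by `if (!$this->session->exists(self::SESSION_UID_KEY)) { return false; }`. The docblock should also read `@param IUser|null $user`, since null is accepted. Whether isTwoFactorAuthenticated() can return false transiently (it is defined outside this hunk) is not visible here; if it can, the session key is removed and the challenge is skipped, which is worth confirming before merging.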
diff --git a/lib/private/legacy/api.php b/lib/private/legacy/api.php
index 30083294861..17ee9c5d468 100644
--- a/lib/private/legacy/api.php
+++ b/lib/private/legacy/api.php
@@ -311,7 +311,7 @@ class OC_API {
// reuse existing login
$loggedIn = \OC::$server->getUserSession()->isLoggedIn();
if ($loggedIn === true) {
- if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor()) {
+ if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
// Do not allow access to OCS until the 2FA challenge was solved successfully
return false;
}
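Review bot: The user session is resolved twice within three lines — `isLoggedIn()` on the line above and `getUser()` inside the new condition — so the call would read better with a single lookup: `$userSession = \OC::$server->getUserSession();` before the `isLoggedIn()` check and `$userSession->getUser()` passed to needsSecondFactor(). The same pattern appears in the json.php and util.php hunks of this commit. Because the new needsSecondFactor() treats a null user as "no second factor required", each of these gates now depends on getUser() never returning null once the logged-in check has passed; whether that holds cannot be verified from these hunks. The enclosing method of OC_API starts outside the hunk.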
diff --git a/lib/private/legacy/json.php b/lib/private/legacy/json.php
index 2882ac94ea9..f386d03ab1b 100644
--- a/lib/private/legacy/json.php
+++ b/lib/private/legacy/json.php
@@ -68,7 +68,7 @@ class OC_JSON{
public static function checkLoggedIn() {
$twoFactorAuthManger = \OC::$server->getTwoFactorAuthManager();
if( !OC_User::isLoggedIn()
- || $twoFactorAuthManger->needsSecondFactor()) {
+ || $twoFactorAuthManger->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
$l = \OC::$server->getL10N('lib');
http_response_code(\OCP\AppFramework\Http::STATUS_UNAUTHORIZED);
self::error(array( 'data' => array( 'message' => $l->t('Authentication error'), 'error' => 'authentication_error' )));
diff --git a/lib/private/legacy/util.php b/lib/private/legacy/util.php
index a975da39271..7341331518d 100644
--- a/lib/private/legacy/util.php
+++ b/lib/private/legacy/util.php
@@ -975,7 +975,7 @@ class OC_Util {
exit();
}
// Redirect to index page if 2FA challenge was not solved yet
- if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor()) {
+ if (\OC::$server->getTwoFactorAuthManager()->needsSecondFactor(\OC::$server->getUserSession()->getUser())) {
header('Location: ' . \OCP\Util::linkToAbsolute('', 'index.php'));
exit();
}