exclude oauth clients & app passwords from mailbox tfa

2022-07-14 18:37:21 +02:00 · 2022-07-14 18:37:21 +02:00 · be08742653
commit be08742653
parent 528f7da5ef
2 changed files with 22 additions and 18 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@ -807,7 +807,7 @@ function verify_hash($hash, $password) {
  }
  return false;
 }
-function check_login($user, $pass, $app_passwd_data = false) {
+function check_login($user, $pass, $app_passwd_data = false, $skip_tfa = false) {
  global $pdo;
  global $redis;
  global $imap_server;
@ -938,6 +938,8 @@ function check_login($user, $pass, $app_passwd_data = false) {
  foreach ($rows as $row) {
    // verify password
    if (verify_hash($row['password'], $pass) !== false) {
      if ($app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true && !$skip_tfa){
        // check for tfa authenticators
        $authenticators = get_tfa($user);
        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
@ -951,6 +953,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
            'msg' => array('logged_in_as', $user)
          );
          return "pending";
        }
      } else {
        if ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
          $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
@ -961,12 +964,13 @@ function check_login($user, $pass, $app_passwd_data = false) {
            ':username' => $user,
            ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
          ));
-        }
+        } elseif (!$skip_tfa) {
        unset($_SESSION['ldelay']);
          // Reactivate TFA if it was set to "deactivate TFA for next login"
          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
          $stmt->execute(array(':user' => $user));
        }
        unset($_SESSION['ldelay']);
        return "user";
      }
    }
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@ -131,7 +131,7 @@ class mailcowPdo extends OAuth2\Storage\Pdo {
    $this->config['user_table'] = 'mailbox';
  }
  public function checkUserCredentials($username, $password) {
-    if (check_login($username, $password) == 'user') {
+    if (check_login($username, $password, false, true) == 'user') {
      return true;
    }
    return false;