archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-05-06 09:10:06 +00:00
Code Issues Projects Releases Wiki Activity

Fixed guest user email showing in TOTP setup url

Browse source 
- Occured during enforced MFA setup upon login.
- Added test to cover.

Fixes
This commit is contained in:
Dan Brown 2021-10-14 18:02:16 +01:00
parent d21b60079c
commit c9c0e5e16f
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
3 changed files with 23 additions and 3 deletions
app
Auth/Access/Mfa
TotpService.php
Http/Controllers/Auth
MfaTotpController.php
tests/Auth
MfaConfigurationTest.php

5
app/Auth/Access/Mfa/TotpService.php
View file

@ -8,6 +8,7 @@ use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\RendererStyle\Fill; use BaconQrCode\Renderer\RendererStyle\Fill;
use BaconQrCode\Renderer\RendererStyle\RendererStyle; use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer; use BaconQrCode\Writer;
use BookStack\Auth\User;
use PragmaRX\Google2FA\Google2FA; use PragmaRX\Google2FA\Google2FA;
use PragmaRX\Google2FA\Support\Constants; use PragmaRX\Google2FA\Support\Constants;
@ -36,11 +37,11 @@ class TotpService
/** /**
* Generate a TOTP URL from secret key. * Generate a TOTP URL from secret key.
*/ */
public function generateUrl(string $secret): string public function generateUrl(string $secret, User $user): string
{ {
return $this->google2fa->getQRCodeUrl( return $this->google2fa->getQRCodeUrl(
setting('app-name'), setting('app-name'),
user()->email, $user->email,
$secret $secret
); );
} }

2
app/Http/Controllers/Auth/MfaTotpController.php
View file

@ -31,7 +31,7 @@ class MfaTotpController extends Controller
session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret)); session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
} }
$qrCodeUrl = $totp->generateUrl($totpSecret); $qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
$svg = $totp->generateQrCodeSvg($qrCodeUrl); $svg = $totp->generateQrCodeSvg($qrCodeUrl);
return view('mfa.totp-generate', [ return view('mfa.totp-generate', [

19
tests/Auth/MfaConfigurationTest.php
View file

@ -4,6 +4,7 @@ namespace Tests\Auth;
use BookStack\Actions\ActivityType; use BookStack\Actions\ActivityType;
use BookStack\Auth\Access\Mfa\MfaValue; use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\Role;
use BookStack\Auth\User; use BookStack\Auth\User;
use PragmaRX\Google2FA\Google2FA; use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase; use Tests\TestCase;
@ -164,4 +165,22 @@ class MfaConfigurationTest extends TestCase
$this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD); $this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
$this->assertEquals(0, $admin->mfaValues()->count()); $this->assertEquals(0, $admin->mfaValues()->count());
} }
public function test_totp_setup_url_shows_correct_user_when_setup_forced_upon_login()
{
$admin = $this->getAdmin();
/** @var Role $role */
$role = $admin->roles()->first();
$role->mfa_enforced = true;
$role->save();
$resp = $this->post('/login', ['email' => $admin->email, 'password' => 'password']);
$this->assertFalse(auth()->check());
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/totp/generate');
$resp->assertSeeText('Mobile App Setup');
$resp->assertDontSee("otpauth://totp/BookStack:guest%40example.com");
$resp->assertSee("otpauth://totp/BookStack:admin%40admin.com");
}
} }