mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2025-03-03 15:20:06 -05:00
MeshCMD inner auth 2FA fixes.
This commit is contained in:
Ylian Saint-Hilaire
parent
4519f377bf
commit
6ddf4bd151
@ -2023,8 +2023,12 @@ function OnServerWebSocket(msg, s, head) {
|
|||||||
if (command.msg == 'tokenrequired') {
|
if (command.msg == 'tokenrequired') {
|
||||||
if (command.email2fasent === true) {
|
if (command.email2fasent === true) {
|
||||||
console.log("Login token email sent.");
|
console.log("Login token email sent.");
|
||||||
} else if (command.email2fa === true) {
|
} else if ((command.email2fa === true) && (command.sms2fa === true)) {
|
||||||
console.log("Login token required, use --token [token], or --emailtoken, --smstoken get a token.");
|
console.log("Login token required, use --token [token], or --emailtoken, --smstoken get a token.");
|
||||||
|
} else if (command.sms2fa === true) {
|
||||||
|
console.log("Login token required, use --token [token], or --smstoken get a token.");
|
||||||
|
} else if (command.email2fa === true) {
|
||||||
|
console.log("Login token required, use --token [token], or --emailtoken get a token.");
|
||||||
} else {
|
} else {
|
||||||
console.log("Login token required, use --token [token].");
|
console.log("Login token required, use --token [token].");
|
||||||
}
|
}
|
||||||
|
|||||||
@ -2293,7 +2293,7 @@ module.exports.CreateAmtManager = function (parent) {
|
|||||||
cert.XPrivateKey = keys[j]; // Link the certificate to the key pair
|
cert.XPrivateKey = keys[j]; // Link the certificate to the key pair
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} catch (e) { console.log(e); }
|
} catch (ex) { console.log(ex); }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
15
webserver.js
15
webserver.js
@ -5782,12 +5782,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
if ((err == null) && (user)) {
|
if ((err == null) && (user)) {
|
||||||
// Check if a 2nd factor is needed
|
// Check if a 2nd factor is needed
|
||||||
var emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
|
var emailcheck = ((domain.mailserver != null) && (obj.parent.certificates.CommonName != null) && (obj.parent.certificates.CommonName.indexOf('.') != -1) && (obj.args.lanonly != true) && (domain.auth != 'sspi') && (domain.auth != 'ldap'))
|
||||||
|
|
||||||
|
// See if we support two-factor trusted cookies
|
||||||
|
var twoFactorCookieDays = 30;
|
||||||
|
if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
|
||||||
|
|
||||||
if (checkUserOneTimePasswordRequired(domain, user, req) == true) {
|
if (checkUserOneTimePasswordRequired(domain, user, req) == true) {
|
||||||
// Figure out if email 2FA is allowed
|
// Figure out if email 2FA is allowed
|
||||||
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
|
var email2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.email2factor != false)) && (domain.mailserver != null) && (user.otpekey != null));
|
||||||
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
|
var sms2fa = (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.sms2factor != false)) && (parent.smsserver != null) && (user.phone != null));
|
||||||
if ((typeof req.query.token != 'string') || (req.query.token == '**email**') || (req.query.token == '**sms**')) {
|
if ((typeof command.token != 'string') || (command.token == '**email**') || (command.token == '**sms**')) {
|
||||||
if ((req.query.token == '**email**') && (email2fa == true)) {
|
if ((command.token == '**email**') && (email2fa == true)) {
|
||||||
// Cause a token to be sent to the user's registered email
|
// Cause a token to be sent to the user's registered email
|
||||||
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
|
user.otpekey = { k: obj.common.zeroPad(getRandomEightDigitInteger(), 8), d: Date.now() };
|
||||||
obj.db.SetUser(user);
|
obj.db.SetUser(user);
|
||||||
@ -5795,7 +5800,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
|
domain.mailserver.sendAccountLoginMail(domain, user.email, user.otpekey.k, obj.getLanguageCodes(req), req.query.key);
|
||||||
// Ask for a login token & confirm email was sent
|
// Ask for a login token & confirm email was sent
|
||||||
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
|
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, email2fasent: true, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
|
||||||
} else if ((req.query.token == '**sms**') && (sms2fa == true)) {
|
} else if ((command.token == '**sms**') && (sms2fa == true)) {
|
||||||
// Cause a token to be sent to the user's phone number
|
// Cause a token to be sent to the user's phone number
|
||||||
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
|
user.otpsms = { k: obj.common.zeroPad(getRandomSixDigitInteger(), 6), d: Date.now() };
|
||||||
obj.db.SetUser(user);
|
obj.db.SetUser(user);
|
||||||
@ -5806,10 +5811,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
} else {
|
} else {
|
||||||
// Ask for a login token
|
// Ask for a login token
|
||||||
parent.debug('web', 'Asking for login token');
|
parent.debug('web', 'Asking for login token');
|
||||||
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (e) { }
|
try { ws.send(JSON.stringify({ action: 'close', cause: 'noauth', msg: 'tokenrequired', email2fa: email2fa, sms2fa: sms2fa, twoFactorCookieDays: twoFactorCookieDays })); ws.close(); } catch (ex) { console.log(ex); }
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
checkUserOneTimePassword(req, domain, user, req.query.token, null, function (result) {
|
checkUserOneTimePassword(req, domain, user, command.token, null, function (result) {
|
||||||
if (result == false) {
|
if (result == false) {
|
||||||
// Failed, ask for a login token again
|
// Failed, ask for a login token again
|
||||||
parent.debug('web', 'Invalid login token, asking again');
|
parent.debug('web', 'Invalid login token, asking again');
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user