From ff226d3f039daf8e77259a20083d1befbe5a1469 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Wed, 10 Apr 2019 11:33:17 -0700 Subject: [PATCH] Added option to force 2 factor auth setup --- package.json | 2 +- sample-config.json | 2 +- views/default-min.handlebars | 2 +- views/default-mobile-min.handlebars | 2 +- views/default-mobile.handlebars | 14 ++++++++++++-- views/default.handlebars | 16 +++++++++++----- webserver.js | 1 + 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index f355696b..137ec043 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "meshcentral", - "version": "0.3.2-c", + "version": "0.3.2-d", "keywords": [ "Remote Management", "Intel AMT", diff --git a/sample-config.json b/sample-config.json index 2affe5a5..950e98f9 100644 --- a/sample-config.json +++ b/sample-config.json @@ -49,7 +49,7 @@ "_NewAccountEmailDomains": [ "sample.com" ], "Footer": "Twitter", "_CertUrl": "https://192.168.2.106:443/", - "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1, "reset": 90 }, + "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1, "reset": 90, "force2factor": true }, "_AgentNoProxy": true, "_GeoLocation": true, "_UserAllowedIP": "127.0.0.1,192.168.1.0/24", diff --git a/views/default-min.handlebars b/views/default-min.handlebars index c54b3aa9..d3e44468 100644 --- a/views/default-min.handlebars +++ b/views/default-min.handlebars @@ -1 +1 @@ - {{{title}}}
{{{title}}}
{{{title2}}}

{{{logoutControl}}}

 

\ No newline at end of file + {{{title}}}
{{{title}}}
{{{title2}}}

{{{logoutControl}}}

 

\ No newline at end of file diff --git a/views/default-mobile-min.handlebars b/views/default-mobile-min.handlebars index e1b96347..76c2662a 100644 --- a/views/default-mobile-min.handlebars +++ b/views/default-mobile-min.handlebars @@ -1 +1 @@ - MeshCentral
{{{title}}}
{{{title2}}}
\ No newline at end of file + MeshCentral
{{{title}}}
{{{title2}}}
\ No newline at end of file diff --git a/views/default-mobile.handlebars b/views/default-mobile.handlebars index b12064f7..d9abdecb 100644 --- a/views/default-mobile.handlebars +++ b/views/default-mobile.handlebars @@ -1165,8 +1165,11 @@ function account_createMesh() { if (xxdialogMode) return; - // Check if we are allowed to create a new device group - if ((userinfo.emailVerified !== true) && (userinfo.email != null) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "New Device Group", 1, null, "Unable to create a new device group until the email address is verified. Go to the \"My Account\" menu option to change and verify an email address."); return; } + // Remind the user to verify the email address + if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until a email address is verified. This is required for password recovery. Go to the \"My Account\" to change and verify an email address."); return; } + + // Remind the user to add two factor authentication + if ((features & 0x00040000) && !((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0) || (userinfo.otpkeys > 0))) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until two-factor authentication is enabled. This is required for extra security. Go to the \"My Account\" and look at the \"Account Security\" section."); return; } // We are allowed, let's prompt to information var x = addHtmlValue('Name', ''); @@ -1701,6 +1704,13 @@ var powerTimeline = null; function getCurrentNode() { return currentNode; }; function gotoDevice(nodeid, panel, refresh) { + + // Remind the user to verify the email address + if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until a email address is verified. This is required for password recovery. Go to the \"My Account\" to change and verify an email address."); return; } + + // Remind the user to add two factor authentication + if ((features & 0x00040000) && !((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0) || (userinfo.otpkeys > 0))) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until two-factor authentication is enabled. This is required for extra security. Go to the \"My Account\" and look at the \"Account Security\" section."); return; } + var node = getNodeFromId(nodeid); if (node == null) { goBack(); return; } var mesh = meshes[node.meshid]; diff --git a/views/default.handlebars b/views/default.handlebars index d559a242..c760adc8 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -751,7 +751,7 @@ - +     @@ -3558,8 +3558,11 @@ function getCurrentNode() { return currentNode; }; function gotoDevice(nodeid, panel, refresh, event) { - // Check if we are allowed to create a new device group - if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "New Device Group", 1, null, "Unable to create a new device group until a email address is verified. This is required for password recovery. Go to the \"My Account\" tab to change and verify an email address."); return; } + // Remind the user to verify the email address + if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until a email address is verified. This is required for password recovery. Go to the \"My Account\" tab to change and verify an email address."); return; } + + // Remind the user to add two factor authentication + if ((features & 0x00040000) && !((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0) || (userinfo.otpkeys > 0))) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until two-factor authentication is enabled. This is required for extra security. Go to the \"My Account\" tab and look at the \"Account Security\" section."); return; } if (event && (event.shiftKey == true)) { // Open the device in a different tab @@ -5783,8 +5786,11 @@ // Check if we are disallowed from creating a device group if ((userinfo.siteadmin != 0xFFFFFFFF) && ((userinfo.siteadmin & 64) != 0)) { setDialogMode(2, "New Device Group", 1, null, "This account does not have the rights to create a new device group."); return; } - // Check if we are allowed to create a new device group - if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "New Device Group", 1, null, "Unable to create a new device group until a email address is verified. This is required for password recovery. Go to the \"My Account\" tab to change and verify an email address."); return; } + // Remind the user to verify the email address + if ((userinfo.emailVerified !== true) && (serverinfo.emailcheck == true) && (userinfo.siteadmin != 0xFFFFFFFF)) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until a email address is verified. This is required for password recovery. Go to the \"My Account\" tab to change and verify an email address."); return; } + + // Remind the user to add two factor authentication + if ((features & 0x00040000) && !((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0) || (userinfo.otpkeys > 0))) { setDialogMode(2, "Account Security", 1, null, "Unable to access a device until two-factor authentication is enabled. This is required for extra security. Go to the \"My Account\" tab and look at the \"Account Security\" section."); return; } // We are allowed, let's prompt to information var x = "Create a new device group using the options below.

"; diff --git a/webserver.js b/webserver.js index c1a5efe7..8468c61b 100644 --- a/webserver.js +++ b/webserver.js @@ -1174,6 +1174,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (domain.geolocation == true) { features += 0x00008000; } // Enable geo-location features if ((domain.passwordrequirements != null) && (domain.passwordrequirements.hint === true)) { features += 0x00010000; } // Enable password hints if ((parent.config.settings.no2factorauth !== true) && (obj.f2l != null)) { features += 0x00020000; } // Enable WebAuthn/FIDO2 support + if ((obj.args.nousers != true) && (domain.passwordrequirements != null) && (domain.passwordrequirements.force2factor === true)) { features += 0x00040000; } // Force 2-factor auth // Create a authentication cookie const authCookie = obj.parent.encodeCookie({ userid: user._id, domainid: domain.id }, obj.parent.loginCookieEncryptionKey);