Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 05:36:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed guest user email showing in TOTP setup url

Browse Source 
- Occured during enforced MFA setup upon login.
- Added test to cover.

Fixes #2971
This commit is contained in:
Dan Brown 2021-10-14 18:02:16 +01:00
parent d21b60079c
commit c9c0e5e16f
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/Auth/Access/Mfa/TotpService.php
View File

@ -8,6 +8,7 @@ use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\RendererStyle\Fill;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;
use BookStack\Auth\User;
use PragmaRX\Google2FA\Google2FA;
use PragmaRX\Google2FA\Support\Constants;
@ -36,11 +37,11 @@ class TotpService
/**
* Generate a TOTP URL from secret key.
*/
public function generateUrl(string $secret): string
public function generateUrl(string $secret, User $user): string
{
return $this->google2fa->getQRCodeUrl(
setting('app-name'),
user()->email,
$user->email,
$secret
);
}

2
app/Http/Controllers/Auth/MfaTotpController.php
View File

@ -31,7 +31,7 @@ class MfaTotpController extends Controller
session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
}
$qrCodeUrl = $totp->generateUrl($totpSecret);
$qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
$svg = $totp->generateQrCodeSvg($qrCodeUrl);
return view('mfa.totp-generate', [

19
tests/Auth/MfaConfigurationTest.php
View File

@ -4,6 +4,7 @@ namespace Tests\Auth;
use BookStack\Actions\ActivityType;
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\Role;
use BookStack\Auth\User;
use PragmaRX\Google2FA\Google2FA;
use Tests\TestCase;
@ -164,4 +165,22 @@ class MfaConfigurationTest extends TestCase
$this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
$this->assertEquals(0, $admin->mfaValues()->count());
}
public function test_totp_setup_url_shows_correct_user_when_setup_forced_upon_login()
{
$admin = $this->getAdmin();
/** @var Role $role */
$role = $admin->roles()->first();
$role->mfa_enforced = true;
$role->save();
$resp = $this->post('/login', ['email' => $admin->email, 'password' => 'password']);
$this->assertFalse(auth()->check());
$resp->assertRedirect('/mfa/verify');
$resp = $this->get('/mfa/totp/generate');
$resp->assertSeeText('Mobile App Setup');
$resp->assertDontSee("otpauth://totp/BookStack:guest%40example.com");
$resp->assertSee("otpauth://totp/BookStack:admin%40admin.com");
}
}