ThaMunsta/itflow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add email notification to agents if their 2FA code is entered incorrectly (this may be a sign of account compromise)

Browse Source 
- Tidy login code flow so that the "logged" session variable only has to be set in one place, rather than in two (both for 2fa and non-2fa logins)
This commit is contained in:
Marcus Hill
2023-01-21 13:25:16 +00:00
parent 6d26b07d70
commit b9b0440186
1 changed files with 143 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files
login.php
+68 -31
View File
@@ -12,6 +12,20 @@ include("functions.php");
$ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
// Query Settings for "default" company (as companies are being removed shortly)
$sql_settings = mysqli_query($mysqli,"SELECT * FROM settings WHERE company_id = 1");
$row = mysqli_fetch_array($sql_settings);
// Mail
$config_smtp_host = $row['config_smtp_host'];
$config_smtp_port = $row['config_smtp_port'];
$config_smtp_encryption = $row['config_smtp_encryption'];
$config_smtp_username = $row['config_smtp_username'];
$config_smtp_password = $row['config_smtp_password'];
$config_mail_from_email = $row['config_mail_from_email'];
$config_mail_from_name = $row['config_mail_from_name'];
// HTTP-Only cookies
ini_set("session.cookie_httponly", True);
@@ -48,23 +62,46 @@ if (isset($_POST['login'])) {
// Passed login brute force check
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$password = $_POST['password'];
$current_code = 0; // Default value
if (isset($_POST['current_code'])) {
$current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code']));
}
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users LEFT JOIN user_settings on users.user_id = user_settings.user_id WHERE user_email = '$email' AND user_archived_at IS NULL AND user_status = 1"));
// Check password
if ($row && password_verify($password, $row['user_password'])) {
// User variables
$token = $row['user_token'];
// User password correct (partial login)
// Set temporary user variables
$user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name']));
$user_id = $row['user_id'];
$user_email = $row['user_email'];
$token = $row['user_token'];
// Checking for user 2FA
require_once("rfc6238.php");
if (empty($token) || TokenAuth6238::verify($token, $current_code)) {
// FULL LOGIN SUCCESS - 2FA not configured or was successful
// Determine whether 2FA was used (for logs)
$extended_log = ''; // Default value
if ($current_code !== 0 ) {
$extended_log = 'with 2FA';
}
// Logging successful login
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in $extended_log', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id");
// Session info
$_SESSION['user_id'] = $user_id;
$_SESSION['user_name'] = $user_name;
$_SESSION['user_role'] = $row['user_role'];
$_SESSION['csrf_token'] = bin2hex(random_bytes(78));
$_SESSION['logged'] = TRUE;
// Setup encryption session key
if (isset($row['user_specific_encryption_ciphertext']) && $row['user_role'] > 1) {
@@ -84,12 +121,6 @@ if (isset($_POST['login'])) {
}
}
if (empty($token)) {
// Full Login successful
$_SESSION['logged'] = TRUE;
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id");
// Show start page/dashboard depending on role
if ($row['user_role'] == 2) {
header("Location: dashboard_technical.php");
@@ -97,11 +128,15 @@ if (isset($_POST['login'])) {
header("Location: dashboard_financial.php");
}
} else {
// Prompt for MFA
$token_field = "<div class='input-group mb-3'>
<input type='text' class='form-control' placeholder='Token' name='current_code' autofocus>
} else {
// MFA is configured and needs to be confirmed, or was unsuccessful
// HTML code for the token input field
$token_field = "
<div class='input-group mb-3'>
<input type='text' class='form-control' placeholder='2FA Token' name='current_code' required autofocus>
<div class='input-group-append'>
<div class='input-group-text'>
<span class='fas fa-key'></span>
@@ -109,41 +144,43 @@ if (isset($_POST['login'])) {
</div>
</div>";
require_once("rfc6238.php");
// Log/notify if MFA was unsuccessful
if ($current_code !== 0) {
if (TokenAuth6238::verify($token, $current_code)) {
// Full login (with MFA) successful
$_SESSION['logged'] = TRUE;
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login 2FA', log_action = 'Success', log_description = '$user_name successfully logged in using 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
// Show start page/dashboard depending on role
if ($row['user_role'] == 2) {
header("Location: dashboard_technical.php");
} else {
header("Location: dashboard_financial.php");
}
} else {
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = '2FA Failed', log_description = '$user_name failed 2FA', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
// Email the tech to advise their credentials may be compromised
if (!empty($config_smtp_host)) {
$subject = "Important: ITFlow failed 2FA login attempt for $user_name";
$body = "Hi $user_name, <br><br>A recent login to ITFlow was unsuccessful due to an incorrect 2FA code. If you did not attempt this login, your credentials may be compromised. <br><br>Thanks, <br>ITFlow";
$mail = sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port,
$config_mail_from_email, $config_mail_from_name,
$user_email, $user_name,
$subject, $body);
}
// HTML feedback for incorrect 2FA code
$response = "
<div class='alert alert-primary'>
<div class='alert alert-warning'>
Please Enter 2FA Key!
<button class='close' data-dismiss='alert'>&times;</button>
</div>
";
</div>";
}
}
} else {
// Password incorrect or user doesn't exist - show generic error
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
$response = "
<div class='alert alert-danger'>
Incorrect username or password.
<button class='close' data-dismiss='alert'>&times;</button>
</div>
";
</div>";
}
}
}