Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added 2FA logic on login screen #8241

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added 2FA logic on login screen #8241

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
404462e
Added 2FA logic on login screen
smitty-nieto Jan 23, 2025
fa89b1d
Remove duplicate logic and rely on isMFARequired()
smitty-nieto Jan 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions src/www/authgui.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,15 @@ function check_security_http_referer_enforcement()
return false;
}

function isMFARequired($config) {
global $config;
$authMode = $config['system']['webgui']['authmode'] ?? 'Local Database';
$authServer = array_filter($config['system']['authserver'] ?? [], function($server) use ($authMode) {
return $server['name'] === $authMode && $server['type'] === 'totp';
});
return !empty($authServer);
}

function session_auth()
{
global $config;
Expand All @@ -146,6 +155,8 @@ function session_auth()
session_start();
}

$showMFAField = isMFARequired($config);

// Detect protocol change
if (!isset($_POST['login']) && !empty($_SESSION['Username']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) {
session_write_close();
Expand All @@ -167,6 +178,28 @@ function session_auth()

/* Validate incoming login request */
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {

// Concatenate 2FA token with password if MFA is enabled
if ($showMFAField) {
if (empty($_POST['mfacode'])) {
display_login_form(!empty($_POST['usernamefld']) ? gettext('MFA code is required.') : null);
exit;
}
// Sanitize MFA code input
$_POST['mfacode'] = preg_replace('/[^0-9]/', '', $_POST['mfacode']);

// Check for passwordFirst logic
$passwordFirst = isset($authServer[0]['passwordFirst']) && $authServer[0]['passwordFirst'] === '1';

if ($passwordFirst) {
// Concatenate password first, then token
$_POST['passwordfld'] = $_POST['passwordfld'] . $_POST['mfacode'];
} else {
// Default: Concatenate token first, then password
$_POST['passwordfld'] = $_POST['mfacode'] . $_POST['passwordfld'];
}
}

$authFactory = new \OPNsense\Auth\AuthenticationFactory();
$is_authenticated = $authFactory->authenticate("WebGui", $_POST['usernamefld'], $_POST['passwordfld']);

Expand Down Expand Up @@ -409,6 +442,16 @@ function display_login_form($Login_Error)
<label for="passwordfld"><?=gettext("Password:"); ?></label>
<input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
</div>
<?php
// Determine if we need to display the MFA code field
$showMFAField = isMFARequired($config);

if ($showMFAField): ?>
<div class="form-group">
<label for="mfacode"><?= gettext("MFA Code:"); ?></label>
<input type="text" class="form-control" name="mfacode" id="mfacode" value="" />
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there cases where MFA wouldn't be a number? Otherwise we might want to improve browser hinting for the auto-completion (e.g., password manager) by adding inputmode="numeric", autocomplete="one-time-code" as well as pattern="\d*".

</div>
<?php endif; ?>

<button type="submit" name="login" value="1" class="btn btn-primary pull-right"><?=gettext("Login"); ?></button>

Expand All @@ -434,3 +477,4 @@ function display_login_form($Login_Error)
</body>
</html>
<?php }