From 4bee1b903ee20818f4a8ecb9d974b9536cc54cb4 Mon Sep 17 00:00:00 2001 From: Artur Heinze Date: Fri, 12 Aug 2022 16:54:25 +0200 Subject: [PATCH] Fix exposing 2FA secret in JWT token on login --- CHANGELOG.md | 1 + modules/App/Controller/Auth.php | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570e850c..42418e64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ## WIP - Add `./tower app:update` cli command to update Cockpit to the latest or specific version +- Fix exposing 2FA secret in JWT token on login ## 2.2.1 (2022-08-10) diff --git a/modules/App/Controller/Auth.php b/modules/App/Controller/Auth.php index 246b7416..4aeffb13 100644 --- a/modules/App/Controller/Auth.php +++ b/modules/App/Controller/Auth.php @@ -78,21 +78,29 @@ public function check() { if (isset($user['twofa']['enabled']) && $user['twofa']['enabled']) { + unset($user['twofa']); + return [ 'success' => true, 'user' => [ 'name' => $user['name'], 'user' => $user['user'], 'email' => $user['email'], - 'twofa' => $this->helper('jwt')->create($user) + 'twofa' => $this->helper('jwt')->create([ + '_id' => $user['_id'], + 'user' => $user['user'], + 'name' => $user['name'], + 'email' => $user['email'], + 'role' => $user['role'], + ]) ] ]; - } else { - // remove twofa settings - unset($user['twofa']); } + // remove 2FA settings from user session + unset($user['twofa']); + $this->app->trigger('app.user.disguise', [&$user]); $this->helper('auth')->setUser($user); @@ -140,4 +148,4 @@ public function validate2FA() { return $this->stop(412); } -} \ No newline at end of file +}
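Review bot: The `unset($user['twofa']);` added at the top of the 2FA branch in check() is dead code — the branch now builds the JWT from an explicit claim allowlist and returns immediately, and the unconditional `unset($user['twofa']);` placed after the `if` already covers the session path, so the in-branch line can be dropped. The allowlist itself is the right fix, and it deserves a why-comment on the `create([` call such as `// only non-sensitive claims: this token is handed to the client before the second factor is verified`. Because that token reaches the client before 2FA completes, it should be distinguishable from a fully authenticated session token — if the jwt helper does not already stamp a purpose and a short expiry, adding a claim like `'purpose' => '2fa'` to the array lets validate2FA (presumably the consumer of this token) reject tokens issued for anything else. check() begins and ends outside the hunk.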