Fix exposing 2FA secret in JWT token on login

Cockpit-HQ · Aug 12, 2022 · 4bee1b9 · 4bee1b9
1 parent 593d45e
commit 4bee1b9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ## WIP
 
 - Add `./tower app:update` cli command to update Cockpit to the latest or specific version
+- Fix exposing 2FA secret in JWT token on login
 
 ## 2.2.1 (2022-08-10)
 

diff --git a/modules/App/Controller/Auth.php b/modules/App/Controller/Auth.php
@@ -78,21 +78,29 @@ public function check() {
 
             if (isset($user['twofa']['enabled']) && $user['twofa']['enabled']) {
 
+                unset($user['twofa']);
+
                 return [
                     'success' => true,
                     'user' => [
                         'name' => $user['name'],
                         'user' => $user['user'],
                         'email' => $user['email'],
-                        'twofa' => $this->helper('jwt')->create($user)
+                        'twofa' => $this->helper('jwt')->create([
+                            '_id'   => $user['_id'],
+                            'user'  => $user['user'],
+                            'name'  => $user['name'],
+                            'email' => $user['email'],
+                            'role'  => $user['role'],
+                        ])
                     ]
                 ];
 
-            } else {
-                // remove twofa settings
-                unset($user['twofa']);
             }
 
+            // remove 2FA settings from user session
+            unset($user['twofa']);
+
             $this->app->trigger('app.user.disguise', [&$user]);
 
             $this->helper('auth')->setUser($user);
@@ -140,4 +148,4 @@ public function validate2FA() {
         return $this->stop(412);
 
     }
-}
+}