mirror of
https://github.com/wallabag/wallabag.git
synced 2025-08-01 17:38:38 +00:00
ConfigController: move OTP endpoints to POST method only
Fixes GHSA-56fm-hfp3-x3w3 Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
This commit is contained in:
Kevin Decherf
parent
9ec351e8b6
commit
5240684be9
5 changed files with 101 additions and 41 deletions
|
|
@ -254,10 +254,14 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Disable 2FA using email.
|
||||
*
|
||||
* @Route("/config/otp/email/disable", name="disable_otp_email")
|
||||
* @Route("/config/otp/email/disable", name="disable_otp_email", methods={"POST"})
|
||||
*/
|
||||
public function disableOtpEmailAction()
|
||||
public function disableOtpEmailAction(Request $request)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
$user->setEmailTwoFactor(false);
|
||||
|
||||
|
|
@ -274,10 +278,14 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Enable 2FA using email.
|
||||
*
|
||||
* @Route("/config/otp/email", name="config_otp_email")
|
||||
* @Route("/config/otp/email", name="config_otp_email", methods={"POST"})
|
||||
*/
|
||||
public function otpEmailAction()
|
||||
public function otpEmailAction(Request $request)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
|
||||
$user->setGoogleAuthenticatorSecret(null);
|
||||
|
|
@ -297,10 +305,14 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Disable 2FA using OTP app.
|
||||
*
|
||||
* @Route("/config/otp/app/disable", name="disable_otp_app")
|
||||
* @Route("/config/otp/app/disable", name="disable_otp_app", methods={"POST"})
|
||||
*/
|
||||
public function disableOtpAppAction()
|
||||
public function disableOtpAppAction(Request $request)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
|
||||
$user->setGoogleAuthenticatorSecret('');
|
||||
|
|
@ -319,10 +331,14 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Enable 2FA using OTP app, user will need to confirm the generated code from the app.
|
||||
*
|
||||
* @Route("/config/otp/app", name="config_otp_app")
|
||||
* @Route("/config/otp/app", name="config_otp_app", methods={"POST"})
|
||||
*/
|
||||
public function otpAppAction(GoogleAuthenticatorInterface $googleAuthenticator)
|
||||
public function otpAppAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
$secret = $googleAuthenticator->generateSecret();
|
||||
|
||||
|
|
@ -372,10 +388,14 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Validate OTP code.
|
||||
*
|
||||
* @Route("/config/otp/app/check", name="config_otp_app_check")
|
||||
* @Route("/config/otp/app/check", name="config_otp_app_check", methods={"POST"})
|
||||
*/
|
||||
public function otpAppCheckAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$isValid = $googleAuthenticator->checkCode(
|
||||
$this->getUser(),
|
||||
$request->get('_auth_code')
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue