Add a two-step setup of OTP

Before this change, 2FA with OTP was enabled before the user was able to submit a code to validate the setup. Thus, this could lead to a situation where the user is locked out of her account if there was an issue setting up her application. Now we rely on a new boolean property that is set to true only after the user submits a valid code during the setup phase. Fixes #4867 Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2025-09-15 18:57:05 +00:00 · 2025-04-13 16:12:13 +02:00 · 2025-04-13 16:12:13 +02:00 · 5f0cb45b2d
commit 5f0cb45b2d
parent 3f6c01103d
3 changed files with 49 additions and 2 deletions
--- a/migrations/Version20250413133131.php
+++ b/migrations/Version20250413133131.php
@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Application\Migrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Wallabag\Doctrine\WallabagMigration;
+
+/**
+ * Add boolean for two-step setup for google authenticator
+ */
+final class Version20250413133131 extends WallabagMigration
+{
+    public function up(Schema $schema): void
+    {
+        $userTable = $schema->getTable($this->getTable('user'));
+
+        $this->skipIf($userTable->hasColumn('googleauthenticator'), 'It seems that you already played this migration.');
+
+        $userTable->addColumn('googleauthenticator', 'boolean', [
+            'default' => false,
+            'notnull' => false,
+        ]);
+    }
+
+    public function down(Schema $schema): void
+    {
+        $userTable = $schema->getTable($this->getTable('user'));
+        $userTable->dropColumn('googleauthenticator');
+    }
+}
--- a/src/Controller/ConfigController.php
+++ b/src/Controller/ConfigController.php
@ -312,7 +312,8 @@ class ConfigController extends AbstractController

        $user = $this->getUser();

-        $user->setGoogleAuthenticatorSecret('');
+        $user->setGoogleAuthenticatorSecret(null);
+        $user->setGoogleAuthenticator(false);
        $user->setBackupCodes(null);

        $this->userManager->updateUser($user);
@ -408,6 +409,9 @@ class ConfigController extends AbstractController
                'notice',
                'flashes.config.notice.otp_enabled'
            );
+            $user->setGoogleAuthenticator(true);
+            $this->userManager->updateUser($user);
+            $this->entityManager->flush();

            return $this->redirect($this->generateUrl('config') . '#set3');
        }
--- a/src/Entity/User.php
+++ b/src/Entity/User.php
@ -147,6 +147,9 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
    #[ORM\Column(name: 'googleAuthenticatorSecret', type: 'string', nullable: true)]
    private $googleAuthenticatorSecret;

+    #[ORM\Column(name: 'googleAuthenticator', type: 'boolean')]
+    private $googleAuthenticator;
+
    /**
     * @var array
     */
@ -264,6 +267,14 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
        $this->emailTwoFactor = $emailTwoFactor;
    }

+    /**
+     * @param bool $googleAuthenticator
+     */
+    public function setGoogleAuthenticator(bool $googleAuthenticator): void
+    {
+        $this->googleAuthenticator = $googleAuthenticator;
+    }
+
    /**
     * Used in the user config form to be "like" the email option.
     */
@ -294,7 +305,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI

    public function isGoogleAuthenticatorEnabled(): bool
    {
-        return $this->googleAuthenticatorSecret ? true : false;
+        return $this->googleAuthenticator;
    }

    public function getGoogleAuthenticatorUsername(): string