From: Tim Düsterhus Date: Wed, 25 Nov 2020 17:24:37 +0000 (+0100) Subject: Expire pending user changes after 15 minutes X-Git-Tag: 5.4.0_Alpha_1~555^2~18^2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=010c37374e9a5fe8f0a2bba726639ce97b164c9f;p=GitHub%2FWoltLab%2FWCF.git Expire pending user changes after 15 minutes 15 minutes should be plenty of time for the user to complete the MF authentication flow. A user is not going to sit patiently for 15 minutes without simply closing the browser window which de facto forces them to start anew, because nothing leads back to the MF authentication flow except performing yet another login. Email codes are the only (default) method that could be slow without the user being able to do anything about it (e.g. due to greylisting). These codes already expire after 10 minutes, giving an implicit upper bound (when ignoring the fact that a new code will be sent every 2 minutes during refreshing). --- diff --git a/wcfsetup/install/files/lib/form/MultifactorAuthenticationForm.class.php b/wcfsetup/install/files/lib/form/MultifactorAuthenticationForm.class.php index ceea1c9000..0954afec8a 100644 --- a/wcfsetup/install/files/lib/form/MultifactorAuthenticationForm.class.php +++ b/wcfsetup/install/files/lib/form/MultifactorAuthenticationForm.class.php @@ -6,6 +6,7 @@ use wcf\form\AbstractFormBuilderForm; use wcf\system\application\ApplicationHandler; use wcf\system\cache\runtime\UserProfileRuntimeCache; use wcf\system\exception\IllegalLinkException; +use wcf\system\exception\NamedUserException; use wcf\system\exception\PermissionDeniedException; use wcf\system\form\builder\TemplateFormNode; use wcf\system\request\LinkHandler; @@ -77,7 +78,9 @@ class MultifactorAuthenticationForm extends AbstractFormBuilderForm { $this->user = WCF::getSession()->getPendingUserChange(); if (!$this->user) { - throw new PermissionDeniedException(); + throw new NamedUserException(WCF::getLanguage()->getDynamicVariable( + 'wcf.user.security.multifactor.authentication.noPendingUserChange' + )); } $this->setups = Setup::getAllForUser($this->user); diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php index 0f0839a323..739a7db766 100644 --- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php +++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php @@ -133,11 +133,12 @@ final class SessionHandler extends SingletonFactory { */ private $xsrfToken; - private const ACP_SESSION_LIFETIME = 7200; - private const GUEST_SESSION_LIFETIME = 7200; - private const USER_SESSION_LIFETIME = 86400 * 14; + private const ACP_SESSION_LIFETIME = 2 * 3600; + private const GUEST_SESSION_LIFETIME = 2 * 3600; + private const USER_SESSION_LIFETIME = 14 * 86400; private const CHANGE_USER_AFTER_MULTIFACTOR_KEY = '__changeUserAfterMultifactor__'; + private const PENDING_USER_LIFETIME = 15 * 60; /** * Provides access to session data. @@ -705,7 +706,10 @@ final class SessionHandler extends SingletonFactory { */ public function changeUserAfterMultifactor(User $user): bool { if ($user->multifactorActive) { - $this->register(self::CHANGE_USER_AFTER_MULTIFACTOR_KEY, $user->userID); + $this->register(self::CHANGE_USER_AFTER_MULTIFACTOR_KEY, [ + 'userId' => $user->userID, + 'expires' => TIME_NOW + self::PENDING_USER_LIFETIME, + ]); $this->setLanguageID($user->languageID); return true; @@ -746,8 +750,15 @@ final class SessionHandler extends SingletonFactory { * Returns the pending user change initiated by changeUserAfterMultifactor(). */ public function getPendingUserChange(): ?User { - $userId = $this->getVar(self::CHANGE_USER_AFTER_MULTIFACTOR_KEY); - if (!$userId) { + $data = $this->getVar(self::CHANGE_USER_AFTER_MULTIFACTOR_KEY); + if (!$data) { + return null; + } + + $userId = $data['userId']; + $expires = $data['expires']; + + if ($expires < TIME_NOW) { return null; } diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml index 175e07076a..b312e5801d 100644 --- a/wcfsetup/install/lang/de.xml +++ b/wcfsetup/install/lang/de.xml @@ -4945,6 +4945,7 @@ Die E-Mail-Adresse des neuen Benutzers lautet: {@$user->email} {if LANGUAGE_USE_INFORMAL_VARIANT}Du hast{else}Sie haben{/if} die Mehrfaktor-Authentifizierung mit dem Verfahren „{lang}wcf.user.security.multifactor.{$method->objectType}{/lang}“ erfolgreich aktiviert. {if LANGUAGE_USE_INFORMAL_VARIANT}Du wirst{else}Sie werden{/if} von nun an bei jedem Login den zusätzlichen Faktor benötigen. {if LANGUAGE_USE_INFORMAL_VARIANT}Du hast{else}Sie haben{/if} auch eine Liste von Notfallcodes erhalten, falls der zusätzliche Faktor unbrauchbar werden sollte. **{if LANGUAGE_USE_INFORMAL_VARIANT}Hast du dir{else}Haben Sie sich{/if} die Notfallcodes notiert?** Falls {if LANGUAGE_USE_INFORMAL_VARIANT}du es vergessen hast, kannst du{else}Sie es vergessen haben, können Sie{/if} dies nachholen, indem {if LANGUAGE_USE_INFORMAL_VARIANT}du{else}Sie{/if} in der Verwaltung der Notfallcodes [URL:{link controller='MultifactorManage' object=$backupMethod isEmail=true}{/link}] neue Notfallcodes {if LANGUAGE_USE_INFORMAL_VARIANT}generierst{else}generieren{/if}.]]> + {if LANGUAGE_USE_INFORMAL_VARIANT}logge dich{else}loggen Sie sich{/if} erneut ein.]]> diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml index 95e900e6f4..684f18b3f2 100644 --- a/wcfsetup/install/lang/en.xml +++ b/wcfsetup/install/lang/en.xml @@ -4942,6 +4942,7 @@ You can manage multi-factor authentication within the Account Security page [URL You successfully enabled multi-factor authentication using the „{lang}wcf.user.security.multifactor.{$method->objectType}{/lang}“ method. Going forward you will need to have your second factor handy for every login. You also received a list of emergency codes to use when your second factor becomes unavailable. **Did you store these emergency codes securely?** If you forgot you can do now by generating new codes in the Emergency Code Management [URL:{link controller='MultifactorManage' object=$backupMethod isEmail=true}{/link}].]]> + Login once again.]]>