From: Tim Düsterhus <duesterhus@woltlab.com>
Date: Tue, 24 Nov 2020 13:21:54 +0000 (+0100)
Subject: Add email notification when using a backup code
X-Git-Tag: 5.4.0_Alpha_1~555^2~33^2
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=bb9c9ae53b94362581587f80b7d641c21baa275f;p=GitHub%2FWoltLab%2FWCF.git

Add email notification when using a backup code
---

diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
index 05d8fc4b5d..dbd7d44bc2 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
@@ -1,5 +1,6 @@
 <?php
 namespace wcf\system\user\multifactor;
+use wcf\system\email\SimpleEmail;
 use wcf\system\flood\FloodControl;
 use wcf\system\form\builder\container\FormContainer;
 use wcf\system\form\builder\field\ButtonFormField;
@@ -275,5 +276,47 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 		if ($statement->getAffectedRows() !== 1) {
 			throw new \RuntimeException('Unable to invalidate the code.');
 		}
+		
+		$this->sendAuthenticationEmail($setup, $usedCode);
+	}
+	
+	/**
+	 * Notifies the user that an emergency code has been used.
+	 */
+	private function sendAuthenticationEmail(Setup $setup, array $usedCode): void {
+		$sql = "SELECT	COUNT(*) - COUNT(useTime) AS count
+			FROM	wcf".WCF_N."_user_multifactor_backup
+			WHERE	setupID = ?";
+		$statement = WCF::getDB()->prepareStatement($sql);
+		$statement->execute([$setup->getId()]);
+		
+		$remaining = $statement->fetchSingleColumn();
+	
+		$email = new SimpleEmail();
+		$email->setRecipient($setup->getUser());
+		
+		$email->setSubject(
+			WCF::getLanguage()->getDynamicVariable('wcf.user.security.multifactor.backup.authenticationEmail.subject', [
+				'remaining' => $remaining,
+				'usedCode' => $usedCode,
+				'setup' => $setup,
+			])
+		);
+		$email->setHtmlMessage(
+			WCF::getLanguage()->getDynamicVariable('wcf.user.security.multifactor.backup.authenticationEmail.body.html', [
+				'remaining' => $remaining,
+				'usedCode' => $usedCode,
+				'setup' => $setup,
+			])
+		);
+		$email->setMessage(
+			WCF::getLanguage()->getDynamicVariable('wcf.user.security.multifactor.backup.authenticationEmail.body.plain', [
+				'remaining' => $remaining,
+				'usedCode' => $usedCode,
+				'setup' => $setup,
+			])
+		);
+		
+		$email->send();
 	}
 }
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 994acdc89d..eaf9674fdb 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -4920,6 +4920,17 @@ Die E-Mail-Adresse des neuen Benutzers lautet: {@$user->email}
 		<item name="wcf.user.security.multifactor.disable.confirm.required"><![CDATA[{if LANGUAGE_USE_INFORMAL_VARIANT}Bitte bestÃ¤tige, dass du die Hinweise gelesen hast und mit der Deaktivierung fortfahren mÃ¶chtest.{else}Bitte bestÃ¤tigen Sie, dass Sie die Hinweise gelesen haben und mit der Deaktivierung fortfahren mÃ¶chten.{/if}]]></item>
 		<item name="wcf.user.security.multifactor.disable.success"><![CDATA[Das Verfahren <strong>{lang}wcf.user.security.multifactor.{$setup->getObjectType()->objectType}{/lang}</strong> wurde erfolgreich deaktiviert.]]></item>
 		<item name="wcf.user.security.multifactor.disable.success.full"><![CDATA[Die Mehrfaktor-Authentifizierung wurde erfolgreich deaktiviert.]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.subject"><![CDATA[Authentifizierung mittels Notfall-Code auf {@PAGE_TITLE|language}]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.body.html"><![CDATA[<h2>Hallo {$setup->getUser()->username},</h2>
+
+<p>{if LANGUAGE_USE_INFORMAL_VARIANT}Du hast{else}Sie haben{/if} den Notfall-Code <code>{$usedCode[identifier]}</code> zur Mehrfaktor-Authentifizierung genutzt. Dieser Code ist nun nicht mehr gÃ¼ltig. {plural value=$remaining 0='<b>Es gibt keine weiteren gÃ¼ltigen Codes.</b>' 1='Es verbleibt ein gÃ¼ltiger Code.' other='Es verbleiben # gÃ¼ltige Codes.'}</p>
+
+<p>{if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie kÃ¶nnen{/if} die Mehrfaktor-Authentifizierung in der <a href="{link controller='AccountSecurity' isHtmlEmail=true}{/link}">Account-Sicherheit</a> verwalten und dort neue Notfall-Codes generieren oder die Mehrfaktor-Authentifizierung deaktivieren.</p>]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.body.plain"><![CDATA[Hallo {$setup->getUser()->username},
+
+{if LANGUAGE_USE_INFORMAL_VARIANT}Du hast{else}Sie haben{/if} den Notfall-Code â{$usedCode[identifier]}â zur Mehrfaktor-Authentifizierung genutzt. Dieser Code ist nun nicht mehr gÃ¼ltig. {plural value=$remaining 0='**Es gibt keine weiteren gÃ¼ltigen Codes.**' 1='Es verbleibt ein gÃ¼ltiger Code.' other='Es verbleiben # gÃ¼ltige Codes.'} {* this line ends with a space *}
+
+{if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie kÃ¶nnen{/if} die Mehrfaktor-Authentifizierung in der Account-Sicherheit [URL:{link controller='AccountSecurity' isEmail=true}{/link}] verwalten und dort neue Notfall-Codes generieren oder die Mehrfaktor-Authentifizierung deaktivieren.]]></item>
 	</category>
 	<category name="wcf.user.trophy">
 		<item name="wcf.user.trophy.trophyPoints"><![CDATA[TrophÃ¤en]]></item>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index f440faba8f..d0045d3e5b 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -4917,6 +4917,17 @@ Open the link below to access the user profile:
 		<item name="wcf.user.security.multifactor.disable.confirm.required"><![CDATA[Please confirm that you read the explanation and that you would like to proceed.]]></item>
 		<item name="wcf.user.security.multifactor.disable.success"><![CDATA[The <strong>{lang}wcf.user.security.multifactor.{$setup->getObjectType()->objectType}{/lang}</strong> method has successfully been disabled.]]></item>
 		<item name="wcf.user.security.multifactor.disable.success.full"><![CDATA[The multi-factor authentication has successfully been disabled.]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.subject"><![CDATA[Authentication using emergency code on {@PAGE_TITLE|language}]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.body.html"><![CDATA[<h2>Dear {$setup->getUser()->username},</h2>
+
+<p>You used the emergency code <code>{$usedCode[identifier]}</code> for multi-factor authentication. This code no longer is valid. {plural value=$remaining 0='<b>You don't have any remaining codes.</b>' 1='You have one remaining code.' other='You have # remaining codes.'}</p>
+
+<p>You can manage multi-factor authentication within the <a href="{link controller='AccountSecurity' isHtmlEmail=true}{/link}">Account Security</a> page. Within account security you can generate new emergency codes or disable multi-factor authentication.</p>]]></item>
+		<item name="wcf.user.security.multifactor.backup.authenticationEmail.body.plain"><![CDATA[Dear {$setup->getUser()->username},
+
+You used the emergency code â{$usedCode[identifier]}â for multi-factor authentication. This code no longer is valid. {plural value=$remaining 0='**You don't have any remaining codes.**' 1='You have one remaining code.' other='You have # remaining codes.'} {* this line ends with a space *}
+
+You can manage multi-factor authentication within the Account Security page [URL:{link controller='AccountSecurity' isEmail=true}{/link}]. Within account security you can generate new emergency codes or disable multi-factor authentication.]]></item>
 	</category>
 	<category name="wcf.user.trophy">
 		<item name="wcf.user.trophy.trophyPoints"><![CDATA[Trophies]]></item>
