Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fix exposing 2FA secret in JWT token on login
  • Loading branch information
aheinze committed Aug 12, 2022
1 parent 593d45e commit 4bee1b9
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@
## WIP

- Add `./tower app:update` cli command to update Cockpit to the latest or specific version
- Fix exposing 2FA secret in JWT token on login

## 2.2.1 (2022-08-10)

Expand Down
18 changes: 13 additions & 5 deletions modules/App/Controller/Auth.php
Expand Up @@ -78,21 +78,29 @@ public function check() {

if (isset($user['twofa']['enabled']) && $user['twofa']['enabled']) {

unset($user['twofa']);

return [
'success' => true,
'user' => [
'name' => $user['name'],
'user' => $user['user'],
'email' => $user['email'],
'twofa' => $this->helper('jwt')->create($user)
'twofa' => $this->helper('jwt')->create([
'_id' => $user['_id'],
'user' => $user['user'],
'name' => $user['name'],
'email' => $user['email'],
'role' => $user['role'],
])
]
];

} else {
// remove twofa settings
unset($user['twofa']);
}

// remove 2FA settings from user session
unset($user['twofa']);

$this->app->trigger('app.user.disguise', [&$user]);

$this->helper('auth')->setUser($user);
Expand Down Expand Up @@ -140,4 +148,4 @@ public function validate2FA() {
return $this->stop(412);

}
}
}

0 comments on commit 4bee1b9

Please sign in to comment.