diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index 03db7390ee..cfe992f594 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -254,10 +254,14 @@ public function indexAction(Request $request, Config $craueConfig, TaggingRuleRe
/**
* Disable 2FA using email.
*
- * @Route("/config/otp/email/disable", name="disable_otp_email")
+ * @Route("/config/otp/email/disable", name="disable_otp_email", methods={"POST"})
*/
- public function disableOtpEmailAction()
+ public function disableOtpEmailAction(Request $request)
{
+ if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
$user = $this->getUser();
$user->setEmailTwoFactor(false);
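Review bot: The CSRF guard added at the top of disableOtpEmailAction is repeated verbatim in otpEmailAction, disableOtpAppAction, otpAppAction and otpAppCheckAction, so five copies of the same intention id, lookup key and error message now have to stay in sync. A private helper on the controller keeps the check in one place and makes a later change (a per-action token id, a different exception type) a one-line edit; each action's body would then open with `$this->denyUnlessOtpCsrfTokenValid($request);`. The helper is also the natural place to state that all five actions deliberately share the single `otp` intention, which is otherwise easy to mistake for an oversight. The body of disableOtpEmailAction continues outside the hunk.
```php
    /**
     * Reject the request unless it carries a valid CSRF token for the "otp" intention.
     *
     * The same intention is shared by every 2FA enable/disable action because they
     * are all submitted from the config page; throws the controller's access-denied
     * exception when the token is missing or does not match.
     */
    private function denyUnlessOtpCsrfTokenValid(Request $request): void
    {
        if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
            throw $this->createAccessDeniedException('Bad CSRF token.');
        }
    }
```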
@@ -274,10 +278,14 @@ public function disableOtpEmailAction()
/**
* Enable 2FA using email.
*
- * @Route("/config/otp/email", name="config_otp_email")
+ * @Route("/config/otp/email", name="config_otp_email", methods={"POST"})
*/
- public function otpEmailAction()
+ public function otpEmailAction(Request $request)
{
+ if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
$user = $this->getUser();
$user->setGoogleAuthenticatorSecret(null);
@@ -297,10 +305,14 @@ public function otpEmailAction()
/**
* Disable 2FA using OTP app.
*
- * @Route("/config/otp/app/disable", name="disable_otp_app")
+ * @Route("/config/otp/app/disable", name="disable_otp_app", methods={"POST"})
*/
- public function disableOtpAppAction()
+ public function disableOtpAppAction(Request $request)
{
+ if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
$user = $this->getUser();
$user->setGoogleAuthenticatorSecret('');
@@ -319,10 +331,14 @@ public function disableOtpAppAction()
/**
* Enable 2FA using OTP app, user will need to confirm the generated code from the app.
*
- * @Route("/config/otp/app", name="config_otp_app")
+ * @Route("/config/otp/app", name="config_otp_app", methods={"POST"})
*/
- public function otpAppAction(GoogleAuthenticatorInterface $googleAuthenticator)
+ public function otpAppAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
{
+ if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
$user = $this->getUser();
$secret = $googleAuthenticator->generateSecret();
@@ -357,8 +373,10 @@ function ($backupCode) {
* Cancelling 2FA using OTP app.
*
* @Route("/config/otp/app/cancel", name="config_otp_app_cancel")
+ *
+ * XXX: commented until we rewrite 2fa with a real two-steps activation
*/
- public function otpAppCancelAction()
+ /*public function otpAppCancelAction()
{
$user = $this->getUser();
$user->setGoogleAuthenticatorSecret(null);
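Review bot: Commenting out otpAppCancelAction leaves dead code behind plus a docblock whose `@Route("/config/otp/app/cancel", name="config_otp_app_cancel")` annotation no longer belongs to any method. Since the route is intentionally retired, deleting the method and its docblock is cleaner; version control keeps the old implementation, and the `XXX` remark can live in the commit message or a single-line comment. Any template or test that still builds `config_otp_app_cancel` via path() or generateUrl() will now fail at runtime rather than at build time, so it is worth searching for the name before merging. The commented-out body continues outside the hunk.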
@@ -367,15 +385,19 @@ public function otpAppCancelAction()
$this->userManager->updateUser($user, true);
return $this->redirect($this->generateUrl('config') . '#set3');
- }
+ }*/
/**
* Validate OTP code.
*
- * @Route("/config/otp/app/check", name="config_otp_app_check")
+ * @Route("/config/otp/app/check", name="config_otp_app_check", methods={"POST"})
*/
public function otpAppCheckAction(Request $request, GoogleAuthenticatorInterface $googleAuthenticator)
{
+ if (!$this->isCsrfTokenValid('otp', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
$isValid = $googleAuthenticator->checkCode(
$this->getUser(),
$request->get('_auth_code')
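Review bot: The new guard reads the token from the POST body with `$request->request->get('token')`, but the line right after it still fetches the code with `$request->get('_auth_code')`, which also accepts the value from route attributes and the query string. Now that the route is POST-only and CSRF-checked, reading both inputs from the same bag, `$request->request->get('_auth_code')`, keeps the verified code tied to the submitted form and avoids the multi-bag fallback lookup. otpAppCheckAction continues outside the hunk.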
@@ -395,7 +417,12 @@ public function otpAppCheckAction(Request $request, GoogleAuthenticatorInterface
'scheb_two_factor.code_invalid'
);
- return $this->redirect($this->generateUrl('config_otp_app'));
+ $this->addFlash(
+ 'notice',
+ 'scheb_two_factor.code_invalid'
+ );
+
+ return $this->redirect($this->generateUrl('config') . '#set3');
}
/**
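Review bot: The context lines at the top of the hunk appear to close an existing addFlash() call carrying `'scheb_two_factor.code_invalid'`, and the added lines push a second flash with the same message, so the user will most likely see the invalid-code notice twice on the config page. If the earlier call is indeed the same message, drop the added `$this->addFlash('notice', 'scheb_two_factor.code_invalid');` and keep only the new redirect to `config#set3`; if the earlier call uses a different flash type on purpose, a short comment explaining why both are needed would stop the next reader from removing one. The start of otpAppCheckAction lies outside this hunk, so the first call cannot be confirmed from here.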
diff --git a/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php b/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
index c8544e428d..cd5148db60 100644
--- a/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
+++ b/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
@@ -23,15 +23,6 @@ public function buildForm(FormBuilderInterface $builder, array $options)
->add('email', EmailType::class, [
'label' => 'config.form_user.email_label',
])
- ->add('emailTwoFactor', CheckboxType::class, [
- 'required' => false,
- 'label' => 'config.form_user.emailTwoFactor_label',
- ])
- ->add('googleTwoFactor', CheckboxType::class, [
- 'required' => false,
- 'label' => 'config.form_user.googleTwoFactor_label',
- 'mapped' => false,
- ])
->add('save', SubmitType::class, [
'label' => 'config.form.save',
])
diff --git a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
index c0d57c0677..4d65e82ed4 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@@ -209,6 +209,10 @@
{{ form_widget(form.user.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }}
+ {{ form_widget(form.user._token) }}
+
+ {{ form_end(form.user) }}
+