MT#53706 wire OTP secret validation - api, jwt

Change-Id: I7f0205323811196eb0e319fcb2c888cf8a314f81
mr13.3
Rene Krenn 2 months ago
parent 6c68438dc0
commit b0b646db5b

@ -447,6 +447,13 @@ sub invalid_user : Private {
return; return;
} }
sub invalid_otp : Private {
my ($self, $c, $otp) = @_;
$self->error($c, HTTP_FORBIDDEN, "Invalid OTP");
return;
}
sub banned_user : Private { sub banned_user : Private {
my ($self, $c, $user) = @_; my ($self, $c, $user) = @_;
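Review bot: invalid_otp accepts an `$otp` argument on line 13 that its body never uses, and it answers with HTTP_FORBIDDEN and a message naming the OTP, so a client that sends the right password with a wrong code receives a different response from invalid_user; whether that distinction is acceptable depends on what invalid_user returns, which is outside the hunk. If the argument is kept for symmetry with banned_user, say so where a maintainer will see it, e.g. `# $otp is passed by Root::auto but deliberately unused: the code must never appear in logs or responses.`; otherwise drop the parameter and the `[$otp]` detach argument together. banned_user's body continues outside the hunk.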

@ -273,11 +273,14 @@ sub auto :Private {
} else { } else {
$c->log->debug("Root::auto API admin request with http auth"); $c->log->debug("Root::auto API admin request with http auth");
my ($user, $pass) = $c->req->headers->authorization_basic; my ($user, $pass) = $c->req->headers->authorization_basic;
my ($otp) = $c->request->header('X-OTP');
#$c->log->debug("user: " . $user . " pass: " . $pass); #$c->log->debug("user: " . $user . " pass: " . $pass);
my $res = NGCP::Panel::Utils::Auth::perform_auth($c, $user, $pass, "api_admin" , "api_admin_bcrypt"); my $res = NGCP::Panel::Utils::Auth::perform_auth($c, $user, $pass, "api_admin" , "api_admin_bcrypt");
if ($res && $res == -2) { if ($res && $res == -2) {
$c->detach(qw(API::Root banned_user), [$user]); $c->detach(qw(API::Root banned_user), [$user]);
} elsif ($res && $res == -3) {
$c->detach(qw(API::Root invalid_otp), [$otp]);
} }
if($res and $c->user_exists and $c->user->is_active) { if($res and $c->user_exists and $c->user->is_active) {
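Review bot: The `X-OTP` header read into `$otp` on line 24 is never handed to perform_auth — the call on line 26 is unchanged context — so unless perform_auth obtains the header from `$c` itself (its signature is outside this hunk), the value it verifies cannot be the one read here and the `-3` branch on line 29 is reached, if at all, on some other input. If perform_auth's signature was extended in this commit, the call should become `my $res = NGCP::Panel::Utils::Auth::perform_auth($c, $user, $pass, "api_admin", "api_admin_bcrypt", $otp);`. `$res && $res == -3` could be simply `$res == -3` once `$res` is known defined, though it mirrors the existing -2 check. auto's body continues outside the hunk.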
@ -534,6 +537,7 @@ sub login_jwt :Chained('/') :PathPart('login_jwt') :Args(0) :Method('POST') {
my $auth_token = $c->req->body_data->{token} // ''; my $auth_token = $c->req->body_data->{token} // '';
my $jwt = $c->req->body_data->{jwt} // ''; my $jwt = $c->req->body_data->{jwt} // '';
my $otp = $c->req->body_data->{otp} // '';
my $user = $c->req->body_data->{username} // ''; my $user = $c->req->body_data->{username} // '';
my $pass = $c->req->body_data->{password} // ''; my $pass = $c->req->body_data->{password} // '';
my $ngcp_realm = $c->request->env->{NGCP_REALM} // 'admin'; my $ngcp_realm = $c->request->env->{NGCP_REALM} // 'admin';
@ -729,7 +733,11 @@ sub login_jwt :Chained('/') :PathPart('login_jwt') :Args(0) :Method('POST') {
$c->log->info("User not found"); $c->log->info("User not found");
return; return;
} }
if ($res
and $auth_user->enable_2fa
and not verify_otp($auth_user->otp_secret,$otp,time())) {
$res = 0;
}
} }
} else { } else {
my $authrs = $c->model('DB')->resultset('provisioning_voip_subscribers')->search({ my $authrs = $c->model('DB')->resultset('provisioning_voip_subscribers')->search({
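Review bot: The OTP failure on lines 44-48 is folded into `$res = 0`, so the JWT path answers a wrong code exactly like a wrong password, whereas perform_auth (hunk at line 53) marks it with -3; the two paths should agree on whether an OTP failure counts toward failed-login-attempt tracking and bans, which is decided outside this hunk. Two properties of verify_otp are relied on here but not visible: it must reject an empty or undefined `otp_secret` for a 2FA-enabled admin rather than matching trivially, and it must refuse a code already accepted in the same time step, since only `time()` is passed and no last-used counter is recorded. A comment on line 44 such as `# second factor: a correct password alone must not authenticate a 2FA-enabled admin` would record the intent. The enclosing if block starts outside the hunk.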

@ -151,9 +151,19 @@ sub perform_auth {
$res = 1; $res = 1;
$c->set_authenticated($dbadmin); # logs the user in and calls persist_user $c->set_authenticated($dbadmin); # logs the user in and calls persist_user
} }
} else {
$c->log->error("unsupported auth_mode " . $dbadmin->auth_mode);
$res = 0;
$log_failed_login_attempt = 0;
} }
$res ? do { if ($res
and $dbadmin->enable_2fa
and not verify_otp($dbadmin->otp_secret,$otp,time())) {
$res = -3;
}
$res > 0 ? do {
clear_failed_login_attempts($c, $user, 'admin'); clear_failed_login_attempts($c, $user, 'admin');
reset_ban_increment_stage($c, $user, 'admin'); reset_ban_increment_stage($c, $user, 'admin');
} }
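Review bot: The second-factor check on lines 62-66 runs after `$c->set_authenticated($dbadmin)` on line 55 has, per its own comment, logged the admin in and persisted the user, so on a wrong code `$res` becomes -3 but that state is not undone; Root::auto detaches to invalid_otp, yet any code that consults `$c->user_exists` afterwards or a session persisted in between would see an authenticated admin whose second factor never passed. Either move the verify_otp call ahead of set_authenticated or clear the state in the failure branch, i.e. `$res = -3;` followed by `$c->logout;` (Catalyst::Plugin::Authentication provides logout, and its `user_exists` is already used in Root::auto). The new else branch on lines 57-61 sets `$log_failed_login_attempt = 0` for an unsupported auth_mode, which is sensible since that is a configuration error rather than a bad credential. perform_auth continues on both sides of the hunk.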
