Merge branch 'staging' into nightly

2022-09-01 13:57:39 +02:00
parent 9e76b6ee70 a40df1ff87
commit cf5fa96a93
10 changed files with 139 additions and 30 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -938,13 +938,16 @@ function check_login($user, $pass, $app_passwd_data = false) {
    $stmt->execute(array(':user' => $user));
    $rows = array_merge($rows, $stmt->fetchAll(PDO::FETCH_ASSOC));
  }
-  foreach ($rows as $row) {
+  foreach ($rows as $row) { 
    // verify password
-    if ($app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true){
-      if (verify_hash($row['password'], $pass) !== false) {
+    if (verify_hash($row['password'], $pass) !== false) {
+      if (!array_key_exists("app_passwd_id", $row)){ 
+        // password is not a app password
        // check for tfa authenticators
        $authenticators = get_tfa($user);
-        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 &&
+            $app_passwd_data['eas'] !== true && $app_passwd_data['dav'] !== true) {
+          // authenticators found, init TFA flow
          $_SESSION['pending_mailcow_cc_username'] = $user;
          $_SESSION['pending_mailcow_cc_role'] = "user";
          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
@@ -955,7 +958,8 @@ function check_login($user, $pass, $app_passwd_data = false) {
            'msg' => array('logged_in_as', $user)
          );
          return "pending";
-        } else {
+        } else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
+          // no authenticators found, login successfull
          // Reactivate TFA if it was set to "deactivate TFA for next login"
          $stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
          $stmt->execute(array(':user' => $user));
@@ -963,22 +967,19 @@ function check_login($user, $pass, $app_passwd_data = false) {
          unset($_SESSION['ldelay']);
          return "user";
        }
-      }
-    } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
-      if (array_key_exists("app_passwd_id", $row)){
-        if (verify_hash($row['password'], $pass) !== false) {
-          $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
-          $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
-          $stmt->execute(array(
-            ':service' => $service,
-            ':app_id' => $row['app_passwd_id'],
-            ':username' => $user,
-            ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
-          ));
+      } elseif ($app_passwd_data['eas'] === true || $app_passwd_data['dav'] === true) {
+        // password is a app password
+        $service = ($app_passwd_data['eas'] === true) ? 'EAS' : 'DAV';
+        $stmt = $pdo->prepare("REPLACE INTO sasl_log (`service`, `app_password`, `username`, `real_rip`) VALUES (:service, :app_id, :username, :remote_addr)");
+        $stmt->execute(array(
+          ':service' => $service,
+          ':app_id' => $row['app_passwd_id'],
+          ':username' => $user,
+          ':remote_addr' => ($_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['REMOTE_ADDR'])
+        ));

-          unset($_SESSION['ldelay']);
-          return "user";
-        }
+        unset($_SESSION['ldelay']);
+        return "user";
      }
    }
  }