
Change email validation requirements for 2fa setup

- Remove "Successfully Authenticated" flash message on 2fa success to be
  consistent with auth module.
- Remove session's email verification status on successful 2fa setup to
  prevent re-setup during session hijack.
This commit is contained in:
Aaron L 2021-07-01 19:58:06 -07:00
parent 7939063139
commit 1ca5c1caf1
3 changed files with 5 additions and 6 deletions


@ -132,10 +132,9 @@ type Config struct {
// RecoverTokenDuration controls how long a token sent via
// email for password recovery is valid for.
RecoverTokenDuration time.Duration
// RecoverLoginAfterRecovery says for the recovery module after a
// user has successfully recovered the password, are they simply
// logged in, or are they redirected to the login page with an
// "updated password" message.
// RecoverLoginAfterRecovery if true will log users in after password
// recovery, if false they will be redirected and need to log in
// again manually.
RecoverLoginAfterRecovery bool
// OAuth2Providers lists all providers that can be used. See


@ -432,6 +432,7 @@ func (s *SMSValidator) validateCode(w http.ResponseWriter, r *http.Request, user
return err
}
authboss.DelSession(w, authboss.Session2FAAuthed)
authboss.DelSession(w, SessionSMSSecret)
authboss.DelSession(w, SessionSMSNumber)
@ -466,7 +467,6 @@ func (s *SMSValidator) validateCode(w http.ResponseWriter, r *http.Request, user
ro := authboss.RedirectOptions{
Code: http.StatusTemporaryRedirect,
Success: "Successfully Authenticated",
RedirectPath: s.Authboss.Config.Paths.AuthLoginOK,
FollowRedirParam: true,
}
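Review bot: The new `authboss.DelSession(w, authboss.Session2FAAuthed)` call (apparently the added line at L38; the +/- markers are lost on this rendering) carries the session-hijack rationale only in the commit message, so a reader of validateCode sees three unexplained DelSession calls and cannot tell why the authenticated marker is dropped alongside the SMS secret and number. Suggest a why-comment above it, `// Drop the 2FA-authenticated marker too, so a hijacked session cannot reuse it to re-run setup.`, and the same comment on the matching line in totp2fa's PostConfirm (L54). Note that the clear only runs after the early `return err` on L36, so a failed validation leaves the marker in place; presumably intended so the user can retry, but worth confirming. validateCode starts and ends outside this hunk.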


@ -287,6 +287,7 @@ func (t *TOTP) PostConfirm(w http.ResponseWriter, r *http.Request) error {
}
authboss.DelSession(w, SessionTOTPSecret)
authboss.DelSession(w, authboss.Session2FAAuthed)
logger := t.RequestLogger(r)
logger.Infof("user %s enabled totp 2fa", user.GetPID())
@ -380,7 +381,6 @@ func (t *TOTP) PostValidate(w http.ResponseWriter, r *http.Request) error {
ro := authboss.RedirectOptions{
Code: http.StatusTemporaryRedirect,
Success: "Successfully Authenticated",
RedirectPath: t.Authboss.Config.Paths.AuthLoginOK,
FollowRedirParam: true,
}