Ensure important events are firing for 2fa modules

2025-02-09 13:47:09 +02:00 · 2018-10-28 23:17:10 -07:00 · 2018-10-28 23:17:10 -07:00 · 25eda89076
commit 25eda89076
parent 3944d57c9d
3 changed files with 31 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -30,6 +30,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Fix LoadCurrentUser error handling, it was swallowing errors when users were
  not logged in, changed to be consistent, now returns ErrUserNotFound just like
  CurrentUser.
+- Fix a bug where EventAuth and EventAuthFailure were not being fired in the
+  2fa modules which would stop users from becoming locked on 2fa failures
+  or logging in without being confirmed.

 ## [2.0.0] - 2018-09-03

--- a/otp/twofactor/sms2fa/sms.go
+++ b/otp/twofactor/sms2fa/sms.go
@ -363,6 +363,13 @@ func (s *SMSValidator) validateCode(w http.ResponseWriter, r *http.Request, user
 	}

 	if !verified {
+		handled, err := s.Authboss.Events.FireAfter(authboss.EventAuthFail, w, r)
+		if err != nil {
+			return err
+		} else if handled {
+			return nil
+		}
+
 		logger.Infof("user %s sms 2fa failure (wrong code)", user.GetPID())
 		data := authboss.HTMLData{
 			authboss.DataValidation: map[string][]string{FormValueCode: []string{"2fa code was invalid"}},
@ -420,6 +427,13 @@ func (s *SMSValidator) validateCode(w http.ResponseWriter, r *http.Request, user

 		logger.Infof("user %s sms 2fa success", user.GetPID())

+		handled, err := s.Authboss.Events.FireAfter(authboss.EventAuth, w, r)
+		if err != nil {
+			return err
+		} else if handled {
+			return nil
+		}
+
 		ro := authboss.RedirectOptions{
 			Code:             http.StatusTemporaryRedirect,
 			Success:          "Successfully Authenticated",
--- a/otp/twofactor/totp2fa/totp.go
+++ b/otp/twofactor/totp2fa/totp.go
@ -318,6 +318,13 @@ func (t *TOTP) PostValidate(w http.ResponseWriter, r *http.Request) error {
 	case err != nil:
 		return err
 	case !ok:
+		handled, err := t.Authboss.Events.FireAfter(authboss.EventAuthFail, w, r)
+		if err != nil {
+			return err
+		} else if handled {
+			return nil
+		}
+
 		logger.Infof("user %s totp 2fa failure (wrong code)", user.GetPID())
 		data := authboss.HTMLData{
 			authboss.DataValidation: map[string][]string{FormValueCode: []string{"2fa code was invalid"}},
@ -334,6 +341,13 @@ func (t *TOTP) PostValidate(w http.ResponseWriter, r *http.Request) error {

 	logger.Infof("user %s totp 2fa success", user.GetPID())

+	handled, err := t.Authboss.Events.FireAfter(authboss.EventAuth, w, r)
+	if err != nil {
+		return err
+	} else if handled {
+		return nil
+	}
+
 	ro := authboss.RedirectOptions{
 		Code:             http.StatusTemporaryRedirect,
 		Success:          "Successfully Authenticated",