Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
Tomas Cohen Arazi 6fba85d23b Bug 29924: Avoid leaking information on wrong credentials
If the passed credentials are wrong, we shouldn't expose details such as
whether the password is expired.

This patch takes care of that.

To test:
1. Have a known patron with password_expiration_date set so its
   password is expired. Can be done like:
   $ koha-mysql kohadev
   > UPDATE borrowers \
     SET password_expiration_date='2022-04-25' \
     WHERE borrowernumber=132;
   Note: change the borrowernumber
2. Attempt to login to the OPAC with wrong credentials
=> SUCCESS: You are rejected, with a message telling credentials are
            wrong
=> FAIL: You are told the password is expired.
3. Apply this patch and restart Plack
4. Repeat 2
=> SUCCESS: You are rejected, credentials are wrong and no mention to
            password being expired.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-05-06 10:33:09 -10:00


[% USE raw %]
[% USE Koha %]
[% USE Categories %]
[% USE AdditionalContents %]
[% PROCESS 'html_helpers.inc' %]
[%# Optional library-supplied login instructions, looked up for the current
    language and for branchcode when it is set, otherwise default_branch %]
[% SET OpacLoginInstructions = AdditionalContents.get( location => "OpacLoginInstructions", lang => lang, library => branchcode || default_branch ) %]
[% INCLUDE 'doc-head-open.inc' %]
[%# Page title switches between the login page and the "login disabled" notice;
    LibraryNameTitle is HTML-escaped before it is emitted %]
<title>
[% IF Koha.Preference( 'opacuserlogin' ) == 1 %]
Log in to your account
[% ELSE %]
Catalog login disabled
[% END %] &rsaquo;
[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog
</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-login-page' bodyclass='scrollto' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<nav id="breadcrumbs" aria-label="Breadcrumb" class="breadcrumbs">
<ol class="breadcrumb">
<li class="breadcrumb-item">
<a href="/cgi-bin/koha/opac-main.pl">Home</a>
</li>
<li class="breadcrumb-item active">
<a href="#" aria-current="page">Log in</a>
</li>
</ol>
</nav> <!-- /#breadcrumbs -->
<div class="container-fluid">
<div class="row justify-content-center">
<div class="col-md-10 col-lg-6">
<div id="opac-auth" class="maincontent">
<!--CONTENT-->
[%# The whole login UI is gated on the opacuserlogin preference; the ELSE
    branch at the bottom of this IF renders the "not enabled" notice instead %]
[% IF Koha.Preference( 'opacuserlogin' ) == 1 %]
[% IF ( nopermission ) %]
<!-- This is what is displayed if user doesn't have permission -->
<div class="alert alert-warning">
<h1>Access denied</h1>
<p>Sorry, the system doesn't think you have permission to access this page. </p>
[% IF SCO_login %]
<p><a href="/cgi-bin/koha/sco/sco-main.pl?logout.x=1">Log out and try again with a different user.</a></p>
[% ELSIF SCI_login %]
<p><a href="/cgi-bin/koha/sci/sci-main.pl?logout.x=1">Log out and try again with a different user.</a></p>
[% END %]
</div>
[% END %]
[% IF ( loginprompt ) %]
<!-- login prompt time-->
<h1>Log in to your account</h1>
[% IF ( timed_out ) %]
<!-- This is what is displayed if login has timed out -->
<div class="alert alert-info">
<p>Sorry, your session has timed out. Please log in again.</p>
</div>
[% END %]
[%# (the HTML comment below was copied from the nopermission case; this
    branch is for a session whose client IP address changed) %]
[% IF ( different_ip ) %]
<!-- This is what is displayed if user doesn't have permission -->
<div class="alert alert-info">
<p>You are logging from a different IP address. Please log in again.</p>
</div>
[% END %]
[%# Wrong credentials and a locked-out account deliberately share one generic
    message, so the response does not tell the submitter which of the two
    applied. The password-expired notice further down is suppressed in this
    same case for the same reason. %]
[% IF invalid_username_or_password || too_many_login_attempts %]
<!-- This is what is displayed if user doesn't have permission or account is locked. (Do not expose more information than needed.) -->
<div class="alert alert-info">
<p>You entered an incorrect username or password. Please try again! But note that passwords are case sensitive[% IF Koha.Preference('FailedLoginAttempts') %] and that your account will be locked out after a fixed number of failed login attempts[% END %]. Please contact a library staff member if you continue to have problems.</p>
</div>
[% END %]
[% IF ( shibbolethAuthentication ) %]
[% IF ( invalidShibLogin ) %]
<!-- This is what is displayed if shibboleth login has failed to match a koha user -->
<div class="alert alert-info">
<p>Sorry, your Shibboleth identity does not match a valid library identity.</p>
[% UNLESS ( Koha.Preference('OPACShibOnly') ) %]
[% IF ( casAuthentication ) %]
[% IF ( invalidCasLogin ) %]
<!-- This is what is displayed if cas login has failed -->
<p>Sorry, the CAS login also failed. If you have a local login you may use that below.</p>
[% ELSE %]
<p>If you have a CAS account, you may use that below.</p>
[% END %]
[% ELSE %]
<p>If you have a local account, you may use that below.</p>
[% END %]
[% END %]
</div>
[% ELSE %]
<h2>Shibboleth Login</h2>
[%# $raw writes the URL into href without HTML escaping. shibbolethLoginUrl,
    and casServerUrl / casServer.value further down, are expected to come from
    server-side configuration rather than from the request — confirm that in
    the controller before reusing this pattern for any other value %]
<p><a href="[% shibbolethLoginUrl | $raw %]">Log in using a Shibboleth account.</a></p>
[% END # /IF invalidShibLogin %]
[% UNLESS ( Koha.Preference('OPACShibOnly') ) %]
[% IF ( casAuthentication ) %]
<h2>CAS login</h2>
<p>If you do not have a Shibboleth account, but you do have a CAS account, you can use CAS.</p>
[% ELSE %]
<h2>Local login</h2>
<p>If you do not have a Shibboleth account, but you do have a local login, then you may login below.</p>
[% END %]
[% END %]
[% END # /IF shibbolethAuthentication %]
[% UNLESS ( Koha.Preference('OPACShibOnly') ) %]
[% IF ( casAuthentication ) %]
[% IF ( shibbolethAuthentication ) %]
[% IF ( casServerUrl ) %]
[%# NOTE(review): the trailing <p> on the next line looks like it should be
    </p>; the "Log in using a CAS account" line below has the same issue %]
<p><a href="[% casServerUrl | $raw %]">Log in.</a><p>
[% END %]
[% IF ( casServersLoop ) %]
<p>Please choose against which one you would like to authenticate: </p>
<ul>
[% FOREACH casServer IN casServersLoop %]
<li><a href="[% casServer.value | $raw %]">[% casServer.name | html %]</a></li>
[% END %]
</ul>
[% END %]
[% ELSE %]
<h2>CAS login</h2>
[% IF ( invalidCasLogin ) %]
<!-- This is what is displayed if cas login has failed -->
<p>Sorry, the CAS login failed.</p>
[% END %]
[% IF ( casServerUrl ) %]
<p><a href="[% casServerUrl | $raw %]">Log in using a CAS account.</a><p>
[% END %]
[% IF ( casServersLoop ) %]
<p>If you have a CAS account, please choose against which one you would like to authenticate:</p>
<ul>
[% FOREACH casServer IN casServersLoop %]
<li><a href="[% casServer.value | $raw %]">[% casServer.name | html %]</a></li>
[% END %]
</ul>
[% END %]
[% END # /IF shibbolethAuthentication %]
[%# NOTE(review): with both Shibboleth and CAS enabled this renders the
    literal text "Nothing" — looks like leftover placeholder markup %]
[% IF ( shibbolethAuthentication ) %]
<p>Nothing</p>
[% ELSE %]
<h2>Local login</h2>
<p>If you do not have a CAS account, but do have a local account, you can still log in: </p>
[% END %]
[% END # / IF casAuthentication %]
[% IF ( Koha.Preference('GoogleOpenIDConnect') == 1 ) %]
[% IF ( invalidGoogleOpenIDConnectLogin ) %]
<h2>Google login</h2>
[%# The invalidGoogleOpenIDConnectLogin text is HTML-escaped before display %]
<p>Sorry, your Google login failed. <span class="error">[% invalidGoogleOpenIDConnectLogin | html %]</span></p>
<p>Please note that the Google login will only work if you are using the e-mail address registered with this library.</p>
<p>If you want to, you can try to <a href="/cgi-bin/koha/svc/auth/googleopenidconnect?reauthenticate=select_account">log in using a different account</a>
[% END %]
<a href="/cgi-bin/koha/svc/auth/googleopenidconnect" class="btn btn-light" id="openid_connect"><i class="fa fa-google" aria-hidden="true"></i> Log in with Google</a>
<p>If you do not have a Google account, but do have a local account, you can still log in: </p>
[% END # /IF GoogleOpenIDConnect %]
[% END # /UNLESS OPACShibOnly %]
[%# Bug 29924: only report an expired password when the credentials themselves
    were accepted. If the username/password was wrong or the account is locked,
    the generic message above is all that is shown, so an unauthenticated
    submitter cannot learn whether a guessed account has an expired password. %]
[% IF !(invalid_username_or_password || too_many_login_attempts) and password_has_expired %]
<div class="alert alert-info">
<p><strong>Error: </strong>Your password has expired!</p>
</div>
[% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %]
<div id="resetpassword">
<a href="/cgi-bin/koha/opac-password-recovery.pl">Reset your password?</a>
</div>
[% ELSE %]
<p>You must contact the library to reset your password</p>
[% END %]
[%# Local login form: shown unless the OPAC is Shibboleth-only, except that the
    SCO and SCI login contexts always get it %]
[% ELSIF !Koha.Preference('OPACShibOnly') or SCO_login or SCI_login %]
[%# The form posts to the SCO/SCI entry point or to script_name (HTML-escaped);
    autocomplete="off" is only a hint to the browser, not something enforced %]
[% IF SCO_login %]
<form action="/cgi-bin/koha/sco/sco-main.pl" name="auth" id="auth" method="post" autocomplete="off">
[% ELSIF SCI_login %]
<form action="/cgi-bin/koha/sci/sci-main.pl" name="auth" id="auth" method="post" autocomplete="off">
[% ELSE %]
<form action="[% script_name | html %]" name="auth" id="auth" method="post" autocomplete="off">
[% END %]
[%# Hidden marker identifying the login context as "opac" %]
<input type="hidden" name="koha_login_context" value="opac" />
<fieldset class="brief">
[%# Replay every parameter of the original request as a hidden field, except
    logout.x (presumably because carrying it through would trigger a logout on
    submit). Name and value are both HTML-escaped, so request-controlled
    content cannot break out of the attribute. %]
[% FOREACH INPUT IN INPUTS %]
[% NEXT IF INPUT.name == 'logout.x' %]
<input type="hidden" name="[% INPUT.name | html %]" value="[% INPUT.value | html %]" />
[% END %]
<div class="form-group">
<label for="userid">Login:</label>
<input class="form-control" type="text" size="25" id="userid" name="userid" />
</div>
<div class="form-group">
<label for="password">Password:</label>
<input class="form-control" type="password" size="25" id="password" name="password" />
</div>
<fieldset class="action">
<input type="submit" value="Log in" class="btn btn-primary" />
</fieldset>
</fieldset>
<div id="nologininstructions">
[% IF OpacLoginInstructions %]
[% PROCESS koha_news_block news => OpacLoginInstructions %]
[% ELSE %]
<h2>Don't have a password yet?</h2>
<p>If you don't have a password yet, stop by the circulation desk the next time you're in the library. We'll happily set one up for you.</p>
<h2>Don't have a library card?</h2>
<p>If you don't have a library card, stop by your local library to sign up.</p>
[% END # / IF OpacLoginInstructions %]
</div>
[%# Password-recovery link only when self-service password change is enabled
    and at least one patron category may reset a password %]
[% IF Koha.Preference('OpacPasswordChange') && Categories.can_any_reset_password %]
<div id="forgotpassword">
<a href="/cgi-bin/koha/opac-password-recovery.pl">Forgot your password?</a>
</div>
[% END %]
[% IF PatronSelfRegistration && PatronSelfRegistrationDefaultCategory %]
<div id="registrationinstructions">
<span>
<a href="/cgi-bin/koha/opac-memberentry.pl">You may register here.</a>
</span>
</div>
[% END %]
</form>
[% END # / IF password_has_expired / ELSIF !OPACShibOnly or SCO_login or SCI_login %]
[% END # / IF loginprompt %]
[% ELSE %]
<h1>Logging on to the catalog has not been enabled by the library.</h1>
<ul>
[%# The administrator address is URI-escaped into the mailto: link %]
<li>To report this error, you can email the Koha Administrator.<a href="mailto:[% admin | uri %]">Email</a></li>
<li>Use top menu bar to navigate to another part of Koha.</li>
</ul>
[% END # / IF opacuserlogin %]
</div> <!-- /.opac-auth -->
</div> <!-- /.col-md-10 col-lg-6 -->
</div> <!-- /.row -->
</div> <!-- /.container-fluid -->
</div> <!-- /.main -->
[% INCLUDE 'opac-bottom.inc' %]
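[% BLOCK jsinclude %]
<script>
// Hide the circular 'Log in to your account' link in the members menu while
// the login form (#auth) is present on this page.
// A jQuery selection is an object and therefore always truthy, so the
// original `if ( $("#auth") )` ran unconditionally; test .length instead
// so the link is only hidden when the form actually exists.
$(document).ready(function() {
if ( $("#auth").length ) { $("#members ul li a").hide(); }
});
</script>
[% END %]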