From 2e4345cc77d0b457d9d7f1bf42d1cbddf125d393 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Thu, 20 Jan 2022 15:07:30 +0000
Subject: [PATCH] Bug 29894: Clear secret when disabling 2FA

Test plan:
Deregister 2FA for patron.
Check if secret is empty in borrowers.secret.

Signed-off-by: Marcel de Rooy
Signed-off-by: Martin Renvoize
Signed-off-by: Jonathan Druart
Signed-off-by: Fridolin Somers
---
 members/two_factor_auth.pl | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/members/two_factor_auth.pl b/members/two_factor_auth.pl
index 0cf6843b84..7b8a1a434b 100755
--- a/members/two_factor_auth.pl
+++ b/members/two_factor_auth.pl
@@ -68,11 +68,10 @@ if ( $op eq 'register-2FA' ) {
 );
 if ($verified) {
- $logged_in_user->secret($secret32);
- $op = 'registered';
- # FIXME Generate a (new?) secret
+ $logged_in_user->secret($secret32);
 $logged_in_user->auth_method('two-factor')->store;
+ $op = 'registered';
 } else {
 $template->param( invalid_pin => 1, );
@@ -81,7 +80,6 @@ if ( $op eq 'register-2FA' ) {
 }
 if ( $op eq 'enable-2FA' ) {
- my $secret = Koha::AuthUtils::generate_salt( 'weak', 16 );
 my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $logged_in_user, secret => $secret } );
@@ -99,6 +97,7 @@ if ( $op eq 'enable-2FA' ) {
 elsif ( $op eq 'disable-2FA' ) {
 output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' ) unless Koha::Token->new->check_csrf($csrf_pars);
+ $logged_in_user->secret(undef);
 $logged_in_user->auth_method('password')->store;
 }
--
2.39.5
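Review bot: The `# FIXME Generate a (new?) secret` line is dropped in the register-2FA hunk without the hunk or the commit message saying how that question was resolved; the message only covers the disable path. `$secret32` is assigned outside the hunk (the enclosing `if ( $op eq 'register-2FA' )` block starts above it), so a one-line comment on the re-added `$logged_in_user->secret($secret32);` would preserve that context for the next reader: `# Persist the PIN-verified secret and auth_method in a single store`. Moving `$op = 'registered'` after `->store` is a sensible ordering, since the template is then only told of success once the row has been written.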
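Review bot: In the enable-2FA hunk the `-` line appears to remove `my $secret = Koha::AuthUtils::generate_salt( 'weak', 16 );` while the following context line still passes `secret => $secret` to `Koha::Auth::TwoFactorAuth->new`, which would be a compile error under strict unless `$secret` is declared in an enclosing scope outside the hunk. The diffstat's three insertions are all visible in the other two hunks, so this patch adds no replacement declaration elsewhere. The collapsed rendering leaves open that the removed line is only the blank line above the declaration, in which case this is a whitespace-only hunk; which of the two it is should be confirmed before merge, because if the declaration really goes, the TOTP secret used for enrolment would no longer be freshly generated per request in this block.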
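Review bot: The added `$logged_in_user->secret(undef);` in the disable-2FA hunk clears the secret at rest, but the only gate visible before a security-sensitive downgrade of the account is the CSRF check on the preceding line; whether disabling 2FA also requires a fresh credential (the current password or a valid code) is not shown here and is worth confirming against the rest of the script. A comment on the new line would record the intent stated in the commit message: `# Clear the stored TOTP secret so it cannot be reused after 2FA is turned off`. If the script records other account changes in an action log, this transition is a candidate for the same treatment; the `elsif` block closes inside the hunk, so nothing else runs on this path after the `->store`.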