diff options
| author |  Inverle <inverle@proton.me>
| 2025-07-31 13:53:14 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-07-31 13:53:14 +0200 |
| commit | 3ce64d271b2b470bd6c9f7294946347dcdfed9b9 (patch) | |
| tree | 56b5a0928f1ce2b0486e866abd5456bc43ea8ed9 /app/Controllers/authController.php | |
| parent | d0425f8c3ab14e72142b1a4f946d57b408f26c88 (diff) | |
Implement sudo mode / reauthentication (#7753)
* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'app/Controllers/authController.php')
| -rw-r--r-- | app/Controllers/authController.php | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index b090eb486..6b8d924d6 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -21,6 +21,10 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController { Minz_Error::error(403); } + if (FreshRSS_Auth::requestReauth()) { + return; + } + FreshRSS_View::prependTitle(_t('admin.auth.title') . ' · '); if (Minz_Request::isPost()) { @@ -219,6 +223,35 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController { } } + public function reauthAction(): void { + if (!FreshRSS_Auth::hasAccess()) { + Minz_Error::error(403); + return; + } + /** @var array{c?: string, a?: string, params?: array<string, mixed>} $redirect */ + $redirect = Minz_Url::unserialize(Minz_Request::paramString('r')); + if (!FreshRSS_Auth::needsReauth()) { + Minz_Request::forward($redirect, true); + return; + } + if (Minz_Request::isPost()) { + $username = Minz_User::name() ?? ''; + $nonce = Minz_Session::paramString('nonce'); + $challenge = Minz_Request::paramString('challenge'); + if (!FreshRSS_FormAuth::checkCredentials( + $username, FreshRSS_Context::userConf()->passwordHash, $nonce, $challenge + )) { + Minz_Request::setBadNotification(_t('feedback.auth.login.invalid')); + } else { + Minz_Session::_param('lastReauth', time()); + Minz_Request::forward($redirect, true); + return; + } + } + FreshRSS_View::prependTitle(_t('gen.auth.reauth.title') . ' · '); + FreshRSS_View::appendScript(Minz_Url::display('/scripts/vendor/bcrypt.js?' . @filemtime(PUBLIC_PATH . '/scripts/vendor/bcrypt.js'))); + } + /** * This action removes all accesses of the current user. */ |