| author | 2025-07-31 13:53:14 +0200 | |
|---|---|---|
| committer | 2025-07-31 13:53:14 +0200 | |
| commit | 3ce64d271b2b470bd6c9f7294946347dcdfed9b9 (patch) | |
| tree | 56b5a0928f1ce2b0486e866abd5456bc43ea8ed9 /app/Models | |
| parent | d0425f8c3ab14e72142b1a4f946d57b408f26c88 (diff) | |
Implement sudo mode / reauthentication (#7753)
* Implement sudo mode / reauthentication
* i18n: fr
* generate flags
* Improvements
* Remove HMAC check
* Don't require reauth to access logs when signed in as admin
* Notify user of bad login via notification instead
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat (limited to 'app/Models')
| -rw-r--r-- | app/Models/Auth.php | 51 | ||||
| -rw-r--r-- | app/Models/SystemConfiguration.php | 2 |
2 files changed, 53 insertions, 0 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 5c861f1db..19cd26aa5 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -165,6 +165,7 @@ class FreshRSS_Auth {
 self::$login_ok = false;
 Minz_Session::_params([
 'loginOk' => false,
+ 'lastReauth' => false,
 'csrf' => false,
 'REMOTE_USER' => false,
 ]);
@@ -230,4 +231,54 @@ class FreshRSS_Auth {
 }
 return $token != '' && $token === $csrf;
 }
+
+ public static function needsReauth(): bool {
+ $auth_type = FreshRSS_Context::systemConf()->auth_type;
+ $reauth_required = FreshRSS_Context::systemConf()->reauth_required;
+ $reauth_time = FreshRSS_Context::systemConf()->reauth_time;
+
+ if (!$reauth_required) {
+ return false;
+ }
+
+ $last_reauth = Minz_Session::paramInt('lastReauth');
+
+ if ($auth_type !== 'none' && time() - $last_reauth > $reauth_time) {
+ if ($auth_type === 'http_auth') {
+ // TODO: not implemented - just let the user through
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Return if user needs reauth and got redirected to login page.
+ *
+ * @param array{c?: string, a?: string, params?: array<string, mixed>}|null $redirect
+ */
+ public static function requestReauth(?array $redirect = null): bool {
+ if (self::needsReauth()) {
+ if (Minz_Request::paramBoolean('ajax')) {
+ // Send 403 and exit instead of redirect with Minz_Error::error()
+ header('HTTP/1.1 403 Forbidden');
+ exit();
+ }
+
+ $redirect = Minz_Url::serialize($redirect ?? Minz_Request::currentRequest());
+
+ Minz_Request::forward([
+ 'c' => 'auth',
+ 'a' => 'reauth',
+ 'params' => [
+ 'r' => $redirect,
+ ],
+ ], true);
+
+ return true;
+ }
+
+ return false;
+ }
 }
diff --git a/app/Models/SystemConfiguration.php b/app/Models/SystemConfiguration.php
index 403950728..7c7862b8a 100644
--- a/app/Models/SystemConfiguration.php
+++ b/app/Models/SystemConfiguration.php
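Review bot: In requestReauth, the ajax branch sets the status with `header('HTTP/1.1 403 Forbidden');`, which hard-codes the protocol version; `http_response_code(403);` emits the status line on whatever protocol the server actually negotiated and is the idiomatic form. The `r` parameter built from `Minz_Url::serialize($redirect ?? Minz_Request::currentRequest())` is derived from the incoming request and is consumed by the reauth action outside this diff, so that consumer should accept only internal routes before forwarding to it; the docblock should state that expectation. needsReauth() has no doc comment, and the http_auth early return reads as a silent bypass of a feature the admin turned on; `/** Whether the session's last reauthentication is older than reauth_time seconds; http_auth is not yet enforced and always returns false. */` would make both visible. As a point of style, the three FreshRSS_Context::systemConf() calls could read the configuration once into a local.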
@@ -9,6 +9,8 @@ declare(strict_types=1); * @property bool $api_enabled * @property string $archiving * @property 'form'|'http_auth'|'none' $auth_type + * @property-read bool $reauth_required + * @property-read int $reauth_time * @property-read string $auto_update_url * @property-read array<int,mixed> $curl_options * @property string $default_user |
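Review bot: The new `@property-read int $reauth_time` line gives no unit; in Auth.php's needsReauth the value is compared against `time() - $last_reauth`, so it is a number of seconds. A short description on the annotation, `@property-read int $reauth_time Seconds after the last reauthentication before a signed-in user must reauthenticate`, would save readers a cross-file lookup.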
