Improved TOTp handling in login.
Cleaned up the code a bit; the login now also checks the TOTP before attempting to verify the user. This addresses the potential for an attacker to try a password and/or confirm that the password is correct without having a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well.
This commit is contained in:
parent
7345385442
commit
288ee1a258
5 changed files with 113 additions and 101 deletions
@ -10,20 +10,22 @@ class AuthRoutes {
|
|||
|
||||
public function map(Router $router) {
|
||||
$router->group(['prefix' => 'auth'], function () use ($router) {
|
||||
|
||||
$router->get('login', [ 'as' => 'auth.login', 'uses' => 'Auth\AuthController@getLogin' ]);
|
||||
$router->post('login/totp', [ 'as' => 'auth.login.totp', 'uses' => 'Auth\AuthController@checkTotp' ]);
|
||||
$router->post('login', [ 'as' => 'auth.login.submit', 'uses' => 'Auth\AuthController@postLogin' ]);
|
||||
$router->post('login', [ 'uses' => 'Auth\AuthController@postLogin' ]);
|
||||
$router->post('login/totp', [ 'uses' => 'Auth\AuthController@checkTotp' ]);
|
||||
|
||||
|
||||
$router->get('password', [ 'as' => 'auth.password', 'uses' => 'Auth\PasswordController@getEmail' ]);
|
||||
$router->post('password', [ 'as' => 'auth.password.submit', 'uses' => 'Auth\PasswordController@postEmail' ], function () {
|
||||
return redirect('auth/password')->with('sent', true);
|
||||
});
|
||||
|
||||
$router->post('password/verify', [ 'uses' => 'Auth\PasswordController@postReset' ]);
|
||||
$router->get('password/verify/{token}', [ 'as' => 'auth.verify', 'uses' => 'Auth\PasswordController@getReset' ]);
|
||||
$router->post('password/verify', [ 'as' => 'auth.verify.submit', 'uses' => 'Auth\PasswordController@postReset' ]);
|
||||
|
||||
$router->get('logout', [ 'as' => 'auth.logout', 'uses' => 'Auth\AuthController@getLogout' ]);
|
||||
|
||||
});
|
||||
}
|
||||
|
||||
}
|
||||
}
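Review bot: The third argument passed to `$router->post('password', [...], function () { return redirect('auth/password')->with('sent', true); })` is silently dropped, because Laravel's `Router::post()` accepts only `$uri` and `$action`, so that redirect never runs; if the redirect is intended it belongs in `Auth\PasswordController@postEmail`, and the route line should become `$router->post('password', [ 'as' => 'auth.password.submit', 'uses' => 'Auth\PasswordController@postEmail' ]);`. The commit message says a failed TOTP response increments the login throttle, but none of the `auth.login.totp` or `auth.login.submit` routes carry a throttle middleware in this hunk, so that protection presumably lives in the controller — worth confirming, since an unthrottled `login/totp` endpoint that reports whether a submitted identity has TOTP enabled would be usable as an account-enumeration oracle. A short comment above the `login/totp` route such as `// Must be throttled together with login; see AuthController@checkTotp` would make that dependency visible to the next maintainer. `map()` is fully within the hunk; the enclosing `AuthRoutes` class header is shown only in the hunk context.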
|
||||
|
|