Improved TOTp handling in login.

Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well.
2015-12-10 21:58:17 -05:00 · 2015-12-10 21:58:17 -05:00 · 288ee1a258
commit 288ee1a258
parent 7345385442
5 changed files with 113 additions and 101 deletions
--- a/resources/lang/en/auth.php
+++ b/resources/lang/en/auth.php
@ -21,5 +21,6 @@ return [
    'sendlink' => 'Send Password Reset Link',
    'emailsent' => 'Your password reset email is on its way.',
    'remeberme' => 'Remeber Me',
+    'totp_failed' => 'The TOTP token provided was invalid. Please ensure that the token generated by your device was valid.'

 ];
--- a/resources/lang/en/strings.php
+++ b/resources/lang/en/strings.php
@ -12,7 +12,6 @@ return [
    'password' => 'Password',
    'email' => 'Email',
    'whoops' => 'Whoops',
-    'failed' => 'Your request could not be processed. Please try again later.',
    'success' => 'Success',
    'location' => 'Location',
    'node' => 'Node',
--- a/resources/views/auth/login.blade.php
+++ b/resources/views/auth/login.blade.php
@ -24,6 +24,14 @@
                    </ul>
                </div>
            @endif
+            @foreach (Alert::getMessages() as $type => $messages)
+                @foreach ($messages as $message)
+                    <div class="alert alert-{{ $type }} alert-dismissable" role="alert">
+                        <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+                        {{ $message }}
+                    </div>
+                @endforeach
+            @endforeach
            <div class="form-group">
                <label for="email" class="control-label">{{ trans('strings.email') }}</label>
                <div>
@ -76,33 +84,35 @@
 <div class="col-md-3"></div>
 <script type="text/javascript">
 $(document).ready(function() {
-	$("#login-form").one("submit", function(event) {
+    $('#login-form').submit(function (event) {
        event.preventDefault();
-		var check_email = $("#email").val();
-		$.ajax({
-			type: 'POST',
-			url: '/auth/login/totp',
-			data: {
-				email: check_email,
-				_token: '{!! csrf_token() !!}'
-			}
-		}).done(function(data) {
-			if (typeof data.id !== 'undefined') {
-				$("#openTOTP").modal('show');
-				$('#openTOTP').on('shown.bs.modal', function() {
-					$("#totp_token").focus();
-				});
-			} else {
-                $("#login-form").submit();
-			}
-		}).fail(function(jqXHR) {
-			alert("{{ trans('strings.failed') }}");
-		});
-	});
-	$("#totp-form").submit(function() {
-		$('#login-form :input').not(':submit').clone().hide().appendTo('#totp-form');
-		return true;
-	});
+        var check_email = $('#email').val();
+        $.ajax({
+            type: 'POST',
+            url: '/auth/login/totp',
+            headers: {
+                'X-CSRF-TOKEN': '{{ csrf_token() }}'
+            },
+            data: {
+                email: check_email
+            }
+        }).done(function (data) {
+            if (typeof data.id !== 'undefined') {
+                $('#openTOTP').modal('show');
+                $('#openTOTP').on('shown.bs.modal', function() {
+                    $('#totp_token').focus();
+                });
+            } else {
+                $('#login-form').submit();
+            }
+        }).fail(function (jqXHR) {
+            alert('Unable to validate potential TOTP need.');
+            console.error(jqXHR);
+        });
+    });
+    $('#totp-form').submit(function () {
+        return $('#login-form :input').not(':submit').clone().hide().appendTo('#totp-form');
+    });
 });
 </script>
@endsection