Merge pull request #4455 from corentin-soriano/remove_session_password
Remove login password from sessions.
nilsteampassnet authored Nov 14, 2024
2 parents d2bec30 + 28aeae9 commit fae22cd
Showing 8 changed files with 162 additions and 99 deletions.
28 changes: 22 additions & 6 deletions includes/core/load.js.php
Expand Up @@ -596,7 +596,7 @@ function(data) {
'</div>' +
'<div class="hidden" id="new-encryption-div">' +

'<div class="row'+((store.get('teampassUser').auth_type !== 'ldap' && store.get('teampassUser').auth_type !== 'oauth2') ? '' : ' hidden') + '">' +
'<div class="row' + ((store.get('teampassUser').auth_type !== 'oauth2') ? '' : ' hidden') + '">' +
'<div class="input-group mb-2">' +
'<div class="input-group-prepend">' +
'<span class="input-group-text"><?php echo $lang->get('confirm_password'); ?></span>' +
Expand Down Expand Up @@ -660,8 +660,6 @@ function(data) {
if ($('#recovery-public-key').val() !== '' && $('#recovery-private-key').val() !== '') {
$('#confirm-no-recovery-keys-div').removeClass('alert-danger');
$('#confirm-no-recovery-keys').prop('checked', false);
} else {

}
});

Expand Down Expand Up @@ -691,10 +689,14 @@ function(data) {
.html('<i class="fa-solid fa-spinner fa-spin"></i>');
$('#warningModalButtonClose').addClass('disabled');

const user_pwd = store.get('teampassUser').auth_type !== 'oauth2'
? $('#encryption-otp').val() // User password (local or ldap)
: hashUserId(store.get('userOauth2Info').sub); // Oauth

// update the process
// add all tasks
var parameters = {
'user_pwd': $('#encryption-otp').val(),
'user_pwd': user_pwd,
'encryption_key': '',
'delete_existing_keys': true,
'encrypt_with_user_pwd': true,
Expand Down Expand Up @@ -1386,7 +1388,15 @@ function(teampassUser) {
* NEW LDAP USER HAS TO BUILD THE ITEMS DATABASE
*/
$(document).on('click', '#dialog-ldap-user-build-keys-database-do', function() {
if ($('#dialog-ldap-user-build-keys-database-code').val() === '') {

// Add OAuth password in hidden field.
if (store.get('teampassUser').auth_type === 'oauth2') {
$('#dialog-ldap-user-build-keys-database-userpassword')
.val(hashUserId(store.get('userOauth2Info').sub));
}

if ($('#dialog-ldap-user-build-keys-database-code').val() === ''
|| $('#dialog-ldap-user-build-keys-database-userpassword').val() === '') {

return false;
}
Expand Down Expand Up @@ -1444,7 +1454,7 @@ function(data) {
data = {
'user_id': store.get('teampassUser').user_id,
'current_code': $('#dialog-ldap-user-build-keys-database-code').val(),
'new_code': '',
'new_code': $('#dialog-ldap-user-build-keys-database-userpassword').val(),
'action_type' : '',
}
if (debugJavascript === true) console.log(data);
Expand Down Expand Up @@ -2115,4 +2125,10 @@ function applyTheme(switch_theme) {
// Store new theme value
$.cookie('teampass_theme', mode, { expires: 365, secure: true});
}

// manage cryto ID
function hashUserId(userId) {
const hash = CryptoJS.SHA256(userId);
return hash.toString(CryptoJS.enc.Hex).substring(0, 16);
}
</script>
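Review bot: The OAuth-derived password is computed as `hashUserId(store.get('userOauth2Info').sub)` in the re-encryption parameters and again when filling `#dialog-ldap-user-build-keys-database-userpassword`, while login.js.php in the same commit sets `#pw` from `userOauth2Info['id'] ?? userOauth2Info['sub']`; for a provider that returns an `id` distinct from `sub`, the value used to re-encrypt the keys will not match the one the user authenticates with. Both call sites should derive it the same way, e.g. `hashUserId(store.get('userOauth2Info').id ?? store.get('userOauth2Info').sub)`, or better, one shared helper used by both files. `hashUserId` also deserves a comment stating that its result is not a secret: it is a deterministic digest, truncated to 16 hex characters, of an identifier the provider exposes, so protection of the private key for oauth2 users rests entirely on the OAuth login having succeeded. The click handler and the `function(data)` callbacks these hunks sit in start outside the hunks.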
10 changes: 4 additions & 6 deletions includes/core/login.js.php
Expand Up @@ -84,13 +84,11 @@ function(teampassUser) {
// get the Teampass login from userPrincipalName
userOauth2Info['login'] = userOauth2Info['userPrincipalName'].split("@")[0];

// manage cryto ID
function hashUserId(userId) {
const hash = CryptoJS.SHA256(userId);
return hash.toString(CryptoJS.enc.Hex).substring(0, 16);
}
// ID exists only with azure. Use the sub with generic oauth provider.
const user_id = userOauth2Info['id'] ?? userOauth2Info['sub'];

$("#login").val(userOauth2Info['login']);
$("#pw").val(hashUserId(userOauth2Info['id']));
$("#pw").val(hashUserId(user_id));

// store userOauth2Info
store.set(
7 changes: 7 additions & 0 deletions index.php
Expand Up @@ -941,6 +941,13 @@
<span class="input-group-text"><?php echo $lang->get('temporary_encryption_code'); ?></span>
</div>
<input type="password" class="form-control" id="dialog-ldap-user-build-keys-database-code">
<br/>
</div>
<div class="input-group mb-3<?php if ($session_auth_type === 'oauth2') echo ' hidden'; ?>">
<div class="input-group-prepend">
<span class="input-group-text"><?php echo $lang->get('provide_your_current_password'); ?></span>
</div>
<input type="password" class="form-control" id="dialog-ldap-user-build-keys-database-userpassword">
</div>

<div class="form-control mt-3 font-weight-light grey" id="dialog-ldap-user-build-keys-database-progress">
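Review bot: The new `dialog-ldap-user-build-keys-database-userpassword` block is hidden only when `$session_auth_type === 'oauth2'`, and nothing in the markup says why a password input is rendered for a user who has no password to type; a template comment above the `<div class="input-group mb-3...">` would make the coupling with load.js.php explicit, e.g. `<?php /* oauth2: hidden because load.js.php fills this field with the derived value before submit */ ?>`. The enclosing dialog markup starts and ends outside the hunk.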
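--- a/pages/users.js.php
+++ b/pages/users.js.php
@@ -491,64 +491,6 @@ function(data) {
 );
 });
 
-
-function userTasksCreation(userId, userPassword, userTemporaryCode)
-{
-var data = {
-user_id: userId,
-user_pwd: userPassword,
-user_code: userTemporaryCode,
-}
-
-// Do query
-$.post(
-"sources/users.queries.php", {
-type: "create_new_user_tasks",
-data: prepareExchangedData(JSON.stringify(data), 'encode', '<?php echo $session->get('key'); ?>'),
-key: '<?php echo $session->get('key'); ?>'
-},
-function(data) {
-data = prepareExchangedData(data, "decode", "<?php echo $session->get('key'); ?>");
-if (debugJavascript === true) {
-console.info("Réception des données :")
-console.log(data);
-}
-
-if (data.error === true) {
-// error
-toastr.remove();
-toastr.error(
-data.message,
-'<?php echo $lang->get('caution'); ?>', {
-timeOut: 5000,
-progressBar: true
-}
-);
-
-dfd.reject();
-} else {
-// show message to user
-$('#warningModal').modal('hide');
-
-// Inform user
-toastr.success(
-'<?php echo $lang->get('done'); ?>',
-'', {
-timeOut: 2000
-}
-);
-
-// Reload list of users
-oTable.ajax.reload();
-
-// Prepare UI
-$('#row-list, #group-create-special-folder, #group-delete-user').removeClass('hidden');
-$('#row-form').addClass('hidden');
-}
-}
-);
-}
-
 /**
 *
 */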
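--- a/sources/identify.php
+++ b/sources/identify.php
@@ -520,7 +520,6 @@ function identifyUser(string $sentData, array $SETTINGS): bool
 $session->set('user-name', empty($userInfo['name']) === false ? stripslashes($userInfo['name']) : '');
 $session->set('user-lastname', empty($userInfo['lastname']) === false ? stripslashes($userInfo['lastname']) : '');
 $session->set('user-id', (int) $userInfo['id']);
-$session->set('user-password', $passwordClear);
 $session->set('user-admin', (int) $userInfo['admin']);
 $session->set('user-manager', (int) $userInfo['gestionnaire']);
 $session->set('user-can_manage_all_users', $userInfo['can_manage_all_users']);
@@ -1463,20 +1462,19 @@ function finalizeAuthentication(
 'id = %i',
 $userInfo['id']
 );
-} elseif ($passwordManager->verifyPassword($userInfo['pw'], $passwordClear) === false) {
+} elseif ($passwordManager->verifyPassword($hashedPassword, $passwordClear) === false) {
 // Case where user is auth by LDAP but his password in Teampass is not synchronized
 // For example when user has changed his password in AD.
 // So we need to update it in Teampass and ask for private key re-encryption
 DB::update(
 prefixTable('users'),
 [
-'pw' => $hashedPassword,
+'pw' => $passwordManager->hashPassword($passwordClear),
 ],
 'id = %i',
 $userInfo['id']
 );
 }
-if (WIP === true) error_log("finalizeAuthentication - hashedPassword: " . $hashedPassword. " | ".$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)." || ".$passwordClear);
 }
 
 /**
@@ -2520,6 +2518,21 @@ function createOauth2User(
 // Oauth2 user already exists and authenticated
 if (WIP === true) error_log("--- USER AUTHENTICATED ---");
 $userInfo['has_been_created'] = 0;
+
+$passwordManager = new PasswordManager();
+
+// Update user hash un database if needed
+if (!$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)) {
+DB::update(
+prefixTable('users'),
+[
+'pw' => $passwordManager->hashPassword($passwordClear),
+],
+'id = %i',
+$userInfo['id']
+);
+}
+
 return [
 'error' => false,
 'retExternalAD' => $userInfo,
@@ -2528,7 +2541,7 @@ function createOauth2User(
 ];
 }
 
-// return if no addmin
+// return if no admin
 return [
 'error' => false,
 'retLDAP' => [],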
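Review bot: In the `createOauth2User` hunk the stored `pw` hash is rewritten whenever `verifyPassword($userInfo['pw'], $passwordClear)` fails, so for an already-authenticated oauth2 user the client-supplied value replaces the hash with no further condition; the LDAP branch in `finalizeAuthentication` treats the same situation as one that must "ask for private key re-encryption", and this branch carries no such signal. If the private key is encrypted with the previous password value, as that LDAP comment suggests, confirm the user is routed to the keys rebuild flow, or document why it cannot apply here, e.g. `// oauth2: the derived value only changes with the provider's user id — TODO confirm keys were never encrypted with another value`. The comment `// Update user hash un database if needed` should read `in database`. `createOauth2User` starts outside the hunk.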
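--- a/sources/main.functions.php
+++ b/sources/main.functions.php
@@ -3632,6 +3632,7 @@ function handleUserKeys(
 'pw' => $hashedPassword,
 'public_key' => $userKeys['public_key'],
 'private_key' => $userKeys['private_key'],
+'keys_recovery_time' => NULL,
 ),
 'id=%i',
 $userId
@@ -3641,6 +3642,8 @@ function handleUserKeys(
 if ($userId === $session->get('user-id')) {
 $session->set('user-private_key', $userKeys['private_key_clear']);
 $session->set('user-public_key', $userKeys['public_key']);
+// Notify user that he must re download his keys:
+$session->set('user-keys_recovery_time', NULL);
 }
 
 // Manage empty encryption key
@@ -4165,7 +4168,7 @@ function handleUserRecoveryKeysDownload(int $userId, array $SETTINGS):string
 $session = SessionManager::getSession();
 // Check if user exists
 $userInfo = DB::queryFirstRow(
-'SELECT pw, public_key, private_key, login, name
+'SELECT login
 FROM ' . prefixTable('users') . '
 WHERE id = %i',
 $userId
@@ -4177,8 +4180,8 @@ function handleUserRecoveryKeysDownload(int $userId, array $SETTINGS):string
 $export_value = file_get_contents(__DIR__."/../includes/core/teampass_ascii.txt")."\n".
 "Generation date: ".date($SETTINGS['date_format'] . ' ' . $SETTINGS['time_format'], $now)."\n\n".
 "RECOVERY KEYS - Not to be shared - To be store safely\n\n".
-"Public Key:\n".$userInfo['public_key']."\n\n".
-"Private Key:\n".decryptPrivateKey($session->get('user-password'), $userInfo['private_key'])."\n\n";
+"Public Key:\n".$session->get('user-public_key')."\n\n".
+"Private Key:\n".$session->get('user-private_key')."\n\n";
 
 // Update user's keys_recovery_time
 DB::update(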
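Review bot: `handleUserRecoveryKeysDownload` now exports `$session->get('user-public_key')` and `$session->get('user-private_key')` for whatever `$userId` was passed, whereas the removed lines read the keys of that `$userId` from the database; if a caller can pass another user's id, the file is labelled with that user's `login` but contains the session user's keys, and the `keys_recovery_time` update that follows lands on the wrong row. Add a guard before `$export_value` is built, e.g. `if ($userId !== (int) $session->get('user-id') || empty($session->get('user-private_key'))) { /* take the function's existing error return */ }`, so a mismatched id or a session without a loaded private key never yields an export with an empty `Private Key:` section. The function's start, and the error return it already uses, are outside the hunk.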