Allow Skip 2FA fuction for xx Days

jaapmarcus · jaapmarcus · commit 5e8f5c9e8c1a · 2020-07-26T21:58:57.000+02:00
With the new propsed system you are forced to login again every 1 hour after no use...

With this function you are allowed to skip the 2FA Step for a xx period (Default 1 day)
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1665,6 +1665,7 @@ fi
 #----------------------------------------------------------#
 
 echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+echo "TWOFA_VALID_LENGTH='1'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 #                   Configure Admin User                   #
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1688,6 +1688,7 @@ fi
 #----------------------------------------------------------#
 
 echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+echo "TWOFA_VALID_LENGTH='1'" >> $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#
 #                      Fix phpmyadmin                      #
diff --git a/install/upgrade/versions/latest.sh b/install/upgrade/versions/latest.sh
@@ -58,4 +58,5 @@ if [ -f "$apt/postgresql.list" ]; then
 fi
 
 # Limit PHP Session Live time 
-echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+echo "INACTIVE_SESSION_TIMEOUT='60'" >> $HESTIA/conf/hestia.conf
+echo "TWOFA_VALID_LENGTH='1'" >> $HESTIA/conf/hestia.conf
diff --git a/web/js/fingerprint2.min.js b/web/js/fingerprint2.min.js
diff --git a/web/login/index.php b/web/login/index.php
@@ -8,6 +8,7 @@
 
 // Logout
 if (isset($_GET['logout'])) {
+    setcookie('limit2fa','',time() - 3600,"/");
     session_destroy();
 }
 
@@ -86,33 +87,38 @@ function authenticate_user(){
                 $error = "<a class=\"error\">".__('Invalid username or password')."</a>";
                 return $error;
             } else {
-
                 // Make root admin user
                 if ($_POST['user'] == 'root') $v_user = 'admin';
-
                 // Get user speciefic parameters
                 exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
                 $data = json_decode(implode('', $output), true);
-
-                // Check if 2FA is active
-                if ($data[$_POST['user']]['TWOFA'] != '') {
-                   if (empty($_POST['twofa'])){
-                       return false;
-                   }else{
-                        $v_twofa = $_POST['twofa'];
-                        exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
-                        unset($output);
-                        if ( $return_var > 0 ) {
-                            sleep(2);
-                            $error = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
-                            return $error;
-                            unset($_POST['twofa']);
+                if ($data[$user]['TWOFA'] != '') {
+                    if(password_hash($data[$user]['TWOFA'].$_POST['murmur'],PASSWORD_BCRYPT) == $_COOKIE['limit2fa']){
+
+                    }else{                        
+                       setcookie('limit2fa','',time() - 3600,"/");
+                        if(empty($_POST['twofa'])){
+                            return false;
+                        }else{
+                            $v_twofa = $_POST['twofa'];
+                            exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
+                            unset($output);
+                            if ( $return_var > 0 ) {
+                                sleep(2);
+                                $error = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>";
+                                return $error;
+                                unset($_POST['twofa']);
+                            }   
                         }
-                   }
+                        
+                    }
                 }
                 // Define session user
                 $_SESSION['user'] = key($data);
                 $v_user = $_SESSION['user'];
+                if(empty($_COOKIE['limit2fa'])){
+                    setcookie('limit2fa',password_hash($data[$user]['TWOFA'].$_POST['murmur'],PASSWORD_BCRYPT),time()+60*60*24*$_SESSION['TWOFA_VALID_LENGTH'],"/");
+                };
                 $_SESSION['LAST_ACTIVITY'] = time();
                 // Define language
                 $output = '';
@@ -123,7 +129,6 @@ function authenticate_user(){
                 } else {
                     $_SESSION['language'] = 'en';
                 }
-
                 // Regenerate session id to prevent session fixation
                 session_regenerate_id();
 
diff --git a/web/templates/header.html b/web/templates/header.html
@@ -4,12 +4,13 @@
   <meta charset="utf-8">
   <link rel="icon" href="/images/favicon.ico" type="image/x-icon">
   <title><?php echo $_SERVER['HTTP_HOST']; ?> - <?=__($TAB)?> - <?=__('Hestia Control Panel');?></title>
-  <link type="text/css" rel="stylesheet" href="/css/styles.min.css?1446554106" />
+  <link type="text/css" rel="stylesheet" href="/css/styles.min.css?<?=JS_LATEST_UPDATE?>" />
   <link type="text/css" rel="stylesheet" href="/css/active-theme.css?<?php echo rand(); ?>" />
-  <link type="text/css" href="/css/animate.min.css?1446554103" rel="stylesheet" />
-  <link type="text/css" href="/css/jquery-custom-dialogs.css?1446554103" rel="stylesheet" />
-  <link type="text/css" href="/css/all.min.css?1446554103" rel="stylesheet" />
+  <link type="text/css" href="/css/animate.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" />
+  <link type="text/css" href="/css/jquery-custom-dialogs.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" />
+  <link type="text/css" href="/css/all.min.css?<?=JS_LATEST_UPDATE?>" rel="stylesheet" />
   <script src="/inc/jquery/jquery-3.4.1.min.js"></script>
+  <script type="text/javascript" src="/js/fingerprint2.min.js?<?=JS_LATEST_UPDATE?>"></script>
   <script>
     //
     //  GLOBAL SETTINGS
@@ -19,6 +20,24 @@
     GLOBAL.DB_USER_PREFIX   = 'admin_';
     GLOBAL.DB_DBNAME_PREFIX = 'admin_';
     GLOBAL.AJAX_URL = '';
+    
+    if (window.requestIdleCallback) {
+        requestIdleCallback(function () {
+            Fingerprint2.get(function (components) {
+                var values = components.map(function (component) { return component.value })
+                var murmur = Fingerprint2.x64hash128(values.join(''), 31);
+                $('#murmur').val(murmur);
+            })
+        })
+    } else {
+        setTimeout(function () {
+                Fingerprint2.get(function (components) {
+                var values = components.map(function (component) { return component.value })
+                var murmur = Fingerprint2.x64hash128(values.join(''), 31);
+                $('#murmur').val(murmur);
+            })  
+        }, 500);
+    }
   </script>
 </head>
 <body class="body-<?=strtolower($TAB)?> lang-<?=$_SESSION['language']?>">
diff --git a/web/templates/login.html b/web/templates/login.html
@@ -10,6 +10,7 @@
                                 <td style="padding: 40px 60px 0 0;">
                                     <form method="post" action="/login/" id="form_login">
                                     <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
+                                    <input type="hidden" name="murmur" value="" id="murmur">
                                     <table class="login-box">
                                         <tr>
                                             <td style="padding: 12px 0 0 2px;" class="login-welcome">
diff --git a/web/templates/login_1.html b/web/templates/login_1.html
@@ -11,6 +11,8 @@
                                     <form method="post" action="/login/" id="form_login">
                                     <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                                     <input type="hidden" name="user" value="<?php echo $_POST['user']; ?>">
+                                    <input type="hidden" name="murmur" value="<?php echo $_POST['murmur']; ?>" id="murmur">
+                                    
                                     
                                     <table class="login-box">
                                         <tr>
diff --git a/web/templates/login_2.html b/web/templates/login_2.html
@@ -12,6 +12,7 @@
                                     <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                                     <input type="hidden" name="user" value="<?php echo $_POST['user']; ?>">
                                     <input type="hidden" name="password" value="<?php echo $_POST['password']; ?>">
+                                    <input type="hidden" name="murmur" value="" id="murmur">
                                     <table class="login-box">
                                         <tr>
                                             <td style="padding: 12px 0 0 2px;" class="login-welcome">
