Verified Commit 61c3876f authored by Peter Bolha's avatar Peter Bolha :ok_hand_tone1:

fix: failcounter handling

parent f80f0c27
1 merge request!25Fix TOTP failcounter handling
Pipeline #355047 failed
...@@ -92,6 +92,9 @@ ...@@ -92,6 +92,9 @@
"error_message": { "error_message": {
"en": "Verification was not successful. Please try again." "en": "Verification was not successful. Please try again."
}, },
"failcounter_error_message": {
"en": "Verification code you have entered is either incorrect or this method of authentication has been deactivated for your account due to numerous failed login attempts. If your login attempts using verification codes keep failing, please use a recovery code or a security key."
},
"error": { "error": {
"en": "Error" "en": "Error"
} }
......
...@@ -138,6 +138,9 @@ ...@@ -138,6 +138,9 @@
"error_message": { "error_message": {
"cs": "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu." "cs": "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu."
}, },
"failcounter_error_message": {
"cs": "Zadaný ověřovací kód je nesprávný, nebo byly ověřovací kódy ve Vašem účtu zablokovány (např. kvůli velkému počtu neúspěšných pokusů). Pokud se Vám opakovaně nedaří použít ověřovací kód, prosím použijte bezpečnostní klíč nebo záložní kód."
},
"error": { "error": {
"cs": "Chyba" "cs": "Chyba"
} }
......
...@@ -105,7 +105,21 @@ class Utils ...@@ -105,7 +105,21 @@ class Utils
} }
} else { } else {
try { try {
$response = $pi->validateCheck($username, $formParams['otp'], $transactionID); // limit otp validation to totp tokens to prevent incrementing of webauthn failcounter
$params["type"] = "totp";
$params["user"] = $username;
$params["pass"] = $formParams['otp'];
$headers = [];
$rawResponse = $pi->sendRequest($params, $headers, 'POST', '/validate/check');
$response = PIResponse::fromJSON($rawResponse, $pi);
$isAuthUnuccessful = $response->value === false;
if ($isAuthUnuccessful) {
// prepare custom error message placeholder - failcounter might have been exceeded
Logger::debug("Original TOTP validation response error message: " . $response->errorMessage);
$response->errorMessage = "possible failcounter exceeded";
}
} catch (\Exception $e) { } catch (\Exception $e) {
self::handlePrivacyIDEAException($e, $state); self::handlePrivacyIDEAException($e, $state);
} }
...@@ -318,7 +332,7 @@ class Utils ...@@ -318,7 +332,7 @@ class Utils
} else { } else {
// Unexpected response // Unexpected response
Logger::error('privacyIDEA: ' . $response->message); Logger::error('privacyIDEA: ' . $response->message);
$state['privacyidea:privacyidea']['errorMessage'] = $response->message; $state['privacyidea:privacyidea']['errorMessage'] = $response->errorMessage;
} }
return State::saveState($state, 'privacyidea:privacyidea'); return State::saveState($state, 'privacyidea:privacyidea');
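Review bot: The request built on lines L40–L44 hard-codes `type` to `totp` and no longer sends the `$transactionID` that the replaced `validateCheck` call passed, so a user whose OTP token is not a TOTP token (HOTP, SMS/e-mail OTP) or an OTP entered as the answer to a challenge-response transaction will presumably stop validating; if that narrowing is intended it should be stated in the comment, otherwise keep `$params["transaction_id"] = $transactionID;` alongside the type filter. `$params` is also written without being initialised inside the hunk — unless it is reset above, keys from an earlier request would be carried into this one, and an explicit `$params = [];` before line 40 removes the doubt. In the second hunk the state now stores `$response->errorMessage` while `Logger::error('privacyIDEA: ' . $response->message)` still logs `message`, so the log entry and the shown error can disagree; log the same field. The enclosing method of both hunks starts before and ends after the visible lines.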
......
...@@ -119,6 +119,9 @@ msgstr "Zkusit znovu" ...@@ -119,6 +119,9 @@ msgstr "Zkusit znovu"
msgid "{privacyidea:privacyidea:error_message}" msgid "{privacyidea:privacyidea:error_message}"
msgstr "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu." msgstr "Ověření nebylo úspěšné. Zkuste to znovu nebo použijte jinou metodu."
msgid "{privacyidea:privacyidea:failcounter_error_message}"
msgstr "Zadaný kód ověřovací kód je nesprávný nebo byly ověřovací kódy ve Vašem účtu zablokovány (např. kvůli velkému počtu neúspěšných pokusů). Pokud se Vám opakovaně nedaří použít ověřovací kód, prosím použijte bezpečnostní klíč nebo záložní kód."
msgid "{privacyidea:privacyidea:error}" msgid "{privacyidea:privacyidea:error}"
msgstr "Chyba" msgstr "Chyba"
...@@ -117,6 +117,9 @@ msgstr "Try Again" ...@@ -117,6 +117,9 @@ msgstr "Try Again"
msgid "{privacyidea:privacyidea:error_message}" msgid "{privacyidea:privacyidea:error_message}"
msgstr "Verification was not successful. Please try again." msgstr "Verification was not successful. Please try again."
msgid "{privacyidea:privacyidea:failcounter_error_message}"
msgstr "Verification code you have entered is either incorrect or this method of authentication has been deactivated for your account due to numerous failed login attempts. If your login attempts using verification codes keep failing, please use a recovery code or a security key."
msgid "{privacyidea:privacyidea:error}" msgid "{privacyidea:privacyidea:error}"
msgstr "Error" msgstr "Error"
...@@ -45,6 +45,13 @@ if ( ...@@ -45,6 +45,13 @@ if (
$tpl->data['errorCode'] = ($state['privacyidea:privacyidea']['errorCode'] ?? null) ?: ''; $tpl->data['errorCode'] = ($state['privacyidea:privacyidea']['errorCode'] ?? null) ?: '';
$state['privacyidea:privacyidea']['errorCode'] = ''; $state['privacyidea:privacyidea']['errorCode'] = '';
$tpl->data['errorMessage'] = $tpl->t('{privacyidea:privacyidea:error_message}'); $tpl->data['errorMessage'] = $tpl->t('{privacyidea:privacyidea:error_message}');
// replace custom error message placeholder
$errorMessage = $state['privacyidea:privacyidea']['errorMessage'];
if (stripos($errorMessage, "possible failcounter exceeded") !== false) {
$tpl->data['errorMessage'] = $tpl->t('{privacyidea:privacyidea:failcounter_error_message}');
}
$state['privacyidea:privacyidea']['errorMessage'] = ''; $state['privacyidea:privacyidea']['errorMessage'] = '';
$stateId = State::saveState($state, 'privacyidea:privacyidea'); $stateId = State::saveState($state, 'privacyidea:privacyidea');
} }
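Review bot: Line L82 reads `$state['privacyidea:privacyidea']['errorMessage']` without the `?? null` guard that line L78 applies to `errorCode`, so when nothing was stored this raises an undefined-index warning and hands `null` to `stripos()`, which PHP 8.1+ deprecates; `$errorMessage = $state['privacyidea:privacyidea']['errorMessage'] ?? '';` closes that. The sentinel `"possible failcounter exceeded"` is now a magic string duplicated between Utils and this template, and a case-insensitive substring match would also fire on any other stored message that happens to contain it; a shared class constant compared with `===` is more robust. The enclosing `if (` block starts before the hunk.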
......