[Web] Add forced 2FA setup and password update enforcement
@@ -377,6 +377,112 @@ function recursiveBase64StrToArrayBuffer(obj) {
|
||||
});
|
||||
{% endif %}
|
||||
|
||||
{% if pending_tfa_setup %}
|
||||
var setupTFAModal = new bootstrap.Modal(document.getElementById("SetupTFAModal"), {
|
||||
backdrop: 'static',
|
||||
keyboard: false
|
||||
});
|
||||
setupTFAModal.show();
|
||||
|
||||
// Load QR code for TOTP setup in SetupTFAModal
|
||||
var setupTotpSecret = $('#setup-tfa-qr-img').data('totp-secret');
|
||||
if (setupTotpSecret) {
|
||||
$.ajax({
|
||||
type: "GET",
|
||||
url: "/inc/ajax/qr_gen.php?token=" + encodeURIComponent(setupTotpSecret),
|
||||
success: function(data) {
|
||||
$('#setup-tfa-qr-img').attr('src', data);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// WebAuthn registration for SetupTFAModal
|
||||
$('#start_setup_webauthn_register').click(function() {
|
||||
if (!window.fetch || !navigator.credentials || !navigator.credentials.create) {
|
||||
window.alert('Browser not supported.');
|
||||
return;
|
||||
}
|
||||
var keyId = $('#setup_webauthn_reg_form input[name=key_id]').val();
|
||||
if (!keyId) {
|
||||
$('#setup_webauthn_return_code').show().text('Please fill in the key ID first.');
|
||||
return;
|
||||
}
|
||||
window.fetch('/api/v1/get/webauthn-tfa-registration', {method: 'GET', cache: 'no-cache'}).then(function(response) {
|
||||
return response.json();
|
||||
}).then(function(json) {
|
||||
if (json.success === false) throw new Error(json.error || 'Registration failed');
|
||||
recursiveBase64StrToArrayBuffer(json);
|
||||
return navigator.credentials.create(json);
|
||||
}).then(function(cred) {
|
||||
return {
|
||||
id: cred.id,
|
||||
rawId: arrayBufferToBase64(cred.rawId),
|
||||
response: {
|
||||
attestationObject: arrayBufferToBase64(cred.response.attestationObject),
|
||||
clientDataJSON: arrayBufferToBase64(cred.response.clientDataJSON)
|
||||
},
|
||||
type: cred.type
|
||||
};
|
||||
}).then(function(credData) {
|
||||
$('#setup_webauthn_register_data').val(JSON.stringify(credData));
|
||||
$('#setup_webauthn_reg_form input[name=set_tfa]').val('1');
|
||||
$('#setup_webauthn_reg_form').submit();
|
||||
}).catch(function(err) {
|
||||
$('#setup_webauthn_return_code').show().text(err.message || 'Registration failed');
|
||||
});
|
||||
});
|
||||
{% endif %}
|
||||
|
||||
{% if pending_pw_update_modal and not pending_tfa_setup and not pending_tfa_methods %}
|
||||
var changePWModal = new bootstrap.Modal(document.getElementById("ChangePWModal"), {
|
||||
backdrop: 'static',
|
||||
keyboard: false
|
||||
});
|
||||
changePWModal.show();
|
||||
|
||||
$('#changePWModalForm').on('submit', function(e) {
|
||||
e.preventDefault();
|
||||
var newPw = $('#changePWNew').val();
|
||||
var newPw2 = $('#changePWNew2').val();
|
||||
var role = '{{ mailcow_cc_role }}';
|
||||
var username = '{{ mailcow_cc_username }}';
|
||||
|
||||
var url, attrPayload, itemsPayload;
|
||||
if (role === 'admin') {
|
||||
url = '/api/v1/edit/admin';
|
||||
attrPayload = {password: newPw, password2: newPw2};
|
||||
itemsPayload = [username];
|
||||
} else {
|
||||
url = '/api/v1/edit/self';
|
||||
attrPayload = {user_new_pass: newPw, user_new_pass2: newPw2};
|
||||
itemsPayload = null;
|
||||
}
|
||||
|
||||
$('#changePWAlert').hide();
|
||||
$.ajax({
|
||||
type: 'POST',
|
||||
url: url,
|
||||
data: {
|
||||
attr: JSON.stringify(attrPayload),
|
||||
items: JSON.stringify(itemsPayload),
|
||||
csrf_token: '{{ csrf_token }}'
|
||||
},
|
||||
dataType: 'json',
|
||||
success: function(data) {
|
||||
if (data && data[0] && data[0].type === 'success') {
|
||||
window.location.reload();
|
||||
} else {
|
||||
var msg = (data && data[0] && data[0].msg) ? data[0].msg : 'Password change failed.';
|
||||
$('#changePWAlert').show().text(msg);
|
||||
}
|
||||
},
|
||||
error: function() {
|
||||
$('#changePWAlert').show().text('Request failed. Please try again.');
|
||||
}
|
||||
});
|
||||
});
|
||||
{% endif %}
|
||||
|
||||
|
||||
// Validate FIDO2
|
||||
$("#fido2-login").click(function(){
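Review bot: The Twig values interpolated into JavaScript string literals at `var role = '{{ mailcow_cc_role }}';`, `var username = '{{ mailcow_cc_username }}';` and `csrf_token: '{{ csrf_token }}'` appear to rely on the default HTML autoescaping, which is the wrong context inside a `<script>` block: entities such as `&#039;` are not decoded there, so a value containing a quote would be corrupted rather than escaped for JS. Use the JS strategy instead, e.g. `var username = '{{ mailcow_cc_username|e('js') }}';`, or read the values from data attributes on the form. The gating condition `{% if pending_pw_update_modal and not pending_tfa_setup and not pending_tfa_methods %}` here differs from the one that renders the `ChangePWModal` markup later in this commit (`pending_pw_update_modal and not pending_tfa_methods`), so with a pending TFA setup the modal is emitted but never shown; the two conditions should be aligned. The static-backdrop modals are a client-side gate only and the server-side handling is not part of this hunk, so confirm that requests other than TFA setup and password change are rejected while `pending_tfa_setup` or `pending_pw_update_modal` is set. The enclosing ready handler begins and ends outside the hunk.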
|
||||
|
||||
@@ -39,6 +39,24 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row mb-2">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<input type="hidden" value="0" name="force_tfa">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
|
||||
<small class="text-muted d-block">{{ lang.tfa.force_tfa_info }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row mb-2">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<input type="hidden" value="0" name="force_pw_update">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_pw_update"{% if result.attributes.force_pw_update == '1' %} checked{% endif %}> {{ lang.edit.force_pw_update }}</label>
|
||||
<small class="text-muted d-block">{{ lang.edit.force_pw_update_info|format(ui_texts.main_name) }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-api-reload-location="/admin" data-id="editadmin" data-item="{{ admin }}" data-api-url='edit/admin' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
|
||||
|
||||
@@ -52,6 +52,24 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row mb-2">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<input type="hidden" value="0" name="force_tfa">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
|
||||
<small class="text-muted d-block">{{ lang.tfa.force_tfa_info }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row mb-2">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<input type="hidden" value="0" name="force_pw_update">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_pw_update"{% if result.attributes.force_pw_update == '1' %} checked{% endif %}> {{ lang.edit.force_pw_update }}</label>
|
||||
<small class="text-muted d-block">{{ lang.edit.force_pw_update_info|format(ui_texts.main_name) }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row mb-4">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-api-reload-location="/admin" data-id="editdomainadmin" data-item="{{ domain_admin }}" data-api-url='edit/domain-admin' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
|
||||
|
||||
@@ -24,6 +24,7 @@
|
||||
<form class="form-horizontal" data-id="editmailbox" role="form" method="post">
|
||||
<input type="hidden" value="default" name="sender_acl">
|
||||
<input type="hidden" value="0" name="force_pw_update">
|
||||
<input type="hidden" value="0" name="force_tfa">
|
||||
<input type="hidden" value="0" name="sogo_access">
|
||||
<input type="hidden" value="0" name="protocol_access">
|
||||
<div class="row mb-2">
|
||||
@@ -317,6 +318,14 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
|
||||
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% if not skip_sogo %}
|
||||
<div data-acl="{{ acl.sogo_access }}" class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
|
||||
@@ -311,6 +311,135 @@
|
||||
</div>
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if pending_tfa_setup %}
|
||||
<div class="modal fade" id="SetupTFAModal" tabindex="-1" role="dialog" aria-labelledby="SetupTFAModalLabel">
|
||||
<div class="modal-dialog" role="document">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h3 class="modal-title">{{ lang.tfa.setup_title }}</h3>
|
||||
<form method="post" class="d-inline">
|
||||
<button type="submit" name="logout" value="1" class="btn-close" aria-label="Close"></button>
|
||||
</form>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<div class="alert alert-warning">
|
||||
<i class="bi bi-shield-exclamation"></i> {{ lang.tfa.setup_required }}
|
||||
</div>
|
||||
<ul class="nav nav-tabs mb-3" id="setupTFATabNav">
|
||||
<li class="nav-item">
|
||||
<a class="nav-link active" href="#setup_tab_totp" data-bs-toggle="tab"><i class="bi bi-clock-history"></i> Time-based OTP</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="#setup_tab_webauthn" data-bs-toggle="tab"><i class="bi bi-fingerprint"></i> WebAuthn</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="#setup_tab_yubi" data-bs-toggle="tab"><i class="bi bi-usb-drive"></i> Yubi OTP</a>
|
||||
</li>
|
||||
</ul>
|
||||
<div class="tab-content">
|
||||
<div role="tabpanel" class="tab-pane active" id="setup_tab_totp">
|
||||
<form role="form" method="post" id="setup_totp_form">
|
||||
<div class="mb-2">
|
||||
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id_totp }}" autocomplete="off" required>
|
||||
</div>
|
||||
<hr>
|
||||
<input type="hidden" value="{{ totp_secret }}" name="totp_secret">
|
||||
<input type="hidden" name="tfa_method" value="totp">
|
||||
<ol class="mb-4">
|
||||
<li>
|
||||
<p>{{ lang.tfa.scan_qr_code }}</p>
|
||||
<img id="setup-tfa-qr-img" data-totp-secret="{{ totp_secret }}" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">
|
||||
<p class="text-muted">{{ lang.tfa.enter_qr_code }}:<br />
|
||||
<code>{{ totp_secret }}</code>
|
||||
</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>{{ lang.tfa.confirm_totp_token }}:</p>
|
||||
<p><input type="number" style="width:33%" class="form-control" name="totp_confirm_token" autocomplete="off" required></p>
|
||||
<p><button class="btn btn-sm d-block d-sm-inline btn-success" type="submit" name="set_tfa">{{ lang.tfa.confirm }}</button></p>
|
||||
</li>
|
||||
</ol>
|
||||
</form>
|
||||
</div>
|
||||
<div role="tabpanel" class="tab-pane" id="setup_tab_webauthn">
|
||||
<form class="d-flex flex-column" role="form" method="post" id="setup_webauthn_reg_form">
|
||||
<div class="mb-2">
|
||||
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id }}" autocomplete="off" required>
|
||||
</div>
|
||||
<hr>
|
||||
<div class="text-center">
|
||||
<div style="cursor:pointer" id="start_setup_webauthn_register">
|
||||
<i class="bi bi-fingerprint" style="font-size:4rem"></i>
|
||||
<p>{{ lang.tfa.start_webauthn_validation }}</p>
|
||||
</div>
|
||||
</div>
|
||||
<hr>
|
||||
<p id="setup_webauthn_status_reg"></p>
|
||||
<div class="alert alert-danger" style="display:none" id="setup_webauthn_return_code"></div>
|
||||
<input type="hidden" name="token" id="setup_webauthn_register_data"/>
|
||||
<input type="hidden" name="tfa_method" value="webauthn">
|
||||
<input type="hidden" name="set_tfa"/><br/>
|
||||
</form>
|
||||
</div>
|
||||
<div role="tabpanel" class="tab-pane" id="setup_tab_yubi">
|
||||
<form role="form" method="post">
|
||||
<div class="mb-4">
|
||||
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id }}" autocomplete="off" required>
|
||||
</div>
|
||||
<hr>
|
||||
<p class="text-muted">{{ lang.tfa.api_register|format(ui_texts.main_name)|raw }}</p>
|
||||
<div class="mb-2">
|
||||
<input type="text" class="form-control" name="yubico_id" placeholder="Yubico API ID" autocomplete="off" required>
|
||||
</div>
|
||||
<div class="mb-4">
|
||||
<input type="text" class="form-control" name="yubico_key" placeholder="Yubico API Key" autocomplete="off" required>
|
||||
</div>
|
||||
<hr>
|
||||
<div class="mb-4">
|
||||
<div class="input-group">
|
||||
<span class="input-group-text" id="yubi-setup-addon"><img alt="Yubicon Icon" src="/img/yubi.ico"></span>
|
||||
<input type="text" name="otp_token" class="form-control" placeholder="Touch Yubikey" aria-describedby="yubi-setup-addon">
|
||||
<input type="hidden" name="tfa_method" value="yubi_otp">
|
||||
</div>
|
||||
</div>
|
||||
<button class="btn btn-sm d-block d-sm-inline btn-success" type="submit" name="set_tfa">{{ lang.user.save_changes }}</button>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if pending_pw_update_modal and not pending_tfa_methods %}
|
||||
<div class="modal fade" id="ChangePWModal" tabindex="-1" role="dialog" aria-labelledby="ChangePWModalLabel">
|
||||
<div class="modal-dialog" role="document">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h3 class="modal-title">{{ lang.user.change_password }}</h3>
|
||||
<form method="post" class="d-inline">
|
||||
<button type="submit" name="logout" value="1" class="btn-close" aria-label="Close"></button>
|
||||
</form>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<div class="alert alert-warning">
|
||||
<i class="bi bi-key"></i> {{ lang.user.pw_update_required }}
|
||||
</div>
|
||||
<form role="form" id="changePWModalForm">
|
||||
<div class="mb-3">
|
||||
<input type="password" class="form-control" id="changePWNew" placeholder="{{ lang.user.new_password }}" autocomplete="new-password" required>
|
||||
</div>
|
||||
<div class="mb-4">
|
||||
<input type="password" class="form-control" id="changePWNew2" placeholder="{{ lang.user.new_password_repeat }}" autocomplete="new-password" required>
|
||||
</div>
|
||||
<div id="changePWAlert" class="alert alert-danger" style="display:none"></div>
|
||||
<button class="btn btn-sm btn-success" type="submit">{{ lang.user.save_changes }}</button>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if mailcow_cc_role == 'admin' %}
|
||||
<div id="RestartContainer" class="modal fade" role="dialog">
|
||||
<div class="modal-dialog">
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
<div class="modal-body">
|
||||
<form class="form-horizontal" data-cached-form="true" data-id="add_mailbox" role="form" autocomplete="off">
|
||||
<input type="hidden" value="0" name="force_pw_update">
|
||||
<input type="hidden" value="0" name="force_tfa">
|
||||
<input type="hidden" value="0" name="sogo_access">
|
||||
<input type="hidden" value="0" name="protocol_access">
|
||||
<input type="hidden" value="mailcow" name="authsource">
|
||||
@@ -204,6 +205,14 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa" id="force_tfa"> {{ lang.tfa.force_tfa }}</label>
|
||||
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% if not skip_sogo %}
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
@@ -237,6 +246,7 @@
|
||||
<form class="form-horizontal" data-id="addmailbox_template" role="form" method="post">
|
||||
<input type="hidden" value="default" name="sender_acl">
|
||||
<input type="hidden" value="0" name="force_pw_update">
|
||||
<input type="hidden" value="0" name="force_tfa">
|
||||
<input type="hidden" value="0" name="sogo_access">
|
||||
<input type="hidden" value="0" name="protocol_access">
|
||||
|
||||
@@ -394,6 +404,14 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
<div class="form-check">
|
||||
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"> {{ lang.tfa.force_tfa }}</label>
|
||||
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% if not skip_sogo %}
|
||||
<div class="row">
|
||||
<div class="offset-sm-2 col-sm-10">
|
||||
|
||||