1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2026-07-01 10:35:44 +00:00

[Web] Add forced 2FA setup and password update enforcement

This commit is contained in:
FreddleSpl0it
2026-02-24 10:44:33 +01:00
parent 404e2f0190
commit ad5b94af5e
33 changed files with 810 additions and 285 deletions
+106
View File
@@ -377,6 +377,112 @@ function recursiveBase64StrToArrayBuffer(obj) {
});
{% endif %}
{% if pending_tfa_setup %}
var setupTFAModal = new bootstrap.Modal(document.getElementById("SetupTFAModal"), {
backdrop: 'static',
keyboard: false
});
setupTFAModal.show();
// Load QR code for TOTP setup in SetupTFAModal
var setupTotpSecret = $('#setup-tfa-qr-img').data('totp-secret');
if (setupTotpSecret) {
$.ajax({
type: "GET",
url: "/inc/ajax/qr_gen.php?token=" + encodeURIComponent(setupTotpSecret),
success: function(data) {
$('#setup-tfa-qr-img').attr('src', data);
}
});
}
// WebAuthn registration for SetupTFAModal
$('#start_setup_webauthn_register').click(function() {
if (!window.fetch || !navigator.credentials || !navigator.credentials.create) {
window.alert('Browser not supported.');
return;
}
var keyId = $('#setup_webauthn_reg_form input[name=key_id]').val();
if (!keyId) {
$('#setup_webauthn_return_code').show().text('Please fill in the key ID first.');
return;
}
window.fetch('/api/v1/get/webauthn-tfa-registration', {method: 'GET', cache: 'no-cache'}).then(function(response) {
return response.json();
}).then(function(json) {
if (json.success === false) throw new Error(json.error || 'Registration failed');
recursiveBase64StrToArrayBuffer(json);
return navigator.credentials.create(json);
}).then(function(cred) {
return {
id: cred.id,
rawId: arrayBufferToBase64(cred.rawId),
response: {
attestationObject: arrayBufferToBase64(cred.response.attestationObject),
clientDataJSON: arrayBufferToBase64(cred.response.clientDataJSON)
},
type: cred.type
};
}).then(function(credData) {
$('#setup_webauthn_register_data').val(JSON.stringify(credData));
$('#setup_webauthn_reg_form input[name=set_tfa]').val('1');
$('#setup_webauthn_reg_form').submit();
}).catch(function(err) {
$('#setup_webauthn_return_code').show().text(err.message || 'Registration failed');
});
});
{% endif %}
{% if pending_pw_update_modal and not pending_tfa_setup and not pending_tfa_methods %}
var changePWModal = new bootstrap.Modal(document.getElementById("ChangePWModal"), {
backdrop: 'static',
keyboard: false
});
changePWModal.show();
$('#changePWModalForm').on('submit', function(e) {
e.preventDefault();
var newPw = $('#changePWNew').val();
var newPw2 = $('#changePWNew2').val();
var role = '{{ mailcow_cc_role }}';
var username = '{{ mailcow_cc_username }}';
var url, attrPayload, itemsPayload;
if (role === 'admin') {
url = '/api/v1/edit/admin';
attrPayload = {password: newPw, password2: newPw2};
itemsPayload = [username];
} else {
url = '/api/v1/edit/self';
attrPayload = {user_new_pass: newPw, user_new_pass2: newPw2};
itemsPayload = null;
}
$('#changePWAlert').hide();
$.ajax({
type: 'POST',
url: url,
data: {
attr: JSON.stringify(attrPayload),
items: JSON.stringify(itemsPayload),
csrf_token: '{{ csrf_token }}'
},
dataType: 'json',
success: function(data) {
if (data && data[0] && data[0].type === 'success') {
window.location.reload();
} else {
var msg = (data && data[0] && data[0].msg) ? data[0].msg : 'Password change failed.';
$('#changePWAlert').show().text(msg);
}
},
error: function() {
$('#changePWAlert').show().text('Request failed. Please try again.');
}
});
});
{% endif %}
// Validate FIDO2
$("#fido2-login").click(function(){
+18
View File
@@ -39,6 +39,24 @@
</div>
</div>
</div>
<div class="row mb-2">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<input type="hidden" value="0" name="force_tfa">
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
<small class="text-muted d-block">{{ lang.tfa.force_tfa_info }}</small>
</div>
</div>
</div>
<div class="row mb-2">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<input type="hidden" value="0" name="force_pw_update">
<label><input type="checkbox" class="form-check-input" value="1" name="force_pw_update"{% if result.attributes.force_pw_update == '1' %} checked{% endif %}> {{ lang.edit.force_pw_update }}</label>
<small class="text-muted d-block">{{ lang.edit.force_pw_update_info|format(ui_texts.main_name) }}</small>
</div>
</div>
</div>
<div class="row">
<div class="offset-sm-2 col-sm-10">
<button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-api-reload-location="/admin" data-id="editadmin" data-item="{{ admin }}" data-api-url='edit/admin' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
+18
View File
@@ -52,6 +52,24 @@
</div>
</div>
</div>
<div class="row mb-2">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<input type="hidden" value="0" name="force_tfa">
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
<small class="text-muted d-block">{{ lang.tfa.force_tfa_info }}</small>
</div>
</div>
</div>
<div class="row mb-2">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<input type="hidden" value="0" name="force_pw_update">
<label><input type="checkbox" class="form-check-input" value="1" name="force_pw_update"{% if result.attributes.force_pw_update == '1' %} checked{% endif %}> {{ lang.edit.force_pw_update }}</label>
<small class="text-muted d-block">{{ lang.edit.force_pw_update_info|format(ui_texts.main_name) }}</small>
</div>
</div>
</div>
<div class="row mb-4">
<div class="offset-sm-2 col-sm-10">
<button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-api-reload-location="/admin" data-id="editdomainadmin" data-item="{{ domain_admin }}" data-api-url='edit/domain-admin' data-api-attr='{}' href="#">{{ lang.edit.save }}</button>
+9
View File
@@ -24,6 +24,7 @@
<form class="form-horizontal" data-id="editmailbox" role="form" method="post">
<input type="hidden" value="default" name="sender_acl">
<input type="hidden" value="0" name="force_pw_update">
<input type="hidden" value="0" name="force_tfa">
<input type="hidden" value="0" name="sogo_access">
<input type="hidden" value="0" name="protocol_access">
<div class="row mb-2">
@@ -317,6 +318,14 @@
</div>
</div>
</div>
<div class="row">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"{% if result.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
</div>
</div>
</div>
{% if not skip_sogo %}
<div data-acl="{{ acl.sogo_access }}" class="row">
<div class="offset-sm-2 col-sm-10">
+129
View File
@@ -311,6 +311,135 @@
</div>
</div>
{% endif %}
{% if pending_tfa_setup %}
<div class="modal fade" id="SetupTFAModal" tabindex="-1" role="dialog" aria-labelledby="SetupTFAModalLabel">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h3 class="modal-title">{{ lang.tfa.setup_title }}</h3>
<form method="post" class="d-inline">
<button type="submit" name="logout" value="1" class="btn-close" aria-label="Close"></button>
</form>
</div>
<div class="modal-body">
<div class="alert alert-warning">
<i class="bi bi-shield-exclamation"></i> {{ lang.tfa.setup_required }}
</div>
<ul class="nav nav-tabs mb-3" id="setupTFATabNav">
<li class="nav-item">
<a class="nav-link active" href="#setup_tab_totp" data-bs-toggle="tab"><i class="bi bi-clock-history"></i> Time-based OTP</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#setup_tab_webauthn" data-bs-toggle="tab"><i class="bi bi-fingerprint"></i> WebAuthn</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#setup_tab_yubi" data-bs-toggle="tab"><i class="bi bi-usb-drive"></i> Yubi OTP</a>
</li>
</ul>
<div class="tab-content">
<div role="tabpanel" class="tab-pane active" id="setup_tab_totp">
<form role="form" method="post" id="setup_totp_form">
<div class="mb-2">
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id_totp }}" autocomplete="off" required>
</div>
<hr>
<input type="hidden" value="{{ totp_secret }}" name="totp_secret">
<input type="hidden" name="tfa_method" value="totp">
<ol class="mb-4">
<li>
<p>{{ lang.tfa.scan_qr_code }}</p>
<img id="setup-tfa-qr-img" data-totp-secret="{{ totp_secret }}" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=">
<p class="text-muted">{{ lang.tfa.enter_qr_code }}:<br />
<code>{{ totp_secret }}</code>
</p>
</li>
<li>
<p>{{ lang.tfa.confirm_totp_token }}:</p>
<p><input type="number" style="width:33%" class="form-control" name="totp_confirm_token" autocomplete="off" required></p>
<p><button class="btn btn-sm d-block d-sm-inline btn-success" type="submit" name="set_tfa">{{ lang.tfa.confirm }}</button></p>
</li>
</ol>
</form>
</div>
<div role="tabpanel" class="tab-pane" id="setup_tab_webauthn">
<form class="d-flex flex-column" role="form" method="post" id="setup_webauthn_reg_form">
<div class="mb-2">
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id }}" autocomplete="off" required>
</div>
<hr>
<div class="text-center">
<div style="cursor:pointer" id="start_setup_webauthn_register">
<i class="bi bi-fingerprint" style="font-size:4rem"></i>
<p>{{ lang.tfa.start_webauthn_validation }}</p>
</div>
</div>
<hr>
<p id="setup_webauthn_status_reg"></p>
<div class="alert alert-danger" style="display:none" id="setup_webauthn_return_code"></div>
<input type="hidden" name="token" id="setup_webauthn_register_data"/>
<input type="hidden" name="tfa_method" value="webauthn">
<input type="hidden" name="set_tfa"/><br/>
</form>
</div>
<div role="tabpanel" class="tab-pane" id="setup_tab_yubi">
<form role="form" method="post">
<div class="mb-4">
<input type="text" class="form-control" name="key_id" placeholder="{{ lang.tfa.key_id }}" autocomplete="off" required>
</div>
<hr>
<p class="text-muted">{{ lang.tfa.api_register|format(ui_texts.main_name)|raw }}</p>
<div class="mb-2">
<input type="text" class="form-control" name="yubico_id" placeholder="Yubico API ID" autocomplete="off" required>
</div>
<div class="mb-4">
<input type="text" class="form-control" name="yubico_key" placeholder="Yubico API Key" autocomplete="off" required>
</div>
<hr>
<div class="mb-4">
<div class="input-group">
<span class="input-group-text" id="yubi-setup-addon"><img alt="Yubicon Icon" src="/img/yubi.ico"></span>
<input type="text" name="otp_token" class="form-control" placeholder="Touch Yubikey" aria-describedby="yubi-setup-addon">
<input type="hidden" name="tfa_method" value="yubi_otp">
</div>
</div>
<button class="btn btn-sm d-block d-sm-inline btn-success" type="submit" name="set_tfa">{{ lang.user.save_changes }}</button>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
{% endif %}
{% if pending_pw_update_modal and not pending_tfa_methods %}
<div class="modal fade" id="ChangePWModal" tabindex="-1" role="dialog" aria-labelledby="ChangePWModalLabel">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h3 class="modal-title">{{ lang.user.change_password }}</h3>
<form method="post" class="d-inline">
<button type="submit" name="logout" value="1" class="btn-close" aria-label="Close"></button>
</form>
</div>
<div class="modal-body">
<div class="alert alert-warning">
<i class="bi bi-key"></i> {{ lang.user.pw_update_required }}
</div>
<form role="form" id="changePWModalForm">
<div class="mb-3">
<input type="password" class="form-control" id="changePWNew" placeholder="{{ lang.user.new_password }}" autocomplete="new-password" required>
</div>
<div class="mb-4">
<input type="password" class="form-control" id="changePWNew2" placeholder="{{ lang.user.new_password_repeat }}" autocomplete="new-password" required>
</div>
<div id="changePWAlert" class="alert alert-danger" style="display:none"></div>
<button class="btn btn-sm btn-success" type="submit">{{ lang.user.save_changes }}</button>
</form>
</div>
</div>
</div>
</div>
{% endif %}
{% if mailcow_cc_role == 'admin' %}
<div id="RestartContainer" class="modal fade" role="dialog">
<div class="modal-dialog">
+18
View File
@@ -9,6 +9,7 @@
<div class="modal-body">
<form class="form-horizontal" data-cached-form="true" data-id="add_mailbox" role="form" autocomplete="off">
<input type="hidden" value="0" name="force_pw_update">
<input type="hidden" value="0" name="force_tfa">
<input type="hidden" value="0" name="sogo_access">
<input type="hidden" value="0" name="protocol_access">
<input type="hidden" value="mailcow" name="authsource">
@@ -204,6 +205,14 @@
</div>
</div>
</div>
<div class="row">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa" id="force_tfa"> {{ lang.tfa.force_tfa }}</label>
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
</div>
</div>
</div>
{% if not skip_sogo %}
<div class="row">
<div class="offset-sm-2 col-sm-10">
@@ -237,6 +246,7 @@
<form class="form-horizontal" data-id="addmailbox_template" role="form" method="post">
<input type="hidden" value="default" name="sender_acl">
<input type="hidden" value="0" name="force_pw_update">
<input type="hidden" value="0" name="force_tfa">
<input type="hidden" value="0" name="sogo_access">
<input type="hidden" value="0" name="protocol_access">
@@ -394,6 +404,14 @@
</div>
</div>
</div>
<div class="row">
<div class="offset-sm-2 col-sm-10">
<div class="form-check">
<label><input type="checkbox" class="form-check-input" value="1" name="force_tfa"> {{ lang.tfa.force_tfa }}</label>
<small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
</div>
</div>
</div>
{% if not skip_sogo %}
<div class="row">
<div class="offset-sm-2 col-sm-10">