From cb47fa406f10ce929543e3e918c11b985a500ab2 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Tue, 15 Apr 2025 13:48:13 +0200
Subject: [PATCH] [Web] Fix force password update at next login

---
 data/web/inc/functions.auth.inc.php | 14 ++++++++++++++
 data/web/inc/functions.inc.php | 1 +
 data/web/inc/triggers.user.inc.php | 8 ++++++--
 data/web/sogo-auth.php | 3 ++-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php
index 994915efc..57dec808d 100644
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -242,6 +242,7 @@ function user_login($user, $pass, $extra = null){
 return false;
 }

+ $row['attributes'] = json_decode($row['attributes'], true);
 switch ($row['authsource']) {
 case 'keycloak':
 // user authsource is keycloak, try using via rest flow
@@ -261,6 +262,10 @@ function user_login($user, $pass, $extra = null){
 return false;
 }

+ if (intval($row['attributes']['force_pw_update']) == 1) {
+ $_SESSION['pending_pw_update'] = true;
+ }
+
 // check for tfa authenticators
 $authenticators = get_tfa($user);
 if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -313,6 +318,10 @@ function user_login($user, $pass, $extra = null){
 return false;
 }

+ if (intval($row['attributes']['force_pw_update']) == 1) {
+ $_SESSION['pending_pw_update'] = true;
+ }
+
 // check for tfa authenticators
 $authenticators = get_tfa($user);
 if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
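Review bot: The `$row['attributes']` decoded in the @@ -242 hunk is used unchecked by the three force_pw_update guards (@@ -261, @@ -313, and @@ -351 further down): when the column is NULL or not valid JSON, `json_decode` returns null, the nested index raises a PHP 8 "array offset on null" warning, and `intval()` yields 0, so the forced password update is silently not enforced for that login. Each guard also only ever sets the flag to true, so a `pending_pw_update` left in the session by an earlier login is never cleared on a login where the attribute is 0, which makes the SOGo SSO gate depend on session history rather than on this user's attribute (whether a session can see two logins depends on the dual-login flow, which is outside the hunk). Replacing each three-line guard with an unconditional assignment, `$_SESSION['pending_pw_update'] = (int)($row['attributes']['force_pw_update'] ?? 0) === 1;`, fixes both and removes the fourfold duplication; a stricter variant would treat an undecodable attributes column as pending rather than as cleared. user_login begins before the first hunk and continues past the last.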
@@ -351,6 +360,11 @@ function user_login($user, $pass, $extra = null){ } // verify password if (verify_hash($row['password'], $pass) !== false) { + + if (intval($row['attributes']['force_pw_update']) == 1) { + $_SESSION['pending_pw_update'] = true; + } + // check for tfa authenticators $authenticators = get_tfa($user); if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) { diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 49e26b978..334b99e64 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1001,6 +1001,7 @@ function edit_user_account($_data) { ':password_hashed' => $password_hashed, ':username' => $username )); + $_SESSION['pending_pw_update'] = false; update_sogo_static_view(); } diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php index 33eb83e7b..30bf0fe64 100644 --- a/data/web/inc/triggers.user.inc.php +++ b/data/web/inc/triggers.user.inc.php @@ -76,7 +76,9 @@ if (isset($_POST["verify_tfa_login"])) { $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']); $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; - if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) { + if (intval($user_details['attributes']['sogo_access']) == 1 && + intval($user_details['attributes']['force_pw_update']) != 1 && + !$is_dual) { header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}"); die(); } else { 
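Review bot: `$_SESSION['pending_pw_update'] = false;` in edit_user_account clears the flag of whoever is running the request, not of the mailbox whose password was just changed, so an admin resetting another user's password clears the admin's own session flag while the affected user's pending state is untouched. The hunk also does not show the `force_pw_update` attribute itself being cleared in the database; if that happens elsewhere it is fine, otherwise the flag is simply re-set at that user's next login. Guarding the assignment with the session owner, `if (($_SESSION['mailcow_cc_username'] ?? null) === $username) { $_SESSION['pending_pw_update'] = false; }`, keeps the session state tied to the account it describes. edit_user_account starts and ends outside the hunk.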
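Review bot: The post-login redirect in the triggers.user.inc.php hunk (and in the @@ -139 hunk that follows) decides on `$user_details['attributes']['force_pw_update']` from mailbox("get", ...), whereas the login path and sogo-auth.php decide on `$_SESSION['pending_pw_update']`; two sources of truth for one gate can disagree (for example when the mailbox attributes fail to decode but the session flag was set, or the reverse), and the user is then sent to /SOGo/so/ only to be refused by the SSO check, or kept on the mailcow UI while SSO would have let them through. If user_login has already run for this session, reading the same flag here, `intval($user_details['attributes']['sogo_access']) == 1 && empty($_SESSION['pending_pw_update']) && !$is_dual`, keeps the three checks consistent. The else branch of both if-blocks continues past the hunk.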
@@ -139,7 +141,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) { $user_details = mailbox("get", "mailbox_details", $login_user); $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; - if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual) { + if (intval($user_details['attributes']['sogo_access']) == 1 && + intval($user_details['attributes']['force_pw_update']) != 1 && + !$is_dual) { header("Location: /SOGo/so/{$login_user}"); die(); } else { diff --git a/data/web/sogo-auth.php b/data/web/sogo-auth.php index 5e0f3c39b..00709fe5f 100644 --- a/data/web/sogo-auth.php +++ b/data/web/sogo-auth.php @@ -94,7 +94,8 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT !empty($email) && filter_var($email, FILTER_VALIDATE_EMAIL) && is_array($_SESSION[$session_var_user_allowed]) && - in_array($email, $_SESSION[$session_var_user_allowed]) + in_array($email, $_SESSION[$session_var_user_allowed]) && + !$_SESSION['pending_pw_update'] ) { $username = $email; $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
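Review bot: `!$_SESSION['pending_pw_update']` in the sogo-auth.php hunk reads a key that is only written when a login finds the attribute set or when a password is changed, so for every other session it is undefined; PHP 8 logs an "Undefined array key" warning on each SOGo SSO request and the expression still evaluates to true, so the gate is correct but noisy. `empty($_SESSION['pending_pw_update'])` or `!($_SESSION['pending_pw_update'] ?? false)` expresses the same allow-when-absent decision without the warning. This gate also trusts the snapshot taken at login, so a force_pw_update set by an admin while the user is already logged in is not seen until re-login; that may be acceptable, but a one-line comment stating it would save the next reader from assuming the DB attribute is consulted here. The enclosing elseif condition starts before the hunk and its body continues past it.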