Do not give the user the secret.

2024-11-23 01:16:46 -06:00 · 2016-03-19 07:56:57 +01:00 · 2016-03-19 07:56:57 +01:00 · fb165ef28b
commit fb165ef28b
parent a26acf4a25
4 changed files with 9 additions and 18 deletions
--- a/app/Http/Controllers/PreferencesController.php
+++ b/app/Http/Controllers/PreferencesController.php
@ -37,10 +37,11 @@ class PreferencesController extends Controller
    {
        $domain = $this->getDomain();
        $secret = $google2fa->generateSecretKey(16, Auth::user()->id);
+        Session::flash('two-factor-secret', $secret);
        $image  = $google2fa->getQRCodeInline('Firefly III at ' . $domain, null, $secret, 150);


-        return view('preferences.code', compact('secret', 'image'));
+        return view('preferences.code', compact('image'));
    }

    /**
--- a/app/Http/Requests/TokenFormRequest.php
+++ b/app/Http/Requests/TokenFormRequest.php
@ -29,8 +29,7 @@ class TokenFormRequest extends Request
    {

        $rules = [
-            'secret' => 'required',
-            'code'   => 'required|2faCode:secret',
+            'code'   => 'required|2faCode',
        ];

        return $rules;
--- a/app/Validation/FireflyValidator.php
+++ b/app/Validation/FireflyValidator.php
@ -18,8 +18,8 @@ use FireflyIII\Rules\Triggers\TriggerInterface;
 use FireflyIII\User;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Validation\Validator;
-use Input;
 use Log;
+use Session;
 use Symfony\Component\Translation\TranslatorInterface;

 /**
@ -59,9 +59,7 @@ class FireflyValidator extends Validator
            return false;
        }

-        // Retrieve the secret from our hidden form field.
-        $secret = Input::get($parameters[0]);
-
+        $secret    = Session::get('two-factor-secret');
        $google2fa = app('PragmaRX\Google2FA\Google2FA');

        return $google2fa->verifyKey($secret, $value);
--- a/resources/views/preferences/code.twig
+++ b/resources/views/preferences/code.twig
@ -6,8 +6,6 @@

 {% block content %}
    {{ Form.open({'class' : 'form-horizontal','id' : 'preferences.code'}) }}
-    <input type="hidden" name="secret" value="{{ secret }}"/>
-
    <div class="row">
        <div class="col-lg-6 col-md-6 col-sm-6">            
            <div class="box">
@ -19,19 +17,14 @@
                        {{ 'pref_two_factor_auth_code_help'|_ }}
                    </p>
                    <div class="form group">
-                        
                        <div class="col-sm-8 col-md-offset-4">
-                            <img src="{{ image }}" />
+                            <img src="{{ image }}" alt="" title="" />
+                            <br /><br />
                        </div>
                        
                    </div>
-                    <div class="form group">
-                        <div class="col-sm-8 col-md-offset-4">
-                            <p>{{ secret }}</p>
-                        </div>
-                    </div>
-                    
-                    {{ ExpandedForm.text('code', code, {'label' : 'Code'}) }}
+
+                    {{ ExpandedForm.text('code', code) }}
                </div>
            </div>            
        </div>