diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 3593ff2c4..6a70eb6e3 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1385,6 +1385,7 @@ function fido2($_data) {
 );
 break;
 case "verify":
+ $role = "";
 $tokenData = json_decode($_data['token']);
 $clientDataJSON = base64_decode($tokenData->clientDataJSON);
 $authenticatorData = base64_decode($tokenData->authenticatorData);
@@ -1418,17 +1419,17 @@ function fido2($_data) {
 $stmt->execute(array(':username' => $process_fido2['username']));
 $obj_props = $stmt->fetch(PDO::FETCH_ASSOC);
 if ($obj_props['superadmin'] === 1 && (!$_data['user'] || $_data['user'] == "admin")) {
- $_SESSION["mailcow_cc_role"] = "admin";
+ $role = "admin";
 }
 elseif ($obj_props['superadmin'] === 0 && (!$_data['user'] || $_data['user'] == "domainadmin")) {
- $_SESSION["mailcow_cc_role"] = "domainadmin";
+ $role = "domainadmin";
 }
 elseif (!isset($obj_props['superadmin']) && (!$_data['user'] || $_data['user'] == "user")) {
 $stmt = $pdo->prepare("SELECT `username` FROM `mailbox` WHERE `username` = :username");
 $stmt->execute(array(':username' => $process_fido2['username']));
 $row = $stmt->fetch(PDO::FETCH_ASSOC);
 if ($row['username'] == $process_fido2['username']) {
- $_SESSION["mailcow_cc_role"] = "user";
+ $role = "user";
 }
 }
 else {
@@ -1439,7 +1440,7 @@ function fido2($_data) {
 );
 return false;
 }
- if (empty($_SESSION["mailcow_cc_role"])) {
+ if (empty($role)) {
 session_unset();
 session_destroy();
 $_SESSION['return'][] = array(
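Review bot: The new `$role` local carries no comment saying that the empty string is the "no role could be derived" sentinel which the later `if (empty($role))` check relies on to tear the session down and refuse the login, so the fail-closed design is invisible at the point where it is set up. A one-line comment at the initialisation would make the contract explicit, e.g. `// "" = no role derived for this credential; the empty() check below then fails closed`. The verify case continues across the following hunks and the rest of fido2() is outside this hunk.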
@@ -1449,15 +1450,17 @@ function fido2($_data) {
 );
 return false;
 }
- $_SESSION["mailcow_cc_username"] = $process_fido2['username'];
- $_SESSION["fido2_cid"] = $process_fido2['cid'];
 unset($_SESSION["challenge"]);
 $_SESSION['return'][] = array(
 'type' => 'success',
 'log' => array("fido2_login", $_data['user'], $process_fido2['username']),
 'msg' => array('logged_in_as', $process_fido2['username'])
 );
- return true;
+ return array(
+ "role" => $role,
+ "username" => $process_fido2['username'],
+ "cid" => $process_fido2['cid']
+ );
 break;
 }
 }
diff --git a/data/web/inc/triggers.admin.inc.php b/data/web/inc/triggers.admin.inc.php
index 883d9fd5c..df46a459c 100644
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -19,11 +19,16 @@ if (isset($_POST["verify_tfa_login"])) {
 unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
- fido2(array(
+ $res = fido2(array(
 "action" => "verify",
 "token" => $_POST["token"],
 "user" => "admin"
 ));
+ if (is_array($res) && $res['role'] == "admin" && !empty($res['username'])){
+ $_SESSION["mailcow_cc_username"] = $res['username'];
+ $_SESSION["mailcow_cc_role"] = $res['role'];
+ $_SESSION["fido2_cid"] = $res['cid'];
+ }
 exit;
 }
 
diff --git a/data/web/inc/triggers.domainadmin.inc.php b/data/web/inc/triggers.domainadmin.inc.php
index dd1c653bd..a9f913688 100644
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -30,11 +30,16 @@ if (isset($_POST["verify_tfa_login"])) {
 unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
- fido2(array(
+ $res = fido2(array(
 "action" => "verify",
 "token" => $_POST["token"],
 "user" => "domainadmin"
 ));
+ if (is_array($res) && $res['role'] == "domainadmin" && !empty($res['username'])){
+ $_SESSION["mailcow_cc_username"] = $res['username'];
+ $_SESSION["mailcow_cc_role"] = $res['role'];
+ $_SESSION["fido2_cid"] = $res['cid'];
+ }
 exit;
 }
 
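Review bot: The new success return is an undocumented associative array while every failure path in the function still returns `false`, so the contract belongs in a PHPDoc at the top of fido2() (outside this hunk), along the lines of `@return false|array{role: string, username: string, cid: string}` plus a sentence stating that the caller, not fido2(), establishes the session from it. Any caller outside this diff that tests the result with `=== true` would now treat every successful verification as a failure; I cannot see such callers from here, so it is worth checking. Note also that the `'logged_in_as'` success message and the `fido2_login` log entry are pushed to `$_SESSION['return']` before the caller has decided whether to accept the returned role, so a caller that declines the result would leave a "logged in" message behind with no session; since the three callers in this diff always pass `user` and fido2() already refuses a mismatch before reaching this point, that only matters for a caller that omits `user`, but moving the push to the callers would keep message and session state consistent by construction.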
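Review bot: The role check in the new `if` compares with loose `==` against `"admin"`; the value comes from fido2() as a string so it works, but `===` states the intent and matches the `=== 1` style fido2() itself uses, i.e. `if (is_array($res) && $res['role'] === "admin" && !empty($res['username'])) {`. The same applies to the identical block in triggers.domainadmin.inc.php (`"domainadmin"`) and to triggers.user.inc.php (`"user"`). This block is where the session goes from unauthenticated to admin, so `session_regenerate_id(true);` as its first statement would guard against session fixation; the TFA path above may already do this, but it is not visible in the hunk. When `$res` is an array whose role does not match, the branch silently does nothing and the request still `exit`s; as fido2() already pushes an error and returns `false` for a mismatched `user` this should be unreachable, but an explicit `else` that records the refusal would make that visible rather than implicit.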
diff --git a/data/web/inc/triggers.user.inc.php b/data/web/inc/triggers.user.inc.php
index 64282b075..842fad14a 100644
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -84,11 +84,15 @@ if (isset($_POST["verify_tfa_login"])) {
 unset($_SESSION['pending_tfa_methods']);
 }
 if (isset($_POST["verify_fido2_login"])) {
- fido2(array(
+ $res = fido2(array(
 "action" => "verify",
 "token" => $_POST["token"],
 "user" => "user"
 ));
+ if (is_array($res) && $res['role'] == "user" && !empty($res['username'])){
+ set_user_loggedin_session($res['username']);
+ $_SESSION["fido2_cid"] = $res['cid'];
+ }
 exit;
 }
 
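Review bot: Unlike the admin and domainadmin blocks, this one never writes `mailcow_cc_role` itself and relies on `set_user_loggedin_session()`, which is defined outside this diff, so the reader cannot tell from the hunk that the role is established at all. A comment at the call such as `// set_user_loggedin_session() is expected to populate mailcow_cc_username and mailcow_cc_role` would make that dependency explicit, assuming that is what the helper does. Because `$_SESSION["fido2_cid"]` is written after the helper, it is also worth confirming that the helper does not unset or replace `$_SESSION` in a way that makes the order matter.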