Adjust remember me functionality to work with 2fa

If 2fa is enable the remember me cookie only gets set if the 2fa
authentication was successful. To log the user back in from the
cookie the 2fa will be skipped.

Author: jrauh01

application/controllers/AuthenticationController.php

@@ -44,7 +44,7 @@ public function loginAction()
         if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) {
             $this->redirectNow(Url::fromPath('setup'));
         }
-
+        $skip2fa = false;
         $user = $this->Auth()->getUser();
         if ($user
             && $user->getTwoFactorEnabled()
@@ -55,30 +55,31 @@ public function loginAction()
             $cancel2faForm->handleRequest();
         } else {
             $form = new LoginForm();
-        }
 
-        if (RememberMe::hasCookie() && $this->hasDb()) {
-            $authenticated = false;
-            try {
-                $rememberMeOld = RememberMe::fromCookie();
-                $authenticated = $rememberMeOld->authenticate();
-                if ($authenticated) {
-                    $rememberMe = $rememberMeOld->renew();
-                    $this->getResponse()->setCookie($rememberMe->getCookie());
-                    $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV());
+            if (RememberMe::hasCookie() && $this->hasDb()) {
+                $authenticated = false;
+                try {
+                    $rememberMeOld = RememberMe::fromCookie();
+                    $authenticated = $rememberMeOld->authenticate();
+                    if ($authenticated) {
+                        $rememberMe = $rememberMeOld->renew();
+                        $this->getResponse()->setCookie($rememberMe->getCookie());
+                        $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV());
+                        $skip2fa = true;
+                    }
+                } catch (RuntimeException $e) {
+                    Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage());
+                } catch (AuthenticationException $e) {
+                    Logger::error($e);
                 }
-            } catch (RuntimeException $e) {
-                Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage());
-            } catch (AuthenticationException $e) {
-                Logger::error($e);
-            }
 
-            if (! $authenticated) {
-                $this->getResponse()->setCookie(RememberMe::forget());
+                if (! $authenticated) {
+                    $this->getResponse()->setCookie(RememberMe::forget());
+                }
             }
         }
 
-        if ($this->Auth()->isAuthenticated()) {
+        if ($this->Auth()->isAuthenticated($skip2fa)) {
             // Call provided AuthenticationHook(s) when login action is called
             // but icinga web user is already authenticated
             AuthenticationHook::triggerLogin($this->Auth()->getUser());

application/forms/Authentication/Challenge2FAForm.php

@@ -2,7 +2,9 @@
 
 namespace Icinga\Forms\Authentication;
 
+use Exception;
 use Icinga\Application\Hook\AuthenticationHook;
+use Icinga\Application\Logger;
 use Icinga\Authentication\Auth;
 use Icinga\Authentication\IcingaTotp;
 use Icinga\Web\Session;
@@ -55,8 +57,20 @@ public function onSuccess()
 
             $auth->setAuthenticated($user);
 
+            if ($rememberMe = Session::getSession()->get('2fa_remember_me_cookie')) {
+                try {
+                    $this->getResponse()->setCookie($rememberMe->getCookie());
+                    $rememberMe->persist();
+                } catch (Exception $e) {
+                    Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+                }
+            }
+
+            // Call provided AuthenticationHook(s) after successful login
             AuthenticationHook::triggerLogin($user);
+
             $this->getResponse()->setRerenderLayout(true);
+
             return true;
         }
 

application/forms/Authentication/LoginForm.php

@@ -150,18 +150,6 @@ public function onSuccess()
         $authenticated = $authChain->authenticate($user, $password);
         if ($authenticated) {
             $auth->setAuthenticated($user);
-            if ($this->getElement('rememberme')->isChecked()) {
-                try {
-                    $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
-                    $this->getResponse()->setCookie($rememberMe->getCookie());
-                    $rememberMe->persist();
-                } catch (Exception $e) {
-                    Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
-                }
-            }
-
-            // Call provided AuthenticationHook(s) after successful login
-            AuthenticationHook::triggerLogin($user);
 
             // If user has 2FA enabled and the token hasn't been validated, redirect to login again, so that
             // the token is challenged.
@@ -172,9 +160,27 @@ public function onSuccess()
                 );
                 Session::getSession()->set('2fa_must_challenge_token', true);
 
+                if ($this->getElement('rememberme')->isChecked()) {
+                    $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
+                    Session::getSession()->set('2fa_remember_me_cookie', $rememberMe);
+                }
+
                 return true;
             }
 
+            if ($this->getElement('rememberme')->isChecked()) {
+                try {
+                    $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
+                    $this->getResponse()->setCookie($rememberMe->getCookie());
+                    $rememberMe->persist();
+                } catch (Exception $e) {
+                    Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+                }
+            }
+
+            // Call provided AuthenticationHook(s) after successful login
+            AuthenticationHook::triggerLogin($user);
+
             $this->getResponse()->setRerenderLayout(true);
             return true;
         }

library/Icinga/Authentication/Auth.php

@@ -88,10 +88,10 @@ public function getAuthChain()
      *
      * @return bool
      */
-    public function isAuthenticated()
+    public function isAuthenticated(bool $skip2fa = false)
     {
         if ($this->user !== null) {
-            if ($this->user->getTwoFactorEnabled() && ! $this->user->getTwoFactorSuccessful()) {
+            if (! $skip2fa && $this->user->getTwoFactorEnabled() && ! $this->user->getTwoFactorSuccessful()) {
                 return false;
             }
             return true;

library/Icinga/Web/RememberMe.php

@@ -5,8 +5,8 @@
 
 use Icinga\Application\Config;
 use Icinga\Authentication\Auth;
-use Icinga\Crypt\AesCrypt;
 use Icinga\Common\Database;
+use Icinga\Crypt\AesCrypt;
 use Icinga\User;
 use ipl\Sql\Expression;
 use ipl\Sql\Select;
@@ -246,6 +246,7 @@ public function authenticate()
         );
 
         if ($authenticated) {
+            $user->setTwoFactorSuccessful(true);
             $auth->setAuthenticated($user);
         }