Merge pull request #10489 from O-Jiangweidong/pr@dev@fix_mfa_bypass

fix: 修复某待审核用户返回时，登录其他用户可绕开mfa的问题
2023-05-19 10:41:19 +08:00 · 2023-05-19 10:41:19 +08:00 · a236de1eff
parent 48fca8f0f3 bb27be0924
commit a236de1eff
1 changed files with 7 additions and 5 deletions
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -221,7 +221,8 @@ class MFAMixin:
        self._do_check_user_mfa(code, mfa_type, user=user)

    def check_user_mfa_if_need(self, user):
-        if self.request.session.get('auth_mfa'):
+        if self.request.session.get('auth_mfa') and \
+                self.request.session.get('auth_mfa_username') == user.username:
            return
        if not user.mfa_enabled:
            return
@ -229,15 +230,16 @@ class MFAMixin:
        active_mfa_names = user.active_mfa_backends_mapper.keys()
        raise errors.MFARequiredError(mfa_types=tuple(active_mfa_names))

-    def mark_mfa_ok(self, mfa_type):
+    def mark_mfa_ok(self, mfa_type, user):
        self.request.session['auth_mfa'] = 1
+        self.request.session['auth_mfa_username'] = user.username
        self.request.session['auth_mfa_time'] = time.time()
        self.request.session['auth_mfa_required'] = 0
        self.request.session['auth_mfa_type'] = mfa_type
-        MFABlockUtils(self.request.user.username, self.get_request_ip()).clean_failed_count()
+        MFABlockUtils(user.username, self.get_request_ip()).clean_failed_count()

    def clean_mfa_mark(self):
-        keys = ['auth_mfa', 'auth_mfa_time', 'auth_mfa_required', 'auth_mfa_type']
+        keys = ['auth_mfa', 'auth_mfa_time', 'auth_mfa_required', 'auth_mfa_type', 'auth_mfa_username']
        for k in keys:
            self.request.session.pop(k, '')

@ -272,7 +274,7 @@ class MFAMixin:
            ok, msg = mfa_backend.check_code(code)

        if ok:
-            self.mark_mfa_ok(mfa_type)
+            self.mark_mfa_ok(mfa_type, user)
            return

        raise errors.MFAFailedError(