From e50825d974473ce0ff42d42ab3c424a41e0ec34e Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst
Date: Mon, 27 Feb 2023 10:47:44 +0100
Subject: [PATCH 1/7] framework: esi, fragments not used so disable

---
 config/packages/framework.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 4bd86311e..fb4790e60 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -1,5 +1,5 @@
 framework:
-    #esi: ~
+    esi: false
     secret: "%secret%"
     form: ~
     csrf_protection: ~
@@ -13,5 +13,5 @@ framework:
         name: sess_selfservice
         cookie_httponly: true
         cookie_secure: true
-    fragments: ~
+    fragments: false
     http_method_override: true

From c4465917763bb21ca776fcd0c2f0fafb7202be71 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Mar 2023 10:15:39 +0000
Subject: [PATCH 2/7] Bump phpseclib/phpseclib from 3.0.18 to 3.0.19

Bumps [phpseclib/phpseclib](https://github.com/phpseclib/phpseclib) from 3.0.18 to 3.0.19.
- [Release notes](https://github.com/phpseclib/phpseclib/releases)
- [Changelog](https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md)
- [Commits](https://github.com/phpseclib/phpseclib/compare/3.0.18...3.0.19)

---
updated-dependencies:
- dependency-name: phpseclib/phpseclib
  dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 composer.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/composer.lock b/composer.lock
index f1d051996..c6b0ae5a2 100644
--- a/composer.lock
+++ b/composer.lock
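Review bot: `fragments: false` in the second hunk is a behavioral change rather than a tidy-up: `fragments: ~` had the fragment listener enabled, so the signed `/_fragment` endpoint disappears, whereas `esi: false` only makes the previously commented-out default explicit. Removing that endpoint is a sensible reduction of the surface that depends on `%secret%` staying confidential, but it should be confirmed that no template still uses `render_hinclude` or another non-inline fragment strategy, since those rely on the listener and would fail at runtime once it is gone. A short inline note would make the intent survive the next config review, e.g. `fragments: false  # no /_fragment rendering used; keeps the signed fragment endpoint disabled`.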
@@ -2233,16 +2233,16 @@ }, { "name": "phpseclib/phpseclib", - "version": "3.0.18", + "version": "3.0.19", "source": { "type": "git", "url": "https://github.com/phpseclib/phpseclib.git", - "reference": "f28693d38ba21bb0d9f0c411ee5dae2b178201da" + "reference": "cc181005cf548bfd8a4896383bb825d859259f95" }, "dist": { "type": "zip", - "url": "https://github.com/repos/phpseclib/phpseclib/zipball/f28693d38ba21bb0d9f0c411ee5dae2b178201da", - "reference": "f28693d38ba21bb0d9f0c411ee5dae2b178201da", + "url": "https://github.com/repos/phpseclib/phpseclib/zipball/cc181005cf548bfd8a4896383bb825d859259f95", + "reference": "cc181005cf548bfd8a4896383bb825d859259f95", "shasum": "" }, "require": { @@ -2323,7 +2323,7 @@ ], "support": { "issues": "https://github.com/phpseclib/phpseclib/issues", - "source": "https://github.com/phpseclib/phpseclib/tree/3.0.18" + "source": "https://github.com/phpseclib/phpseclib/tree/3.0.19" }, "funding": [ { @@ -2339,7 +2339,7 @@ "type": "tidelift" } ], - "time": "2022-12-17T18:26:50+00:00" + "time": "2023-03-05T17:13:09+00:00" }, { "name": "psr/cache", From c1ade58af0e5df336e3f7d6a0199b09fcf604701 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Mar 2023 09:17:10 +0000 Subject: [PATCH 3/7] Bump webpack from 5.75.0 to 5.76.0 Bumps [webpack](https://github.com/webpack/webpack) from 5.75.0 to 5.76.0. - [Release notes](https://github.com/webpack/webpack/releases) - [Commits](https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0) --- updated-dependencies: - dependency-name: webpack dependency-type: direct:development ... Signed-off-by: dependabot[bot] --- package.json | 2 +- yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 376040e9a..7a63cbe67 100644 --- a/package.json +++ b/package.json 
@@ -21,7 +21,7 @@ "ts-jest": "^27", "ts-loader": "^9.0", "typescript": "^4", - "webpack": "^5.75.0", + "webpack": "^5.76.0", "webpack-cli": "^5.0.0", "webpack-import-glob-loader": "^1.6.3" }, diff --git a/yarn.lock b/yarn.lock index 2baf16b4b..390cb4069 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6587,10 +6587,10 @@ webpack-sources@^3.2.3: resolved "https://registry.yarnpkg.com/webpack-sources/-/webpack-sources-3.2.3.tgz#2d4daab8451fd4b240cc27055ff6a0c2ccea0cde" integrity sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w== -webpack@^5.75.0: - version "5.75.0" - resolved "https://registry.yarnpkg.com/webpack/-/webpack-5.75.0.tgz#1e440468647b2505860e94c9ff3e44d5b582c152" - integrity sha512-piaIaoVJlqMsPtX/+3KTTO6jfvrSYgauFVdt8cr9LTHKmcq/AMd4mhzsiP7ZF/PGRNPGA8336jldh9l2Kt2ogQ== +webpack@^5.76.0: + version "5.76.0" + resolved "https://registry.yarnpkg.com/webpack/-/webpack-5.76.0.tgz#f9fb9fb8c4a7dbdcd0d56a98e56b8a942ee2692c" + integrity sha512-l5sOdYBDunyf72HW8dF23rFtWq/7Zgvt/9ftMof71E/yUb1YLOBmTgA2K4vQthB3kotMrSj609txVE0dnr2fjA== dependencies: "@types/eslint-scope" "^3.7.3" "@types/estree" "^0.0.51" From ba1a3fb5586bdd86131b9a384d5367040dd6177c Mon Sep 17 00:00:00 2001 
From: Michiel Kodde
Date: Tue, 11 Apr 2023 11:54:44 +0200
Subject: [PATCH 4/7] Repair return type inconsistency in RT Trait

The handleSmsChallenge can return a Response when the OTP challenge request limit is reached. Before this fix, the trait would return an array response. Resulting in this error in the logs: `php.CRITICAL: Uncaught Error: Return value of Surfnet\StepupSelfService\SelfServiceBundle\Controller\SelfAssertedTokensController::handleSmsChallenge() must be an instance of Symfony\Component\HttpFoundation\Response, array returned {"exception":"[object] (TypeError(code: 0): Return value of Surfnet\\StepupSelfService\\SelfServiceBundle\\Controller\\SelfAssertedTokensController::handleSmsChallenge() must be an instance of Symfony\\Component\\HttpFoundation\\Response, array returned at /src/Stepup-SelfService/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php:76)` To fix that issue, the array return statement is updated to also return a Response object. Simply using the Twig Template that was requested for this response. No formal bug ticket was created for this bug
---
 .../Controller/RecoveryTokenControllerTrait.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php
index cc241f668..ab6f544c0 100644
--- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php
+++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/RecoveryTokenControllerTrait.php
@@ -73,7 +73,8 @@ private function handleSmsChallenge( if ($otpRequestsRemaining === 0) { $this->addFlash('error', 'ss.prove_phone_possession.challenge_request_limit_reached'); - return array_merge(['form' => $form->createView()], $viewVariables); + $parameters = array_merge(['form' => $form->createView()], $viewVariables); + return $this->render($templateName, $parameters); } if ($this->smsService->sendChallenge($command)) { From 6bc387cfc9809b6019b2100d6c72ec6cf6382d1c Mon Sep 17 00:00:00 2001 From: Michiel Kodde Date: Thu, 13 Apr 2023 11:51:38 +0200 Subject: [PATCH 5/7] Ensure `verifyEmail` view variable is available When the max attempts are expired, the view vars did not include the verifyEmail property. That was fixed in this boy scout commit. --- .../Controller/Registration/SmsController.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php index 646ce7c39..030523f8f 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Registration/SmsController.php 
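Review bot: The new `return $this->render($templateName, $parameters);` depends on `$templateName` being a parameter of `handleSmsChallenge`, whose signature begins above the hunk and is not visible here; if it is not in scope, the fix trades the logged `TypeError` for an undefined-variable error on the same rate-limit path. That path is reached only when `$otpRequestsRemaining === 0`, which is exactly why the original bug surfaced in production logs rather than in tests, so a test that drives the OTP request counter to zero and asserts a rendered `Response` is returned would pin this fix. The `array_merge` order also lets a `form` key in `$viewVariables` override the freshly created view; if callers never pass one, a one-line comment stating that assumption would help the next reader. The enclosing method continues past the hunk.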
@@ -46,7 +46,11 @@ public function sendChallengeAction(Request $request) $service = $this->get('surfnet_stepup_self_service_self_service.service.sms_second_factor'); $otpRequestsRemaining = $service->getOtpRequestsRemainingCount(SmsSecondFactorServiceInterface::REGISTRATION_SECOND_FACTOR_ID); $maximumOtpRequests = $service->getMaximumOtpRequestsCount(); - $viewVariables = ['otpRequestsRemaining' => $otpRequestsRemaining, 'maximumOtpRequests' => $maximumOtpRequests]; + $viewVariables = [ + 'otpRequestsRemaining' => $otpRequestsRemaining, + 'maximumOtpRequests' => $maximumOtpRequests, + 'verifyEmail' => $this->emailVerificationIsRequired(), + ]; if ($form->isSubmitted() && $form->isValid()) { $command->identity = $identity->id; @@ -67,7 +71,6 @@ public function sendChallengeAction(Request $request) return array_merge( [ 'form' => $form->createView(), - 'verifyEmail' => $this->emailVerificationIsRequired(), ], $viewVariables ); From 42ba3481d7d622b7dd91325c42a09877214d23e6 Mon Sep 17 00:00:00 2001 From: Michiel Kodde Date: Thu, 13 Apr 2023 11:59:22 +0200 Subject: [PATCH 6/7] Revert prematurely removed sms route The ss_registration_sms_prove_possession might have been skipped by the SMS RT proof op posession where it was removed. During that action this route was also removed. But it was still used in the token registration of an SMS token. See: https://www.pivotaltracker.com/story/show/184750138 --- .../SelfServiceBundle/Resources/config/routing.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml index c7ff81c7a..e025f7169 100644 --- a/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml +++ b/src/Surfnet/StepupSelfService/SelfServiceBundle/Resources/config/routing.yml 
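Review bot: Moving `'verifyEmail' => $this->emailVerificationIsRequired()` into `$viewVariables` before the submission check is what lets the early-return path that consumes `$viewVariables` (presumably the shared `handleSmsChallenge` helper, outside this hunk) receive it, but nothing in this diff shows that path or a test covering it. A functional test that submits the form once the OTP request limit is reached and asserts the page renders without a missing-variable error would pin the fix the commit message describes. A brief comment on the new array, e.g. `// built up front so the limit-reached early return renders with the same variables as the normal path`, would explain why the value is computed before the form is handled. `sendChallengeAction` continues past both hunks.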
@@ -130,6 +130,11 @@ ss_registration_sms_send_challenge:
     methods: [GET,POST]
     defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:Registration/Sms:sendChallenge }
 
+ss_registration_sms_prove_possession:
+    path: /registration/sms/prove-possession
+    methods: [GET,POST]
+    defaults: { _controller: SurfnetStepupSelfServiceSelfServiceBundle:Registration/Sms:provePossession }
+
 ss_registration_gssf_status_report:
     path: /registration/gssf/{provider}/status
     methods: [GET]

From 7f455c14f82ae202559343ae99bdfb0705616bf4 Mon Sep 17 00:00:00 2001
From: Michiel Kodde
Date: Thu, 13 Apr 2023 14:56:29 +0200
Subject: [PATCH 7/7] Update CHANGELOG.md for 4.0.5

---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fbe675c6c..f5bcce0d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,14 @@
 # Changelog
+
+## 4.0.5
+**Maintenance:**
+- Framework: esi, fragments not used so disable
+- Security upgrades are installed
+
+**Bugfixes:**
+- SMS prove possession route not found #288
+- Repair return type inconsistency in recovery token trait #287
+
 
 ## 4.0.4
 - Support self-vetting using a self-asserted token #284
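Review bot: The restored `ss_registration_sms_prove_possession` route was lost once already because nothing exercised the SMS token registration flow end to end; a functional test that walks send-challenge to prove-possession, or at minimum asserts that this route name resolves, would stop a second accidental removal. The `_controller` value uses the legacy `Bundle:Controller:action` notation, which matches the neighbouring routes but is deprecated in Symfony 4.x; keeping it here is right for consistency, and the migration should be done file-wide in one commit. A short comment above the route noting that it is shared by the SMS token registration flow (the reason given in the message) would make the dependency visible to whoever next prunes this file.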