Merge pull request #851 from Worteks/issue-165-multiple_sms_tokens

Securisation of reset by SMS token feature
ltb-project · Mar 20, 2024 · 4f06056 · 4f06056
2 parents 9ec3ad9 + 941e5d6
commit 4f06056
Show file tree

Hide file tree

Showing 38 changed files with 574 additions and 198 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -95,7 +95,7 @@
 $hash_options['crypt_salt_prefix'] = "$6$";
 $hash_options['crypt_salt_length'] = "6";
 
-# USE rate-limiting by IP and/or by user 
+# USE rate-limiting by IP and/or by user
 $use_ratelimit = false;
 # dir for json db's (system default tmpdir)
 #$ratelimit_dbdir = '/tmp';
@@ -288,6 +288,10 @@
 ## SMS
 # Use sms
 $use_sms = true;
+# Get telephone number directly from LDAP (only first number entry)
+# and hide telephone number input field
+# default = false
+$sms_use_ldap = false;
 # SMS method (mail, api)
 $sms_method = "mail";
 $sms_api_lib = "lib/smsapi.inc.php";
@@ -404,6 +408,7 @@
 # by default mailnomatch is obscured since it can disclose account existence
 $obscure_failure_messages = array("mailnomatch");
 $obscure_usernotfound_sendtoken = true;
+$obscure_notfound_sendsms = true;
 
 # HTTP Header name that may hold a login to preset in forms
 #$header_name_preset_login="Auth-User";

diff --git a/docs/config_general.rst b/docs/config_general.rst
@@ -92,7 +92,7 @@ Set one of them in ``$lang``:
 
    $lang = "en";
 
-Language is picked according to browser choice among the available ones. All languages 
+Language is picked according to browser choice among the available ones. All languages
 are allowed by default, to restrict them add ``$allowed_lang`` array:
 
 .. code-block:: php
@@ -220,15 +220,16 @@ displayed and replaced by a generic "bad credentials" error:
 
    $obscure_failure_messages = array("mailnomatch");
 
-For the reset process via mail token, there is also a specific parameter,
+For the reset process via mail token and send sms token, there are also a specific parameters,
 enabled by default, to avoid account disclosure:
 
 .. code-block:: php
 
    $obscure_usernotfound_sendtoken = true;
+   $obscure_notfound_sendsms = true;
 
-Set this parameter to ``false`` if you want to show an error if the account entered
-by the user do not exist in the directory.
+Set these parameter to ``false`` if you want to show an error if the information of the account
+entered by the user do not exist in the directory.
 
 Default action
 --------------
@@ -308,4 +309,3 @@ To require a captcha, set ``$use_captcha``:
 .. |image21| image:: images/tr.png
 .. |image22| image:: images/ua.png
 .. |image23| image:: images/rs.png
-
diff --git a/docs/config_sms.rst b/docs/config_sms.rst
@@ -46,6 +46,17 @@ You can enable or disable this feature with $use_sms:
 .. warning:: If you enable this option, you must change the default
   value of the security keyphrase.
 
+SMS configuration
+------------------
+
+You can avoid to request the telephone number to the user, only the login will
+be asked, and the telephone number will be read from LDAP:
+
+.. code-block:: php
+
+   $sms_use_ldap = true;
+
+
 Method
 ------
 
@@ -105,7 +116,7 @@ Read the provider guidelines to know how to access its API.
 
 .. tip:: An example is given in lib/smsapi-example.inc.php. Copy this
   file to lib/smsapi.inc.php and start coding!
-  
+
 See also :ref:`sms_api`.
 
 Mobile attribute

diff --git a/docs/upgrade.rst b/docs/upgrade.rst
@@ -4,6 +4,22 @@ Upgrade
 From 1.5 to 1.6
 ---------------
 
+SMS configuration
+~~~~~~~~~~~~~~~~~
+
+We now demand by default the telephone number to the user, if you want to ask only the login and to read the telephone number from LDAP:
+
+.. code-block:: php
+
+   $sms_use_ldap = true;
+
+The default notification's behaviour for sms is obscured. To change this behaviour into explicit information for the user ( for example: wrong username, wrong phone number), the following option must be set to false:
+
+.. code-block:: php
+
+   $obscure_notfound_sendsms = false;
+
+
 Bundled dependencies
 ~~~~~~~~~~~~~~~~~~~~
 

diff --git a/htdocs/index.php b/htdocs/index.php
@@ -225,6 +225,7 @@
 $smarty->assign('use_sms', $use_sms);
 $smarty->assign('change_sshkey', $change_sshkey);
 $smarty->assign('mail_address_use_ldap', $mail_address_use_ldap);
+$smarty->assign('sms_use_ldap', $sms_use_ldap);
 $smarty->assign('default_action', $default_action);
 //$smarty->assign('',);
 
@@ -335,7 +336,7 @@
     $smarty->assign('error', $messages[$result]);
     // TODO : Make it clean $error_sms - START
     if ($action == 'sendsms') {
-        if (isset($result) && ($result == 'smscrypttokensrequired' || $result == 'smsuserfound' || $result == 'smssent' || $result == 'tokenattempts')) {
+        if (isset($result) && ($result == 'smscrypttokensrequired' || $result == 'smsuserfound' || $result == 'smssent' || $result == 'smssent_ifexists' || $result == 'tokenattempts')) {
             $smarty->assign('error_sms', $result);
         } else {
             $smarty->assign('error_sms', false);