mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-20 17:15:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Only check every 10 minutes if the user needs to setup a 2FA method enforced by its group

Browse source 
That saves us 3 database queries on many requests.
This commit is contained in:
Jan Böhmer 2023-07-19 00:56:28 +02:00
parent 87cf4c2d08
commit 2c6de84c9a
2 changed files with 47 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/EventSubscriber/UserSystem/PasswordChangeNeededSubscriber.php
View file

@ -26,6 +26,7 @@ use Symfony\Bundle\SecurityBundle\Security;
use App\Entity\UserSystem\Group; use App\Entity\UserSystem\Group;
use App\Entity\UserSystem\User; use App\Entity\UserSystem\User;
use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface; use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
use Symfony\Component\HttpFoundation\Session\Session; use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\SessionInterface; use Symfony\Component\HttpFoundation\Session\SessionInterface;
@ -84,7 +85,7 @@ final class PasswordChangeNeededSubscriber implements EventSubscriberInterface
} }
//Abort if we dont need to redirect the user. //Abort if we dont need to redirect the user.
if (!$user->isNeedPwChange() && !static::TFARedirectNeeded($user)) { if (!$user->isNeedPwChange() && !self::TFARedirectNeeded($user, $request)) {
return; return;
} }
@ -111,7 +112,7 @@ final class PasswordChangeNeededSubscriber implements EventSubscriberInterface
$flashBag->add('warning', 'user.pw_change_needed.flash'); $flashBag->add('warning', 'user.pw_change_needed.flash');
} }
if (static::TFARedirectNeeded($user)) { if (self::TFARedirectNeeded($user, $request)) {
$flashBag->add('warning', 'user.2fa_needed.flash'); $flashBag->add('warning', 'user.2fa_needed.flash');
} }
@ -122,16 +123,35 @@ final class PasswordChangeNeededSubscriber implements EventSubscriberInterface
* Check if a redirect because of a missing 2FA method is needed. * Check if a redirect because of a missing 2FA method is needed.
* That is the case if the group of the user enforces 2FA, but the user has neither Google Authenticator nor an * That is the case if the group of the user enforces 2FA, but the user has neither Google Authenticator nor an
* U2F key setup. * U2F key setup.
* The result is cached for some minutes in the session to prevent unnecessary database queries.
* *
* @param User $user the user for which should be checked if it needs to be redirected * @param User $user the user for which should be checked if it needs to be redirected
* *
* @return bool true if the user needs to be redirected * @return bool true if the user needs to be redirected
*/ */
public static function TFARedirectNeeded(User $user): bool public static function TFARedirectNeeded(User $user, Request $request): bool
{ {
//Check if when we have checked the user the last time
$session = $request->getSession();
$last_check = $session->get('tfa_redirect_check', 0);
//If we have checked the user already in the last 10 minutes, we don't need to check it again
if ($last_check > time() - 600) {
return false;
}
//Otherwise we check the user again
$tfa_enabled = $user->isWebAuthnAuthenticatorEnabled() || $user->isGoogleAuthenticatorEnabled(); $tfa_enabled = $user->isWebAuthnAuthenticatorEnabled() || $user->isGoogleAuthenticatorEnabled();
return $user->getGroup() instanceof Group && $user->getGroup()->isEnforce2FA() && !$tfa_enabled; $result = $user->getGroup() instanceof Group && $user->getGroup()->isEnforce2FA() && !$tfa_enabled;
//If no redirect is needed, we set the last check time to now
if (!$result) {
$session->set('tfa_redirect_check', time());
}
return $result;
} }
public static function getSubscribedEvents(): array public static function getSubscribedEvents(): array

28
tests/EventSubscriber/PasswordChangeNeededSubscriberTest.php
View file

@ -27,6 +27,9 @@ use App\Entity\UserSystem\User;
use App\Entity\UserSystem\WebauthnKey; use App\Entity\UserSystem\WebauthnKey;
use App\EventSubscriber\UserSystem\PasswordChangeNeededSubscriber; use App\EventSubscriber\UserSystem\PasswordChangeNeededSubscriber;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\Uid\Uuid; use Symfony\Component\Uid\Uuid;
use Webauthn\TrustPath\EmptyTrustPath; use Webauthn\TrustPath\EmptyTrustPath;
@ -37,21 +40,33 @@ class PasswordChangeNeededSubscriberTest extends TestCase
$user = new User(); $user = new User();
$group = new Group(); $group = new Group();
$request = new Request();
$session = new Session(new MockArraySessionStorage());
$request->setSession($session);
//A user without a group must not redirect //A user without a group must not redirect
$user->setGroup(null); $user->setGroup(null);
$this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user)); $this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user, $request));
$session->clear();
//When the group does not enforce the redirect the user must not be redirected //When the group does not enforce the redirect the user must not be redirected
$user->setGroup($group); $user->setGroup($group);
$this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user)); $this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user, $request));
$session->clear();
//The user must be redirected if the group enforces 2FA, and it does not have a method //The user must be redirected if the group enforces 2FA, and it does not have a method
$group->setEnforce2FA(true); $group->setEnforce2FA(true);
$this->assertTrue(PasswordChangeNeededSubscriber::TFARedirectNeeded($user)); $this->assertTrue(PasswordChangeNeededSubscriber::TFARedirectNeeded($user, $request));
$session->clear();
//User must not be redirect if google authenticator is set up //User must not be redirect if google authenticator is set up
$user->setGoogleAuthenticatorSecret('abcd'); $user->setGoogleAuthenticatorSecret('abcd');
$this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user)); $this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user, $request));
$session->clear();
//User must not be redirect if 2FA is set up //User must not be redirect if 2FA is set up
$user->setGoogleAuthenticatorSecret(null); $user->setGoogleAuthenticatorSecret(null);
@ -66,6 +81,9 @@ class PasswordChangeNeededSubscriberTest extends TestCase
"", "",
0 0
)); ));
$this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user));
$session->clear();
$this->assertFalse(PasswordChangeNeededSubscriber::TFARedirectNeeded($user, $request));
} }
} }