Force setup of MFA on login

Author: wrongecho

login.php

@@ -119,10 +119,6 @@
         $user_role = intval($row['user_role']);
         $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
         $user_extension_key = $row['user_extension_key'];
-        if($force_mfa == 1 && $token == NULL) {
-            $config_start_page = "user_security.php";
-            $_SESSION['alert_message'] = "Please set up MFA.";
-        }
 
         $mfa_is_complete = false; // Default to requiring MFA
         $extended_log = ''; // Default value
@@ -202,8 +198,14 @@
             $_SESSION['csrf_token'] = randomString(156);
             $_SESSION['logged'] = true;
 
+            // Forcing MFA
+            if ($force_mfa == 1 && $token == NULL) {
+                $secretMFA = key32gen();
+                $config_start_page = "post.php?enable_2fa_force&token=$secretMFA&csrf_token=$_SESSION[csrf_token]";
+            }
+
             // Setup encryption session key
-            if (isset($user_encryption_ciphertext) && $user_role > 1) {
+            if (isset($user_encryption_ciphertext)) {
                 $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
                 generateUserSessionKey($site_encryption_master_key);
 

post/user/profile.php

@@ -207,24 +207,35 @@
 
 }
 
-if (isset($_POST['enable_2fa'])){
+if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
 
     // CSRF Check
-    validateCSRFToken($_POST['csrf_token']);
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        validateCSRFToken($_POST['csrf_token']);
+
+        $extended_log_description = "";
+        $token = sanitizeInput($_POST['token']);
+    } else {
+        // If this is a GET request then we forced MFA as part of login
+        validateCSRFToken($_GET['csrf_token']);
+
+        $extended_log_description = "(forced)";
+        $token = sanitizeInput($_GET['token']);
+    }
+
 
-    $token = sanitizeInput($_POST['token']);
 
     mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
 
     // Delete any existing 2FA tokens - these browsers should be re-validated
     mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
 
     //Logging
-    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User Settings', log_action = 'Modify', log_description = '$session_name enabled 2FA on their account $extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
 
-    $_SESSION['alert_message'] = "Two-factor authentication enabled";
+    $_SESSION['alert_message'] = "Two-factor authentication enabled $extended_log_description";
 
-    header("Location: " . $_SERVER["HTTP_REFERER"]);
+    header("Location: user_security.php");
 
 }