therealssj / tfa

TFA 8.x fork

TFA setup link hardcoded to use same validation plugin #9

Closed paraacha closed 8 years ago

paraacha commented 8 years ago

After TFA has been enabled in a website, all users with "require tfa" permission are asked to set up TFA for their accounts. If TFA gets enabled with the HOTP validation plugin, the TFA setup link should be "user/{user}/security/tfa/HOTP". If, instead, TFA gets enabled with the TOTP validation plugin, the TFA setup link should be "user/{user}/security/tfa/TOTP".

But currently, the setup link is hardcoded to always use the same validation plugin. That's because of the line # 148 in TfaLoginForm.php:

$tfa_setup_link = '/user/' . $account->id() . '/security/tfa/tfa_totp';

paraacha commented 8 years ago

Here is how the variable should be created:

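// Needs "use Drupal\Core\Url;" at the top of TfaLoginForm.php.
// $validate_plugin is the ID of the enabled validation plugin.
$tfa_setup_link = Url::fromRoute('tfa.validation.setup', array(
  'user' => $account->id(),
  'method' => $validate_plugin,
));
$tfa_setup_link = $tfa_setup_link->toString();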

Also, using Url::fromRoute() is better than manually creating a relative link.

therealssj commented 8 years ago

marked for next commit