'Login', 'summary' => 'Login to ProcessWire', 'version' => 109, 'permanent' => true, 'permission' => 'page-view', ); } /** * @var InputfieldText|InputfieldEmail * */ protected $nameField; /** * @var InputfieldText * */ protected $passField; /** * @var InputfieldSubmit * */ protected $submitField; /** * @var InputfieldForm * */ protected $form; /** * Requested page edit ID (no longer used, but kept in case anything else monitoring it) * * @var int * */ protected $id; /** * Is this login form being used for admin login? * * @var bool * */ protected $isAdmin = false; /** * URL to redirect to after login * * @var string * */ protected $loginURL = ''; /** * URL to redirect to after logout * * @var string * */ protected $logoutURL = ''; /** * Did user login with two factor authentication? * * @var bool * */ protected $tfaLoginSuccess = false; /** * Cached value from useEmailLogin method * * @var bool|null * */ protected $useEmailLogin = null; /** * Custom labels that override defaults, indexed by label name * * @var array * */ protected $customLabels = array(); /** * Login name as submitted (after sanitize) * * @var string * */ protected $submitLoginName = ''; /** * Configurable markup for this module * * @var array * */ protected $customMarkup = array( 'error' => '

{out}

', 'login-link' => '{out}', 'login-links' => '

{out}

', 'login-links-split' => '
', 'forgot-icon' => '', // in constructor 'home-icon' => '', // in constructor ); /** * Construct * */ public function __construct() { $this->set('tfaRecRoleIDs', array()); $this->set('tfaRememberDays', 90); $this->set('tfaRememberFingerprints', array('agentVL', 'accept', 'scheme', 'host')); $this->set('tfaAutoType', ''); $this->set('tfaAutoRoleIDs', array()); $this->set('allowEmail', false); $this->set('emailField', 'email'); $this->customMarkup['forgot-icon'] = wireIconMarkup('question-circle', 'fw'); $this->customMarkup['home-icon'] = wireIconMarkup('home', 'fw'); parent::__construct(); } /** * Build the login form * */ public function init() { $this->id = isset($_GET['id']) ? (int) $_GET['id'] : ''; // id no longer used as anything but a toggle (on/off) $this->set('allowForgot', $this->modules->isInstalled('ProcessForgotPassword')); $this->isAdmin = $this->wire()->page->template == 'admin'; $this->useEmailLogin = $this->useEmailLogin(); parent::init(); } /** * Get or set named label text * * @param string $name Label name * @param null|string $value Specify value to replace label with custom value at runtime, otherwise omit * @return string * @since 3.0.154 * */ public function labels($name, $value = null) { if($value !== null) $this->customLabels[$name] = $value; if(isset($this->customLabels[$name])) return $this->customLabels[$name]; switch($name) { // alpha order case 'continue': $label = $this->_('Continue'); break; case 'edit-profile': $label = $this->_('Edit Profile'); break; case 'email': $label = $this->_('Email'); break; // Email input label case 'email-not-supported': $label = $this->_('Login is not supported for that email address.'); break; case 'fail-cookie': $label = $this->_('Cookie check failed: please enable cookies to login.'); break; case 'fail-javascript': $label = $this->_('Javascript check failed: please enable Javascript to login.'); break; case 'forgot-password': $label = $this->_('Forgot your password?'); break; case 'invalid-name': $label = $this->_('Invalid login name'); break; case 'login': $label = $this->_('Login'); break; // Login submit button label case 'login-failed': $label = $this->_('Login failed'); break; case 'login-headline': $label = $this->_x('Login', 'headline'); break; // Login form headline case 'logged-in': $label = $this->_('You are logged in.'); break; case 'logged-out': $label = $this->_('You have logged out'); break; case 'password': $label = $this->_('Password'); break; // Password input label case 'username': $label = $this->_('Username'); break; // Username input label case 'username-or-email': $label = $this->_('Username or Email'); break; // Name/email input label default: $label = "Unknown label name: $name"; } return $label; } /** * Get or set custom markup * * @param string $name * @param null|string $value * @return string * @since 3.0.154 * */ public function markup($name, $value = null) { if($value !== null) $this->customMarkup[$name] = $value; return isset($this->customMarkup[$name]) ? $this->customMarkup[$name] : "Unknown markup name: $name"; } /** * Use login by email? * * Returns false if no, int 1 of yes, int 2 if either email or name allowed * * @return bool|int * @since 3.0.151 * */ public function useEmailLogin() { if($this->useEmailLogin !== null) return $this->useEmailLogin; if(!$this->allowEmail) return false; if(!$this->emailField) return false; /** @var Field $field */ $field = $this->wire()->fields->get($this->emailField); if(!$field) return false; if(!$field->type instanceof FieldtypeEmail) return false; if(!$field->hasFlag(Field::flagUnique)) return false; /** @var Template $template */ $template = $this->wire()->templates->get($this->wire()->config->userTemplateID); if(!$template || !$template->hasField($field)) return false; return (int) $this->allowEmail; } /** * Set URL to redirect to after login success * * If not set, redirect will be back to the current page with a "login=1" GET variable. * However, you should only check if the user is logged in with if($user->isLoggedin()). * * @param $url * @return $this * @throws WireException if given invalid URL * */ public function setLoginURL($url) { $url = $this->wire()->sanitizer->url($url, array('throw' => true)); $this->loginURL = $url; return $this; } /** * Set URL to redirect to after logout success * * If not set, redirect will be back to the current page with a "logout=2" GET variable. * * @param $url * @return $this * @throws WireException if given invalid URL * */ public function setLogoutURL($url) { $url = $this->wire()->sanitizer->url($url, array('throw' => true)); $this->logoutURL = $url; return $this; } /** * Set cache control headers to prevent caching * * Note that PHP already does this, but if someone has overridden PHP’s default settings * then these ones will apply. This is in order to prevent a cached copy of the login form * from being used since the login form is rendered prior to login session. * */ protected function setCacheHeaders() { header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); } /** * Check if login posted and attempt login, otherwise render the login form * * @return string * */ public function ___execute() { $session = $this->wire()->session; $input = $this->wire()->input; $user = $this->wire()->user; if($user->isLoggedin()) { if($this->loginURL && !$input->get('login')) { $this->afterLoginRedirect($this->loginURL); } if($input->get('layout')) return ''; // blank placeholder page option for admin themes $this->message($this->labels('logged-in')); if($this->isAdmin && $user->hasPermission('page-edit') && !$input->get('login')) { $this->afterLoginRedirect(); } // fallback if nothing set return $this->afterLoginOutput(); } else if($input->urlSegmentStr() === 'logout') { $session->location('../'); } $tfa = $this->getTfa(); if($tfa && $tfa->active()) { // two factor authentication if($tfa->success()) { $this->tfaLoginSuccess = true; $this->loginSuccess($this->wire()->user); $this->afterLoginRedirect('./'); } else { return $tfa->render(); } } else if($input->get('forgot') && $this->allowForgot) { /** @var ProcessForgotPassword $process */ $process = $this->modules->get('ProcessForgotPassword'); if($this->useEmailLogin()) $process->askEmail = true; return $process->execute(); } $this->buildLoginForm(); $loginSubmit = $input->post('login_submit'); if(!$loginSubmit) { $this->beforeLogin(); return $this->renderLoginForm(); } $this->loginFormProcessReady($this->form); $this->form->processInput($input->post); // at this point login form has been submitted $name = $this->getLoginName(); $pass = substr($this->passField->attr('value'), 0, 128); $this->loginFormProcessed($this->form, $name); if(!$name || !$pass) return $this->renderLoginForm(); // vars to copy from non-logged in session to logged-in session $session->setFor($this, 'copyVars', array( 'hidpi' => $input->post('login_hidpi') ? true : false, 'touch' => $input->post('login_touch') ? true : false, 'clientWidth' => (int) $input->post('login_width'), )); if($tfa) $tfa->start($name, $pass); $this->login($name, $pass); return $this->renderLoginForm(); } /** * Get Tfa instance or null if not applicable * * @return null|Tfa * @since 3.0.160 * */ public function getTfa() { $tfas = $this->wire()->modules->findByPrefix('Tfa'); if(!count($tfas)) return null; $tfa = new Tfa(); $this->wire($tfa); $tfa->rememberDays = $this->tfaRememberDays; $tfa->rememberFingerprints = $this->tfaRememberFingerprints; $tfa->autoType = $this->tfaAutoType && $this->tfaAutoType !== '0' ? $this->tfaAutoType : ''; $tfa->autoRoleIDs = $this->tfaAutoRoleIDs; return $tfa; } /** * Get login username (whether email or name used) * * @return string|bool * @since 3.0.151 * */ protected function getLoginName() { $sanitizer = $this->wire()->sanitizer; $config = $this->wire()->config; $users = $this->wire()->users; $value = $this->nameField->attr('value'); if(!strlen($value)) return false; $originalValue = $value; if(!$this->useEmailLogin() || !strpos($value, '@')) { $value = $this->sanitizer->pageNameUTF8($value); $this->submitLoginName = $value; if($originalValue !== $value && strtolower($originalValue) !== $value) { // if sanitizer changed anything about the value (other than case) do not accept it $this->loginFailed($value, $this->labels('invalid-name')); $value = false; } return $value; } // at this point we are dealing with an email login $value = strtolower($sanitizer->email($value)); $this->submitLoginName = $value; if(empty($value)) return false; if(strtolower($originalValue) !== $value) { // if sanitizer changed anything about the email (not likely) do not accept it $this->loginFailed($value, $this->labels('invalid-name')); return false; } $error = $this->labels('email-not-supported'); $items = $users->find("include=all, $this->emailField=" . $sanitizer->selectorValue($value)); if(!$items->count()) { // fail: no matches $this->loginFailed($value); return false; } else if($items->count() > 1) { // fail: more than one match if($config->debug) $error .= ' (not unique)'; $this->loginFailed($value, $error); return false; } // success: single match $user = $items->first(); if($user->status > Page::statusHidden) { // hidden, unpublished, trash if($config->debug) $error .= ' (inactive)'; $this->loginFailed($value, $error); return false; } return $user->name; } /** * Determine the after login URL and page, then populate to session to pick up after login * * @since 3.0.167 * */ protected function determineAfterLoginUrl() { $input = $this->wire()->input; $session = $this->wire()->session; // if we’ve already done this then exit early if($session->getFor($this, 'afterLoginPageId') !== null) return; // ProcessPageView sets a loginRequestPageID variable to its session // this is the ID of the page that access control blocked and sent user to login $requestPageId = (int) $session->getFor('ProcessPageView', 'loginRequestPageID'); if(!$requestPageId || $requestPageId === $this->wire()->page->id) return; // load the requested page $requestPage = $this->wire()->pages->get($requestPageId); if(!$requestPage->id) { $session->setFor($this, 'afterLoginPageId', 0); return; } if($requestPage->process) { // admin: this is likely an admin page with a Process module $process = (string) $requestPage->process; if(!$process || $process === "ProcessLogin") return; $className = $this->wire()->modules->getModuleClass($process, true); if(!$className || !class_exists($className)) return; $url = call_user_func_array("$className::getAfterLoginUrl", array($requestPage)); } else { // front-end $url = ''; } if(empty($url)) { $url = $session->getFor('ProcessPageView', 'loginRequestURL'); } else { // common integer GET vars in admin to identify if present and not already in $url foreach(array('id', 'modal') as $name) { $value = $input->get($name); if($value === null || !ctype_digit("$value")) continue; // not an integer if(preg_match('/[&?]' . $name . '=/', $url)) continue; // already present $url .= (strpos($url, '?') ? '&' : '?') . "$name=" . ((int) $value); } } // set what we found to session $session->setFor($this, 'afterLoginUrl', $url); $session->setFor($this, 'afterLoginPageId', $requestPage->id); } /** * Perform login and redirect on success * * @param string $name * @param string $pass * @return bool Returns false on fail, performs redirect on success * */ public function ___login($name, $pass) { $session = $this->wire()->session; $input = $this->wire()->input; $this->loginAttemptReady($name); if($name && $pass) { $loginUser = $session->login($name, $pass); } else { $loginUser = false; } $this->loginAttempted($loginUser, $name); if($loginUser && $loginUser->id) { $this->loginSuccess($loginUser); $url = $input->urlSegment1 === 'navJSON' ? '../' : './'; $this->afterLoginRedirect($url); } else { $this->loginFailed($this->submitLoginName ? $this->submitLoginName : $name); } return false; } /** * Log the user out * * @return string * */ public function ___executeLogout() { if($this->logoutURL) { $url = $this->logoutURL; } else if($this->isAdmin || $this->wire()->page->template->name === 'admin') { $url = $this->wire()->config->urls->admin . './?loggedout=1'; } else { $url = "./?logout=2"; } $session = $this->wire()->session; $session->logout(); $session->redirect($url, false); return ''; } /** * Check that sessions can be initiated and attempt to rectify situation if not * * Happens only on the admin login form. * */ protected function ___beforeLogin() { $session = $this->wire()->session; $beforeLoginVars = $this->getBeforeLoginVars(); $session->setFor($this, 'beforeLoginVars', $beforeLoginVars); // check if Process module provides an after login URL that it wants us to use $this->determineAfterLoginUrl(); // if checks already completed don't run them again if($session->getFor($this, 'beforeLoginChecks')) return; $modules = $this->wire()->modules; $config = $this->wire()->config; $input = $this->wire()->input; $files = $this->wire()->files; $log = $this->wire()->log; // any remaining checks only if currently in the admin if(!$this->isAdmin) return; if( ini_get('session.save_handler') == 'files' && !$modules->isInstalled('SessionHandlerDB') && !$input->get('db') ) { $installSessionDB = false; $path = $config->paths->sessions; $error = ''; if(!file_exists($path)) { $files->mkdir($path); clearstatcache(); if(file_exists($path)) { $log->message("Created session path $path"); } else { $installSessionDB = true; $error = "Session path $path does not exist and we are unable to create it."; } } if(!is_writable($path)) { $files->chmod($path); clearstatcache(); if(is_writable($path)) { $log->message("Updated session path to be writable $path"); } else { $installSessionDB = true; $error = "Unable to write to session path $path, and unable to fix the permissions."; } } // if we can't get file-based sessions going, switch to database sessions to ensure admin can login if($installSessionDB) { if($error) $log->error($error); if($modules->get('SessionHandlerDB')) { $log->error("Installed SessionHandlerDB as an alternate session handler. If you wish to uninstall this, do so after correcting the session path error."); $session->redirect("./?db=1"); // db param to prevent potential infinite redirect } else { $log->error("Unable to install alternate session handler module SessionHandlerDB"); $this->error("Session write error. Login may not be possible."); } } } $session->setFor($this, 'beforeLoginChecks', 1); } /** * Hook called after login * * Notify admin if there are any issues that need their attention. * Happens only on the admin login form after superuser login. * */ protected function ___afterLogin() { if($this->wire()->user->isSuperuser()) { /** @var SystemUpdater $systemUpdater */ $systemUpdater = $this->wire()->modules->get('SystemUpdater'); if($systemUpdater) { $updatesApplied = $systemUpdater->getUpdatesApplied(); $checks = $systemUpdater->getChecks(); $checks->setShowNotices(true); //$checks->setTestAll(true); if(count($updatesApplied)) { $checks->checkWelcome(); $this->message( sprintf( $this->_('Skipping after-login system checks because updates were applied (%s)'), implode(', ', $updatesApplied) ), Notice::debug ); } else { $checks->execute(); } } } } /** * Build the login form * * @return InputfieldForm * */ protected function ___buildLoginForm() { $modules = $this->wire()->modules; $useEmailLogin = $this->useEmailLogin(); $nameInputType = 'InputfieldText'; $nameInputLabel = $this->labels('username'); // Login form: username field label if($useEmailLogin === 1) { $nameInputType = 'InputfieldEmail'; $nameInputLabel = $this->labels('email'); // Login form: email field label } else if($useEmailLogin === 2) { $nameInputLabel = $this->labels('username-or-email'); // Login form: username OR email field label } $this->nameField = $modules->get($nameInputType); $this->nameField->label = $nameInputLabel; $this->nameField->attr('id+name', 'login_name'); $this->nameField->attr('class', $this->className() . 'Name'); $this->nameField->addClass('InputfieldFocusFirst'); $this->nameField->collapsed = Inputfield::collapsedNever; $this->passField = $modules->get('InputfieldText'); $this->passField->set('label', $this->labels('password')); // Login form: password field label $this->passField->attr('id+name', 'login_pass'); $this->passField->attr('type', 'password'); $this->passField->attr('class', $this->className() . 'Pass'); $this->passField->collapsed = Inputfield::collapsedNever; $this->submitField = $modules->get('InputfieldSubmit'); $this->submitField->attr('name', 'login_submit'); $this->submitField->attr('value', $this->labels('login')); // Login form: submit login button $this->form = $modules->get('InputfieldForm'); // we'll retain an ID field in the GET url, if it was there (note: no longer used as anything but a toggle on/off) $this->form->attr('action', "./" . ($this->id ? "?id=$this->id" : '')); $this->form->addClass('InputfieldFormFocusFirst'); $this->form->attr('id', $this->className() . 'Form'); $this->form->add($this->nameField); $this->form->add($this->passField); $this->form->add($this->submitField); if($this->isAdmin) { // detect hidpi at login (populated from js) /** @var InputfieldHidden $f */ $f = $modules->get('InputfieldHidden'); $f->attr('id+name', 'login_hidpi'); $f->attr('value', 0); $this->form->add($f); // detect touch device login (populated from js) /** @var InputfieldHidden $f */ $f = $modules->get('InputfieldHidden'); $f->attr('id+name', 'login_touch'); $f->attr('value', 0); $this->form->add($f); // detect touch device login (populated from js) /** @var InputfieldHidden $f */ $f = $modules->get('InputfieldHidden'); $f->attr('id+name', 'login_width'); $f->attr('value', 0); $this->form->add($f); } /** @var InputfieldHidden $f */ $f = $modules->get('InputfieldHidden'); $f->attr('id+name', 'login_start'); $f->val(gmdate('U')); // GMT/UTC unix timestamp of when login form was rendered $this->form->add($f); $s = 'script'; $jsError = str_replace('{out}', $this->labels('fail-javascript'), $this->markup('error')); $cookieError = str_replace(array('{out}', "'"), array($this->labels('fail-cookie'), '"'), $this->markup('error')); $this->form->prependMarkup .= "<$s>if(!navigator.cookieEnabled) document.write('$cookieError');"; if($this->isAdmin) $this->form->prependMarkup .= "$jsError"; return $this->form; } /** * Render the login form * * @return string * */ protected function ___renderLoginForm() { $loggedIn = $this->wire()->user->isLoggedin(); $out = ''; if($this->wire()->input->get('login') && $loggedIn) { // redirect to page after login $this->afterLoginRedirect(); } else if($loggedIn) { // user is already logged in, do nothing } else { // render login form if($this->isAdmin) $this->setCacheHeaders(); // note the space after 'Login ' is intentional to separate it from the Login button for translation purposes $this->headline($this->labels('login-headline')); // Headline for login form page $this->passField->attr('value', ''); $out = $this->form->render(); $links = $this->getLoginLinks(); if(count($links)) { $out .= str_replace('{out}', implode($this->markup('login-links-split'), $links), $this->markup('login-links')); } if(!$this->wire()->modules->isInstalled('InputDetect')) { $config = $this->wire()->config; $config->scripts->prepend($config->urls('ProcessLogin') . 'what-input.min.js'); } } return $out; } /** * Get array of links to display under login form * * Each item in returned array must be entire `` tag for link * * #pw-hooker * * @return array * @since 3.0.154 * */ protected function ___getLoginLinks() { $links = array(); $markup = $this->markup('login-link'); if($this->allowForgot) { $icon = $this->markup('forgot-icon'); $label = $this->labels('forgot-password'); $links['forgot'] = str_replace( array('{url}', '{out}'), array('./?forgot=1', "$icon $label"), $markup ); } $home = $this->pages->get('/'); $icon = $this->markup('home-icon'); $label = $this->wire()->sanitizer->entities($home->getUnformatted('title')); $links['home'] = str_replace( array('{url}', '{out}'), array($home->url, "$icon $label"), $markup ); return $links; } /** * Output that appears if there is nowhere to redirect to after login * * Called only if login originated from the actual login page, OR if user does not have page-edit permission * and thus can’t browse around in the admin. * * This method is not often used since it’s more common and recommended to redirect after login. * * @return string * */ protected function ___afterLoginOutput() { $config = $this->wire()->config; /** @var InputfieldButton $btn */ $btn = $this->wire()->modules->get('InputfieldButton'); if($this->wire()->user->hasPermission('profile-edit')) { $btn->value = $this->labels('edit-profile'); $btn->href = $config->urls->admin . 'profile/'; } else { $btn->value = $this->labels('continue'); $btn->href = $config->urls->root; } return "

" . $btn->render() . "

"; } /** * Redirect to admin root after login * * @param string $url * */ protected function ___afterLoginRedirect($url = '') { $url = $this->afterLoginURL($url); $session = $this->wire()->session; $session->removeFor($this, 'beforeLoginVars'); $session->removeFor($this, 'beforeLoginChecks'); $session->removeFor($this, 'afterLoginUrl'); $session->removeFor($this, 'afterLoginPageId'); $session->removeFor('ProcessPageView', 'loginRequestPageID'); $session->removeFor('ProcessPageView', 'loginRequestURL'); if(strpos($url, '/navJSON') !== false) $url = str_replace(array('/navJSON/', '/navJSON'), '/', $url); $session->redirect($url, false); } /** * Hooks can modify the redirect URL with this hook * * #pw-hooker * #pw-internal * * @param string $url * @return string * */ public function ___afterLoginURL($url = '') { $session = $this->wire()->session; $afterLoginUrl = $session->getFor($this, 'afterLoginUrl'); $id = (int) $session->getFor($this, 'afterLoginPageId'); if($afterLoginUrl) { $page = $id ? $this->wire()->pages->get($id) : new NullPage(); if(!$page->id || $page->viewable()) return $afterLoginUrl; } if(empty($url)) { $user = $this->wire()->user; if($this->loginURL) { $url = $this->loginURL; } else if($this->isAdmin && $user->isLoggedin() && $user->hasPermission('page-edit')) { if($this->id || ((string) $this->wire()->process) !== $this->className()) { $url = './'; } else { $url = $this->wire()->config->urls->admin . 'page/'; } } else { $url = './'; } } $beforeLoginVars = $session->getFor($this, 'beforeLoginVars'); if(!is_array($beforeLoginVars)) $beforeLoginVars = array(); if(!isset($beforeLoginVars['login'])) $beforeLoginVars['login'] = 1; $a = array(); foreach($beforeLoginVars as $name => $value) { if(strpos($url, "?$name=") !== false || strpos($url, "&$name=") !== false) continue; // skip if overridden $a[$name] = $value; } if(count($a)) { $url .= strpos($url, '?') !== false ? '&' : '?'; $url .= http_build_query($a); } return $url; } /** * Get validated/sanitized variables in the query string for not logged-in user to retain after login * * Hook this if you need to add more than 'id' but make sure anything populated * to the return value is fully validated and sanitized. * * @return array Associative array of variables * */ public function ___getBeforeLoginVars() { $session = $this->wire()->session; $vars = $session->getFor($this, 'beforeLoginVars'); if(!is_array($vars)) $vars = array(); $id = $this->wire()->input->get('id'); if($id !== null) $vars['id'] = $this->wire()->sanitizer->intUnsigned($id); return $vars; } /** * Hook called right before a login is attempted * * #pw-hooker * * @param string $name * @since 3.0.223 * */ protected function ___loginAttemptReady($name) {} /** * Hook called immediately after a login was attempted * * #pw-hooker * * @param User|false $user This will be User object on success, or false on fail * @param string $name Attempted login name * @since 3.0.223 * */ protected function ___loginAttempted($user, $name) {} /** * Hook called immediately before the login form in processed * * #pw-hooker * * @param InputfieldForm $form * @since 3.0.223 * */ protected function ___loginFormProcessReady($form) {} /** * Hook called immediately after login form processed and user name/pass identified as present * * #pw-hooker * * @param InputfieldForm $form * @param string $name Attempted user name * @since 3.0.223 * */ protected function ___loginFormProcessed($form, $name) {} /** * Hook called on login fail * * @param string $name * @param string $message Specify only to override default error message (since 3.0.151) * */ protected function ___loginFailed($name, $message = '') { if(empty($message)) $message = "$name - " . $this->labels('login-failed'); $this->error($message); } /** * Hook called on login success * * @param User $user * */ protected function ___loginSuccess(User $user) { $session = $this->wire()->session; if($this->isAdmin) { $copyVars = $session->getFor($this, 'copyVars'); if(!is_array($copyVars)) $copyVars = array(); foreach($copyVars as $key => $value) { $session->set($key, $value); } $session->remove('error'); $session->removeFor($this, 'copyVars'); } if(!$user->hasTfa() && count($this->tfaRecRoleIDs) && !$this->tfaLoginSuccess) { // determine if Tfa module is installed and user has role requiring Tfa $requireTfa = false; $roles = $this->wire()->roles; if(count($this->wire()->modules->findByPrefix('Tfa'))) { foreach($this->tfaRecRoleIDs as $roleID) { $role = $roles->get((int) $roleID); if($role && $user->hasRole($role)) { $requireTfa = true; break; } } } if($requireTfa) { $url = $this->wire()->config->urls('admin') . 'profile/#wrap_Inputfield_tfa_type'; $session->setFor('_user', 'requireTfa', $url); } } if($this->isAdmin) $this->afterLogin(); } /** * Configure module settings * * @param InputfieldWrapper $inputfields * */ public function getModuleConfigInputfields(InputfieldWrapper $inputfields) { $modules = $this->wire()->modules; /** @var InputfieldRadios $f */ $f = $modules->get('InputfieldRadios'); $emailAllow = true; $emailField = $this->wire()->fields->get($this->emailField); /** @var Field $field */ $emailAttrs = array(); $emailLabel = $this->_('Email address'); $emailNotes = array(); if($emailField && ((int) $this->allowEmail) !== 1) { if(!$emailField->hasFlag(Field::flagUnique)) { $emailAllow = false; $emailNotes[] = sprintf( $this->_('You must [enable the “unique” setting](%s) for your email field'), $emailField->editUrl('flagUnique') ); } $role = $this->wire()->roles->get($this->wire()->config->superUserRolePageID); if($this->wire()->users->count("roles=$role, email=''") > 0) { $emailAllow = false; $emailNotes[] = $this->_('All superusers must have an email address defined'); } if(!$emailAllow) { $emailAttrs['disabled'] = 'disabled'; $emailLabel .= ' - ' . $this->_('See notes below to enable'); } } $f->attr('name', 'allowEmail'); $f->label = $this->_('Login type'); $f->addOption(0, $this->_('User name')); $f->addOption(1, $emailLabel, $emailAttrs); $f->addOption(2, $this->_('Either'), $emailAttrs); $f->icon = 'sign-in'; $f->val((int) $this->allowEmail); if(count($emailNotes)) $f->notes = $this->_('To use login-by-email: ') . implode(', ', $emailNotes); $inputfields->add($f); $inputfields->add($this->getTfaConfigInputfields()); } /** * Get Inputfields to configure Tfa settings * * @param array $data * @return InputfieldFieldset * @since 3.0.163 * */ public function getTfaConfigInputfields(array $data = array()) { $defaults = array( 'tfaAutoType' => $this->tfaAutoType, 'tfaAutoRoleIDs' => $this->tfaAutoRoleIDs, 'tfaRecRoleIDs' => $this->tfaRecRoleIDs, 'tfaRememberDays' => $this->tfaRememberDays, 'tfaRememberFingerprints' => $this->tfaRememberFingerprints, ); $data = array_merge($defaults, $data); $modules = $this->wire()->modules; $items = array(); $autos = array(); /** @var InputfieldFieldset $fieldset */ $fieldset = $modules->get('InputfieldFieldset'); $fieldset->attr('id', 'tfaConfigFieldset'); $fieldset->label = $this->_('Two-factor authentication'); $fieldset->icon = 'user-secret'; $fieldset->appendMarkup = "

" . $this->_('Tfa modules in the ProcessWire modules directory') . ' ' . wireIconMarkup('external-link') . "

"; $tfaModules = $modules->findByPrefix('Tfa'); if(!count($tfaModules)) { $fieldset->description = $this->_('To configure this you must first install one or more Tfa modules and then return here.'); $fieldset->collapsed = Inputfield::collapsedYes; return $fieldset; } foreach($tfaModules as $name) { $items[] = "[$name](" . $modules->getModuleEditUrl($name) . ")"; /** @var Tfa $tfaModule */ $tfaModule = $modules->getModule($name, array('noCache' => true, 'noInit' => true)); if($tfaModule && $tfaModule->autoEnableSupported()) { $autos[$name] = $modules->getModuleInfoProperty($name, 'title'); } } $fieldset->description = $this->_('Found the following Tfa modules:') . ' ' . implode(', ', $items) . ' ' . $this->_('(click to configure)'); if(count($autos)) { $forceLabel = $this->_('Force two-factor authentication'); /** @var InputfieldRadios $f */ $f = $modules->get('InputfieldRadios'); $f->attr('name', 'tfaAutoType'); $f->label = $forceLabel . ' - ' . $this->_x('Type', 'Module name/type'); $f->description = $this->_('When a Tfa module is selected here, it will be enabled automatically (at login) for users that are not using two-factor authentication.'); $f->addOption('0', $this->_('Disabled')); foreach($autos as $name => $title) { $f->addOption($name, "$title ($name)"); } $f->icon = 'gavel'; $f->val(!empty($data['tfaAutoType']) ? $data['tfaAutoType'] : '0'); $fieldset->add($f); /** @var InputfieldCheckboxes $f */ $f = $modules->get('InputfieldCheckboxes'); $f->attr('name', 'tfaAutoRoleIDs'); $f->label = $forceLabel . ' - ' . $this->_x('Roles', 'Roles selection'); $f->description = $this->_('Check roles to force two-factor authentication for, or leave all unchecked to force for ALL roles (when/where possible).'); foreach($this->wire('roles') as $role) { if($role->name == 'guest') continue; $f->addOption($role->id, $role->name); } $f->icon = 'gavel'; $f->attr('value', $data['tfaAutoRoleIDs']); $f->showIf = 'tfaAutoType!=0'; $f->collapsed = Inputfield::collapsedBlank; $fieldset->add($f); } /** @var InputfieldCheckboxes $f */ $f = $modules->get('InputfieldCheckboxes'); $f->attr('name', 'tfaRecRoleIDs'); $f->icon = 'gears'; $f->label = $this->_('Strongly suggest two-factor authentication for these roles'); $f->description = $this->_('After logging in to the admin, ProcessWire will prompt users in the roles you select here to use two-factor authentication for their accounts.'); foreach($this->wire('roles') as $role) { if($role->name == 'guest') continue; $f->addOption($role->id, $role->name); } $f->attr('value', $data['tfaRecRoleIDs']); $f->collapsed = Inputfield::collapsedBlank; $fieldset->add($f); /** @var InputfieldInteger $f */ $f = $modules->get('InputfieldInteger'); $f->attr('name', 'tfaRememberDays'); $f->label = $this->_('Allow users the option to skip code entry when their browser/location is remembered?'); $f->description = $this->_('This presents users with a “Remember this computer?” option on the code entry screen at login.') . ' ' . $this->_('Enter the number of days that a user’s browser/location can be remembered for, or 0 to disable.'); $f->attr('value', (int) $data['tfaRememberDays']); $f->icon = 'unlock-alt'; $fieldset->add($f); $fingerprints = array( 'agent' => $this->_('User agent (browser, platform, and versions of each)'), 'agentVL' => $this->_('Non-versioned user agent (browser and platform, but no versions—less likely to change often)'), 'accept' => $this->_('Accept header (content types user’s browser accepts)'), 'scheme' => $this->_('Current request scheme whether HTTP or HTTPS'), 'host' => $this->_('Server hostname (value of $config->httpHost)'), 'ip' => $this->_('User’s IP address (REMOTE_ADDR)'), 'fwip' => $this->_('User’s forwarded or client IP address (HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP)'), ); /** @var InputfieldCheckboxes $f */ $f = $modules->get('InputfieldCheckboxes'); $f->attr('name', 'tfaRememberFingerprints'); $f->label = $this->_('Do not allow user to skip code entry when any of these properties change'); $f->description = $this->_('Changes to password, name, email, or a random cookie in the user’s browser, will always require code entry at login.') . ' ' . $this->_('In addition, changes to any checked items below will also require code entry at login.') . ' ' . $this->_('These properties form a fingerprint of the user’s browser beyond the random cookie that we set.'); $f->notes = $this->_('This setting only applies when the option to remember browser/location is enabled.'); foreach($fingerprints as $name => $label) { $f->addOption($name, $label); } $f->showIf = 'tfaRememberDays!=0'; $f->attr('value', $data['tfaRememberFingerprints']); $f->icon = 'lock'; $fieldset->add($f); return $fieldset; } }