<?php
/**
* @file
* Contains tfa.module
*/
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Access\AccessResult;
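/**
 * Implements hook_help().
 *
 * Builds the "About" help markup shown on the TFA module's help page.
 *
 * @param string $route_name
 *   Name of the route for which help is being requested.
 * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
 *   The current route match. Not read by this implementation.
 *
 * @return string|null
 *   HTML for the 'help.page.tfa' route. For any other route the function
 *   falls through without a return value.
 */
function tfa_help($route_name, RouteMatchInterface $route_match) {
  switch ($route_name) {
    // Main module help for the tfa module.
    case 'help.page.tfa':
      $output = '';
      $output .= '<h3>' . t('About') . '</h3>';
      $output .= '<p>' . t('Pluggable provider of second factor authentication for Drupal') . '</p>';
      // The return ends the case, so no break statement follows it.
      return $output;
  }
}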
/**
 * Implements hook_user_login().
 *
 * Reports, as a status message, whether the 'enabled' value of the
 * 'tfa.settings' configuration is set. No second factor is requested or
 * verified here: the enforcement logic is commented out below, so this hook
 * never interrupts a login.
 *
 * NOTE(review): both messages go through drupal_set_message() during login and
 * state whether TFA is switched on. They look like development output; confirm
 * they should not be removed or restricted before release.
 *
 * @param \Drupal\user\UserInterface $account
 *   The account that has just logged in. Not read by the active code.
 */
function tfa_user_login($account) {
  $tfa_enabled = \Drupal::config('tfa.settings')->get('enabled');

  if (!$tfa_enabled) {
    drupal_set_message(t('TFA is not enabled.'));
  }
  else {
    drupal_set_message(t('TFA is enabled.'));

    // Disabled enforcement logic, kept for reference. It calls helpers that
    // are not defined in this file (tfa_get_process(), tfa_login_complete(),
    // tfa_logout(), ...) and Drupal 7 era functions such as drupal_goto() and
    // arg(), so it cannot simply be uncommented. Until it is ported, enabling
    // the 'tfa.settings' flag does not add a second-factor step at login.
    //$tfa = tfa_get_process($account);
    /*
    if ($account->hasPermission('require tfa') && !tfa_login_complete($account) && !$tfa->ready()) {
      tfa_logout();
      drupal_set_message(t('Login disallowed. You are required to setup two-factor authentication. Please contact a site administrator.'), 'error');
      drupal_goto('user');
    }
    elseif (!tfa_login_complete($account) && $tfa->ready() && !tfa_login_allowed($account)) {
      // User has been authenticated so force logout and redirect to TFA form.
      tfa_logout();
      // Restart flood levels, session context, and TFA process.
      flood_clear_event('tfa_validate');
      flood_register_event('tfa_begin');
      $context = tfa_start_context($account);
      $tfa = tfa_get_process($account);
      // Hold onto destination. It will be used in tfa_form_submit().
      $query = drupal_get_query_parameters();
      if (arg(0) == 'user' && arg(1) == 'reset') {
        // If one-time login reset destination and hold onto token.
        $query['destination'] = 'user/' . $account->uid . '/edit';
        $query['pass-reset-token'] = arg(4);
      }
      unset($_GET['destination']);
      // Begin TFA and set process context.
      $tfa->begin();
      $context = $tfa->getContext();
      tfa_set_context($account, $context);
      $login_hash = tfa_login_hash($account);
      // Use of $_GET['destination'] would allow other hooks to run but since the
      // current user is no longer authenticated their expectation would be wrong.
      drupal_goto('system/tfa/' . $account->uid . '/' . $login_hash, array('query' => $query));
    }
    */
  }
}
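/**
 * Implements hook_block_access().
 *
 * Denies access to the core 'user_login_block' while the 'enabled' value of
 * 'tfa.settings' is set, so that the TFA login block can replace it.
 *
 * This only hides a block. Nothing in this file restricts other ways of
 * reaching the core login form, so this hook must not be relied on as the
 * control that enforces the second factor.
 *
 * NOTE(review): the decision depends on the 'tfa.settings' configuration.
 * Confirm the returned access result carries that configuration as
 * cacheability metadata, otherwise a cached result may outlive a settings
 * change.
 *
 * @param \Drupal\block\Entity\Block $block
 *   The block whose access is being checked.
 * @param string $operation
 *   The operation being checked. Not read by this implementation.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account access is checked for. Not read by this implementation.
 * @param string $langcode
 *   The language code. Not read by this implementation.
 *
 * @return \Drupal\Core\Access\AccessResult
 *   Forbidden for the core login block while TFA is enabled, neutral in every
 *   other case.
 */
function tfa_block_access(\Drupal\block\Entity\Block $block, $operation, \Drupal\Core\Session\AccountInterface $account, $langcode) {
  $tfa_enabled = \Drupal::config('tfa.settings')->get('enabled');

  if ($tfa_enabled && $block->getPluginId() === 'user_login_block') {
    return AccessResult::forbidden();
  }

  // State "no opinion" explicitly so every path returns an access result, as
  // the documented return type promises, instead of falling through with NULL.
  return AccessResult::neutral();
}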
/**
 * Implements hook_block_alter().
 *
 * Drops the core 'user_login_block' entry from the block definitions. The
 * removal is unconditional: the 'enabled' value of 'tfa.settings' is not
 * consulted here. Per the module's own notes, the TFA User Login block works
 * whether or not TFA is actually enabled, so the core block is not needed.
 *
 * @param array $definitions
 *   Block definitions, passed by reference and indexed here by block plugin
 *   ID.
 */
function tfa_block_alter(&$definitions) {
  $core_login_block_id = 'user_login_block';
  // Unsetting a key that is absent is a no-op, so no existence check is
  // needed.
  unset($definitions[$core_login_block_id]);
}