From 4ec4a04e491bf334c1d129d51aa7ca65dc54dfe3 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 23 Jul 2019 20:03:08 -0400 Subject: [PATCH] Remove mod/ping from 2fa exception list - Prevent asynchronous calls to redirect to /2fa in case of missing valid 2fa session --- src/Core/Authentication.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/Core/Authentication.php b/src/Core/Authentication.php index 646729c434..e75cc93e7f 100644 --- a/src/Core/Authentication.php +++ b/src/Core/Authentication.php @@ -7,6 +7,7 @@ namespace Friendica\Core; use Friendica\App; use Friendica\BaseObject; +use Friendica\Network\HTTPException\ForbiddenException; use Friendica\Util\BaseURL; /** @@ -71,7 +72,7 @@ class Authentication extends BaseObject } // Check current path, if 2fa authentication module return - if ($a->argc > 0 && in_array($a->argv[0], ['ping', '2fa', 'view', 'help', 'api', 'proxy', 'logout'])) { + if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) { return; } @@ -81,7 +82,11 @@ class Authentication extends BaseObject } // Case 2: No valid 2FA session: redirect to code verification page - $a->internalRedirect('2fa'); + if ($a->isAjax()) { + throw new ForbiddenException(); + } else { + $a->internalRedirect('2fa'); + } } } -- 2.39.5