[SECURITY] Deny login to a deleted account

2024-11-13 10:39:24 +03:00 · 2022-01-27 14:01:27 +03:00 · 2022-01-27 14:01:27 +03:00 · 22157c7fa3
commit 22157c7fa3
parent 870653ccb1
2 changed files with 12 additions and 2 deletions
--- a/Web/Presenters/AuthPresenter.php
+++ b/Web/Presenters/AuthPresenter.php
@ -126,6 +126,10 @@ final class AuthPresenter extends OpenVKPresenter
            if(!$this->authenticator->verifyCredentials($user->id, $this->postParam("password")))
                $this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));

+            $ovkUser = new User($user->related("profiles.user")->fetch());
+            if($ovkUser->isDeleted())
+                $this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));
+
            $secret = $user->related("profiles.user")->fetch()["2fa_secret"];
            $code   = $this->postParam("code");
            if(!is_null($secret)) {
@ -136,7 +140,6 @@ final class AuthPresenter extends OpenVKPresenter
                if(is_null($code))
                    return;

-                $ovkUser = new User($user->related("profiles.user")->fetch());
                if(!($code === (new Totp)->GenerateToken(Base32::decode($secret)) || $ovkUser->use2faBackupCode((int) $code))) {
                    $this->flash("err", tr("login_failed"), tr("incorrect_2fa_code"));
                    return;
@ -229,7 +232,7 @@ final class AuthPresenter extends OpenVKPresenter
            }
            
            $user = $this->users->getByChandlerUser(new ChandlerUser($uRow));
-            if(!$user)
+            if(!$user || $user->isDeleted())
                $this->flashFail("err", tr("error"), tr("password_reset_error"));
            
            $request = $this->restores->getLatestByUser($user);
--- a/Web/Presenters/OpenVKPresenter.php
+++ b/Web/Presenters/OpenVKPresenter.php
@ -210,6 +210,13 @@ abstract class OpenVKPresenter extends SimplePresenter
            $this->user->id              = $this->user->identity->getId();
            $this->template->thisUser    = $this->user->identity;
            $this->template->userTainted = $user->isTainted();
+
+            if($this->user->identity->isDeleted()) {
+                Authenticator::i()->logout();
+                Session::i()->set("_su", NULL);
+                $this->flashFail("err", tr("error"), tr("profile_not_found"));
+                $this->redirect("/", static::REDIRECT_TEMPORARY);
+            }
            
            if($this->user->identity->isBanned() && !$this->banTolerant) {
                header("HTTP/1.1 403 Forbidden");