diff --git a/tfa.api.php b/tfa.api.php index 63eec28..1a6aefe 100644 --- a/tfa.api.php +++ b/tfa.api.php @@ -158,10 +158,11 @@ function hook_tfa_flood_hit($context = array()) { * Whether log in should be halted because TFA is not setup for the account. * * Implement this hook to decide if authentication should be denied under the - * conditions of the account not having TFA set up. TFA module will have invoked - * 'ready' methods on enabled plugins already. + * conditions of the account not having TFA set up. TFA module will have already + * invoked 'ready' methods on enabled plugins. * * @param object $account + * User account. * * @return bool * FALSE to disallow login or TRUE to allow it without undergoing TFA. diff --git a/tfa.module b/tfa.module index 29dbbb3..c1624ba 100644 --- a/tfa.module +++ b/tfa.module @@ -258,19 +258,30 @@ function tfa_login_submit($form, &$form_state) { // Similar to tfa_user_login() but not required to force user logout. $account = isset($form_state['uid']) ? user_load($form_state['uid']) : user_load_by_name($form_state['values']['name']); - $tfa = tfa_get_process($account); - // Check if user has gone through TFA process. - $tfa_complete = tfa_login_complete($account); + // Return early if user has succesfully gone through TFA process or if + // a login plugin specifically allows it. + if (tfa_login_allowed($account)) { + // Authentication can continue so invoke user_login_submit(). + user_login_submit($form, $form_state); + return; + } - // Allow other modules to act on login when account is not set up for TFA. - if (!$tfa_complete && !$tfa->ready()) { + $tfa = tfa_get_process($account); + // Check if TFA has been set up by the account. + if (!$tfa->ready()) { + // Allow other modules to act on login when account is not set up for TFA. $require_tfa = array_filter(module_invoke_all('tfa_require', $account)); if (!empty($require_tfa)) { $form_state['redirect'] = !empty($form_state['redirect']) ? $form_state['redirect'] : 'user'; return; } + else { + // Not required so continue with log in. + user_login_submit($form, $form_state); + return; + } } - if (!$tfa_complete && $tfa->ready() && !tfa_login_allowed($account)) { + else { // Restart flood levels, session context, and TFA process. $identifier = variable_get('user_failed_login_identifier_uid_only', FALSE) ? $account->uid : $account->uid . '-' . ip_address(); @@ -299,34 +310,22 @@ function tfa_login_submit($form, &$form_state) { array('query' => $query), ); } - else { - // Authentication can continue so invoke user_login_submit(). - user_login_submit($form, $form_state); - } } /** - * Check if TFA process has completed so authentication should not be stopped. + * Check TFA plugins if login should be interrupted for authenticating account. + * + * @param object $account + * User account * - * @param $account User account * @return bool */ -function tfa_login_complete($account) { +function tfa_login_allowed($account) { // TFA master login allowed switch is set by tfa_login(). if (isset($_SESSION['tfa'][$account->uid]['login']) && $_SESSION['tfa'][$account->uid]['login'] === TRUE) { return TRUE; } - return FALSE; -} - -/** - * Check TFA plugins if login should be interrupted for authenticating account. - * - * @param $account User account - * @return bool - */ -function tfa_login_allowed($account) { - // Check if login plugins will allow login. + // Else check if login plugins will specifically allow login. $tfa = tfa_get_process($account); return $tfa->loginAllowed() === TRUE; } @@ -339,19 +338,23 @@ function tfa_user_login(&$edit, $account) { return; } - $tfa = tfa_get_process($account); - // Check if user has gone through TFA process. - $tfa_complete = tfa_login_complete($account); + // Return early if user has succesfully gone through TFA process or if + // a login plugin specifically allows it. + if (tfa_login_allowed($account)) { + return; + } - // Allow other modules to act on login when account is not set up for TFA. - if (!$tfa_complete && !$tfa->ready()) { + $tfa = tfa_get_process($account); + // Check if TFA has been set up by the account. + if (!$tfa->ready()) { + // Allow other modules to act on login when account is not set up for TFA. $require_tfa = array_filter(module_invoke_all('tfa_require', $account)); if (!empty($require_tfa)) { tfa_logout(); drupal_goto('user'); } } - if (!$tfa_complete && $tfa->ready() && !tfa_login_allowed($account)) { + else { // User has been authenticated so force logout and redirect to TFA form. tfa_logout(); // Restart flood levels, session context, and TFA process.