Fixed guest user email showing in TOTP setup url
authorDan Brown <redacted>
Thu, 14 Oct 2021 17:02:16 +0000 (18:02 +0100)
committerDan Brown <redacted>
Thu, 14 Oct 2021 17:02:16 +0000 (18:02 +0100)
- Occurred during enforced MFA setup upon login.
- Added test to cover.

Fixes #2971

app/Auth/Access/Mfa/TotpService.php
app/Http/Controllers/Auth/MfaTotpController.php
tests/Auth/MfaConfigurationTest.php

index 0d9bd37ce3810f789e5ca52dee307a4fdf8865e9..e73c549fe0790230f89cb97334afcdc1ca9079a0 100644 (file)
@@ -8,6 +8,7 @@ use BaconQrCode\Renderer\ImageRenderer;
 use BaconQrCode\Renderer\RendererStyle\Fill;
 use BaconQrCode\Renderer\RendererStyle\RendererStyle;
 use BaconQrCode\Writer;
+use BookStack\Auth\User;
 use PragmaRX\Google2FA\Google2FA;
 use PragmaRX\Google2FA\Support\Constants;
 
@@ -36,11 +37,11 @@ class TotpService
     /**
      * Generate a TOTP URL from secret key.
      */
-    public function generateUrl(string $secret): string
+    public function generateUrl(string $secret, User $user): string
     {
         return $this->google2fa->getQRCodeUrl(
             setting('app-name'),
-            user()->email,
+            $user->email,
             $secret
         );
     }
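Review bot: The docblock above `generateUrl` still reads "Generate a TOTP URL from secret key." and says nothing about the new `$user` argument, which now decides whose email ends up in the otpauth label. I would reword it to `Generate a TOTP URL from the secret key, labelled with the given user's email.` and add a line telling callers to pass the account being enrolled rather than rely on `user()`. Going by the commit message, `user()` is still the guest account while MFA setup is being forced at login, which is how the guest address leaked into the URL. The rest of `TotpService` lies outside this hunk.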
index 694d69d76ec9edcd3ac3af362d548c76b8ce1ef2..5644f02688e8618a99e0599bb60eb3cb1b68f82e 100644 (file)
@@ -31,7 +31,7 @@ class MfaTotpController extends Controller
             session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
         }
 
-        $qrCodeUrl = $totp->generateUrl($totpSecret);
+        $qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
         $svg = $totp->generateQrCodeSvg($qrCodeUrl);
 
         return view('mfa.totp-generate', [
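Review bot: The corrected call relies entirely on `$this->currentOrLastAttemptedUser()`, which is defined outside this hunk, so it is worth confirming that it fails closed instead of falling back to the guest account when the session holds neither a logged-in user nor a pending login attempt. If it can return the guest, the guest email would appear in the setup URL again without any error. A short comment above the call would record the intent, for example `// Resolve the user mid-login; user() is still the guest until MFA completes`. The enclosing controller method starts and ends outside the hunk.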
index 685aad83a242016ba4e7cec714436be835f33d39..4223d052dac877cdc81f8478369506fec9311364 100644 (file)
@@ -4,6 +4,7 @@ namespace Tests\Auth;
 
 use BookStack\Actions\ActivityType;
 use BookStack\Auth\Access\Mfa\MfaValue;
+use BookStack\Auth\Role;
 use BookStack\Auth\User;
 use PragmaRX\Google2FA\Google2FA;
 use Tests\TestCase;
@@ -164,4 +165,22 @@ class MfaConfigurationTest extends TestCase
         $this->assertActivityExists(ActivityType::MFA_REMOVE_METHOD);
         $this->assertEquals(0, $admin->mfaValues()->count());
     }
+
+    public function test_totp_setup_url_shows_correct_user_when_setup_forced_upon_login()
+    {
+        $admin = $this->getAdmin();
+        /** @var Role $role */
+        $role = $admin->roles()->first();
+        $role->mfa_enforced = true;
+        $role->save();
+
+        $resp = $this->post('/login', ['email' => $admin->email, 'password' => 'password']);
+        $this->assertFalse(auth()->check());
+        $resp->assertRedirect('/mfa/verify');
+
+        $resp = $this->get('/mfa/totp/generate');
+        $resp->assertSeeText('Mobile App Setup');
+        $resp->assertDontSee("otpauth://totp/BookStack:guest%40example.com");
+        $resp->assertSee("otpauth://totp/BookStack:admin%40admin.com");
+    }
 }
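Review bot: The two otpauth assertions at the end of `test_totp_setup_url_shows_correct_user_when_setup_forced_upon_login` hard-code the app name and both seeded email addresses, so the negative check only proves something while the guest seed stays `guest@example.com`. Building the expected label from the fixture, e.g. `$resp->assertSee('otpauth://totp/BookStack:' . urlencode($admin->email));`, ties the test to the account that actually posted to `/login`. The guest address in the `assertDontSee` line would be better derived from the default-user record than written as a literal, so the regression check cannot pass vacuously after a seed change.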