= 3) { hesk_forceLogout($hesklang['bf_int']); } $_SESSION['mfa_emails_sent']++; } else { $_SESSION['mfa_emails_sent'] = 1; } } elseif (hesk_POST('a') === 'verify') { $skip_email = true; $mfa_method = intval(hesk_POST('mfa-method')); if ($mfa_method === 0) { $pass = hesk_input( hesk_POST('verification-code') ); if ( ! $pass) { $error = $hesklang['enter_pass']; } elseif (strlen($pass) > 64) { $error = $hesklang['pass_len']; } else { hesk_limitInternalBfAttempts(); if (hesk_password_verify($pass, fetch_current_user_password())) { handle_successful_elevation(); } else { $error = $hesklang['wrong_pass']; } } hesk_process_messages($error, 'NOREDIRECT'); } else { hesk_limitInternalBfAttempts(); if (($mfa_method === 1 && is_mfa_email_code_valid($_SESSION['id'], hesk_POST('verification-code'))) || ($mfa_method === 2 && is_mfa_app_code_valid($_SESSION['id'], hesk_POST('verification-code')))) { handle_successful_elevation(); } else { // Verification failed hesk_process_messages($hesklang['mfa_invalid_verification_code'], 'NOREDIRECT'); } } } elseif (hesk_POST('a') === 'do_backup_code_verification') { $skip_email = true; hesk_limitInternalBfAttempts(); if (verify_mfa_backup_code($_SESSION['id'], hesk_POST('backup-code'))) { handle_successful_elevation(); } else { // Verification failed hesk_process_messages($hesklang['mfa_invalid_verification_code'], 'NOREDIRECT'); } } else { // Invalid action, something strange is going on... Let's force logout hesk_forceLogout($hesklang['invalid_action']); } } $message = ''; //$hesklang['elevator_intro'] . '

// '; <- stray fragment at the start of this line; it looks like the tail of the commented-out
//       $hesklang['elevator_intro'] line just above (markup dropped during extraction) — confirm against the original file.

/*
 * Pick the re-authentication UI for the current user and, for email MFA, decide whether a new
 * one-time code must be generated and mailed right now.
 *
 * Reads:  $mfa_enrollment (0 = password only, 1 = email code, 2 = authenticator app, per the branches below),
 *         $skip_email, $force_send_email, $hesklang, $_SESSION
 * Writes: $mfa_verify_option, $message, $skip_email, $verification_code, $skip_mfa_emails_until,
 *         $_SESSION['skip_mfa_emails_until']
 *
 * NOTE(review): no branch assigns $mfa_verify_option for values other than 0/1/2; presumably
 * $mfa_enrollment is restricted to those upstream — verify before relying on it in the template.
 */
if ($mfa_enrollment === 0) {
    // No MFA enrolled: the account password alone re-authenticates the session.
    $message .= $hesklang['elevator_enter_password'];
    $mfa_verify_option = 0;
} elseif ($mfa_enrollment === 1) {
    // Email MFA.
    $mfa_verify_option = 1;

    // Honour the cool-down recorded in the session unless the user explicitly requested another email.
    // Both sides are 'Y-m-d H:i:s' strings, so plain string ordering is chronological ordering.
    if (! $skip_email
        && empty($force_send_email)
        && isset($_SESSION['skip_mfa_emails_until'])
        && date('Y-m-d H:i:s') < $_SESSION['skip_mfa_emails_until']) {
        $skip_email = true;
    }

    // Only mail a code when nothing above asked us to hold off (e.g. a failed verification should not
    // trigger a fresh email on its own).
    if (! $skip_email) {
        $verification_code = generate_mfa_code();
        hash_and_store_mfa_verification_code($_SESSION['id'], $verification_code);
        send_mfa_email($_SESSION['name'], $_SESSION['email'], $verification_code);
        hesk_process_messages($hesklang['mfa_sent'], 'NOREDIRECT', 'INFO');

        // Start a 15-minute cool-down during which no further email is sent unless explicitly requested.
        // NOTE(review): this cool-down lives only in the session; whether a server-side per-account
        // limit on MFA emails also exists is not visible here — confirm.
        $skip_mfa_emails_until = (new DateTime())->add(new DateInterval('PT15M'));
        $_SESSION['skip_mfa_emails_until'] = $skip_mfa_emails_until->format('Y-m-d H:i:s');
    }

    $message .= $hesklang['mfa_verification_needed_email'];
} elseif ($mfa_enrollment === 2) {
    // Authenticator-app MFA: nothing to send, the user supplies the TOTP code.
    $mfa_verify_option = 2;
    $message .= $hesklang['mfa_verification_needed_auth_app'];
}

/* Page header */
require_once(HESK_PATH . 'inc/header.inc.php');

/* Admin navigation */
require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
?>

 
 
add(new DateInterval("P{$interval_amount}")); $_SESSION['elevated'] = $elevation_expiration; $elevator_target = hesk_SESSION('elevator_target', 'admin_main.php'); unset($_SESSION['elevator_target']); header('Location: ' . $elevator_target); exit(); } exit();