IntenseFinance/firefly-iii
3
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-02-25 18:45:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
1e472ee095
firefly-iii/app/Http/Controllers/Auth/TwoFactorController.php

203 lines
6.4 KiB
PHP
Raw Blame History

<?php
/**
* TwoFactorController.php
* Copyright (c) 2019 james@firefly-iii.org
*
* This file is part of Firefly III (https://github.com/firefly-iii).
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
namespace FireflyIII\Http\Controllers\Auth;
use FireflyIII\Events\Security\MFABackupFewLeft;
use FireflyIII\Events\Security\MFABackupNoLeft;
use FireflyIII\Events\Security\MFAUsedBackupCode;
use FireflyIII\Http\Controllers\Controller;
use FireflyIII\User;
use Illuminate\Contracts\View\Factory;
use Illuminate\Contracts\View\View;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Redirector;
use Illuminate\Support\Facades\Log;
use PragmaRX\Google2FALaravel\Support\Authenticator;
/**
* Class TwoFactorController.
*/
class TwoFactorController extends Controller
{
/**
* What to do if 2FA lost?
*
* @return Factory|View
*/
public function lostTwoFactor()
{
/** @var User $user */
$user = auth()->user();
$siteOwner = config('firefly.site_owner');
$title = (string) trans('firefly.two_factor_forgot_title');
return view('auth.lost-two-factor', compact('user', 'siteOwner', 'title'));
}
/**
* @return Redirector|RedirectResponse
*/
public function submitMFA(Request $request)
{
/** @var array $mfaHistory */
$mfaHistory = app('preferences')->get('mfa_history', [])->data;
$mfaCode = (string) $request->get('one_time_password');
// is in history? then refuse to use it.
if ($this->inMFAHistory($mfaCode, $mfaHistory)) {
$this->filterMFAHistory();
session()->flash('error', trans('firefly.wrong_mfa_code'));
return redirect(route('home'));
}
/** @var Authenticator $authenticator */
$authenticator = app(Authenticator::class)->boot($request);
if ($authenticator->isAuthenticated()) {
// save MFA in preferences
$this->addToMFAHistory($mfaCode);
// otp auth success!
return redirect(route('home'));
}
// could be user has a backup code.
if ($this->isBackupCode($mfaCode)) {
$this->removeFromBackupCodes($mfaCode);
$authenticator->login();
session()->flash('info', trans('firefly.mfa_backup_code'));
// send user notification.
$user = auth()->user();
Log::channel('audit')->info(sprintf('User "%s" has used a backup code.', $user->email));
event(new MFAUsedBackupCode($user));
return redirect(route('home'));
}
session()->flash('error', trans('firefly.wrong_mfa_code'));
return redirect(route('home'));
}
/**
* Each MFA history has a timestamp and a code, saving the MFA entries for 5 minutes. So if the
* submitted MFA code has been submitted in the last 5 minutes, it won't work despite being valid.
*/
private function inMFAHistory(string $mfaCode, array $mfaHistory): bool
{
$now = time();
foreach ($mfaHistory as $entry) {
$time = $entry['time'];
$code = $entry['code'];
if ($code === $mfaCode && $now - $time <= 300) {
return true;
}
}
return false;
}
/**
* Remove old entries from the preferences array.
*/
private function filterMFAHistory(): void
{
/** @var array $mfaHistory */
$mfaHistory = app('preferences')->get('mfa_history', [])->data;
$newHistory = [];
$now = time();
foreach ($mfaHistory as $entry) {
$time = $entry['time'];
$code = $entry['code'];
if ($now - $time <= 300) {
$newHistory[] = [
'time' => $time,
'code' => $code,
];
}
}
app('preferences')->set('mfa_history', $newHistory);
}
private function addToMFAHistory(string $mfaCode): void
{
/** @var array $mfaHistory */
$mfaHistory = app('preferences')->get('mfa_history', [])->data;
$entry = [
'time' => time(),
'code' => $mfaCode,
];
$mfaHistory[] = $entry;
app('preferences')->set('mfa_history', $mfaHistory);
$this->filterMFAHistory();
}
/**
* Checks if code is in users backup codes.
*/
private function isBackupCode(string $mfaCode): bool
{
$list = app('preferences')->get('mfa_recovery', [])->data;
if (!is_array($list)) {
$list = [];
}
if (in_array($mfaCode, $list, true)) {
return true;
}
return false;
}
/**
* Remove the used code from the list of backup codes.
*/
private function removeFromBackupCodes(string $mfaCode): void
{
$list = app('preferences')->get('mfa_recovery', [])->data;
if (!is_array($list)) {
$list = [];
}
$newList = array_values(array_diff($list, [$mfaCode]));
// if the list is 3 or less, send a notification.
if(count($newList) <= 3 && count($newList) > 0) {
$user = auth()->user();
Log::channel('audit')->info(sprintf('User "%s" has used a backup code. They have %d backup codes left.', $user->email, count($newList)));
event(new MFABackupFewLeft($user, count($newList)));
}
// if the list is empty, send notification
if(0 === count($newList)) {
$user = auth()->user();
Log::channel('audit')->info(sprintf('User "%s" has used their last backup code.', $user->email));
event(new MFABackupNoLeft($user));
}
app('preferences')->set('mfa_recovery', $newList);
}
}
Reference in New Issue View Git Blame Copy Permalink