Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-04-19 08:30:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Improve 2 factor usage

Browse source
This commit is contained in:
Philipp 2022-06-25 14:45:33 +02:00
parent f3de8d7764
commit 0223c030a9
No known key found for this signature in database
GPG key ID: 24A7501396EB5432
20 changed files with 400 additions and 77 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/Module/Security/Logout.php
View file

@ -31,7 +31,6 @@ use Friendica\Core\System;
use Friendica\Model\Profile;
use Friendica\Model\User\Cookie;
use Friendica\Module\Response;
use Friendica\Security\TwoFactor;
use Friendica\Util\Profiler;
use Psr\Log\LoggerInterface;
@ -46,17 +45,14 @@ class Logout extends BaseModule
protected $cookie;
/** @var IHandleSessions */
protected $session;
/** @var TwoFactor\Repository\TrustedBrowser */
protected $trustedBrowserRepo;
public function __construct(L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, TwoFactor\Repository\TrustedBrowser $trustedBrowserRepo, ICanCache $cache, Cookie $cookie, IHandleSessions $session, array $server, array $parameters = [])
public function __construct(L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, ICanCache $cache, Cookie $cookie, IHandleSessions $session, array $server, array $parameters = [])
{
parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);
$this->cache = $cache;
$this->cookie = $cookie;
$this->session = $session;
$this->trustedBrowserRepo = $trustedBrowserRepo;
$this->cache = $cache;
$this->cookie = $cookie;
$this->session = $session;
}
@ -73,9 +69,9 @@ class Logout extends BaseModule
Hook::callAll("logging_out");
// Remove this trusted browser as it won't be able to be used ever again after the cookie is cleared
if ($this->cookie->get('trusted')) {
$this->trustedBrowserRepo->removeForUser(local_user(), $this->cookie->get('trusted'));
// If this is a trusted browser, redirect to the 2fa signout page
if ($this->cookie->get('2fa_cookie_hash')) {
$this->baseUrl->redirect('2fa/signout');
}
$this->cookie->clear();

129
src/Module/Security/TwoFactor/Signout.php Normal file
View file

@ -0,0 +1,129 @@
<?php
/**
* @copyright Copyright (C) 2010-2022, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Module\Security\TwoFactor;
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;
use Friendica\Core\Session\Capability\IHandleSessions;
use Friendica\Model\User\Cookie;
use Friendica\Module\Response;
use Friendica\Network\HTTPException\NotFoundException;
use Friendica\Util\Profiler;
use Friendica\Security\TwoFactor;
use Psr\Log\LoggerInterface;
/**
* Page 4: Logout dialog for trusted browsers
*
* @package Friendica\Module\TwoFactor
*/
class Signout extends BaseModule
{
protected $errors = [];
/** @var IHandleSessions */
protected $session;
/** @var Cookie */
protected $cookie;
/** @var TwoFactor\Repository\TrustedBrowser */
protected $trustedBrowserRepositoy;
public function __construct(L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, IHandleSessions $session, Cookie $cookie, TwoFactor\Repository\TrustedBrowser $trustedBrowserRepositoy, Profiler $profiler, Response $response, array $server, array $parameters = [])
{
parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);
$this->session = $session;
$this->cookie = $cookie;
$this->trustedBrowserRepositoy = $trustedBrowserRepositoy;
}
protected function post(array $request = [])
{
if (!local_user() || !($this->cookie->get('2fa_cookie_hash'))) {
return;
}
$action = $request['action'] ?? '';
if (!empty($action)) {
self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_signout');
switch ($action) {
case 'trust_and_sign_out':
$trusted = $this->cookie->get('2fa_cookie_hash');
$this->cookie->reset(['2fa_cookie_hash' => $trusted]);
$this->session->clear();
info($this->t('Logged out.'));
$this->baseUrl->redirect();
break;
case 'sign_out':
$this->trustedBrowserRepositoy->removeForUser(local_user(), $this->cookie->get('2fa_cookie_hash'));
$this->cookie->clear();
$this->session->clear();
info($this->t('Logged out.'));
$this->baseUrl->redirect();
break;
default:
$this->baseUrl->redirect();
}
}
}
protected function content(array $request = []): string
{
if (!local_user() || !($this->cookie->get('2fa_cookie_hash'))) {
$this->baseUrl->redirect();
}
try {
$trustedBrowser = $this->trustedBrowserRepositoy->selectOneByHash($this->cookie->get('2fa_cookie_hash'));
if (!$trustedBrowser->trusted) {
$trusted = $this->cookie->get('2fa_cookie_hash');
$this->cookie->reset(['2fa_cookie_hash' => $trusted]);
$this->session->clear();
info($this->t('Logged out.'));
$this->baseUrl->redirect();
}
} catch (NotFoundException $exception) {
$this->cookie->clear();
$this->session->clear();
info($this->t('Logged out.'));
$this->baseUrl->redirect();
}
return Renderer::replaceMacros(Renderer::getMarkupTemplate('twofactor/signout.tpl'), [
'$form_security_token' => self::getFormSecurityToken('twofactor_signout'),
'$title' => $this->t('Sign out of this browser?'),
'$message' => $this->t('<p>If you trust this browser, you will not be asked for verification code the next time you sign in.</p>'),
'$sign_out_label' => $this->t('Sign out'),
'$cancel_label' => $this->t('Cancel'),
'$trust_and_sign_out_label' => $this->t('Trust and sign out'),
]);
}
}

126
src/Module/Security/TwoFactor/Trust.php Normal file
View file

@ -0,0 +1,126 @@
<?php
/**
* @copyright Copyright (C) 2010-2022, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Module\Security\TwoFactor;
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;
use Friendica\Core\Session\Capability\IHandleSessions;
use Friendica\Model\User;
use Friendica\Model\User\Cookie;
use Friendica\Module\Response;
use Friendica\Network\HTTPException\NotFoundException;
use Friendica\Security\Authentication;
use Friendica\Util\Profiler;
use Friendica\Security\TwoFactor;
use Psr\Log\LoggerInterface;
/**
* Page 2: Trust Browser dialog
*
* @package Friendica\Module\TwoFactor
*/
class Trust extends BaseModule
{
/** @var App */
protected $app;
/** @var Authentication */
protected $auth;
/** @var IHandleSessions */
protected $session;
/** @var Cookie */
protected $cookie;
/** @var TwoFactor\Factory\TrustedBrowser */
protected $trustedBrowserFactory;
/** @var TwoFactor\Repository\TrustedBrowser */
protected $trustedBrowserRepositoy;
public function __construct(App $app, Authentication $auth, L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, IHandleSessions $session, Cookie $cookie, TwoFactor\Factory\TrustedBrowser $trustedBrowserFactory, TwoFactor\Repository\TrustedBrowser $trustedBrowserRepositoy, Response $response, array $server, array $parameters = [])
{
parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);
$this->app = $app;
$this->auth = $auth;
$this->session = $session;
$this->cookie = $cookie;
$this->trustedBrowserFactory = $trustedBrowserFactory;
$this->trustedBrowserRepositoy = $trustedBrowserRepositoy;
}
protected function post(array $request = [])
{
if (!local_user() || !$this->session->get('2fa')) {
return;
}
$action = $request['action'] ?? '';
if (!empty($action)) {
self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_trust');
switch ($action) {
case 'trust':
case 'dont_trust':
$trustedBrowser = $this->trustedBrowserFactory->createForUserWithUserAgent(local_user(), $this->server['HTTP_USER_AGENT'], $action === 'trust');
$this->trustedBrowserRepositoy->save($trustedBrowser);
// The string is sent to the browser to be sent back with each request
if (!$this->cookie->set('2fa_cookie_hash', $trustedBrowser->cookie_hash)) {
notice($this->t('Couldn\'t save browser to Cookie.'));
};
break;
}
$this->auth->setForUser($this->app, User::getById($this->app->getLoggedInUserId()), true, true);
}
}
protected function content(array $request = []): string
{
if (!local_user() || !$this->session->get('2fa')) {
$this->baseUrl->redirect();
}
if ($this->cookie->get('2fa_cookie_hash')) {
try {
$trustedBrowser = $this->trustedBrowserRepositoy->selectOneByHash($this->cookie->get('2fa_cookie_hash'));
if (!$trustedBrowser->trusted) {
$this->auth->setForUser($this->app, User::getById($this->app->getLoggedInUserId()), true, true);
$this->baseUrl->redirect();
}
} catch (NotFoundException $exception) {
$this->logger->notice('Trusted Browser of the cookie not found.', ['cookie_hash' => $this->cookie->get('trusted'), 'uid' => $this->app->getLoggedInUserId(), 'exception' => $exception]);
}
}
return Renderer::replaceMacros(Renderer::getMarkupTemplate('twofactor/trust.tpl'), [
'$form_security_token' => self::getFormSecurityToken('twofactor_trust'),
'$title' => $this->t('Trust this browser?'),
'$message' => $this->t('<p>If you choose to trust this browser, you will not be asked for a verification code the next time you sign in.</p>'),
'$not_now_label' => $this->t('Not now'),
'$dont_trust_label' => $this->t('Don\'t trust'),
'$trust_label' => $this->t('Trust'),
]);
}
}

76
src/Module/Security/TwoFactor/Verify.php
View file

@ -21,13 +21,17 @@
namespace Friendica\Module\Security\TwoFactor;
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\PConfig\Capability\IManagePersonalConfigValues;
use Friendica\Core\Renderer;
use Friendica\Core\Session;
use Friendica\DI;
use Friendica\Model\User;
use Friendica\Core\Session\Capability\IHandleSessions;
use Friendica\Module\Response;
use Friendica\Util\Profiler;
use PragmaRX\Google2FA\Google2FA;
use Friendica\Security\TwoFactor;
use Psr\Log\LoggerInterface;
/**
* Page 1: Authenticator code verification
@ -36,7 +40,20 @@ use Friendica\Security\TwoFactor;
*/
class Verify extends BaseModule
{
private static $errors = [];
protected $errors = [];
/** @var IHandleSessions */
protected $session;
/** @var IManagePersonalConfigValues */
protected $pConfig;
public function __construct(L10n $l10n, App\BaseURL $baseUrl, App\Arguments $args, LoggerInterface $logger, Profiler $profiler, Response $response, IManagePersonalConfigValues $pConfig, IHandleSessions $session, array $server, array $parameters = [])
{
parent::__construct($l10n, $baseUrl, $args, $logger, $profiler, $response, $server, $parameters);
$this->session = $session;
$this->pConfig = $pConfig;
}
protected function post(array $request = [])
{
@ -44,36 +61,20 @@ class Verify extends BaseModule
return;
}
if (($_POST['action'] ?? '') == 'verify') {
if (($request['action'] ?? '') === 'verify') {
self::checkFormSecurityTokenRedirectOnError('2fa', 'twofactor_verify');
$a = DI::app();
$code = $request['verify_code'] ?? '';
$code = $_POST['verify_code'] ?? '';
$valid = (new Google2FA())->verifyKey(DI::pConfig()->get(local_user(), '2fa', 'secret'), $code);
$valid = (new Google2FA())->verifyKey($this->pConfig->get(local_user(), '2fa', 'secret'), $code);
// The same code can't be used twice even if it's valid
if ($valid && Session::get('2fa') !== $code) {
Session::set('2fa', $code);
if ($valid && $this->session->get('2fa') !== $code) {
$this->session->set('2fa', $code);
// Trust this browser feature
if (!empty($_REQUEST['trust_browser'])) {
$trustedBrowserFactory = new TwoFactor\Factory\TrustedBrowser(DI::logger());
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger(), $trustedBrowserFactory);
$trustedBrowser = $trustedBrowserFactory->createForUserWithUserAgent(local_user(), $_SERVER['HTTP_USER_AGENT']);
$trustedBrowserRepository->save($trustedBrowser);
// The string is sent to the browser to be sent back with each request
DI::cookie()->set('trusted', $trustedBrowser->cookie_hash);
}
// Resume normal login workflow
DI::auth()->setForUser($a, User::getById($a->getLoggedInUserId()), true, true);
$this->baseUrl->redirect('2fa/trust');
} else {
self::$errors[] = DI::l10n()->t('Invalid code, please retry.');
$this->errors[] = $this->t('Invalid code, please retry.');
}
}
}
@ -81,25 +82,24 @@ class Verify extends BaseModule
protected function content(array $request = []): string
{
if (!local_user()) {
DI::baseUrl()->redirect();
$this->baseUrl->redirect();
}
// Already authenticated with 2FA token
if (Session::get('2fa')) {
DI::baseUrl()->redirect();
if ($this->session->get('2fa')) {
$this->baseUrl->redirect();
}
return Renderer::replaceMacros(Renderer::getMarkupTemplate('twofactor/verify.tpl'), [
'$form_security_token' => self::getFormSecurityToken('twofactor_verify'),
'$title' => DI::l10n()->t('Two-factor authentication'),
'$message' => DI::l10n()->t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'),
'$errors_label' => DI::l10n()->tt('Error', 'Errors', count(self::$errors)),
'$errors' => self::$errors,
'$recovery_message' => DI::l10n()->t('If you do not have access to your authentication code you can use <a href="%s">a two-factor recovery code</a>.', '2fa/recovery'),
'$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="one-time-code" placeholder="000000" inputmode="numeric" pattern="[0-9]*"'],
'$trust_browser' => ['trust_browser', DI::l10n()->t('This is my two-factor authenticator app device'), !empty($_REQUEST['trust_browser'])],
'$verify_label' => DI::l10n()->t('Verify code and complete login'),
'$title' => $this->t('Two-factor authentication'),
'$message' => $this->t('<p>Open the two-factor authentication app on your device to get an authentication code and verify your identity.</p>'),
'$errors_label' => $this->tt('Error', 'Errors', count($this->errors)),
'$errors' => $this->errors,
'$recovery_message' => $this->t('If you do not have access to your authentication code you can use a <a href="%s">two-factor recovery code</a>.', '2fa/recovery'),
'$verify_code' => ['verify_code', $this->t('Please enter a code from your authentication app'), '', '', $this->t('Required'), 'autofocus autocomplete="one-time-code" placeholder="000000" inputmode="numeric" pattern="[0-9]*"'],
'$verify_label' => $this->t('Verify code and complete login'),
]);
}
}