Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-04-27 21:50:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #9823 from MrPetovan/task/9677-2fa-remember-device

Browse source 
Add "Remember this device" feature to two factor authentication
This commit is contained in:
Michael Vogel 2021-01-27 22:32:08 +01:00 committed by GitHub
commit 199f72ee3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
48 changed files with 988 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

153
src/Model/TwoFactor/AppSpecificPassword.php
View file

@ -1,153 +0,0 @@
<?php
/**
* @copyright Copyright (C) 2020, Friendica
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Model\TwoFactor;
use Friendica\Database\DBA;
use Friendica\Model\User;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Temporal;
use PragmaRX\Random\Random;
/**
* Manages users' two-factor recovery hashed_passwords in the 2fa_app_specific_passwords table
*/
class AppSpecificPassword
{
public static function countForUser($uid)
{
return DBA::count('2fa_app_specific_password', ['uid' => $uid]);
}
public static function checkDuplicateForUser($uid, $description)
{
return DBA::exists('2fa_app_specific_password', ['uid' => $uid, 'description' => $description]);
}
/**
* Checks the provided hashed_password is available to use for login by the provided user
*
* @param int $uid User ID
* @param string $plaintextPassword
* @return bool
* @throws \Exception
*/
public static function authenticateUser($uid, $plaintextPassword)
{
$appSpecificPasswords = self::getListForUser($uid);
$return = false;
foreach ($appSpecificPasswords as $appSpecificPassword) {
if (password_verify($plaintextPassword, $appSpecificPassword['hashed_password'])) {
$fields = ['last_used' => DateTimeFormat::utcNow()];
if (password_needs_rehash($appSpecificPassword['hashed_password'], PASSWORD_DEFAULT)) {
$fields['hashed_password'] = User::hashPassword($plaintextPassword);
}
self::update($appSpecificPassword['id'], $fields);
$return |= true;
}
}
return $return;
}
/**
* Returns a complete list of all recovery hashed_passwords for the provided user, including the used status
*
* @param int $uid User ID
* @return array
* @throws \Exception
*/
public static function getListForUser($uid)
{
$appSpecificPasswordsStmt = DBA::select('2fa_app_specific_password', ['id', 'description', 'hashed_password', 'last_used'], ['uid' => $uid]);
$appSpecificPasswords = DBA::toArray($appSpecificPasswordsStmt);
array_walk($appSpecificPasswords, function (&$value) {
$value['ago'] = Temporal::getRelativeDate($value['last_used']);
});
return $appSpecificPasswords;
}
/**
* Generates a new app specific password for the provided user and hashes it in the database.
*
* @param int $uid User ID
* @param string $description Password description
* @return array The new app-specific password data structure with the plaintext password added
* @throws \Exception
*/
public static function generateForUser(int $uid, $description)
{
$Random = (new Random())->size(40);
$plaintextPassword = $Random->get();
$generated = DateTimeFormat::utcNow();
$fields = [
'uid' => $uid,
'description' => $description,
'hashed_password' => User::hashPassword($plaintextPassword),
'generated' => $generated,
];
DBA::insert('2fa_app_specific_password', $fields);
$fields['id'] = DBA::lastInsertId();
$fields['plaintext_password'] = $plaintextPassword;
return $fields;
}
private static function update($appSpecificPasswordId, $fields)
{
return DBA::update('2fa_app_specific_password', $fields, ['id' => $appSpecificPasswordId]);
}
/**
* Deletes all the recovery hashed_passwords for the provided user.
*
* @param int $uid User ID
* @return bool
* @throws \Exception
*/
public static function deleteAllForUser(int $uid)
{
return DBA::delete('2fa_app_specific_password', ['uid' => $uid]);
}
/**
* @param int $uid
* @param int $app_specific_password_id
* @return bool
* @throws \Exception
*/
public static function deleteForUser(int $uid, int $app_specific_password_id)
{
return DBA::delete('2fa_app_specific_password', ['id' => $app_specific_password_id, 'uid' => $uid]);
}
}

141
src/Model/TwoFactor/RecoveryCode.php
View file

@ -1,141 +0,0 @@
<?php
/**
* @copyright Copyright (C) 2020, Friendica
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Model\TwoFactor;
use Friendica\Database\DBA;
use Friendica\Util\DateTimeFormat;
use PragmaRX\Random\Random;
use PragmaRX\Recovery\Recovery;
/**
* Manages users' two-factor recovery codes in the 2fa_recovery_codes table
*/
class RecoveryCode
{
/**
* Returns the number of code the provided users can still use to replace a TOTP code
*
* @param int $uid User ID
* @return int
* @throws \Exception
*/
public static function countValidForUser($uid)
{
return DBA::count('2fa_recovery_codes', ['uid' => $uid, 'used' => null]);
}
/**
* Checks the provided code is available to use for login by the provided user
*
* @param int $uid User ID
* @param string $code
* @return bool
* @throws \Exception
*/
public static function existsForUser($uid, $code)
{
return DBA::exists('2fa_recovery_codes', ['uid' => $uid, 'code' => $code, 'used' => null]);
}
/**
* Returns a complete list of all recovery codes for the provided user, including the used status
*
* @param int $uid User ID
* @return array
* @throws \Exception
*/
public static function getListForUser($uid)
{
$codesStmt = DBA::select('2fa_recovery_codes', ['code', 'used'], ['uid' => $uid]);
return DBA::toArray($codesStmt);
}
/**
* Marks the provided code as used for the provided user.
* Returns false if the code doesn't exist for the user or it has been used already.
*
* @param int $uid User ID
* @param string $code
* @return bool
* @throws \Exception
*/
public static function markUsedForUser($uid, $code)
{
DBA::update('2fa_recovery_codes', ['used' => DateTimeFormat::utcNow()], ['uid' => $uid, 'code' => $code, 'used' => null]);
return DBA::affectedRows() > 0;
}
/**
* Generates a fresh set of recovery codes for the provided user.
* Generates 12 codes constituted of 2 blocks of 6 characters separated by a dash.
*
* @param int $uid User ID
* @throws \Exception
*/
public static function generateForUser($uid)
{
$Random = (new Random())->pattern('[a-z0-9]');
$RecoveryGenerator = new Recovery($Random);
$codes = $RecoveryGenerator
->setCount(12)
->setBlocks(2)
->setChars(6)
->lowercase(true)
->toArray();
$generated = DateTimeFormat::utcNow();
foreach ($codes as $code) {
DBA::insert('2fa_recovery_codes', [
'uid' => $uid,
'code' => $code,
'generated' => $generated
]);
}
}
/**
* Deletes all the recovery codes for the provided user.
*
* @param int $uid User ID
* @throws \Exception
*/
public static function deleteForUser($uid)
{
DBA::delete('2fa_recovery_codes', ['uid' => $uid]);
}
/**
* Replaces the existing recovery codes for the provided user by a freshly generated set.
*
* @param int $uid User ID
* @throws \Exception
*/
public static function regenerateForUser($uid)
{
self::deleteForUser($uid);
self::generateForUser($uid);
}
}

2
src/Model/User.php
View file

@ -34,7 +34,7 @@ use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\DI;
use Friendica\Model\TwoFactor\AppSpecificPassword;
use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
use Friendica\Network\HTTPException;
use Friendica\Object\Image;
use Friendica\Util\Crypto;

206
src/Model/User/Cookie.php
View file

@ -41,126 +41,118 @@ class Cookie
const HTTPONLY = true;
/** @var string The remote address of this node */
private $remoteAddr = '0.0.0.0';
private $remoteAddr;
/** @var bool True, if the connection is ssl enabled */
private $sslEnabled = false;
private $sslEnabled;
/** @var string The private key of this Friendica node */
private $sitePrivateKey;
/** @var int The default cookie lifetime */
private $lifetime = self::DEFAULT_EXPIRE * 24 * 60 * 60;
/** @var array The $_COOKIE array */
private $cookie;
private $lifetime;
/** @var array The Friendica cookie data array */
private $data;
public function __construct(IConfig $config, App\BaseURL $baseURL, array $server = [], array $cookie = [])
/**
* @param IConfig $config
* @param App\BaseURL $baseURL
* @param array $SERVER The $_SERVER array
* @param array $COOKIE The $_COOKIE array
*/
public function __construct(IConfig $config, App\BaseURL $baseURL, array $SERVER = [], array $COOKIE = [])
{
if (!empty($server['REMOTE_ADDR'])) {
$this->remoteAddr = $server['REMOTE_ADDR'];
}
$this->sslEnabled = $baseURL->getSSLPolicy() === App\BaseURL::SSL_POLICY_FULL;
$this->sitePrivateKey = $config->get('system', 'site_prvkey');
$authCookieDays = $config->get('system', 'auth_cookie_lifetime',
self::DEFAULT_EXPIRE);
$this->lifetime = $authCookieDays * 24 * 60 * 60;
$this->cookie = $cookie;
$this->remoteAddr = ($SERVER['REMOTE_ADDR'] ?? null) ?: '0.0.0.0';
$this->data = json_decode($COOKIE[self::NAME] ?? '[]', true) ?: [];
}
/**
* Checks if the Friendica cookie is set for a user
*
* @param string $hash The cookie hash
* @param string $password The user password
* @param string $privateKey The private Key of the user
*
* @return boolean True, if the cookie is set
* Returns the value for a key of the Friendica cookie
*
* @param string $key
* @param mixed $default
* @return mixed|null The value for the provided cookie key
*/
public function check(string $hash, string $password, string $privateKey)
public function get(string $key, $default = null)
{
return hash_equals(
$this->getHash($password, $privateKey),
$hash
);
return $this->data[$key] ?? $default;
}
/**
* Set the Friendica cookie for a user
* Set a single cookie key value.
* Overwrites an existing value with the same key.
*
* @param int $uid The user id
* @param string $password The user password
* @param string $privateKey The user private key
* @param int|null $seconds optional the seconds
* @param $key
* @param $value
* @return bool
*/
public function set($key, $value): bool
{
return $this->setMultiple([$key => $value]);
}
/**
* Sets multiple cookie key values.
* Overwrites existing values with the same key.
*
* @param array $values
* @return bool
*/
public function setMultiple(array $values): bool
{
$this->data = $values + $this->data;
return $this->send();
}
/**
* Remove a cookie key
*
* @param string $key
*/
public function unset(string $key)
{
if (isset($this->data[$key])) {
unset($this->data[$key]);
$this->send();
}
}
/**
* Clears the Friendica cookie
*/
public function clear(): bool
{
$this->data = [];
// make sure cookie is deleted on browser close, as a security measure
return $this->setCookie( '', -3600, $this->sslEnabled);
}
/**
* Send the cookie, should be called every time $this->data is changed or to refresh the cookie.
*
* @return bool
*/
public function set(int $uid, string $password, string $privateKey, int $seconds = null)
public function send(): bool
{
if (!isset($seconds)) {
$seconds = $this->lifetime + time();
} elseif (isset($seconds) && $seconds != 0) {
$seconds = $seconds + time();
}
$value = json_encode([
'uid' => $uid,
'hash' => $this->getHash($password, $privateKey),
'ip' => $this->remoteAddr,
]);
return $this->setCookie(self::NAME, $value, $seconds, $this->sslEnabled);
}
/**
* Returns the data of the Friendicas user cookie
*
* @return mixed|null The JSON data, null if not set
*/
public function getData()
{
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if (isset($this->cookie[self::NAME])) {
$data = json_decode($this->cookie[self::NAME]);
if (!empty($data)) {
return $data;
}
}
return null;
}
/**
* Clears the Friendica cookie of this user after leaving the page
*/
public function clear()
{
// make sure cookie is deleted on browser close, as a security measure
return $this->setCookie(self::NAME, '', -3600, $this->sslEnabled);
}
/**
* Calculate the hash that is needed for the Friendica cookie
*
* @param string $password The user password
* @param string $privateKey The private key of the user
*
* @return string Hashed data
*/
private function getHash(string $password, string $privateKey)
{
return hash_hmac(
'sha256',
hash_hmac('sha256', $password, $privateKey),
$this->sitePrivateKey
return $this->setCookie(
json_encode(['ip' => $this->remoteAddr] + $this->data),
$this->lifetime + time(),
$this->sslEnabled
);
}
/**
* Send a cookie - protected, internal function for test-mocking possibility
* setcookie() wrapper: protected, internal function for test-mocking possibility
*
* @link https://php.net/manual/en/function.setcookie.php
*
* @param string $name
* @param string $value [optional]
* @param int $expire [optional]
* @param bool $secure [optional]
@ -168,9 +160,43 @@ class Cookie
* @return bool If output exists prior to calling this function,
*
*/
protected function setCookie(string $name, string $value = null, int $expire = null,
bool $secure = null)
protected function setCookie(string $value = null, int $expire = null,
bool $secure = null): bool
{
return setcookie($name, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
return setcookie(self::NAME, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
}
/**
* Calculate a hash of a user's private data for storage in the cookie.
* Hashed twice, with the user's own private key first, then the node's private key second.
*
* @param string $privateData User private data
* @param string $privateKey User private key
*
* @return string Hashed data
*/
public function hashPrivateData(string $privateData, string $privateKey): string
{
return hash_hmac(
'sha256',
hash_hmac('sha256', $privateData, $privateKey),
$this->sitePrivateKey
);
}
/**
* @param string $hash Hash from a cookie key value
* @param string $privateData User private data
* @param string $privateKey User private key
*
* @return boolean
*
*/
public function comparePrivateDataHash(string $hash, string $privateData, string $privateKey): bool
{
return hash_equals(
$this->hashPrivateData($privateData, $privateKey),
$hash
);
}
}