Merge pull request #9823 from MrPetovan/task/9677-2fa-remember-device

Add "Remember this device" feature to two factor authentication

src/Module/Security/Logout.php

@@ -26,6 +26,7 @@ use Friendica\Core\Hook;
 use Friendica\Core\System;
 use Friendica\DI;
 use Friendica\Model\Profile;
+use Friendica\Security\TwoFactor;
 
 /**
  * Logout module
@@ -44,6 +45,13 @@ class Logout extends BaseModule
 		}
 
 		Hook::callAll("logging_out");
+
+		// Remove this trusted browser as it won't be able to be used ever again after the cookie is cleared
+		if (DI::cookie()->get('trusted')) {
+			$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+			$trustedBrowserRepository->removeForUser(local_user(), DI::cookie()->get('trusted'));
+		}
+
 		DI::cookie()->clear();
 		DI::session()->clear();
 

src/Module/Security/TwoFactor/Recovery.php

@@ -25,7 +25,7 @@ use Friendica\BaseModule;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 
 /**
  * // Page 1a: Recovery code verification

src/Module/Security/TwoFactor/Verify.php

@@ -26,6 +26,7 @@ use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
 use PragmaRX\Google2FA\Google2FA;
+use Friendica\Security\TwoFactor;
 
 /**
  * Page 1: Authenticator code verification
@@ -55,6 +56,19 @@ class Verify extends BaseModule
 			if ($valid && Session::get('2fa') !== $code) {
 				Session::set('2fa', $code);
 
+				// Trust this browser feature
+				if (!empty($_REQUEST['trust_browser'])) {
+					$trustedBrowserFactory = new TwoFactor\Factory\TrustedBrowser(DI::logger());
+					$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger(), $trustedBrowserFactory);
+
+					$trustedBrowser = $trustedBrowserFactory->createForUserWithUserAgent(local_user(), $_SERVER['HTTP_USER_AGENT']);
+
+					$trustedBrowserRepository->save($trustedBrowser);
+
+					// The string is sent to the browser to be sent back with each request
+					DI::cookie()->set('trusted', $trustedBrowser->cookie_hash);
+				}
+
 				// Resume normal login workflow
 				DI::auth()->setForUser($a, $a->user, true, true);
 			} else {
@@ -83,6 +97,7 @@ class Verify extends BaseModule
 			'$errors'           => self::$errors,
 			'$recovery_message' => DI::l10n()->t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
 			'$verify_code'      => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
+			'$trust_browser'    => ['trust_browser', DI::l10n()->t('This is my two-factor authenticator app device'), !empty($_REQUEST['trust_browser'])],
 			'$verify_label'     => DI::l10n()->t('Verify code and complete login'),
 		]);
 	}

src/Module/Settings/TwoFactor/AppSpecific.php

@@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
 
 use Friendica\Core\Renderer;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\AppSpecificPassword;
+use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
 

src/Module/Settings/TwoFactor/Index.php

@@ -24,8 +24,8 @@ namespace Friendica\Module\Settings\TwoFactor;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\AppSpecificPassword;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 use Friendica\Model\User;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
@@ -78,6 +78,11 @@ class Index extends BaseSettings
 						DI::baseUrl()->redirect('settings/2fa/app_specific?t=' . self::getFormSecurityToken('settings_2fa_password'));
 					}
 					break;
+				case 'trusted':
+					if ($has_secret) {
+						DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
 				case 'configure':
 					if (!$verified) {
 						DI::baseUrl()->redirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
@@ -130,6 +135,7 @@ class Index extends BaseSettings
 			'$disable_label'        => DI::l10n()->t('Disable two-factor authentication'),
 			'$recovery_codes_label' => DI::l10n()->t('Show recovery codes'),
 			'$app_specific_passwords_label' => DI::l10n()->t('Manage app-specific passwords'),
+			'$trusted_browsers_label' => DI::l10n()->t('Manage trusted browsers'),
 			'$configure_label'      => DI::l10n()->t('Finish app configuration'),
 		]);
 	}

src/Module/Settings/TwoFactor/Recovery.php

@@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
 
 use Friendica\Core\Renderer;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
 

src/Module/Settings/TwoFactor/Trusted.php

@@ -0,0 +1,110 @@
+<?php
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+use Friendica\Core\Renderer;
+use Friendica\DI;
+use Friendica\Module\BaseSettings;
+use Friendica\Security\TwoFactor;
+use Friendica\Util\Temporal;
+use UAParser\Parser;
+
+/**
+ * Manages users' two-factor trusted browsers in the 2fa_trusted_browsers table
+ */
+class Trusted extends BaseSettings
+{
+	public static function init(array $parameters = [])
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$verified = DI::pConfig()->get(local_user(), '2fa', 'verified');
+
+		if (!$verified) {
+			DI::baseUrl()->redirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(DI::l10n()->t('Please enter your password to access this page.'));
+			DI::baseUrl()->redirect('settings/2fa');
+		}
+	}
+
+	public static function post(array $parameters = [])
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+
+		if (!empty($_POST['action'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
+
+			switch ($_POST['action']) {
+				case 'remove_all' :
+					$trustedBrowserRepository->removeAllForUser(local_user());
+					info(DI::l10n()->t('Trusted browsers successfully removed.'));
+					DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					break;
+			}
+		}
+
+		if (!empty($_POST['remove_id'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
+
+			if ($trustedBrowserRepository->removeForUser(local_user(), $_POST['remove_id'])) {
+				info(DI::l10n()->t('Trusted browser successfully removed.'));
+			}
+
+			DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+		}
+	}
+
+
+	public static function content(array $parameters = []): string
+	{
+		parent::content($parameters);
+
+		$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+		$trustedBrowsers = $trustedBrowserRepository->selectAllByUid(local_user());
+
+		$parser = Parser::create();
+
+		$trustedBrowserDisplay = array_map(function (TwoFactor\Model\TrustedBrowser $trustedBrowser) use ($parser) {
+			$dates = [
+				'created_ago' => Temporal::getRelativeDate($trustedBrowser->created),
+				'last_used_ago' => Temporal::getRelativeDate($trustedBrowser->last_used),
+			];
+
+			$result = $parser->parse($trustedBrowser->user_agent);
+
+			$uaData = [
+				'os' => $result->os->family,
+				'device' => $result->device->family,
+				'browser' => $result->ua->family,
+			];
+
+			return $trustedBrowser->toArray() + $dates + $uaData;
+		}, $trustedBrowsers->getArrayCopy());
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/trusted_browsers.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa_trusted'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+
+			'$title'               => DI::l10n()->t('Two-factor Trusted Browsers'),
+			'$message'             => DI::l10n()->t('Trusted browsers are individual browsers you chose to skip two-factor authentication to access Friendica. Please use this feature sparingly, as it can negate the benefit of two-factor authentication.'),
+			'$device_label'        => DI::l10n()->t('Device'),
+			'$os_label'            => DI::l10n()->t('OS'),
+			'$browser_label'       => DI::l10n()->t('Browser'),
+			'$created_label'       => DI::l10n()->t('Trusted'),
+			'$last_used_label'     => DI::l10n()->t('Last Use'),
+			'$remove_label'        => DI::l10n()->t('Remove'),
+			'$remove_all_label'    => DI::l10n()->t('Remove All'),
+
+			'$trusted_browsers'    => $trustedBrowserDisplay,
+		]);
+	}
+}