Add two-factor authentication settings

- Add settings aside menu entry
- Add two-factor authentication documentation

src/Module/BaseSettingsModule.php

@@ -0,0 +1,110 @@
+<?php
+
+namespace Friendica\Module;
+
+use Friendica\BaseModule;
+use Friendica\Content\Feature;
+use Friendica\Core\L10n;
+use Friendica\Core\Renderer;
+
+class BaseSettingsModule extends BaseModule
+{
+	public static function content()
+	{
+		$a = self::getApp();
+
+		$tpl = Renderer::getMarkupTemplate('settings/head.tpl');
+		$a->page['htmlhead'] .= Renderer::replaceMacros($tpl, [
+			'$ispublic' => L10n::t('everybody')
+		]);
+
+		$tabs = [];
+
+		$tabs[] = [
+			'label' => L10n::t('Account'),
+			'url' => 'settings',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'settings') ? 'active' : ''),
+			'accesskey' => 'o',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Two-factor authentication'),
+			'url' => 'settings/2fa',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === '2fa') ? 'active' : ''),
+			'accesskey' => 'o',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Profiles'),
+			'url' => 'profiles',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'profiles') ? 'active' : ''),
+			'accesskey' => 'p',
+		];
+
+		if (Feature::get()) {
+			$tabs[] = [
+				'label' => L10n::t('Additional features'),
+				'url' => 'settings/features',
+				'selected' => (($a->argc > 1) && ($a->argv[1] === 'features') ? 'active' : ''),
+				'accesskey' => 't',
+			];
+		}
+
+		$tabs[] = [
+			'label' => L10n::t('Display'),
+			'url' => 'settings/display',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'display') ? 'active' : ''),
+			'accesskey' => 'i',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Social Networks'),
+			'url' => 'settings/connectors',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'connectors') ? 'active' : ''),
+			'accesskey' => 'w',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Addons'),
+			'url' => 'settings/addon',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'addon') ? 'active' : ''),
+			'accesskey' => 'l',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Delegations'),
+			'url' => 'delegate',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'delegate') ? 'active' : ''),
+			'accesskey' => 'd',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Connected apps'),
+			'url' => 'settings/oauth',
+			'selected' => (($a->argc > 1) && ($a->argv[1] === 'oauth') ? 'active' : ''),
+			'accesskey' => 'b',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Export personal data'),
+			'url' => 'uexport',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'uexport') ? 'active' : ''),
+			'accesskey' => 'e',
+		];
+
+		$tabs[] = [
+			'label' => L10n::t('Remove account'),
+			'url' => 'removeme',
+			'selected' => (($a->argc == 1) && ($a->argv[0] === 'removeme') ? 'active' : ''),
+			'accesskey' => 'r',
+		];
+
+
+		$tabtpl = Renderer::getMarkupTemplate("generic_links_widget.tpl");
+		$a->page['aside'] = Renderer::replaceMacros($tabtpl, [
+			'$title' => L10n::t('Settings'),
+			'$class' => 'settings-widget',
+			'$items' => $tabs,
+		]);
+	}
+}

src/Module/Settings/TwoFactor/Index.php

@@ -0,0 +1,111 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use Friendica\Model\TwoFactorRecoveryCode;
+use Friendica\Model\User;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+use PragmaRX\Google2FA\Google2FA;
+
+class Index extends BaseSettingsModule
+{
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		self::checkFormSecurityTokenRedirectOnError('settings/2fa', 'settings_2fa');
+
+		try {
+			User::getIdFromPasswordAuthentication(local_user(), defaults($_POST, 'password', ''));
+
+			$has_secret = (bool) PConfig::get(local_user(), '2fa', 'secret');
+			$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+			switch (defaults($_POST, 'action', '')) {
+				case 'enable':
+					if (!$has_secret && !$verified) {
+						$Google2FA = new Google2FA();
+
+						PConfig::set(local_user(), '2fa', 'secret', $Google2FA->generateSecretKey(32));
+
+						self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+				case 'disable':
+					if ($has_secret) {
+						TwoFactorRecoveryCode::deleteForUser(local_user());
+						PConfig::delete(local_user(), '2fa', 'secret');
+						PConfig::delete(local_user(), '2fa', 'verified');
+						Session::remove('2fa');
+
+						notice(L10n::t('Two-factor authentication successfully disabled.'));
+						self::getApp()->internalRedirect('settings/2fa');
+					}
+					break;
+				case 'recovery':
+					if ($has_secret) {
+						self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+				case 'configure':
+					if (!$verified) {
+						self::getApp()->internalRedirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
+			}
+		} catch (\Exception $e) {
+			notice(L10n::t('Wrong Password'));
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa');
+		}
+
+		parent::content();
+
+		$has_secret = (bool) PConfig::get(local_user(), '2fa', 'secret');
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/index.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa'),
+			'$title' => L10n::t('Two-factor authentication'),
+			'$help_label' => L10n::t('Help'),
+
+			'$status_title' => L10n::t('Status'),
+			'$message' => L10n::t('<p>Use an application on a mobile device to get two-factor authentication codes when prompted on login.</p>'),
+
+			'$has_secret' => $has_secret,
+			'$verified' => $verified,
+
+			'$auth_app_label' => L10n::t('Authenticator app'),
+			'$app_status' => $has_secret ? $verified ? L10n::t('Configured') : L10n::t('Not Configured') : L10n::t('Disabled'),
+			'$not_configured_message' => L10n::t('<p>You haven\'t finished configuring your authenticator app.</p>'),
+			'$configured_message' => L10n::t('<p>Your authenticator app is correctly configured.</p>'),
+
+			'$recovery_codes_title' => L10n::t('Recovery codes'),
+			'$recovery_codes_remaining' => L10n::t('Remaining valid codes'),
+			'$recovery_codes_count' => TwoFactorRecoveryCode::countValidForUser(local_user()),
+			'$recovery_codes_message' => L10n::t('<p>These one-use codes can replace an authenticator app code in case you have lost access to it.</p>'),
+
+			'$action_title' => L10n::t('Actions'),
+			'$password' => ['password', L10n::t('Current password:'), '', L10n::t('You need to provide your current password to change two-factor authentication settings.'), 'required', 'autofocus'],
+
+			'$enable_label' => L10n::t('Enable two-factor authentication'),
+			'$disable_label' => L10n::t('Disable two-factor authentication'),
+			'$recovery_codes_label' => L10n::t('Show recovery codes'),
+			'$configure_label' => L10n::t('Finish app configuration'),
+		]);
+	}
+}

src/Module/Settings/TwoFactor/Recovery.php

@@ -0,0 +1,86 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Model\TwoFactorRecoveryCode;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+
+/**
+ * // Page 3: 2FA enabled but not verified, show recovery codes
+ *
+ * @package Friendica\Module\TwoFactor
+ */
+class Recovery extends BaseSettingsModule
+{
+	public static function init()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+
+		if (!$secret) {
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(L10n::t('Please enter your password to access this page.'));
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+	}
+
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (!empty($_POST['action'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/recovery', 'settings_2fa_recovery');
+
+			if ($_POST['action'] == 'regenerate') {
+				TwoFactorRecoveryCode::regenerateForUser(local_user());
+				notice(L10n::t('New recovery codes successfully generated.'));
+				self::getApp()->internalRedirect('settings/2fa/recovery?t=' . self::getFormSecurityToken('settings_2fa_password'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa/recovery');
+		}
+
+		parent::content();
+
+		if (!TwoFactorRecoveryCode::countValidForUser(local_user())) {
+			TwoFactorRecoveryCode::generateForUser(local_user());
+		}
+
+		$recoveryCodes = TwoFactorRecoveryCode::getListForUser(local_user());
+
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+		
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/recovery.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa_recovery'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+			'$title' => L10n::t('Two-factor recovery codes'),
+			'$help_label' => L10n::t('Help'),
+			'$message' => L10n::t('<p>Recovery codes can be used to access your account in the event you lose access to your device and cannot receive two-factor authentication codes.</p><p><strong>Put these in a safe spot!</strong> If you lose your device and don’t have the recovery codes you will lose access to your account.</p>'),
+			'$recovery_codes' => $recoveryCodes,
+			'$password' => ['password', L10n::t('Please enter your password for verification:'), '', L10n::t('You need to provide your current password to enable or disable two-factor authentication.'), 'required', 'autofocus'],
+			'$regenerate_message' => L10n::t('When you generate new recovery codes, you must copy the new codes. Your old codes won’t work anymore.'),
+			'$regenerate_label' => L10n::t('Generate new recovery codes'),
+			'$verified' => $verified,
+			'$verify_label' => L10n::t('Next: Verification'),
+		]);
+	}
+}

src/Module/Settings/TwoFactor/Verify.php

@@ -0,0 +1,129 @@
+<?php
+
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+
+use BaconQrCode\Renderer\Image\SvgImageBackEnd;
+use BaconQrCode\Renderer\ImageRenderer;
+use BaconQrCode\Renderer\RendererStyle\RendererStyle;
+use BaconQrCode\Writer;
+use Friendica\BaseModule;
+use Friendica\Core\L10n;
+use Friendica\Core\PConfig;
+use Friendica\Core\Renderer;
+use Friendica\Core\Session;
+use Friendica\Module\BaseSettingsModule;
+use Friendica\Module\Login;
+use PragmaRX\Google2FA\Google2FA;
+
+/**
+ * // Page 4: 2FA enabled but not verified, QR code and verification
+ *
+ * @package Friendica\Module\TwoFactor\Settings
+ */
+class Verify extends BaseSettingsModule
+{
+	public static function init()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+		$verified = PConfig::get(local_user(), '2fa', 'verified');
+
+		if ($secret && $verified) {
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(L10n::t('Please enter your password to access this page.'));
+			self::getApp()->internalRedirect('settings/2fa');
+		}
+	}
+
+	public static function post()
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		if (defaults($_POST, 'action', null) == 'verify') {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/verify', 'settings_2fa_verify');
+
+			$google2fa = new Google2FA();
+
+			$valid = $google2fa->verifyKey(PConfig::get(local_user(), '2fa', 'secret'), defaults($_POST, 'verify_code', ''));
+
+			if ($valid) {
+				PConfig::set(local_user(), '2fa', 'verified', true);
+				Session::set('2fa', true);
+
+				notice(L10n::t('Two-factor authentication successfully activated.'));
+
+				self::getApp()->internalRedirect('settings/2fa');
+			} else {
+				notice(L10n::t('Invalid code, please retry.'));
+			}
+		}
+	}
+
+	public static function content()
+	{
+		if (!local_user()) {
+			return Login::form('settings/2fa/verify');
+		}
+
+		parent::content();
+
+		$company = 'Friendica';
+		$holder = Session::get('my_address');
+		$secret = PConfig::get(local_user(), '2fa', 'secret');
+
+		$otpauthUrl = (new Google2FA())->getQRCodeUrl($company, $holder, $secret);
+
+		$renderer = (new \BaconQrCode\Renderer\Image\Svg())
+			->setHeight(256)
+			->setWidth(256);
+
+		$writer = new Writer($renderer);
+
+		$qrcode_image = str_replace('<?xml version="1.0" encoding="UTF-8"?>', '', $writer->writeString($otpauthUrl));
+
+		$shortOtpauthUrl = explode('?', $otpauthUrl)[0];
+
+		$manual_message = L10n::t('<p>Or you can submit the authentication settings manually:</p>
+<dl>
+	<dt>Issuer</dt>
+	<dd>%s</dd>
+	<dt>Account Name</dt>
+	<dd>%s</dd>
+	<dt>Secret Key</dt>
+	<dd>%s</dd>
+	<dt>Type</dt>
+	<dd>Time-based</dd>
+	<dt>Number of digits</dt>
+	<dd>6</dd>
+	<dt>Hashing algorithm</dt>
+	<dd>SHA-1</dd>
+</dl>', $company, $holder, $secret);
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/verify.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa_verify'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+			'$title' => L10n::t('Two-factor code verification'),
+			'$help_label' => L10n::t('Help'),
+			'$message' => L10n::t('<p>Please scan this QR Code with your authenticator app and submit the provided code.</p>'),
+			'$qrcode_image' => $qrcode_image,
+			'$qrcode_url_message' => L10n::t('<p>Or you can open the following URL in your mobile devicde:</p><p><a href="%s">%s</a></p>', $otpauthUrl, $shortOtpauthUrl),
+			'$manual_message' => $manual_message,
+			'$company' => $company,
+			'$holder' => $holder,
+			'$secret' => $secret,
+
+			'$verify_code' => ['verify_code', L10n::t('Please enter a code from your authentication app'), '', '', 'required', 'autofocus placeholder="000000"'],
+			'$verify_label' => L10n::t('Verify code and enable two-factor authentication'),
+		]);
+	}
+}