bookstack/app/Access/Controllers/MfaBackupCodesController.php

<?php

namespace BookStack\Access\Controllers;

use BookStack\Access\LoginService;
use BookStack\Access\Mfa\BackupCodeService;
use BookStack\Access\Mfa\MfaSession;
use BookStack\Access\Mfa\MfaValue;
use BookStack\Activity\ActivityType;
use BookStack\Exceptions\NotFoundException;
use BookStack\Http\Controller;
use Exception;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;

class MfaBackupCodesController extends Controller
{
    use HandlesPartialLogins;

    protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';

    /**
     * Show a view that generates and displays backup codes.
     */
    public function generate(BackupCodeService $codeService)
    {
        $codes = $codeService->generateNewSet();
        session()->put(self::SETUP_SECRET_SESSION_KEY, encrypt($codes));

        $downloadUrl = 'data:application/octet-stream;base64,' . base64_encode(implode("\n\n", $codes));

        $this->setPageTitle(trans('auth.mfa_gen_backup_codes_title'));

        return view('mfa.backup-codes-generate', [
            'codes'       => $codes,
            'downloadUrl' => $downloadUrl,
        ]);
    }

    /**
     * Confirm the setup of backup codes, storing them against the user.
     *
     * @throws Exception
     */
    public function confirm()
    {
        if (!session()->has(self::SETUP_SECRET_SESSION_KEY)) {
            return response('No generated codes found in the session', 500);
        }

        $codes = decrypt(session()->pull(self::SETUP_SECRET_SESSION_KEY));
        MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_BACKUP_CODES, json_encode($codes));

        $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'backup-codes');

        if (!auth()->check()) {
            $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));

            return redirect('/login');
        }

        return redirect('/mfa/setup');
    }

    /**
     * Verify the MFA method submission on check.
     *
     * @throws NotFoundException
     * @throws ValidationException
     */
    public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
    {
        $user = $this->currentOrLastAttemptedUser();
        $codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';

        $this->validate($request, [
            'code' => [
                'required', 'max:12', 'min:8',
                function ($attribute, $value, $fail) use ($codeService, $codes) {
                    if (!$codeService->inputCodeExistsInSet($value, $codes)) {
                        $fail(trans('validation.backup_codes'));
                    }
                },
            ],
        ]);

        $updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);
        MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);

        $mfaSession->markVerifiedForUser($user);
        $loginService->reattemptLoginFor($user);

        if ($codeService->countCodesInSet($updatedCodes) < 5) {
            $this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));
        }

        return redirect()->intended();
    }
}
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Access\Controllers;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Access\LoginService;`
			`use BookStack\Access\Mfa\BackupCodeService;`
			`use BookStack\Access\Mfa\MfaSession;`
			`use BookStack\Access\Mfa\MfaValue;`
			`use BookStack\Activity\ActivityType;`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`use BookStack\Exceptions\NotFoundException;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\Controller;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`use Exception;`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`use Illuminate\Http\Request;`
			`use Illuminate\Validation\ValidationException;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
			`class MfaBackupCodesController extends Controller`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use HandlesPartialLogins;`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';`

			`/**`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`* Show a view that generates and displays backup codes.`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`*/`
			`public function generate(BackupCodeService $codeService)`
			`{`
			`$codes = $codeService->generateNewSet();`
			`session()->put(self::SETUP_SECRET_SESSION_KEY, encrypt($codes));`

			`$downloadUrl = 'data:application/octet-stream;base64,' . base64_encode(implode("\n\n", $codes));`

Added page titles to many missing app areas Many pages were missing their unique tab/page titles so this change is just to distribute them back over many common areas where they were missing. 2022-01-04 21:33:24 +08:00			`$this->setPageTitle(trans('auth.mfa_gen_backup_codes_title'));`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return view('mfa.backup-codes-generate', [`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`'codes' => $codes,`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`'downloadUrl' => $downloadUrl,`
			`]);`
			`}`

			`/**`
			`* Confirm the setup of backup codes, storing them against the user.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`* @throws Exception`
			`*/`
			`public function confirm()`
			`{`
			`if (!session()->has(self::SETUP_SECRET_SESSION_KEY)) {`
			`return response('No generated codes found in the session', 500);`
			`}`

			`$codes = decrypt(session()->pull(self::SETUP_SECRET_SESSION_KEY));`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_BACKUP_CODES, json_encode($codes));`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
			`$this->logActivity(ActivityType::MFA_SETUP_METHOD, 'backup-codes');`
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00
			`if (!auth()->check()) {`
			`$this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));`
Applied stylci changes 2021-09-01 05:03:51 +08:00
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`return redirect('/login');`
			`}`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return redirect('/mfa/setup');`
			`}`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00
			`/**`
			`* Verify the MFA method submission on check.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`* @throws NotFoundException`
			`* @throws ValidationException`
			`*/`
			`public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)`
			`{`
			`$user = $this->currentOrLastAttemptedUser();`
			`$codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';`

			`$this->validate($request, [`
			`'code' => [`
Standardised laravel validation to be array based Converted from string-only-based validation. Array based validation works nicer once you have validation classess or advanced validation options. 2021-11-05 08:26:55 +08:00			`'required', 'max:12', 'min:8',`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`function ($attribute, $value, $fail) use ($codeService, $codes) {`
			`if (!$codeService->inputCodeExistsInSet($value, $codes)) {`
			`$fail(trans('validation.backup_codes'));`
			`}`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`},`
			`],`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`]);`

			`$updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);`
			`MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);`

			`$mfaSession->markVerifiedForUser($user);`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$loginService->reattemptLoginFor($user);`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00
			`if ($codeService->countCodesInSet($updatedCodes) < 5) {`
Extracted text to translation files Also aligned mfa method delete route to align with others. 2021-08-08 21:24:44 +08:00			`$this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`}`

			`return redirect()->intended();`
			`}`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`}`