bookstack/app/Access/Controllers/MfaController.php

<?php

namespace BookStack\Access\Controllers;

use BookStack\Access\Mfa\MfaValue;
use BookStack\Activity\ActivityType;
use BookStack\Http\Controller;
use Illuminate\Http\Request;

class MfaController extends Controller
{
    use HandlesPartialLogins;

    /**
     * Show the view to setup MFA for the current user.
     */
    public function setup()
    {
        $userMethods = $this->currentOrLastAttemptedUser()
            ->mfaValues()
            ->get(['id', 'method'])
            ->groupBy('method');

        $this->setPageTitle(trans('auth.mfa_setup'));

        return view('mfa.setup', [
            'userMethods' => $userMethods,
        ]);
    }

    /**
     * Remove an MFA method for the current user.
     *
     * @throws \Exception
     */
    public function remove(string $method)
    {
        if (in_array($method, MfaValue::allMethods())) {
            $value = user()->mfaValues()->where('method', '=', $method)->first();
            if ($value) {
                $value->delete();
                $this->logActivity(ActivityType::MFA_REMOVE_METHOD, $method);
            }
        }

        return redirect('/mfa/setup');
    }

    /**
     * Show the page to start an MFA verification.
     */
    public function verify(Request $request)
    {
        $desiredMethod = $request->get('method');
        $userMethods = $this->currentOrLastAttemptedUser()
            ->mfaValues()
            ->get(['id', 'method'])
            ->groupBy('method');

        // Basic search for the default option for a user.
        // (Prioritises totp over backup codes)
        $method = $userMethods->has($desiredMethod) ? $desiredMethod : $userMethods->keys()->sort()->reverse()->first();
        $otherMethods = $userMethods->keys()->filter(function ($userMethod) use ($method) {
            return $method !== $userMethod;
        })->all();

        return view('mfa.verify', [
            'userMethods'  => $userMethods,
            'method'       => $method,
            'otherMethods' => $otherMethods,
        ]);
    }
}
Started barebones work of MFA system 2021-06-29 05:02:45 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Access\Controllers;`
Started barebones work of MFA system 2021-06-29 05:02:45 +08:00
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Access\Mfa\MfaValue;`
			`use BookStack\Activity\ActivityType;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\Controller;`
Added Backup code verification logic Also added testing to cover as part of this in addition to adding the core backup code handling required. Also added the standardised translations for switching mfa mode and adding testing for this switching. 2021-08-02 23:35:37 +08:00			`use Illuminate\Http\Request;`
Started barebones work of MFA system 2021-06-29 05:02:45 +08:00
			`class MfaController extends Controller`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use HandlesPartialLogins;`

Started barebones work of MFA system 2021-06-29 05:02:45 +08:00			`/**`
			`* Show the view to setup MFA for the current user.`
			`*/`
			`public function setup()`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`$userMethods = $this->currentOrLastAttemptedUser()`
			`->mfaValues()`
Complete base flow for TOTP setup - Includes DB storage and code validation. - Extracted TOTP work to its own service file. - Still needs testing to cover this side of things. 2021-07-01 05:10:02 +08:00			`->get(['id', 'method'])`
			`->groupBy('method');`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00
Added page titles to many missing app areas Many pages were missing their unique tab/page titles so this change is just to distribute them back over many common areas where they were missing. 2022-01-04 21:33:24 +08:00			`$this->setPageTitle(trans('auth.mfa_setup'));`

Complete base flow for TOTP setup - Includes DB storage and code validation. - Extracted TOTP work to its own service file. - Still needs testing to cover this side of things. 2021-07-01 05:10:02 +08:00			`return view('mfa.setup', [`
			`'userMethods' => $userMethods,`
			`]);`
Started barebones work of MFA system 2021-06-29 05:02:45 +08:00			`}`
Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00
			`/**`
			`* Remove an MFA method for the current user.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added the ability to remove an MFA method Includes testing to cover 2021-07-15 04:27:21 +08:00			`* @throws \Exception`
			`*/`
			`public function remove(string $method)`
			`{`
			`if (in_array($method, MfaValue::allMethods())) {`
			`$value = user()->mfaValues()->where('method', '=', $method)->first();`
			`if ($value) {`
			`$value->delete();`
			`$this->logActivity(ActivityType::MFA_REMOVE_METHOD, $method);`
			`}`
			`}`

			`return redirect('/mfa/setup');`
			`}`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00
			`/**`
			`* Show the page to start an MFA verification.`
			`*/`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`public function verify(Request $request)`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`$desiredMethod = $request->get('method');`
			`$userMethods = $this->currentOrLastAttemptedUser()`
			`->mfaValues()`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`->get(['id', 'method'])`
			`->groupBy('method');`

Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`// Basic search for the default option for a user.`
			`// (Prioritises totp over backup codes)`
			`$method = $userMethods->has($desiredMethod) ? $desiredMethod : $userMethods->keys()->sort()->reverse()->first();`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`$otherMethods = $userMethods->keys()->filter(function ($userMethod) use ($method) {`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`return $method !== $userMethod;`
			`})->all();`

Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`return view('mfa.verify', [`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`'userMethods' => $userMethods,`
			`'method' => $method,`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`'otherMethods' => $otherMethods,`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`]);`
			`}`
Started barebones work of MFA system 2021-06-29 05:02:45 +08:00			`}`