bookstack/app/Access/Controllers/MfaTotpController.php

<?php

namespace BookStack\Access\Controllers;

use BookStack\Access\LoginService;
use BookStack\Access\Mfa\MfaSession;
use BookStack\Access\Mfa\MfaValue;
use BookStack\Access\Mfa\TotpService;
use BookStack\Access\Mfa\TotpValidationRule;
use BookStack\Activity\ActivityType;
use BookStack\Exceptions\NotFoundException;
use BookStack\Http\Controller;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;

class MfaTotpController extends Controller
{
    use HandlesPartialLogins;

    protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';

    public function __construct(
        protected TotpService $totp
    ) {
    }

    /**
     * Show a view that generates and displays a TOTP QR code.
     */
    public function generate()
    {
        if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {
            $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
        } else {
            $totpSecret = $this->totp->generateSecret();
            session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
        }

        $qrCodeUrl = $this->totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
        $svg = $this->totp->generateQrCodeSvg($qrCodeUrl);

        $this->setPageTitle(trans('auth.mfa_gen_totp_title'));

        return view('mfa.totp-generate', [
            'url' => $qrCodeUrl,
            'svg' => $svg,
        ]);
    }

    /**
     * Confirm the setup of TOTP and save the auth method secret
     * against the current user.
     *
     * @throws ValidationException
     * @throws NotFoundException
     */
    public function confirm(Request $request)
    {
        $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
        $this->validate($request, [
            'code' => [
                'required',
                'max:12', 'min:4',
                new TotpValidationRule($totpSecret, $this->totp),
            ],
        ]);

        MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_TOTP, $totpSecret);
        session()->remove(static::SETUP_SECRET_SESSION_KEY);
        $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'totp');

        if (!auth()->check()) {
            $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));

            return redirect('/login');
        }

        return redirect('/mfa/setup');
    }

    /**
     * Verify the MFA method submission on check.
     *
     * @throws NotFoundException
     */
    public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
    {
        $user = $this->currentOrLastAttemptedUser();
        $totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);

        $this->validate($request, [
            'code' => [
                'required',
                'max:12', 'min:4',
                new TotpValidationRule($totpSecret, $this->totp),
            ],
        ]);

        $mfaSession->markVerifiedForUser($user);
        $loginService->reattemptLoginFor($user);

        return redirect()->intended();
    }
}
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Access\Controllers;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Access\LoginService;`
			`use BookStack\Access\Mfa\MfaSession;`
			`use BookStack\Access\Mfa\MfaValue;`
			`use BookStack\Access\Mfa\TotpService;`
			`use BookStack\Access\Mfa\TotpValidationRule;`
			`use BookStack\Activity\ActivityType;`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use BookStack\Exceptions\NotFoundException;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\Controller;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`use Illuminate\Http\Request;`
			`use Illuminate\Validation\ValidationException;`

			`class MfaTotpController extends Controller`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use HandlesPartialLogins;`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';`

Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`public function __construct(`
			`protected TotpService $totp`
			`) {`
			`}`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`/**`
			`* Show a view that generates and displays a TOTP QR code.`
			`*/`
Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`public function generate()`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`{`
			`if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {`
			`$totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));`
			`} else {`
Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`$totpSecret = $this->totp->generateSecret();`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));`
			`}`

Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`$qrCodeUrl = $this->totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());`
			`$svg = $this->totp->generateQrCodeSvg($qrCodeUrl);`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00
Added page titles to many missing app areas Many pages were missing their unique tab/page titles so this change is just to distribute them back over many common areas where they were missing. 2022-01-04 21:33:24 +08:00			`$this->setPageTitle(trans('auth.mfa_gen_totp_title'));`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return view('mfa.totp-generate', [`
Made the TOTP URL visible during setup Useful for some non-scanner type apps. Closes #2908 2021-09-02 03:58:19 +08:00			`'url' => $qrCodeUrl,`
			`'svg' => $svg,`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`
			`}`

			`/**`
			`* Confirm the setup of TOTP and save the auth method secret`
			`* against the current user.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`* @throws ValidationException`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`* @throws NotFoundException`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`*/`
			`public function confirm(Request $request)`
			`{`
			`$totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));`
			`$this->validate($request, [`
			`'code' => [`
			`'required',`
			`'max:12', 'min:4',`
Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`new TotpValidationRule($totpSecret, $this->totp),`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`],`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`

Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_TOTP, $totpSecret);`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`session()->remove(static::SETUP_SECRET_SESSION_KEY);`
			`$this->logActivity(ActivityType::MFA_SETUP_METHOD, 'totp');`

Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`if (!auth()->check()) {`
			`$this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`return redirect('/login');`
			`}`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return redirect('/mfa/setup');`
			`}`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00
			`/**`
			`* Verify the MFA method submission on check.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00			`* @throws NotFoundException`
			`*/`
			`public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)`
			`{`
			`$user = $this->currentOrLastAttemptedUser();`
			`$totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);`

			`$this->validate($request, [`
			`'code' => [`
			`'required',`
			`'max:12', 'min:4',`
Framework: Addressed deprecations 2024-03-18 00:52:19 +08:00			`new TotpValidationRule($totpSecret, $this->totp),`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`],`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00			`]);`

			`$mfaSession->markVerifiedForUser($user);`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$loginService->reattemptLoginFor($user);`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00
			`return redirect()->intended();`
			`}`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`}`