bookstack/app/Http/Controllers/Auth/MfaTotpController.php

<?php

namespace BookStack\Http\Controllers\Auth;

use BookStack\Actions\ActivityType;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\Mfa\MfaSession;
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Auth\Access\Mfa\TotpService;
use BookStack\Auth\Access\Mfa\TotpValidationRule;
use BookStack\Exceptions\NotFoundException;
use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;

class MfaTotpController extends Controller
{
    use HandlesPartialLogins;

    protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';

    /**
     * Show a view that generates and displays a TOTP QR code.
     */
    public function generate(TotpService $totp)
    {
        if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {
            $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
        } else {
            $totpSecret = $totp->generateSecret();
            session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
        }

        $qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());
        $svg = $totp->generateQrCodeSvg($qrCodeUrl);

        $this->setPageTitle(trans('auth.mfa_gen_totp_title'));

        return view('mfa.totp-generate', [
            'url' => $qrCodeUrl,
            'svg' => $svg,
        ]);
    }

    /**
     * Confirm the setup of TOTP and save the auth method secret
     * against the current user.
     *
     * @throws ValidationException
     * @throws NotFoundException
     */
    public function confirm(Request $request)
    {
        $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
        $this->validate($request, [
            'code' => [
                'required',
                'max:12', 'min:4',
                new TotpValidationRule($totpSecret),
            ],
        ]);

        MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_TOTP, $totpSecret);
        session()->remove(static::SETUP_SECRET_SESSION_KEY);
        $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'totp');

        if (!auth()->check()) {
            $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));

            return redirect('/login');
        }

        return redirect('/mfa/setup');
    }

    /**
     * Verify the MFA method submission on check.
     *
     * @throws NotFoundException
     */
    public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
    {
        $user = $this->currentOrLastAttemptedUser();
        $totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);

        $this->validate($request, [
            'code' => [
                'required',
                'max:12', 'min:4',
                new TotpValidationRule($totpSecret),
            ],
        ]);

        $mfaSession->markVerifiedForUser($user);
        $loginService->reattemptLoginFor($user);

        return redirect()->intended();
    }
}
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`<?php`

			`namespace BookStack\Http\Controllers\Auth;`

			`use BookStack\Actions\ActivityType;`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00			`use BookStack\Auth\Access\LoginService;`
			`use BookStack\Auth\Access\Mfa\MfaSession;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`use BookStack\Auth\Access\Mfa\MfaValue;`
			`use BookStack\Auth\Access\Mfa\TotpService;`
			`use BookStack\Auth\Access\Mfa\TotpValidationRule;`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use BookStack\Exceptions\NotFoundException;`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`use BookStack\Http\Controllers\Controller;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Validation\ValidationException;`

			`class MfaTotpController extends Controller`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`use HandlesPartialLogins;`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';`

			`/**`
			`* Show a view that generates and displays a TOTP QR code.`
			`*/`
			`public function generate(TotpService $totp)`
			`{`
			`if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {`
			`$totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));`
			`} else {`
			`$totpSecret = $totp->generateSecret();`
			`session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));`
			`}`

Fixed guest user email showing in TOTP setup url - Occured during enforced MFA setup upon login. - Added test to cover. Fixes #2971 2021-10-15 01:02:16 +08:00			`$qrCodeUrl = $totp->generateUrl($totpSecret, $this->currentOrLastAttemptedUser());`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`$svg = $totp->generateQrCodeSvg($qrCodeUrl);`

Added page titles to many missing app areas Many pages were missing their unique tab/page titles so this change is just to distribute them back over many common areas where they were missing. 2022-01-04 21:33:24 +08:00			`$this->setPageTitle(trans('auth.mfa_gen_totp_title'));`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return view('mfa.totp-generate', [`
Made the TOTP URL visible during setup Useful for some non-scanner type apps. Closes #2908 2021-09-02 03:58:19 +08:00			`'url' => $qrCodeUrl,`
			`'svg' => $svg,`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`
			`}`

			`/**`
			`* Confirm the setup of TOTP and save the auth method secret`
			`* against the current user.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`* @throws ValidationException`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`* @throws NotFoundException`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`*/`
			`public function confirm(Request $request)`
			`{`
			`$totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));`
			`$this->validate($request, [`
			`'code' => [`
			`'required',`
			`'max:12', 'min:4',`
			`new TotpValidationRule($totpSecret),`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`],`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`]);`

Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_TOTP, $totpSecret);`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`session()->remove(static::SETUP_SECRET_SESSION_KEY);`
			`$this->logActivity(ActivityType::MFA_SETUP_METHOD, 'totp');`

Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`if (!auth()->check()) {`
			`$this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00
Improved login redirect and setup experience - Updated auth system for mfa to not update intended URL so that the user is not redirected to mfa setup after eventual login. - Added notification for users setting up MFA, after setup when redirected back to login screen to advise that MFA setup was complete but they need to login again. - Updated some bits of wording to display better. 2021-08-21 22:14:24 +08:00			`return redirect('/login');`
			`}`

Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`return redirect('/mfa/setup');`
			`}`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00
			`/**`
			`* Verify the MFA method submission on check.`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`*`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00			`* @throws NotFoundException`
			`*/`
			`public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)`
			`{`
			`$user = $this->currentOrLastAttemptedUser();`
			`$totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);`

			`$this->validate($request, [`
			`'code' => [`
			`'required',`
			`'max:12', 'min:4',`
			`new TotpValidationRule($totpSecret),`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`],`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00			`]);`

			`$mfaSession->markVerifiedForUser($user);`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`$loginService->reattemptLoginFor($user);`
Added TOTP verification upon access 2021-08-02 22:04:43 +08:00
			`return redirect()->intended();`
			`}`
Added backup code setup flow - Includes testing to cover flow. - Moved TOTP logic to its own controller. - Added some extra totp tests. 2021-07-03 03:53:33 +08:00			`}`