bookstack/app/Auth/Access/Mfa/MfaSession.php

<?php

namespace BookStack\Auth\Access\Mfa;

use BookStack\Auth\User;

class MfaSession
{
    /**
     * Check if MFA is required for the given user.
     */
    public function isRequiredForUser(User $user): bool
    {
        // TODO - Test both these cases
        return $user->mfaValues()->exists() || $this->userRoleEnforcesMfa($user);
    }

    /**
     * Check if the given user is pending MFA setup.
     * (MFA required but not yet configured).
     */
    public function isPendingMfaSetup(User $user): bool
    {
        return $this->isRequiredForUser($user) && !$user->mfaValues()->exists();
    }

    /**
     * Check if a role of the given user enforces MFA.
     */
    protected function userRoleEnforcesMfa(User $user): bool
    {
        return $user->roles()
            ->where('mfa_enforced', '=', true)
            ->exists();
    }

    /**
     * Check if the current MFA session has already been verified for the given user.
     */
    public function isVerifiedForUser(User $user): bool
    {
        return session()->get($this->getMfaVerifiedSessionKey($user)) === 'true';
    }

    /**
     * Mark the current session as MFA-verified.
     */
    public function markVerifiedForUser(User $user): void
    {
        session()->put($this->getMfaVerifiedSessionKey($user), 'true');
    }

    /**
     * Get the session key in which the MFA verification status is stored.
     */
    protected function getMfaVerifiedSessionKey(User $user): string
    {
        return 'mfa-verification-passed:' . $user->id;
    }

}
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`<?php`

			`namespace BookStack\Auth\Access\Mfa;`

Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`use BookStack\Auth\User;`

Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`class MfaSession`
			`{`
			`/**`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`* Check if MFA is required for the given user.`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`*/`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`public function isRequiredForUser(User $user): bool`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`{`
			`// TODO - Test both these cases`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`return $user->mfaValues()->exists() \|\| $this->userRoleEnforcesMfa($user);`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`}`

Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-03 05:02:25 +08:00			`/**`
			`* Check if the given user is pending MFA setup.`
			`* (MFA required but not yet configured).`
			`*/`
			`public function isPendingMfaSetup(User $user): bool`
			`{`
			`return $this->isRequiredForUser($user) && !$user->mfaValues()->exists();`
			`}`

Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`/**`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`* Check if a role of the given user enforces MFA.`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`*/`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`protected function userRoleEnforcesMfa(User $user): bool`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`{`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`return $user->roles()`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`->where('mfa_enforced', '=', true)`
			`->exists();`
			`}`

			`/**`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`* Check if the current MFA session has already been verified for the given user.`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`*/`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`public function isVerifiedForUser(User $user): bool`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`{`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`return session()->get($this->getMfaVerifiedSessionKey($user)) === 'true';`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`}`

			`/**`
			`* Mark the current session as MFA-verified.`
			`*/`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`public function markVerifiedForUser(User $user): void`
			`{`
			`session()->put($this->getMfaVerifiedSessionKey($user), 'true');`
			`}`

			`/**`
			`* Get the session key in which the MFA verification status is stored.`
			`*/`
			`protected function getMfaVerifiedSessionKey(User $user): string`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`{`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`return 'mfa-verification-passed:' . $user->id;`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-17 06:23:36 +08:00			`}`

			`}`