diff --git a/app/Auth/Access/LoginService.php b/app/Auth/Access/LoginService.php index cc0cb06f3..f6ea7517f 100644 --- a/app/Auth/Access/LoginService.php +++ b/app/Auth/Access/LoginService.php @@ -10,6 +10,7 @@ use BookStack\Facades\Activity; use BookStack\Facades\Theme; use BookStack\Theming\ThemeEvents; use Exception; +use phpDocumentor\Reflection\DocBlock\Tags\Method; class LoginService { @@ -33,7 +34,7 @@ class LoginService public function login(User $user, string $method): void { if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) { - $this->setLastLoginAttemptedForUser($user); + $this->setLastLoginAttemptedForUser($user, $method); throw new StoppedAuthenticationException($user, $this); // TODO - Does 'remember' still work? Probably not right now. @@ -41,12 +42,6 @@ class LoginService // Old MFA middleware todos: - // TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED - // Might need to change up such routes to start with /configure/ for such identification. - // (Can't allow access to those if already configured) - // Or, More likely, Need to add defence to those to prevent access unless - // logged in or during partial auth. - // TODO - Handle email confirmation handling // Left BookStack\Http\Middleware\Authenticate@emailConfirmationErrorResponse in which needs // be removed as an example of old behaviour. @@ -70,13 +65,13 @@ class LoginService * Reattempt a system login after a previous stopped attempt. * @throws Exception */ - public function reattemptLoginFor(User $user, string $method) + public function reattemptLoginFor(User $user) { if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) { throw new Exception('Login reattempt user does align with current session state'); } - $this->login($user, $method); + $this->login($user, $this->getLastLoginAttemptMethod()); } /** @@ -86,12 +81,38 @@ class LoginService */ public function getLastLoginAttemptUser(): ?User { - $id = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY); - if (!$id) { - return null; + $id = $this->getLastLoginAttemptDetails()['user_id']; + return User::query()->where('id', '=', $id)->first(); + } + + /** + * Get the method for the last login attempt. + */ + protected function getLastLoginAttemptMethod(): ?string + { + return $this->getLastLoginAttemptDetails()['method']; + } + + /** + * Get the details of the last login attempt. + * Checks upon a ttl of about 1 hour since that last attempted login. + * @return array{user_id: ?string, method: ?string} + */ + protected function getLastLoginAttemptDetails(): array + { + $value = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY); + if (!$value) { + return ['user_id' => null, 'method' => null]; } - return User::query()->where('id', '=', $id)->first(); + [$id, $method, $time] = explode(':', $value); + $hourAgo = time() - (60*60); + if ($time < $hourAgo) { + $this->clearLastLoginAttempted(); + return ['user_id' => null, 'method' => null]; + } + + return ['user_id' => $id, 'method' => $method]; } /** @@ -99,9 +120,12 @@ class LoginService * Must be only used when credentials are correct and a login could be * achieved but a secondary factor has stopped the login. */ - protected function setLastLoginAttemptedForUser(User $user) + protected function setLastLoginAttemptedForUser(User $user, string $method) { - session()->put(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY, $user->id); + session()->put( + self::LAST_LOGIN_ATTEMPTED_SESSION_KEY, + implode(':', [$user->id, $method, time()]) + ); } /** diff --git a/app/Auth/Access/Mfa/MfaSession.php b/app/Auth/Access/Mfa/MfaSession.php index dabd568f7..8821dbb9d 100644 --- a/app/Auth/Access/Mfa/MfaSession.php +++ b/app/Auth/Access/Mfa/MfaSession.php @@ -15,6 +15,15 @@ class MfaSession return $user->mfaValues()->exists() || $this->userRoleEnforcesMfa($user); } + /** + * Check if the given user is pending MFA setup. + * (MFA required but not yet configured). + */ + public function isPendingMfaSetup(User $user): bool + { + return $this->isRequiredForUser($user) && !$user->mfaValues()->exists(); + } + /** * Check if a role of the given user enforces MFA. */ diff --git a/app/Http/Controllers/Auth/MfaBackupCodesController.php b/app/Http/Controllers/Auth/MfaBackupCodesController.php index 1353d4562..41c161d7c 100644 --- a/app/Http/Controllers/Auth/MfaBackupCodesController.php +++ b/app/Http/Controllers/Auth/MfaBackupCodesController.php @@ -78,7 +78,7 @@ class MfaBackupCodesController extends Controller MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes); $mfaSession->markVerifiedForUser($user); - $loginService->reattemptLoginFor($user, 'mfa-backup_codes'); + $loginService->reattemptLoginFor($user); if ($codeService->countCodesInSet($updatedCodes) < 5) { $this->showWarningNotification('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.'); diff --git a/app/Http/Controllers/Auth/MfaTotpController.php b/app/Http/Controllers/Auth/MfaTotpController.php index dd1651970..a1701c4ce 100644 --- a/app/Http/Controllers/Auth/MfaTotpController.php +++ b/app/Http/Controllers/Auth/MfaTotpController.php @@ -82,7 +82,7 @@ class MfaTotpController extends Controller ]); $mfaSession->markVerifiedForUser($user); - $loginService->reattemptLoginFor($user, 'mfa-totp'); + $loginService->reattemptLoginFor($user); return redirect()->intended(); } diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 4f9bfc1e6..d1f5de917 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -53,5 +53,6 @@ class Kernel extends HttpKernel 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'perm' => \BookStack\Http\Middleware\PermissionMiddleware::class, 'guard' => \BookStack\Http\Middleware\CheckGuard::class, + 'mfa-setup' => \BookStack\Http\Middleware\AuthenticatedOrPendingMfa::class, ]; } diff --git a/app/Http/Middleware/Authenticate.php b/app/Http/Middleware/Authenticate.php index c687c75a2..b9b5545f2 100644 --- a/app/Http/Middleware/Authenticate.php +++ b/app/Http/Middleware/Authenticate.php @@ -15,9 +15,8 @@ class Authenticate if (!hasAppAccess()) { if ($request->ajax()) { return response('Unauthorized.', 401); - } else { - return redirect()->guest(url('/login')); } + return redirect()->guest(url('/login')); } return $next($request); diff --git a/app/Http/Middleware/AuthenticatedOrPendingMfa.php b/app/Http/Middleware/AuthenticatedOrPendingMfa.php new file mode 100644 index 000000000..2d68a2a57 --- /dev/null +++ b/app/Http/Middleware/AuthenticatedOrPendingMfa.php @@ -0,0 +1,41 @@ +loginService = $loginService; + $this->mfaSession = $mfaSession; + } + + + /** + * Handle an incoming request. + * + * @param \Illuminate\Http\Request $request + * @param \Closure $next + * @return mixed + */ + public function handle($request, Closure $next) + { + $user = auth()->user(); + $loggedIn = $user !== null; + $lastAttemptUser = $this->loginService->getLastLoginAttemptUser(); + + if ($loggedIn || ($lastAttemptUser && $this->mfaSession->isPendingMfaSetup($lastAttemptUser))) { + return $next($request); + } + + return redirect()->guest(url('/login')); + } +} diff --git a/resources/views/mfa/backup-codes-generate.blade.php b/resources/views/mfa/backup-codes-generate.blade.php index 8b437846e..6a491fc07 100644 --- a/resources/views/mfa/backup-codes-generate.blade.php +++ b/resources/views/mfa/backup-codes-generate.blade.php @@ -27,7 +27,7 @@ Each code can only be used once

-
+ {{ csrf_field() }}
{{ trans('common.cancel') }} diff --git a/resources/views/mfa/setup.blade.php b/resources/views/mfa/setup.blade.php index 2ec8d0f77..f670541bf 100644 --- a/resources/views/mfa/setup.blade.php +++ b/resources/views/mfa/setup.blade.php @@ -25,7 +25,7 @@ @icon('check-circle') Already configured
- Reconfigure + Reconfigure
@@ -38,7 +38,7 @@
@else - Setup + Setup @endif @@ -57,7 +57,7 @@ @icon('check-circle') Already configured - Reconfigure + Reconfigure
@@ -70,7 +70,7 @@
@else - Setup + Setup @endif diff --git a/resources/views/mfa/totp-generate.blade.php b/resources/views/mfa/totp-generate.blade.php index c1e7547d5..2ed2677d1 100644 --- a/resources/views/mfa/totp-generate.blade.php +++ b/resources/views/mfa/totp-generate.blade.php @@ -24,7 +24,7 @@ Verify that all is working by entering a code, generated within your authentication app, in the input box below:

- + {{ csrf_field() }} - + {{ csrf_field() }} - + {{ csrf_field() }} 'auth'], function () { Route::put('/roles/{id}', 'RoleController@update'); }); - // MFA (Auth Mandatory) - Route::delete('/mfa/remove/{method}', 'Auth\MfaController@remove'); }); -// MFA (Auth Optional) -Route::get('/mfa/setup', 'Auth\MfaController@setup'); -Route::get('/mfa/totp-generate', 'Auth\MfaTotpController@generate'); -Route::post('/mfa/totp-confirm', 'Auth\MfaTotpController@confirm'); -Route::get('/mfa/backup-codes-generate', 'Auth\MfaBackupCodesController@generate'); -Route::post('/mfa/backup-codes-confirm', 'Auth\MfaBackupCodesController@confirm'); -Route::get('/mfa/verify', 'Auth\MfaController@verify'); -Route::post('/mfa/verify/totp', 'Auth\MfaTotpController@verify'); -Route::post('/mfa/verify/backup_codes', 'Auth\MfaBackupCodesController@verify'); +// MFA routes +Route::group(['middleware' => 'mfa-setup'], function() { + Route::get('/mfa/setup', 'Auth\MfaController@setup'); + Route::get('/mfa/totp/generate', 'Auth\MfaTotpController@generate'); + Route::post('/mfa/totp/confirm', 'Auth\MfaTotpController@confirm'); + Route::get('/mfa/backup_codes/generate', 'Auth\MfaBackupCodesController@generate'); + Route::post('/mfa/backup_codes/confirm', 'Auth\MfaBackupCodesController@confirm'); +}); +Route::group(['middleware' => 'guest'], function() { + Route::get('/mfa/verify', 'Auth\MfaController@verify'); + Route::post('/mfa/totp/verify', 'Auth\MfaTotpController@verify'); + Route::post('/mfa/backup_codes/verify', 'Auth\MfaBackupCodesController@verify'); +}); +Route::delete('/mfa/remove/{method}', 'Auth\MfaController@remove')->middleware('auth'); // Social auth routes Route::get('/login/service/{socialDriver}', 'Auth\SocialController@login'); Route::get('/login/service/{socialDriver}/callback', 'Auth\SocialController@callback'); -Route::group(['middleware' => 'auth'], function () { - Route::post('/login/service/{socialDriver}/detach', 'Auth\SocialController@detach'); -}); +Route::post('/login/service/{socialDriver}/detach', 'Auth\SocialController@detach')->middleware('auth'); Route::get('/register/service/{socialDriver}', 'Auth\SocialController@register'); // Login/Logout routes diff --git a/tests/Auth/MfaConfigurationTest.php b/tests/Auth/MfaConfigurationTest.php index a8ca815fb..63a5fa4dd 100644 --- a/tests/Auth/MfaConfigurationTest.php +++ b/tests/Auth/MfaConfigurationTest.php @@ -18,21 +18,21 @@ class MfaConfigurationTest extends TestCase // Setup page state $resp = $this->actingAs($editor)->get('/mfa/setup'); - $resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Setup'); + $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Setup'); // Generate page access - $resp = $this->get('/mfa/totp-generate'); + $resp = $this->get('/mfa/totp/generate'); $resp->assertSee('Mobile App Setup'); $resp->assertSee('Verify Setup'); - $resp->assertElementExists('form[action$="/mfa/totp-confirm"] button'); + $resp->assertElementExists('form[action$="/mfa/totp/confirm"] button'); $this->assertSessionHas('mfa-setup-totp-secret'); $svg = $resp->getElementHtml('#main-content .card svg'); // Validation error, code should remain the same - $resp = $this->post('/mfa/totp-confirm', [ + $resp = $this->post('/mfa/totp/confirm', [ 'code' => 'abc123', ]); - $resp->assertRedirect('/mfa/totp-generate'); + $resp->assertRedirect('/mfa/totp/generate'); $resp = $this->followRedirects($resp); $resp->assertSee('The provided code is not valid or has expired.'); $revisitSvg = $resp->getElementHtml('#main-content .card svg'); @@ -42,7 +42,7 @@ class MfaConfigurationTest extends TestCase $google2fa = new Google2FA(); $secret = decrypt(session()->get('mfa-setup-totp-secret')); $otp = $google2fa->getCurrentOtp($secret); - $resp = $this->post('/mfa/totp-confirm', [ + $resp = $this->post('/mfa/totp/confirm', [ 'code' => $otp, ]); $resp->assertRedirect('/mfa/setup'); @@ -50,7 +50,7 @@ class MfaConfigurationTest extends TestCase // Confirmation of setup $resp = $this->followRedirects($resp); $resp->assertSee('Multi-factor method successfully configured'); - $resp->assertElementContains('a[href$="/mfa/totp-generate"]', 'Reconfigure'); + $resp->assertElementContains('a[href$="/mfa/totp/generate"]', 'Reconfigure'); $this->assertDatabaseHas('mfa_values', [ 'user_id' => $editor->id, @@ -69,12 +69,12 @@ class MfaConfigurationTest extends TestCase // Setup page state $resp = $this->actingAs($editor)->get('/mfa/setup'); - $resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Setup'); + $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Setup'); // Generate page access - $resp = $this->get('/mfa/backup-codes-generate'); + $resp = $this->get('/mfa/backup_codes/generate'); $resp->assertSee('Backup Codes'); - $resp->assertElementContains('form[action$="/mfa/backup-codes-confirm"]', 'Confirm and Enable'); + $resp->assertElementContains('form[action$="/mfa/backup_codes/confirm"]', 'Confirm and Enable'); $this->assertSessionHas('mfa-setup-backup-codes'); $codes = decrypt(session()->get('mfa-setup-backup-codes')); // Check code format @@ -84,13 +84,13 @@ class MfaConfigurationTest extends TestCase $resp->assertSee(base64_encode(implode("\n\n", $codes))); // Confirm submit - $resp = $this->post('/mfa/backup-codes-confirm'); + $resp = $this->post('/mfa/backup_codes/confirm'); $resp->assertRedirect('/mfa/setup'); // Confirmation of setup $resp = $this->followRedirects($resp); $resp->assertSee('Multi-factor method successfully configured'); - $resp->assertElementContains('a[href$="/mfa/backup-codes-generate"]', 'Reconfigure'); + $resp->assertElementContains('a[href$="/mfa/backup_codes/generate"]', 'Reconfigure'); $this->assertDatabaseHas('mfa_values', [ 'user_id' => $editor->id, @@ -104,7 +104,7 @@ class MfaConfigurationTest extends TestCase public function test_backup_codes_cannot_be_confirmed_if_not_previously_generated() { - $resp = $this->asEditor()->post('/mfa/backup-codes-confirm'); + $resp = $this->asEditor()->post('/mfa/backup_codes/confirm'); $resp->assertStatus(500); } diff --git a/tests/Auth/MfaVerificationTest.php b/tests/Auth/MfaVerificationTest.php index 3f272cffb..d007fa490 100644 --- a/tests/Auth/MfaVerificationTest.php +++ b/tests/Auth/MfaVerificationTest.php @@ -2,9 +2,12 @@ namespace Tests\Auth; +use BookStack\Auth\Access\LoginService; use BookStack\Auth\Access\Mfa\MfaValue; use BookStack\Auth\Access\Mfa\TotpService; +use BookStack\Auth\Role; use BookStack\Auth\User; +use BookStack\Exceptions\StoppedAuthenticationException; use Illuminate\Support\Facades\Hash; use PragmaRX\Google2FA\Google2FA; use Tests\TestCase; @@ -20,10 +23,10 @@ class MfaVerificationTest extends TestCase $resp = $this->get('/mfa/verify'); $resp->assertSee('Verify Access'); $resp->assertSee('Enter the code, generated using your mobile app, below:'); - $resp->assertElementExists('form[action$="/mfa/verify/totp"] input[name="code"]'); + $resp->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"]'); $google2fa = new Google2FA(); - $resp = $this->post('/mfa/verify/totp', [ + $resp = $this->post('/mfa/totp/verify', [ 'code' => $google2fa->getCurrentOtp($secret), ]); $resp->assertRedirect('/'); @@ -35,7 +38,7 @@ class MfaVerificationTest extends TestCase [$user, $secret, $loginResp] = $this->startTotpLogin(); $resp = $this->get('/mfa/verify'); - $resp = $this->post('/mfa/verify/totp', [ + $resp = $this->post('/mfa/totp/verify', [ 'code' => '', ]); $resp->assertRedirect('/mfa/verify'); @@ -44,7 +47,7 @@ class MfaVerificationTest extends TestCase $resp->assertSeeText('The code field is required.'); $this->assertNull(auth()->user()); - $resp = $this->post('/mfa/verify/totp', [ + $resp = $this->post('/mfa/totp/verify', [ 'code' => '123321', ]); $resp->assertRedirect('/mfa/verify'); @@ -63,9 +66,9 @@ class MfaVerificationTest extends TestCase $resp->assertSee('Verify Access'); $resp->assertSee('Backup Code'); $resp->assertSee('Enter one of your remaining backup codes below:'); - $resp->assertElementExists('form[action$="/mfa/verify/backup_codes"] input[name="code"]'); + $resp->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]'); - $resp = $this->post('/mfa/verify/backup_codes', [ + $resp = $this->post('/mfa/backup_codes/verify', [ 'code' => $codes[1], ]); @@ -82,7 +85,7 @@ class MfaVerificationTest extends TestCase [$user, $codes, $loginResp] = $this->startBackupCodeLogin(); $resp = $this->get('/mfa/verify'); - $resp = $this->post('/mfa/verify/backup_codes', [ + $resp = $this->post('/mfa/backup_codes/verify', [ 'code' => '', ]); $resp->assertRedirect('/mfa/verify'); @@ -91,7 +94,7 @@ class MfaVerificationTest extends TestCase $resp->assertSeeText('The code field is required.'); $this->assertNull(auth()->user()); - $resp = $this->post('/mfa/verify/backup_codes', [ + $resp = $this->post('/mfa/backup_codes/verify', [ 'code' => 'ab123-ab456', ]); $resp->assertRedirect('/mfa/verify'); @@ -105,7 +108,7 @@ class MfaVerificationTest extends TestCase { [$user, $codes, $loginResp] = $this->startBackupCodeLogin(); - $this->post('/mfa/verify/backup_codes', [ + $this->post('/mfa/backup_codes/verify', [ 'code' => $codes[0], ]); $this->assertNotNull(auth()->user()); @@ -114,7 +117,7 @@ class MfaVerificationTest extends TestCase $this->post('/login', ['email' => $user->email, 'password' => 'password']); $this->get('/mfa/verify'); - $resp = $this->post('/mfa/verify/backup_codes', [ + $resp = $this->post('/mfa/backup_codes/verify', [ 'code' => $codes[0], ]); $resp->assertRedirect('/mfa/verify'); @@ -128,7 +131,7 @@ class MfaVerificationTest extends TestCase { [$user, $codes, $loginResp] = $this->startBackupCodeLogin(['abc12-def45', 'abc12-def46']); - $resp = $this->post('/mfa/verify/backup_codes', [ + $resp = $this->post('/mfa/backup_codes/verify', [ 'code' => $codes[0], ]); $resp = $this->followRedirects($resp); @@ -151,16 +154,88 @@ class MfaVerificationTest extends TestCase ]); // Totp shown by default - $mfaView->assertElementExists('form[action$="/mfa/verify/totp"] input[name="code"]'); + $mfaView->assertElementExists('form[action$="/mfa/totp/verify"] input[name="code"]'); $mfaView->assertElementContains('a[href$="/mfa/verify?method=backup_codes"]', 'Verify using a backup code'); // Ensure can view backup_codes view $resp = $this->get('/mfa/verify?method=backup_codes'); - $resp->assertElementExists('form[action$="/mfa/verify/backup_codes"] input[name="code"]'); + $resp->assertElementExists('form[action$="/mfa/backup_codes/verify"] input[name="code"]'); $resp->assertElementContains('a[href$="/mfa/verify?method=totp"]', 'Verify using a mobile app'); } - // TODO !! - Test no-existing MFA + public function test_mfa_required_with_no_methods_leads_to_setup() + { + $user = $this->getEditor(); + $user->password = Hash::make('password'); + $user->save(); + /** @var Role $role */ + $role = $user->roles->first(); + $role->mfa_enforced = true; + $role->save(); + + $this->assertDatabaseMissing('mfa_values', [ + 'user_id' => $user->id, + ]); + + /** @var TestResponse $resp */ + $resp = $this->followingRedirects()->post('/login', [ + 'email' => $user->email, + 'password' => 'password', + ]); + + $resp->assertSeeText('No Methods Configured'); + $resp->assertElementContains('a[href$="/mfa/setup"]', 'Configure'); + + $this->get('/mfa/backup_codes/generate'); + $this->followingRedirects()->post('/mfa/backup_codes/confirm'); + $this->assertDatabaseHas('mfa_values', [ + 'user_id' => $user->id, + ]); + + $resp = $this->followingRedirects()->post('/login', [ + 'email' => $user->email, + 'password' => 'password', + ]); + $resp->assertSeeText('Enter one of your remaining backup codes below:'); + } + + public function test_mfa_setup_route_access() + { + $routes = [ + ['get', '/mfa/setup'], + ['get', '/mfa/totp/generate'], + ['post', '/mfa/totp/confirm'], + ['get', '/mfa/backup_codes/generate'], + ['post', '/mfa/backup_codes/confirm'], + ]; + + // Non-auth access + foreach ($routes as [$method, $path]) { + $resp = $this->call($method, $path); + $resp->assertRedirect('/login'); + } + + // Attempted login user, who has configured mfa, access + // Sets up user that has MFA required after attempted login. + $loginService = $this->app->make(LoginService::class); + $user = $this->getEditor(); + /** @var Role $role */ + $role = $user->roles->first(); + $role->mfa_enforced = true; + $role->save(); + try { + $loginService->login($user, 'testing'); + } catch (StoppedAuthenticationException $e) { + } + $this->assertNotNull($loginService->getLastLoginAttemptUser()); + + MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, '[]'); + foreach ($routes as [$method, $path]) { + $resp = $this->call($method, $path); + $resp->assertRedirect('/login'); + } + + } /** * @return Array