package handlers
import (
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"net/url"

	"github.com/cortezaproject/corteza/server/auth/request"
	"github.com/cortezaproject/corteza/server/pkg/auth"
	"github.com/cortezaproject/corteza/server/pkg/errors"
	"github.com/cortezaproject/corteza/server/system/types"
	"go.uber.org/zap"
	"rsc.io/qr"
)
const (
	// session key where the secret is kept between requests
	//
	// The value stored under this key is the base32-encoded TOTP secret
	// produced by mfaTotpConfigForm. It stays in the session only while the
	// enrolment is pending: mfaTotpConfigProc deletes it once the code has
	// been verified (or when it hits an unexpected error).
	totpSecretKey = "totpSecret"
)
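// Handles the MFA TOTP configuration form.
//
// Renders the page where the TOTP QR code and secret are displayed and the
// verification code is entered. A pending secret is generated on the first
// visit (or when the "fresh" query parameter is present) and kept in the
// session until mfaTotpConfigProc confirms the enrolment.
func (h AuthHandlers) mfaTotpConfigForm(req *request.AuthReq) (err error) {
	var (
		secret string

		// forces a brand-new secret even if one is already pending;
		// this is mostly for debugging & development but does no harm
		_, fresh = req.Request.URL.Query()["fresh"]
	)

	// Reuse the pending secret only if the session slot actually holds a
	// string; anything else is discarded and regenerated below instead of
	// panicking on an unchecked type assertion.
	if s, has := req.Session.Values[totpSecretKey]; has && !fresh {
		secret, _ = s.(string)
	}

	if secret == "" {
		// 10 random bytes encode to 16 base32 characters with no padding,
		// the format most authenticator apps expect.
		// NOTE(review): RFC 4226 §4 requires at least 128 bits of secret and
		// recommends 160; moving to 20 bytes (32 characters) needs confirmation
		// that the service layer and storage accept the longer value.
		var rawSecret [10]byte

		// The secret *is* the second factor, so it must come from a CSPRNG
		// (crypto/rand, never math/rand). Abort rather than hand the user an
		// all-zero secret if the generator fails.
		if _, err = rand.Read(rawSecret[:]); err != nil {
			return fmt.Errorf("generating TOTP secret: %w", err)
		}

		secret = base32.StdEncoding.EncodeToString(rawSecret[:])
		req.Session.Values[totpSecretKey] = secret
	}

	req.Data["secret"] = secret
	req.Data["enforced"] = h.Settings.MultiFactor.TOTP.Enforced
	// validation errors from a previous submission are surfaced to the form
	req.Data["form"] = req.PopKV()
	req.Template = TmplMfaTotp

	return nil
}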
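// Handles the MFA TOTP configuration form submission.
//
// Verifies the submitted code against the pending secret that
// mfaTotpConfigForm left in the session. On success the service persists the
// secret on the user and the pending copy is removed from the session.
func (h AuthHandlers) mfaTotpConfigProc(req *request.AuthReq) (err error) {
	// default to re-rendering the configuration form; overridden on success
	req.RedirectTo = GetLinks().MfaTotpNewSecret
	req.SetKV(nil)

	// The pending secret must be present *and* be a string. A missing or
	// malformed value means the form was never served in this session (or
	// the session was tampered with), so fail cleanly instead of panicking
	// on the type assertion.
	raw, has := req.Session.Values[totpSecretKey]
	if !has {
		return fmt.Errorf("no TOTP secret in session")
	}

	secret, ok := raw.(string)
	if !ok || secret == "" {
		delete(req.Session.Values, totpSecretKey)
		return fmt.Errorf("invalid TOTP secret in session")
	}

	// Code validation happens in the service, which also stores the secret
	// on the user when the code matches
	var user *types.User
	user, err = h.AuthService.ConfigureTOTP(
		auth.SetIdentityToContext(req.Context(), req.AuthUser.User),
		secret,
		req.Request.PostFormValue("code"),
	)

	t := translator(req, "auth")

	if err == nil {
		req.NewAlerts = append(req.NewAlerts, request.Alert{
			Type: "primary",
			Text: t("mfa-totp.alerts.text-MFA-enabled"),
		})

		// Make sure we update User's data in the session
		req.AuthUser.User = user
		req.AuthUser.CompleteTOTP()
		req.AuthUser.Save(req.Session)

		h.Log.Info("TOTP code verified")
		req.RedirectTo = GetLinks().Security

		// enrolment is complete; the pending secret is no longer needed
		delete(req.Session.Values, totpSecretKey)
		return nil
	}

	switch {
	case errors.IsInvalidData(err):
		req.SetKV(map[string]string{
			"error": t("mfa-totp.errors.invalid-code-format"),
		})
		return nil

	case errors.IsUnauthenticated(err):
		// Wrong code: the pending secret stays in the session so the user
		// can retry.
		// NOTE(review): a 6-digit code leaves ~10^6 guesses; confirm that
		// the service layer or router rate-limits this endpoint.
		req.SetKV(map[string]string{
			"error": t("mfa-totp.errors.invalid-code"),
		})
		return nil

	default:
		// Just in case, delete secret if something unexpected happened
		delete(req.Session.Values, totpSecretKey)
		h.Log.Error("unhandled error", zap.Error(err))
		return err
	}
}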
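// Displays the QR PNG image for the pending TOTP secret.
//
// The image encodes an otpauth:// key URI (issuer, account label and the
// base32 secret from the session) that authenticator apps scan during
// enrolment.
func (h AuthHandlers) mfaTotpConfigQR(req *request.AuthReq) (err error) {
	raw, has := req.Session.Values[totpSecretKey]
	if !has {
		return fmt.Errorf("no secret in session")
	}

	// guard the assertion: a non-string session value would otherwise panic
	secret, ok := raw.(string)
	if !ok || secret == "" {
		return fmt.Errorf("invalid secret in session")
	}

	issuer := h.Settings.MultiFactor.TOTP.Issuer
	if len(issuer) == 0 {
		issuer = "Corteza"
	}

	account := req.AuthUser.User.Handle
	if len(account) == 0 {
		account = req.AuthUser.User.Email
	}

	params := url.Values{}
	params.Add("secret", secret)
	params.Add("issuer", issuer)

	// Build the key URI directly. Path holds the *unescaped* label and
	// URL.String() escapes it exactly once. Pre-escaping the label with
	// url.PathEscape and then calling String() double-encodes anything
	// outside the unreserved set (a space in the issuer became "%2520").
	keyURI := url.URL{
		Scheme:   "otpauth",
		Host:     "totp",
		Path:     "/" + issuer + ":" + account,
		RawQuery: params.Encode(),
	}

	code, err := qr.Encode(keyURI.String(), qr.Q)
	if err != nil {
		// an unencodable payload is a server-side problem, but not one worth
		// crashing the request goroutine over
		return fmt.Errorf("encoding TOTP QR code: %w", err)
	}

	// The image carries the shared secret, so browsers and intermediaries
	// must not cache it.
	// NOTE(review): assumes req.Response is an http.ResponseWriter (Request
	// is used as an *http.Request throughout this file) — confirm.
	hdr := req.Response.Header()
	hdr.Set("Content-Type", "image/png")
	hdr.Set("Cache-Control", "no-store")
	hdr.Set("Pragma", "no-cache")

	// presumably tells the caller the response has already been written
	req.Status = -1
	_, err = req.Response.Write(code.PNG())
	return
}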
// Handles the MFA TOTP disable form.
//
// Renders the page where the user enters a current TOTP code to confirm
// turning the second factor off; the submission is handled by
// mfaTotpDisableProc.
func (h AuthHandlers) mfaTotpDisableForm(req *request.AuthReq) (err error) {
	req.Template = TmplMfaTotpDisable
	// validation errors from a previous submission are surfaced to the form
	req.Data["form"] = req.PopKV()
	return nil
}
// Handles the MFA TOTP disable form submission.
//
// The submitted code is checked by the service against the user's stored
// secret; only a valid code removes TOTP from the account and from the
// session's copy of the user.
func (h AuthHandlers) mfaTotpDisableProc(req *request.AuthReq) (err error) {
	// default to re-rendering the disable form; overridden on success
	req.RedirectTo = GetLinks().MfaTotpDisable
	req.SetKV(nil)

	// the service validates the code and clears the secret from the user
	updated, err := h.AuthService.RemoveTOTP(
		req.Context(),
		req.AuthUser.User.ID,
		req.Request.PostFormValue("code"),
	)

	t := translator(req, "auth")

	switch {
	case err == nil:
		req.NewAlerts = append(req.NewAlerts, request.Alert{
			Type: "primary",
			Text: t("mfa-totp.alerts.text-MFA_disabled"),
		})

		// keep the session's copy of the user in sync with what was persisted
		req.AuthUser.User = updated
		req.AuthUser.ResetTOTP()
		req.AuthUser.Save(req.Session)

		h.Log.Info("TOTP disabled")
		req.RedirectTo = GetLinks().Security
		return nil

	case errors.IsInvalidData(err):
		req.SetKV(map[string]string{"error": t("mfa-totp.errors.invalid-code-format")})
		return nil

	case errors.IsUnauthenticated(err):
		// Wrong code; the user may simply retry.
		// NOTE(review): the code space is small — confirm this endpoint is
		// rate-limited upstream.
		req.SetKV(map[string]string{"error": t("mfa-totp.errors.invalid-code")})
		return nil

	default:
		h.Log.Error("unhandled error", zap.Error(err))
		return err
	}
}