Merge branch 'develop' into webhooks

migrations/db/schemas/20180220023248_create_users_table.php

@@ -107,6 +107,13 @@ public function change()
             'default' => null
         ]);
 
+        $table->addColumn('2fa_secret', 'string', [
+            'limit' => 100,
+            'encoding' => 'utf8',
+            'null' => true,
+            'default' => null
+        ]);
+
         $table->addIndex('email', [
             'unique' => true,
             'name' => 'idx_users_email'

migrations/db/schemas/20190912072543_create_user_sessions.php

@@ -42,7 +42,7 @@ public function change()
         ]);
 
         $table->addColumn('token', 'string', [
-            'limit' => 255,
+            'limit' => 520,
             'encoding' => 'utf8',
             'null' => true,
             'default' => null

migrations/upgrades/schemas/20190912072543_create_user_sessions.php

@@ -37,7 +37,7 @@ public function change()
         ]);
 
         $table->addColumn('token', 'string', [
-            'limit' => 255,
+            'limit' => 520,
             'encoding' => 'utf8',
             'null' => true,
             'default' => null

src/core/Directus/Application/Http/Middleware/AuthenticationMiddleware.php

@@ -47,7 +47,7 @@ public function __invoke(Request $request, Response $response, callable $next)
 
         try {
             $user = $this->authenticate($request);
-            
+
             $hookEmitter = $this->container->get('hook_emitter');
             if (!$user && !$publicRoleId) {
                 $exception = new UserNotAuthenticatedException();
@@ -110,7 +110,7 @@ public function __invoke(Request $request, Response $response, callable $next)
             $hookEmitter->run('auth.fail', [$exception]);
             throw $exception;
         }
-       
+
         // TODO: Adding an user should auto set its ID and GROUP
         // TODO: User data should be casted to its data type
         // TODO: Make sure that the group is not empty
@@ -139,7 +139,7 @@ protected function authenticate(Request $request)
 
             $user = $authService->authenticateWithToken($authToken, $request->getAttribute('ignore_origin'));
         }
-        
+
         return $user;
     }
 
@@ -226,8 +226,11 @@ protected function targetIsUserEdit(Request $request, int $id) {
 
         if ($num_elements > 3
             &&$target_array[$num_elements - 3] == 'users'
-            && $target_array[$num_elements - 2] == strval($id)
-            && $target_array[$num_elements - 1] == 'activate2FA') {
+            && (
+                $target_array[$num_elements - 2] == strval($id) ||
+                $target_array[$num_elements - 2] == 'me'
+            )
+            && $target_array[$num_elements - 1] == 'activate_2fa') {
             return true;
         }
 

src/core/Directus/Authentication/Exception/SsoNotAllowedException.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace Directus\Authentication\Exception;
+
+use Directus\Exception\UnauthorizedException;
+
+class SsoNotAllowedException extends UnauthorizedException
+{
+    const ERROR_CODE = 115;
+
+    public function __construct()
+    {
+        parent::__construct('SSO not allowed with 2FA enabled');
+    }
+}

src/core/Directus/Authentication/Exception/TFAEnforcedException.php

@@ -7,9 +7,10 @@
 class TFAEnforcedException extends UnauthorizedException
 {
     const ERROR_CODE = 113;
+    const ERROR_MESSAGE = "2FA enforced but not activated for user";
 
     public function __construct()
     {
-        parent::__construct('2FA enforced but not activated for user');
+        parent::__construct(ERROR_MESSAGE);
     }
 }

src/core/Directus/Authentication/Provider.php

@@ -430,17 +430,14 @@ public function getUserProvider()
      *
      * @return string
      */
-    public function generateAuthToken(UserInterface $user, $needs2FA = false)
+    public function generateAuthToken(UserInterface $user)
     {
         $payload = [
             'id' => (int) $user->getId(),
             // 'group' => $user->getGroupId(),
             'exp' => $this->getNewExpirationTime()
         ];
 
-        if ($needs2FA == true) {
-            $payload['needs2FA'] = true;
-        }
 
         return $this->generateToken(JWTUtils::TYPE_AUTH, $payload);
     }

src/core/Directus/Config/Exception/UnknownProjectException.php

@@ -6,7 +6,7 @@
 
 class UnknownProjectException extends ErrorException
 {
-    const ERROR_CODE = 22;
+    const ERROR_CODE = 24;
 
     public function __construct($project, $previous = null)
     {

src/core/Directus/Services/AuthService.php

@@ -10,6 +10,7 @@
 use Directus\Authentication\Exception\InvalidResetPasswordTokenException;
 use Directus\Authentication\Exception\UserNotFoundException;
 use Directus\Authentication\Exception\UserWithEmailNotFoundException;
+use Directus\Authentication\Exception\TFAEnforcedException;
 use Directus\Authentication\Sso\OneSocialProvider;
 use Directus\Authentication\Provider;
 use Directus\Authentication\Sso\Social;
@@ -73,16 +74,26 @@ public function loginWithCredentials($email, $password, $otp=null, $mode = null)
                 break;
             case DirectusUserSessionsTableGateway::TOKEN_JWT : 
             default : 
-                $needs2FA = $tfa_enforced && $user->get2FASecret() == null;
-                $token = $this->generateAuthToken($user,$needs2FA);
+                $token = $this->generateAuthToken($user);
+                $user = $user->toArray();
                 $responseData = [
                     'token' => $token,
-                    'user' => $user->toArray()
+                    'user' => $user
                 ];
+
         }
-        return [
-            'data' => $responseData
-        ];
+        $responseObject['data'] = $responseData;
+
+        if(!is_null($user)){
+            $needs2FA = $tfa_enforced && $user['2fa_secret'] == null;
+            if($needs2FA){
+                $responseObject['error'] = [
+                    'code' => TFAEnforcedException::ERROR_CODE,
+                    'message' => TFAEnforcedException::ERROR_MESSAGE
+                ];
+            }
+        }
+        return $responseObject;
     }
 
     /**
@@ -95,7 +106,7 @@ public function findOrCreateStaticToken(&$user)
     {
         $user = $user->toArray();
         if(empty($user['token'])){
-            $token = StringUtils::randomString(6,false);
+            $token = StringUtils::randomString(24,false);
             $userTable = $this->createTableGateway(SchemaManager::COLLECTION_USERS, false);
             $Update = new Update(SchemaManager::COLLECTION_USERS);
             $Update->set(['token' => $token]);
@@ -342,16 +353,14 @@ public function authenticateWithSsoRequestToken($token)
      *
      * @param UserInterface $user
      *
-     * @param bool $needs2FA Whether the user needs 2FA
-     *
      * @return string
      */
-    public function generateAuthToken(UserInterface $user, bool $needs2FA = false)
+    public function generateAuthToken(UserInterface $user)
     {
         /** @var Provider $auth */
         $auth = $this->container->get('auth');
 
-        return $auth->generateAuthToken($user, $needs2FA);
+        return $auth->generateAuthToken($user);
     }
 
     /**

src/core/Directus/Services/ProjectService.php

@@ -24,7 +24,7 @@ public function create(array $data)
 
         $this->validate($data,[
             'project' => 'required|string|regex:/^[0-9a-z_-]+$/i',
-
+            'private' => 'bool',
             'force' => 'bool',
             'existing' => 'bool',
             'super_admin_token' => 'required',

src/core/Directus/Services/UsersService.php

@@ -429,8 +429,8 @@ protected function enforceLastAdmin($id)
     public function activate2FA($id, $tfa_secret, $otp)
     {
         $this->validate(
-            ['tfa_secret' => $tfa_secret, 'otp' => $otp],
-            ['tfa_secret' => 'required|string', 'otp' => 'required|string']
+            ['2fa_secret' => $tfa_secret, 'otp' => $otp],
+            ['2fa_secret' => 'required|string', 'otp' => 'required|string']
         );
 
         $ga = new Google2FA();

src/core/Directus/Services/UtilsService.php

@@ -69,6 +69,10 @@ public function generate2FASecret()
     {
         $ga = new Google2FA();
         $tfa_secret = $ga->generateSecretKey();
-        return ['2fa_secret' => $tfa_secret];
+        return [
+            'data' => [
+                '2fa_secret' => $tfa_secret
+            ]
+        ];
     }
 }

src/core/Directus/Util/DateTimeUtils.php

@@ -113,6 +113,9 @@ public static function nowInTimezone()
         if(!is_null($projectName)){
             $config = get_project_config($projectName);
             return static::now($config->get('app.timezone'));
+        } else {
+            // If there's no project config (f.e. when creating projects), default to UTC
+            return static::now('UTC');
         }
     }