MFA

David Shen · David Shen · commit 910fcb209171 · 2020-04-12T20:49:13.000+10:00
diff --git a/README.md b/README.md
@@ -39,18 +39,16 @@ php artisan vendor:publish --provider="Sicaboy\LaravelSecurity\LaravelSecuritySe
 Siaboy\LaravelSecurity\LaravelSecurityServiceProvider::class,
 ```
 
-# Validators
 
-## Available Rules
+# Features
 
-- [NotCommonPassword](src/Rules/NotCommonPassword.php) - Avoid user to use a common used password
-
-- [NotAUsedPassword](src/Rules/NotAUsedPassword.php) - Avoid user to use a password which has been used before
+## Disallow user to use a common password or a used password
 
+#### Available validators rules
 
-## Features
+- [NotCommonPassword](src/Rules/NotCommonPassword.php) - Avoid user to use a common used password
 
-### Disallow user to use a common password or a used password
+- [NotAUsedPassword](src/Rules/NotAUsedPassword.php) - Avoid user to use a password which has been used before
 
 ```php
 // Add rule instance to the field validation rules list
@@ -85,15 +83,17 @@ While there is an extra event you should add to call explicitly.
 event(new \Illuminate\Auth\Events\PasswordReset($user));
 ```
 
-### Password Policy
+## Password Policies
+
+#### Available policies
 
 - Delete accounts with days of no activity
 - Lock out accounts with days of no activity
 - Force change password
 
-You can enable function needed by setting config `enabled` to `true` in `config/laravel-security.php`
+1. Enable function needed by setting config `enabled` to `true` in `config/laravel-security.php`
 
-```
+```php
 'password_policy' => [
     // Delete accounts with days of no activity
     'auto_delete_inactive_accounts' => [
@@ -115,6 +115,54 @@ You can enable function needed by setting config `enabled` to `true` in `config/
 ]
 ```
 
+2. If you force user change password every x days, you will need to use this middleware
+
+```php
+Route::middleware(['security'])->group(function () {
+    ...
+});
+```
+
+
+3. Add the following commands to `app/Console/Kernel.php` of your application
+
+```php
+protected function schedule(Schedule $schedule)
+{
+    $schedule->command(\Sicaboy\LaravelSecurity\Console\Commands\DeleteInactiveAccounts::class)
+             ->hourly();
+    $schedule->command(\Sicaboy\LaravelSecurity\Console\Commands\LockoutInactiveAccounts::class)
+             ->hourly();
+    ...
+}
+```
+3. Make sure you add the [Laravel scheduler](https://laravel.com/docs/7.x/scheduling#introduction) in your crontab 
+
+```
+* * * * * cd /path-to-your-project && php artisan schedule:run >> /dev/null 2>&1
+```  
+
+## Multi-factor Authentication
+
+1. Enable function needed by setting config `enabled` to `true` in `config/laravel-security.php`
+
+```php
+'multi_factor_authentication' => [
+    'enabled' => false,
+    ...
+]
+```
+
+2. Attach the middleware to your routes to protect your pages.
+
+```php
+
+Route::middleware(['mfa'])->group(function () {
+    ...
+});
+```
+
+
 ## Change log
 
 Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.
diff --git a/config/laravel-security.php b/config/laravel-security.php
@@ -4,12 +4,15 @@
 
     'multi_factor_authentication' => [
         'enabled' => false,
-        'email_notification' => [
-            'enabled' => true,
+        'template' => 'laravel-security.mfa.form',
+        'code_expire_after_minutes' => 10,
+        'email' => [
             //'mailable' => Sicaboy\LaravelSecurity\Mail\AuthenticationCodeMailable::class,
-            'template' => 'laravel-security.emails.authentication-code',
+            'template' => 'laravel-security::emails.authentication-code',
             'subject' => 'Login authentication code',
         ],
+        // @todo
+        // 'sms' => []
     ],
 
     'password_policy' => [
@@ -20,7 +23,7 @@
             'email_notification' => [
                 'enabled' => true,
                 //'mailable' => Sicaboy\LaravelSecurity\Mail\AccountTerminatedMailable::class,
-                'template' => 'laravel-security.emails.account-terminated',
+                'template' => 'laravel-security::emails.account-terminated',
                 'subject' => 'Your account has been terminated',
             ],
         ],
@@ -32,7 +35,7 @@
             'email_notification' => [
                 'enabled' => true,
                 //'mailable' => Sicaboy\LaravelSecurity\Mail\AccountLockedMailable::class,
-                'template' => 'laravel-security.emails.account-locked',
+                'template' => 'laravel-security::emails.account-locked',
                 'subject' => 'Your account has been locked due to no activity',
             ],
         ],
diff --git a/resources/views/emails/account-locked.blade.php b/resources/views/emails/account-locked.blade.php
@@ -1,4 +1,4 @@
-@extends('laravel-security.emails.base')
+@extends('laravel-security::emails.base')
 
 @section('content')
     <p class="lead">
diff --git a/resources/views/emails/account-terminated.blade.php b/resources/views/emails/account-terminated.blade.php
@@ -1,4 +1,4 @@
-@extends('laravel-security.emails.base')
+@extends('laravel-security::emails.base')
 
 @section('content')
     <p class="lead">
diff --git a/resources/views/emails/authentication-code.blade.php b/resources/views/emails/authentication-code.blade.php
@@ -1,4 +1,4 @@
-@extends('laravel-security.emails.base')
+@extends('laravel-security::emails.base')
 
 @section('content')
     <p class="lead">
diff --git a/resources/views/emails/base.blade.php b/resources/views/emails/base.blade.php
@@ -117,10 +117,12 @@
                     <tr>
                         <td>
                             {{--<img src="{{ config('app.url') }}/images/logo-mail.png" />--}}
+                            <h3 class="collapse">
+                                {{ config('app.name') }}
+                            </h3>
                         </td>
                         <td align="right">
                             <h6 class="collapse">
-                                {{ config('app.name') }}
                             </h6>
                         </td>
                     </tr>
diff --git a/resources/views/mfa/form.blade.php b/resources/views/mfa/form.blade.php
@@ -0,0 +1,63 @@
+@extends('layouts.app')
+
+@section('content')
+    <div class="container">
+        <div class="row justify-content-center">
+            <div class="col-md-8">
+                <div class="card">
+                    <div class="card-header">{{ __('Multi-factor Authentication') }}</div>
+
+                    <div class="card-body">
+                        <form method="POST" action="" aria-label="{{ __('Multi-factor Authentication') }}">
+                            @csrf
+
+                            <input type="hidden" name="referer" value="{{ $referer }}">
+
+                            <div class="alert alert-secondary" role="alert">
+                                {{ __("The authentication code has been sent to your e-mail and the code will expire after :minutes minutes.", ['minutes' => $minutes]) }}
+                            </div>
+                            <div class="form-group row">
+                                <label for="code" class="col-md-4 col-form-label text-md-right">{{ __('Auth Code') }}</label>
+
+                                <div class="col-md-6">
+                                    <input id="code" type="text" class="form-control{{ $errors->has('code') ? ' is-invalid' : '' }}" name="code" value="{{ $code ?? old('code') }}" required autofocus>
+                                    @if ($errors->has('code'))
+                                        <span class="invalid-feedback" role="alert">
+                                        <strong>{{ $errors->first('code') }}</strong>
+                                    </span>
+                                    @endif
+                                </div>
+                            </div>
+                            <div class="form-group row mb-10" id="re_send_code_hint" style="visibility: hidden">
+                                <div class="col-md-6 offset-md-4">
+                                    <span class="text-muted">
+                                        {{ __("Haven't received the code? Try ") }}
+                                    </span>
+                                    <a id="re_send_code_link" href="{{route('security.mfa', ['referer' => $referer])}}">
+                                        {{ __('re-send auth code') }}
+                                    </a>
+                                </div>
+                            </div>
+                            <div class="form-group row mb-0">
+                                <div class="col-md-6 offset-md-4">
+                                    <button type="submit" class="btn btn-primary">
+                                        {{ __('Submit') }}
+                                    </button>
+                                </div>
+                            </div>
+
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+<script>
+setTimeout(function() {
+    document.getElementById('re_send_code_hint').style.visibility = 'unset';
+    document.getElementById("re_send_code_link").addEventListener("click", function(){
+        document.getElementById('re_send_code_hint').style.visibility = 'hidden';
+    });
+}, 10000);
+</script>
+@endsection
diff --git a/routes/web.php b/routes/web.php
@@ -7,6 +7,7 @@
 //Route::get('/scripts/{script}', 'ScriptController@show')->middleware(CheckResponseForModifications::class);
 //Route::get('/styles/{style}', 'StyleController@show')->middleware(CheckResponseForModifications::class);
 
-Route::get('/mfa', function() {return 'hihihi';})->name('mfa');
-Route::post('/mfa', function() {return 'hihihi';});
-Route::post('/d', function() {return 'hihihi';});
+Route::get('/mfa', 'MFAController@getIndex')->name('mfa');
+Route::get('/mfa/form', 'MFAController@getForm')->name('mfa-form');
+Route::post('/mfa/form', 'MFAController@postForm');
+
diff --git a/src/Http/Controllers/MFAController.php b/src/Http/Controllers/MFAController.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace Sicaboy\LaravelSecurity\Http\Controllers;
+
+use Illuminate\Routing\Controller;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\Support\Facades\Session;
+
+class MFAController extends Controller
+{
+
+    const MFA_CODE_KEY = 'mfa_code';
+
+    public function getIndex(Request $request) {
+
+//        if (!Session::has('mfa_completed')) {
+        $config = config('laravel-security.multi_factor_authentication');
+
+        $user = Auth::user();
+
+        $code = rand(100000, 999999);
+
+        $minutes = config('laravel-security.multi_factor_authentication.code_expire_after_minutes', 10);
+
+        Cache::put(self::MFA_CODE_KEY, $code, $minutes);
+
+        Mail::send($config['email']['template'], [
+            'user' => $user,
+            'code' => $code,
+            'minutes' => $minutes,
+        ], function($message) use ($user, $config) {
+            $message->to($user->email);
+            $message->subject($config['email']['subject']);
+        });
+
+        return redirect()->route('security.mfa-form', [
+            'referer' => $request->get('referer')
+        ]);
+//        }
+    }
+
+    public function getForm(Request $request) {
+
+        $config = config('laravel-security.multi_factor_authentication');
+
+        $minutes = config('laravel-security.multi_factor_authentication.code_expire_after_minutes', 10);
+
+        return view('laravel-security::mfa.form', [
+            'referer' => $request->get('referer'),
+            'minutes' => $minutes,
+        ]);
+    }
+
+    public function postForm(Request $request) {
+
+        $config = config('laravel-security.multi_factor_authentication');
+
+        $minutes = config('laravel-security.multi_factor_authentication.code_expire_after_minutes', 10);
+
+        $code = Cache::get(self::MFA_CODE_KEY);
+
+        if (!$code || trim($request->get('code')) != $code) {
+            return redirect()->back()->withErrors([
+                'code' => __('The code is not correct.')
+            ]);
+        }
+
+        Session::put('mfa_completed', true);
+        
+        return redirect()->to($request->get('referer', '/'));
+    }
+
+}
diff --git a/src/Http/Middleware/MFA.php b/src/Http/Middleware/MFA.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Sicaboy\LaravelSecurity\Http\Middleware;
+
+use Closure;
+use Illuminate\Routing\UrlGenerator;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Session;
+
+class MFA
+{
+
+    protected $generator;
+
+
+    public function __construct(UrlGenerator $generator)
+    {
+        $this->generator = $generator;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (config('laravel-security.multi_factor_authentication.enabled') !== true) {
+            return $next($request);
+        }
+
+        $user = Auth::user();
+        if (!$user) {
+            return redirect()->route('login');
+        }
+
+        if (!Session::has('mfa_completed')) {
+            return redirect()->route('security.mfa', [
+                'referer' => $this->generator->previous()
+            ]);
+        }
+        return $next($request);
+    }
+}
diff --git a/src/Http/Middleware/Security.php b/src/Http/Middleware/Security.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Sicaboy\LaravelSecurity\Http\Middleware;
+
+use Closure;
+use Illuminate\Support\Facades\Auth;
+
+class Security
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        return $next($request);
+        if (config('laravel-security.multi_factor_authentication.enabled') !== true) {
+
+        }
+    }
+}
diff --git a/src/LaravelSecurityServiceProvider.php b/src/LaravelSecurityServiceProvider.php
diff --git a/src/Mail/AccountLockedMailable.php b/src/Mail/AccountLockedMailable.php
diff --git a/src/Mail/AccountTerminatedMailable.php b/src/Mail/AccountTerminatedMailable.php
diff --git a/src/Mail/AuthenticationCodeMailable.php b/src/Mail/AuthenticationCodeMailable.php
diff --git a/src/Middlewares/MFAMiddleware.php b/src/Middlewares/MFAMiddleware.php

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-@extends('laravel-security.emails.base')`
	`1`	`+@extends('laravel-security::emails.base')`
`2`	`2`
`3`	`3`	`@section('content')`
`4`	`4`	`<p class="lead">`