BookStack Code Mirror - bookstack/blob - app/Http/Controllers/Auth/MfaTotpController.php

   1 <?php
   2
   3 namespace BookStack\Http\Controllers\Auth;
   4
   5 use BookStack\Actions\ActivityType;
   6 use BookStack\Auth\Access\LoginService;
   7 use BookStack\Auth\Access\Mfa\MfaSession;
   8 use BookStack\Auth\Access\Mfa\MfaValue;
   9 use BookStack\Auth\Access\Mfa\TotpService;
  10 use BookStack\Auth\Access\Mfa\TotpValidationRule;
  11 use BookStack\Exceptions\NotFoundException;
  12 use BookStack\Http\Controllers\Controller;
  13 use Illuminate\Http\Request;
  14 use Illuminate\Validation\ValidationException;
  15
  16 class MfaTotpController extends Controller
  17 {
  18     use HandlesPartialLogins;
  19
  20     protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-totp-secret';
  21
  22     /**
  23      * Show a view that generates and displays a TOTP QR code.
  24      */
  25     public function generate(TotpService $totp)
  26     {
  27         if (session()->has(static::SETUP_SECRET_SESSION_KEY)) {
  28             $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
  29         } else {
  30             $totpSecret = $totp->generateSecret();
  31             session()->put(static::SETUP_SECRET_SESSION_KEY, encrypt($totpSecret));
  32         }
  33
  34         $qrCodeUrl = $totp->generateUrl($totpSecret);
  35         $svg = $totp->generateQrCodeSvg($qrCodeUrl);
  36
  37         return view('mfa.totp-generate', [
  38             'url' => $qrCodeUrl,
  39             'svg' => $svg,
  40         ]);
  41     }
  42
  43     /**
  44      * Confirm the setup of TOTP and save the auth method secret
  45      * against the current user.
  46      *
  47      * @throws ValidationException
  48      * @throws NotFoundException
  49      */
  50     public function confirm(Request $request)
  51     {
  52         $totpSecret = decrypt(session()->get(static::SETUP_SECRET_SESSION_KEY));
  53         $this->validate($request, [
  54             'code' => [
  55                 'required',
  56                 'max:12', 'min:4',
  57                 new TotpValidationRule($totpSecret),
  58             ],
  59         ]);
  60
  61         MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_TOTP, $totpSecret);
  62         session()->remove(static::SETUP_SECRET_SESSION_KEY);
  63         $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'totp');
  64
  65         if (!auth()->check()) {
  66             $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));
  67
  68             return redirect('/login');
  69         }
  70
  71         return redirect('/mfa/setup');
  72     }
  73
  74     /**
  75      * Verify the MFA method submission on check.
  76      *
  77      * @throws NotFoundException
  78      */
  79     public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
  80     {
  81         $user = $this->currentOrLastAttemptedUser();
  82         $totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);
  83
  84         $this->validate($request, [
  85             'code' => [
  86                 'required',
  87                 'max:12', 'min:4',
  88                 new TotpValidationRule($totpSecret),
  89             ],
  90         ]);
  91
  92         $mfaSession->markVerifiedForUser($user);
  93         $loginService->reattemptLoginFor($user);
  94
  95         return redirect()->intended();
  96     }
  97 }