BookStack Code Mirror - bookstack/blob - app/Http/Controllers/Auth/MfaBackupCodesController.php

   1 <?php
   2
   3 namespace BookStack\Http\Controllers\Auth;
   4
   5 use BookStack\Actions\ActivityType;
   6 use BookStack\Auth\Access\LoginService;
   7 use BookStack\Auth\Access\Mfa\BackupCodeService;
   8 use BookStack\Auth\Access\Mfa\MfaSession;
   9 use BookStack\Auth\Access\Mfa\MfaValue;
  10 use BookStack\Exceptions\NotFoundException;
  11 use BookStack\Http\Controllers\Controller;
  12 use Exception;
  13 use Illuminate\Http\Request;
  14 use Illuminate\Validation\ValidationException;
  15
  16 class MfaBackupCodesController extends Controller
  17 {
  18     use HandlesPartialLogins;
  19
  20     protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';
  21
  22     /**
  23      * Show a view that generates and displays backup codes
  24      */
  25     public function generate(BackupCodeService $codeService)
  26     {
  27         $codes = $codeService->generateNewSet();
  28         session()->put(self::SETUP_SECRET_SESSION_KEY, encrypt($codes));
  29
  30         $downloadUrl = 'data:application/octet-stream;base64,' . base64_encode(implode("\n\n", $codes));
  31
  32         return view('mfa.backup-codes-generate', [
  33             'codes' => $codes,
  34             'downloadUrl' => $downloadUrl,
  35         ]);
  36     }
  37
  38     /**
  39      * Confirm the setup of backup codes, storing them against the user.
  40      * @throws Exception
  41      */
  42     public function confirm()
  43     {
  44         if (!session()->has(self::SETUP_SECRET_SESSION_KEY)) {
  45             return response('No generated codes found in the session', 500);
  46         }
  47
  48         $codes = decrypt(session()->pull(self::SETUP_SECRET_SESSION_KEY));
  49         MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_BACKUP_CODES, json_encode($codes));
  50
  51         $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'backup-codes');
  52         return redirect('/mfa/setup');
  53     }
  54
  55     /**
  56      * Verify the MFA method submission on check.
  57      * @throws NotFoundException
  58      * @throws ValidationException
  59      */
  60     public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
  61     {
  62         $user = $this->currentOrLastAttemptedUser();
  63         $codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';
  64
  65         $this->validate($request, [
  66             'code' => [
  67                 'required',
  68                 'max:12', 'min:8',
  69                 function ($attribute, $value, $fail) use ($codeService, $codes) {
  70                     if (!$codeService->inputCodeExistsInSet($value, $codes)) {
  71                         $fail(trans('validation.backup_codes'));
  72                     }
  73                 }
  74             ]
  75         ]);
  76
  77         $updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);
  78         MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);
  79
  80         $mfaSession->markVerifiedForUser($user);
  81         $loginService->reattemptLoginFor($user, 'mfa-backup_codes');
  82
  83         if ($codeService->countCodesInSet($updatedCodes) < 5) {
  84             $this->showWarningNotification('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.');
  85         }
  86
  87         return redirect()->intended();
  88     }
  89 }