BookStack Code Mirror - bookstack/blob - app/Http/Controllers/Auth/MfaBackupCodesController.php

   1 <?php
   2
   3 namespace BookStack\Http\Controllers\Auth;
   4
   5 use BookStack\Actions\ActivityType;
   6 use BookStack\Auth\Access\LoginService;
   7 use BookStack\Auth\Access\Mfa\BackupCodeService;
   8 use BookStack\Auth\Access\Mfa\MfaSession;
   9 use BookStack\Auth\Access\Mfa\MfaValue;
  10 use BookStack\Exceptions\NotFoundException;
  11 use BookStack\Http\Controllers\Controller;
  12 use Exception;
  13 use Illuminate\Http\Request;
  14 use Illuminate\Validation\ValidationException;
  15
  16 class MfaBackupCodesController extends Controller
  17 {
  18     use HandlesPartialLogins;
  19
  20     protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';
  21
  22     /**
  23      * Show a view that generates and displays backup codes.
  24      */
  25     public function generate(BackupCodeService $codeService)
  26     {
  27         $codes = $codeService->generateNewSet();
  28         session()->put(self::SETUP_SECRET_SESSION_KEY, encrypt($codes));
  29
  30         $downloadUrl = 'data:application/octet-stream;base64,' . base64_encode(implode("\n\n", $codes));
  31
  32         $this->setPageTitle(trans('auth.mfa_gen_backup_codes_title'));
  33
  34         return view('mfa.backup-codes-generate', [
  35             'codes'       => $codes,
  36             'downloadUrl' => $downloadUrl,
  37         ]);
  38     }
  39
  40     /**
  41      * Confirm the setup of backup codes, storing them against the user.
  42      *
  43      * @throws Exception
  44      */
  45     public function confirm()
  46     {
  47         if (!session()->has(self::SETUP_SECRET_SESSION_KEY)) {
  48             return response('No generated codes found in the session', 500);
  49         }
  50
  51         $codes = decrypt(session()->pull(self::SETUP_SECRET_SESSION_KEY));
  52         MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_BACKUP_CODES, json_encode($codes));
  53
  54         $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'backup-codes');
  55
  56         if (!auth()->check()) {
  57             $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));
  58
  59             return redirect('/login');
  60         }
  61
  62         return redirect('/mfa/setup');
  63     }
  64
  65     /**
  66      * Verify the MFA method submission on check.
  67      *
  68      * @throws NotFoundException
  69      * @throws ValidationException
  70      */
  71     public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
  72     {
  73         $user = $this->currentOrLastAttemptedUser();
  74         $codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';
  75
  76         $this->validate($request, [
  77             'code' => [
  78                 'required', 'max:12', 'min:8',
  79                 function ($attribute, $value, $fail) use ($codeService, $codes) {
  80                     if (!$codeService->inputCodeExistsInSet($value, $codes)) {
  81                         $fail(trans('validation.backup_codes'));
  82                     }
  83                 },
  84             ],
  85         ]);
  86
  87         $updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);
  88         MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);
  89
  90         $mfaSession->markVerifiedForUser($user);
  91         $loginService->reattemptLoginFor($user);
  92
  93         if ($codeService->countCodesInSet($updatedCodes) < 5) {
  94             $this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));
  95         }
  96
  97         return redirect()->intended();
  98     }
  99 }