BookStack Code Mirror - bookstack/blob - app/Http/Controllers/Auth/MfaBackupCodesController.php

   1 <?php
   2
   3 namespace BookStack\Http\Controllers\Auth;
   4
   5 use BookStack\Actions\ActivityType;
   6 use BookStack\Auth\Access\LoginService;
   7 use BookStack\Auth\Access\Mfa\BackupCodeService;
   8 use BookStack\Auth\Access\Mfa\MfaSession;
   9 use BookStack\Auth\Access\Mfa\MfaValue;
  10 use BookStack\Exceptions\NotFoundException;
  11 use BookStack\Http\Controllers\Controller;
  12 use Exception;
  13 use Illuminate\Http\Request;
  14 use Illuminate\Validation\ValidationException;
  15
  16 class MfaBackupCodesController extends Controller
  17 {
  18     use HandlesPartialLogins;
  19
  20     protected const SETUP_SECRET_SESSION_KEY = 'mfa-setup-backup-codes';
  21
  22     /**
  23      * Show a view that generates and displays backup codes.
  24      */
  25     public function generate(BackupCodeService $codeService)
  26     {
  27         $codes = $codeService->generateNewSet();
  28         session()->put(self::SETUP_SECRET_SESSION_KEY, encrypt($codes));
  29
  30         $downloadUrl = 'data:application/octet-stream;base64,' . base64_encode(implode("\n\n", $codes));
  31
  32         return view('mfa.backup-codes-generate', [
  33             'codes'       => $codes,
  34             'downloadUrl' => $downloadUrl,
  35         ]);
  36     }
  37
  38     /**
  39      * Confirm the setup of backup codes, storing them against the user.
  40      *
  41      * @throws Exception
  42      */
  43     public function confirm()
  44     {
  45         if (!session()->has(self::SETUP_SECRET_SESSION_KEY)) {
  46             return response('No generated codes found in the session', 500);
  47         }
  48
  49         $codes = decrypt(session()->pull(self::SETUP_SECRET_SESSION_KEY));
  50         MfaValue::upsertWithValue($this->currentOrLastAttemptedUser(), MfaValue::METHOD_BACKUP_CODES, json_encode($codes));
  51
  52         $this->logActivity(ActivityType::MFA_SETUP_METHOD, 'backup-codes');
  53
  54         if (!auth()->check()) {
  55             $this->showSuccessNotification(trans('auth.mfa_setup_login_notification'));
  56             return redirect('/login');
  57         }
  58
  59         return redirect('/mfa/setup');
  60     }
  61
  62     /**
  63      * Verify the MFA method submission on check.
  64      *
  65      * @throws NotFoundException
  66      * @throws ValidationException
  67      */
  68     public function verify(Request $request, BackupCodeService $codeService, MfaSession $mfaSession, LoginService $loginService)
  69     {
  70         $user = $this->currentOrLastAttemptedUser();
  71         $codes = MfaValue::getValueForUser($user, MfaValue::METHOD_BACKUP_CODES) ?? '[]';
  72
  73         $this->validate($request, [
  74             'code' => [
  75                 'required',
  76                 'max:12', 'min:8',
  77                 function ($attribute, $value, $fail) use ($codeService, $codes) {
  78                     if (!$codeService->inputCodeExistsInSet($value, $codes)) {
  79                         $fail(trans('validation.backup_codes'));
  80                     }
  81                 },
  82             ],
  83         ]);
  84
  85         $updatedCodes = $codeService->removeInputCodeFromSet($request->get('code'), $codes);
  86         MfaValue::upsertWithValue($user, MfaValue::METHOD_BACKUP_CODES, $updatedCodes);
  87
  88         $mfaSession->markVerifiedForUser($user);
  89         $loginService->reattemptLoginFor($user);
  90
  91         if ($codeService->countCodesInSet($updatedCodes) < 5) {
  92             $this->showWarningNotification(trans('auth.mfa_backup_codes_usage_limit_warning'));
  93         }
  94
  95         return redirect()->intended();
  96     }
  97 }