diff options
| author | Kevin Decherf <kevin@kdecherf.com> | 2019-01-30 01:02:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-30 01:02:27 +0100 |
| commit | 2e5b3fa361098498a9e42a65396a27e1eb487fba (patch) | |
| tree | f20677c3d68c1ea756f0835ff179a0d7d3431a67 /src/Wallabag/UserBundle | |
| parent | c6024246b744e411175318065f7c396bbb5a213e (diff) | |
| parent | 4654a83b6438b88e3b7062a21d18999d9df2fb8e (diff) | |
| download | wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.gz wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.zst wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.zip | |
Merge pull request #3798 from wallabag/update-two-factor-bundle
Enable OTP 2FA
Diffstat (limited to 'src/Wallabag/UserBundle')
6 files changed, 172 insertions, 47 deletions
diff --git a/src/Wallabag/UserBundle/Controller/ManageController.php b/src/Wallabag/UserBundle/Controller/ManageController.php index a9746fb4..63a06206 100644 --- a/src/Wallabag/UserBundle/Controller/ManageController.php +++ b/src/Wallabag/UserBundle/Controller/ManageController.php | |||
| @@ -62,14 +62,29 @@ class ManageController extends Controller | |||
| 62 | */ | 62 | */ |
| 63 | public function editAction(Request $request, User $user) | 63 | public function editAction(Request $request, User $user) |
| 64 | { | 64 | { |
| 65 | $userManager = $this->container->get('fos_user.user_manager'); | ||
| 66 | |||
| 65 | $deleteForm = $this->createDeleteForm($user); | 67 | $deleteForm = $this->createDeleteForm($user); |
| 66 | $editForm = $this->createForm('Wallabag\UserBundle\Form\UserType', $user); | 68 | $form = $this->createForm('Wallabag\UserBundle\Form\UserType', $user); |
| 67 | $editForm->handleRequest($request); | 69 | $form->handleRequest($request); |
| 68 | 70 | ||
| 69 | if ($editForm->isSubmitted() && $editForm->isValid()) { | 71 | // `googleTwoFactor` isn't a field within the User entity, we need to define it's value in a different way |
| 70 | $em = $this->getDoctrine()->getManager(); | 72 | if ($this->getParameter('twofactor_auth') && true === $user->isGoogleAuthenticatorEnabled() && false === $form->isSubmitted()) { |
| 71 | $em->persist($user); | 73 | $form->get('googleTwoFactor')->setData(true); |
| 72 | $em->flush(); | 74 | } |
| 75 | |||
| 76 | if ($form->isSubmitted() && $form->isValid()) { | ||
| 77 | // handle creation / reset of the OTP secret if checkbox changed from the previous state | ||
| 78 | if ($this->getParameter('twofactor_auth')) { | ||
| 79 | if (true === $form->get('googleTwoFactor')->getData() && false === $user->isGoogleAuthenticatorEnabled()) { | ||
| 80 | $user->setGoogleAuthenticatorSecret($this->get('scheb_two_factor.security.google_authenticator')->generateSecret()); | ||
| 81 | $user->setEmailTwoFactor(false); | ||
| 82 | } elseif (false === $form->get('googleTwoFactor')->getData() && true === $user->isGoogleAuthenticatorEnabled()) { | ||
| 83 | $user->setGoogleAuthenticatorSecret(null); | ||
| 84 | } | ||
| 85 | } | ||
| 86 | |||
| 87 | $userManager->updateUser($user); | ||
| 73 | 88 | ||
| 74 | $this->get('session')->getFlashBag()->add( | 89 | $this->get('session')->getFlashBag()->add( |
| 75 | 'notice', | 90 | 'notice', |
| @@ -81,7 +96,7 @@ class ManageController extends Controller | |||
| 81 | 96 | ||
| 82 | return $this->render('WallabagUserBundle:Manage:edit.html.twig', [ | 97 | return $this->render('WallabagUserBundle:Manage:edit.html.twig', [ |
| 83 | 'user' => $user, | 98 | 'user' => $user, |
| 84 | 'edit_form' => $editForm->createView(), | 99 | 'edit_form' => $form->createView(), |
| 85 | 'delete_form' => $deleteForm->createView(), | 100 | 'delete_form' => $deleteForm->createView(), |
| 86 | 'twofactor_auth' => $this->getParameter('twofactor_auth'), | 101 | 'twofactor_auth' => $this->getParameter('twofactor_auth'), |
| 87 | ]); | 102 | ]); |
| @@ -131,8 +146,6 @@ class ManageController extends Controller | |||
| 131 | $form->handleRequest($request); | 146 | $form->handleRequest($request); |
| 132 | 147 | ||
| 133 | if ($form->isSubmitted() && $form->isValid()) { | 148 | if ($form->isSubmitted() && $form->isValid()) { |
| 134 | $this->get('logger')->info('searching users'); | ||
| 135 | |||
| 136 | $searchTerm = (isset($request->get('search_user')['term']) ? $request->get('search_user')['term'] : ''); | 149 | $searchTerm = (isset($request->get('search_user')['term']) ? $request->get('search_user')['term'] : ''); |
| 137 | 150 | ||
| 138 | $qb = $em->getRepository('WallabagUserBundle:User')->getQueryBuilderForSearch($searchTerm); | 151 | $qb = $em->getRepository('WallabagUserBundle:User')->getQueryBuilderForSearch($searchTerm); |
| @@ -157,7 +170,7 @@ class ManageController extends Controller | |||
| 157 | } | 170 | } |
| 158 | 171 | ||
| 159 | /** | 172 | /** |
| 160 | * Creates a form to delete a User entity. | 173 | * Create a form to delete a User entity. |
| 161 | * | 174 | * |
| 162 | * @param User $user The User entity | 175 | * @param User $user The User entity |
| 163 | * | 176 | * |
diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php index 48446e3c..43fa6a80 100644 --- a/src/Wallabag/UserBundle/Entity/User.php +++ b/src/Wallabag/UserBundle/Entity/User.php | |||
| @@ -8,8 +8,9 @@ use FOS\UserBundle\Model\User as BaseUser; | |||
| 8 | use JMS\Serializer\Annotation\Accessor; | 8 | use JMS\Serializer\Annotation\Accessor; |
| 9 | use JMS\Serializer\Annotation\Groups; | 9 | use JMS\Serializer\Annotation\Groups; |
| 10 | use JMS\Serializer\Annotation\XmlRoot; | 10 | use JMS\Serializer\Annotation\XmlRoot; |
| 11 | use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface; | 11 | use Scheb\TwoFactorBundle\Model\BackupCodeInterface; |
| 12 | use Scheb\TwoFactorBundle\Model\TrustedComputerInterface; | 12 | use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface as EmailTwoFactorInterface; |
| 13 | use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface as GoogleTwoFactorInterface; | ||
| 13 | use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity; | 14 | use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity; |
| 14 | use Symfony\Component\Security\Core\User\UserInterface; | 15 | use Symfony\Component\Security\Core\User\UserInterface; |
| 15 | use Wallabag\ApiBundle\Entity\Client; | 16 | use Wallabag\ApiBundle\Entity\Client; |
| @@ -28,7 +29,7 @@ use Wallabag\CoreBundle\Helper\EntityTimestampsTrait; | |||
| 28 | * @UniqueEntity("email") | 29 | * @UniqueEntity("email") |
| 29 | * @UniqueEntity("username") | 30 | * @UniqueEntity("username") |
| 30 | */ | 31 | */ |
| 31 | class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface | 32 | class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorInterface, BackupCodeInterface |
| 32 | { | 33 | { |
| 33 | use EntityTimestampsTrait; | 34 | use EntityTimestampsTrait; |
| 34 | 35 | ||
| @@ -123,16 +124,21 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf | |||
| 123 | private $authCode; | 124 | private $authCode; |
| 124 | 125 | ||
| 125 | /** | 126 | /** |
| 126 | * @var bool | 127 | * @ORM\Column(name="googleAuthenticatorSecret", type="string", nullable=true) |
| 127 | * | ||
| 128 | * @ORM\Column(type="boolean") | ||
| 129 | */ | 128 | */ |
| 130 | private $twoFactorAuthentication = false; | 129 | private $googleAuthenticatorSecret; |
| 131 | 130 | ||
| 132 | /** | 131 | /** |
| 133 | * @ORM\Column(type="json_array", nullable=true) | 132 | * @ORM\Column(type="json_array", nullable=true) |
| 134 | */ | 133 | */ |
| 135 | private $trusted; | 134 | private $backupCodes; |
| 135 | |||
| 136 | /** | ||
| 137 | * @var bool | ||
| 138 | * | ||
| 139 | * @ORM\Column(type="boolean") | ||
| 140 | */ | ||
| 141 | private $emailTwoFactor = false; | ||
| 136 | 142 | ||
| 137 | public function __construct() | 143 | public function __construct() |
| 138 | { | 144 | { |
| @@ -233,49 +239,119 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf | |||
| 233 | /** | 239 | /** |
| 234 | * @return bool | 240 | * @return bool |
| 235 | */ | 241 | */ |
| 236 | public function isTwoFactorAuthentication() | 242 | public function isEmailTwoFactor() |
| 237 | { | 243 | { |
| 238 | return $this->twoFactorAuthentication; | 244 | return $this->emailTwoFactor; |
| 239 | } | 245 | } |
| 240 | 246 | ||
| 241 | /** | 247 | /** |
| 242 | * @param bool $twoFactorAuthentication | 248 | * @param bool $emailTwoFactor |
| 243 | */ | 249 | */ |
| 244 | public function setTwoFactorAuthentication($twoFactorAuthentication) | 250 | public function setEmailTwoFactor($emailTwoFactor) |
| 245 | { | 251 | { |
| 246 | $this->twoFactorAuthentication = $twoFactorAuthentication; | 252 | $this->emailTwoFactor = $emailTwoFactor; |
| 247 | } | 253 | } |
| 248 | 254 | ||
| 249 | public function isEmailAuthEnabled() | 255 | /** |
| 256 | * Used in the user config form to be "like" the email option. | ||
| 257 | */ | ||
| 258 | public function isGoogleTwoFactor() | ||
| 259 | { | ||
| 260 | return $this->isGoogleAuthenticatorEnabled(); | ||
| 261 | } | ||
| 262 | |||
| 263 | /** | ||
| 264 | * {@inheritdoc} | ||
| 265 | */ | ||
| 266 | public function isEmailAuthEnabled(): bool | ||
| 250 | { | 267 | { |
| 251 | return $this->twoFactorAuthentication; | 268 | return $this->emailTwoFactor; |
| 252 | } | 269 | } |
| 253 | 270 | ||
| 254 | public function getEmailAuthCode() | 271 | /** |
| 272 | * {@inheritdoc} | ||
| 273 | */ | ||
| 274 | public function getEmailAuthCode(): string | ||
| 255 | { | 275 | { |
| 256 | return $this->authCode; | 276 | return $this->authCode; |
| 257 | } | 277 | } |
| 258 | 278 | ||
| 259 | public function setEmailAuthCode($authCode) | 279 | /** |
| 280 | * {@inheritdoc} | ||
| 281 | */ | ||
| 282 | public function setEmailAuthCode(string $authCode): void | ||
| 260 | { | 283 | { |
| 261 | $this->authCode = $authCode; | 284 | $this->authCode = $authCode; |
| 262 | } | 285 | } |
| 263 | 286 | ||
| 264 | public function addTrustedComputer($token, \DateTime $validUntil) | 287 | /** |
| 288 | * {@inheritdoc} | ||
| 289 | */ | ||
| 290 | public function getEmailAuthRecipient(): string | ||
| 265 | { | 291 | { |
| 266 | $this->trusted[$token] = $validUntil->format('r'); | 292 | return $this->email; |
| 267 | } | 293 | } |
| 268 | 294 | ||
| 269 | public function isTrustedComputer($token) | 295 | /** |
| 296 | * {@inheritdoc} | ||
| 297 | */ | ||
| 298 | public function isGoogleAuthenticatorEnabled(): bool | ||
| 270 | { | 299 | { |
| 271 | if (isset($this->trusted[$token])) { | 300 | return $this->googleAuthenticatorSecret ? true : false; |
| 272 | $now = new \DateTime(); | 301 | } |
| 273 | $validUntil = new \DateTime($this->trusted[$token]); | ||
| 274 | 302 | ||
| 275 | return $now < $validUntil; | 303 | /** |
| 276 | } | 304 | * {@inheritdoc} |
| 305 | */ | ||
| 306 | public function getGoogleAuthenticatorUsername(): string | ||
| 307 | { | ||
| 308 | return $this->username; | ||
| 309 | } | ||
| 277 | 310 | ||
| 278 | return false; | 311 | /** |
| 312 | * {@inheritdoc} | ||
| 313 | */ | ||
| 314 | public function getGoogleAuthenticatorSecret(): string | ||
| 315 | { | ||
| 316 | return $this->googleAuthenticatorSecret; | ||
| 317 | } | ||
| 318 | |||
| 319 | /** | ||
| 320 | * {@inheritdoc} | ||
| 321 | */ | ||
| 322 | public function setGoogleAuthenticatorSecret(?string $googleAuthenticatorSecret): void | ||
| 323 | { | ||
| 324 | $this->googleAuthenticatorSecret = $googleAuthenticatorSecret; | ||
| 325 | } | ||
| 326 | |||
| 327 | public function setBackupCodes(array $codes = null) | ||
| 328 | { | ||
| 329 | $this->backupCodes = $codes; | ||
| 330 | } | ||
| 331 | |||
| 332 | public function getBackupCodes() | ||
| 333 | { | ||
| 334 | return $this->backupCodes; | ||
| 335 | } | ||
| 336 | |||
| 337 | /** | ||
| 338 | * {@inheritdoc} | ||
| 339 | */ | ||
| 340 | public function isBackupCode(string $code): bool | ||
| 341 | { | ||
| 342 | return false === $this->findBackupCode($code) ? false : true; | ||
| 343 | } | ||
| 344 | |||
| 345 | /** | ||
| 346 | * {@inheritdoc} | ||
| 347 | */ | ||
| 348 | public function invalidateBackupCode(string $code): void | ||
| 349 | { | ||
| 350 | $key = $this->findBackupCode($code); | ||
| 351 | |||
| 352 | if (false !== $key) { | ||
| 353 | unset($this->backupCodes[$key]); | ||
| 354 | } | ||
| 279 | } | 355 | } |
| 280 | 356 | ||
| 281 | /** | 357 | /** |
| @@ -309,4 +385,24 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf | |||
| 309 | return $this->clients->first(); | 385 | return $this->clients->first(); |
| 310 | } | 386 | } |
| 311 | } | 387 | } |
| 388 | |||
| 389 | /** | ||
| 390 | * Try to find a backup code from the list of backup codes of the current user. | ||
| 391 | * | ||
| 392 | * @param string $code Given code from the user | ||
| 393 | * | ||
| 394 | * @return string|false | ||
| 395 | */ | ||
| 396 | private function findBackupCode(string $code) | ||
| 397 | { | ||
| 398 | foreach ($this->backupCodes as $key => $backupCode) { | ||
| 399 | // backup code are hashed using `password_hash` | ||
| 400 | // see ConfigController->otpAppAction | ||
| 401 | if (password_verify($code, $backupCode)) { | ||
| 402 | return $key; | ||
| 403 | } | ||
| 404 | } | ||
| 405 | |||
| 406 | return false; | ||
| 407 | } | ||
| 312 | } | 408 | } |
diff --git a/src/Wallabag/UserBundle/Form/UserType.php b/src/Wallabag/UserBundle/Form/UserType.php index 56fea640..026db9a2 100644 --- a/src/Wallabag/UserBundle/Form/UserType.php +++ b/src/Wallabag/UserBundle/Form/UserType.php | |||
| @@ -35,9 +35,14 @@ class UserType extends AbstractType | |||
| 35 | 'required' => false, | 35 | 'required' => false, |
| 36 | 'label' => 'user.form.enabled_label', | 36 | 'label' => 'user.form.enabled_label', |
| 37 | ]) | 37 | ]) |
| 38 | ->add('twoFactorAuthentication', CheckboxType::class, [ | 38 | ->add('emailTwoFactor', CheckboxType::class, [ |
| 39 | 'required' => false, | 39 | 'required' => false, |
| 40 | 'label' => 'user.form.twofactor_label', | 40 | 'label' => 'user.form.twofactor_email_label', |
| 41 | ]) | ||
| 42 | ->add('googleTwoFactor', CheckboxType::class, [ | ||
| 43 | 'required' => false, | ||
| 44 | 'label' => 'user.form.twofactor_google_label', | ||
| 45 | 'mapped' => false, | ||
| 41 | ]) | 46 | ]) |
| 42 | ->add('save', SubmitType::class, [ | 47 | ->add('save', SubmitType::class, [ |
| 43 | 'label' => 'user.form.save', | 48 | 'label' => 'user.form.save', |
diff --git a/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php b/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php index aed805c9..2797efde 100644 --- a/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php +++ b/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php | |||
| @@ -78,7 +78,7 @@ class AuthCodeMailer implements AuthCodeMailerInterface | |||
| 78 | * | 78 | * |
| 79 | * @param TwoFactorInterface $user | 79 | * @param TwoFactorInterface $user |
| 80 | */ | 80 | */ |
| 81 | public function sendAuthCode(TwoFactorInterface $user) | 81 | public function sendAuthCode(TwoFactorInterface $user): void |
| 82 | { | 82 | { |
| 83 | $template = $this->twig->loadTemplate('WallabagUserBundle:TwoFactor:email_auth_code.html.twig'); | 83 | $template = $this->twig->loadTemplate('WallabagUserBundle:TwoFactor:email_auth_code.html.twig'); |
| 84 | 84 | ||
| @@ -97,7 +97,7 @@ class AuthCodeMailer implements AuthCodeMailerInterface | |||
| 97 | 97 | ||
| 98 | $message = new \Swift_Message(); | 98 | $message = new \Swift_Message(); |
| 99 | $message | 99 | $message |
| 100 | ->setTo($user->getEmail()) | 100 | ->setTo($user->getEmailAuthRecipient()) |
| 101 | ->setFrom($this->senderEmail, $this->senderName) | 101 | ->setFrom($this->senderEmail, $this->senderName) |
| 102 | ->setSubject($subject) | 102 | ->setSubject($subject) |
| 103 | ->setBody($bodyText, 'text/plain') | 103 | ->setBody($bodyText, 'text/plain') |
diff --git a/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig b/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig index c8471bdd..47a5cb78 100644 --- a/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig +++ b/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig | |||
| @@ -1,7 +1,8 @@ | |||
| 1 | {# Override `vendor/scheb/two-factor-bundle/Resources/views/Authentication/form.html.twig` #} | ||
| 1 | {% extends "WallabagUserBundle::layout.html.twig" %} | 2 | {% extends "WallabagUserBundle::layout.html.twig" %} |
| 2 | 3 | ||
| 3 | {% block fos_user_content %} | 4 | {% block fos_user_content %} |
| 4 | <form class="form" action="" method="post"> | 5 | <form class="form" action="{{ path("2fa_login_check") }}" method="post"> |
| 5 | <div class="card-content"> | 6 | <div class="card-content"> |
| 6 | <div class="row"> | 7 | <div class="row"> |
| 7 | 8 | ||
| @@ -9,14 +10,19 @@ | |||
| 9 | <p class="error">{{ flashMessage|trans }}</p> | 10 | <p class="error">{{ flashMessage|trans }}</p> |
| 10 | {% endfor %} | 11 | {% endfor %} |
| 11 | 12 | ||
| 13 | {# Authentication errors #} | ||
| 14 | {% if authenticationError %} | ||
| 15 | <p class="error">{{ authenticationError|trans(authenticationErrorData) }}</p> | ||
| 16 | {% endif %} | ||
| 17 | |||
| 12 | <div class="input-field col s12"> | 18 | <div class="input-field col s12"> |
| 13 | <label for="_auth_code">{{ "scheb_two_factor.auth_code"|trans }}</label> | 19 | <label for="_auth_code">{{ "scheb_two_factor.auth_code"|trans }}</label> |
| 14 | <input id="_auth_code" type="text" autocomplete="off" name="_auth_code" /> | 20 | <input id="_auth_code" type="text" autocomplete="off" name="{{ authCodeParameterName }}" /> |
| 15 | </div> | 21 | </div> |
| 16 | 22 | ||
| 17 | {% if useTrustedOption %} | 23 | {% if displayTrustedOption %} |
| 18 | <div class="input-field col s12"> | 24 | <div class="input-field col s12"> |
| 19 | <input id="_trusted" type="checkbox" name="_trusted" /> | 25 | <input id="_trusted" type="checkbox" name="{{ trustedParameterName }}" /> |
| 20 | <label for="_trusted">{{ "scheb_two_factor.trusted"|trans }}</label> | 26 | <label for="_trusted">{{ "scheb_two_factor.trusted"|trans }}</label> |
| 21 | </div> | 27 | </div> |
| 22 | {% endif %} | 28 | {% endif %} |
diff --git a/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig b/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig index 3ffd15f5..2de8f3a5 100644 --- a/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig +++ b/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig | |||
| @@ -50,9 +50,14 @@ | |||
| 50 | {% if twofactor_auth %} | 50 | {% if twofactor_auth %} |
| 51 | <div class="row"> | 51 | <div class="row"> |
| 52 | <div class="input-field col s12"> | 52 | <div class="input-field col s12"> |
| 53 | {{ form_widget(edit_form.twoFactorAuthentication) }} | 53 | {{ form_widget(edit_form.emailTwoFactor) }} |
| 54 | {{ form_label(edit_form.twoFactorAuthentication) }} | 54 | {{ form_label(edit_form.emailTwoFactor) }} |
| 55 | {{ form_errors(edit_form.twoFactorAuthentication) }} | 55 | {{ form_errors(edit_form.emailTwoFactor) }} |
| 56 | </div> | ||
| 57 | <div class="input-field col s12"> | ||
| 58 | {{ form_widget(edit_form.googleTwoFactor) }} | ||
| 59 | {{ form_label(edit_form.googleTwoFactor) }} | ||
| 60 | {{ form_errors(edit_form.googleTwoFactor) }} | ||
| 56 | </div> | 61 | </div> |
| 57 | </div> | 62 | </div> |
| 58 | {% endif %} | 63 | {% endif %} |