From 4654a83b6438b88e3b7062a21d18999d9df2fb8e Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Wed, 23 Jan 2019 14:43:39 +0100
Subject: Hash backup codes in the database using `password_hash`
---
 .../CoreBundle/Controller/ConfigController.php | 21 ++++++++++++-------
 .../views/themes/baggy/Config/otp_app.html.twig | 2 +-
 .../views/themes/material/Config/otp_app.html.twig | 2 +-
 src/Wallabag/UserBundle/Entity/User.php | 24 ++++++++++++++++++++--
 4 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index ed92c999..9257ab18 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -197,18 +197,25 @@ class ConfigController extends Controller
 }
 $user = $this->getUser();
+ $secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
- if (!$user->isGoogleTwoFactor()) {
- $secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
+ $user->setGoogleAuthenticatorSecret($secret);
+ $user->setEmailTwoFactor(false);
- $user->setGoogleAuthenticatorSecret($secret);
- $user->setEmailTwoFactor(false);
- $user->setBackupCodes((new BackupCodes())->toArray());
+ $backupCodes = (new BackupCodes())->toArray();
+ $backupCodesHashed = array_map(
+ function ($backupCode) {
+ return password_hash($backupCode, PASSWORD_DEFAULT);
+ },
+ $backupCodes
+ );
- $this->container->get('fos_user.user_manager')->updateUser($user, true);
- }
+ $user->setBackupCodes($backupCodesHashed);
+
+ $this->container->get('fos_user.user_manager')->updateUser($user, true);
 return $this->render('WallabagCoreBundle:Config:otp_app.html.twig', [
+ 'backupCodes' => $backupCodes,
 'qr_code' => $this->get('scheb_two_factor.security.google_authenticator')->getQRContent($user),
 ]);
 }
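Review bot: Dropping the `if (!$user->isGoogleTwoFactor())` guard means every request that reaches this action now generates a new secret, replaces the backup codes and persists the user, so a plain reload of the page silently invalidates an authenticator app that was already enrolled and any codes the user had written down. That is presumably the price of showing the plaintext codes only once, but the rotation should be an explicit, confirmed step (a POST with a CSRF token) rather than a side effect of rendering; if the route also answers GET, which is outside this hunk, a cross-origin request could trigger the rotation and lock the user out without ever seeing the response. A comment above `$backupCodes = (new BackupCodes())->toArray();` such as `// plaintext codes are shown to the user exactly once; only the hashes are persisted` would record the intent for the next reader. The closure does not use `$this`, so `static function ($backupCode) {` is the idiomatic form. The enclosing method starts before the hunk.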
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
index 2e4442e3..0919646e 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
@@ -20,7 +20,7 @@
  • {{ 'config.otp.app.two_factor_code_description_3'|trans }}

    -

    {{ app.user.getBackupCodes|join("\n")|nl2br }}

    +

    {{ backupCodes|join("\n")|nl2br }}

  • {{ 'config.otp.app.two_factor_code_description_4'|trans }}

diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
index 6aef355e..7875d787 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
@@ -24,7 +24,7 @@
  • {{ 'config.otp.app.two_factor_code_description_3'|trans }}

    -

    {{ app.user.getBackupCodes|join("\n")|nl2br }}

    +

    {{ backupCodes|join("\n")|nl2br }}

  • {{ 'config.otp.app.two_factor_code_description_4'|trans }}

diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index ab34e2bf..43fa6a80 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 */
 public function isBackupCode(string $code): bool
 {
- return \in_array($code, $this->backupCodes, true);
+ return false === $this->findBackupCode($code) ? false : true;
 }
 /**
@@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 */
 public function invalidateBackupCode(string $code): void
 {
- $key = array_search($code, $this->backupCodes, true);
+ $key = $this->findBackupCode($code);
 if (false !== $key) {
 unset($this->backupCodes[$key]);
@@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 return $this->clients->first();
 }
 }
+
+ /**
+ * Try to find a backup code from the list of backup codes of the current user.
+ *
+ * @param string $code Given code from the user
+ *
+ * @return string|false
+ */
+ private function findBackupCode(string $code)
+ {
+ foreach ($this->backupCodes as $key => $backupCode) {
+ // backup code are hashed using `password_hash`
+ // see ConfigController->otpAppAction
+ if (password_verify($code, $backupCode)) {
+ return $key;
+ }
+ }
+
+ return false;
+ }
 }
--
cgit v1.2.3
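Review bot: `return false === $this->findBackupCode($code) ? false : true;` in isBackupCode is a ternary that maps a boolean onto itself; `return false !== $this->findBackupCode($code);` says the same thing and keeps the strict comparison, which matters because a key of 0 is a valid hit and must not be treated as "not found". invalidateBackupCode in the next hunk already uses the strict `false !== $key` form, so the two callers would then read alike. The docblock above isBackupCode starts before the hunk.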
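Review bot: The docblock `@return string|false` on findBackupCode does not match what it returns: `$key` is an array key of `$this->backupCodes`, an int for a list, so `@return int|string|false` is the accurate form. Two consequences of the verification loop deserve a comment next to `password_verify`: a value stored in plaintext before this change never verifies, so users who enrolled earlier lose their existing backup codes until they regenerate them unless a migration outside this diff rehashes them; and a wrong code now costs one password-hash verification per stored code, so this path should sit behind the same attempt limiting as the password form. Something like `// codes stored before hashing was introduced will not verify; the user has to regenerate them` would record the first point. The header of class User is outside the hunk; its closing brace is the hunk's last context line.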