Added TOTP verification upon access

2025-07-30 04:23:11 +03:00 · 2021-08-02 15:04:43 +01:00
parent 1af5bbf3f7
commit a3f19ebe96
8 changed files with 146 additions and 17 deletions
--- a/app/Auth/Access/LoginService.php
+++ b/app/Auth/Access/LoginService.php
@ -70,7 +70,7 @@ class LoginService
     */
    public function reattemptLoginFor(User $user, string $method)
    {
-        if ($user->id !== $this->getLastLoginAttemptUser()) {
+        if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) {
            throw new Exception('Login reattempt user does align with current session state');
        }

--- a/app/Auth/Access/Mfa/MfaValue.php
+++ b/app/Auth/Access/Mfa/MfaValue.php
@ -44,10 +44,24 @@ class MfaValue extends Model
        $mfaVal->save();
    }

+    /**
+     * Easily get the decrypted MFA value for the given user and method.
+     */
+    public static function getValueForUser(User $user, string $method): ?string
+    {
+        /** @var MfaValue $mfaVal */
+        $mfaVal = static::query()
+            ->where('user_id', '=', $user->id)
+            ->where('method', '=', $method)
+            ->first();
+
+        return $mfaVal ? $mfaVal->getValue() : null;
+    }
+
    /**
     * Decrypt the value attribute upon access.
     */
-    public function getValue(): string
+    protected function getValue(): string
    {
        return decrypt($this->value);
    }
@ -55,7 +69,7 @@ class MfaValue extends Model
    /**
     * Encrypt the value attribute upon access.
     */
-    public function setValue($value): void
+    protected function setValue($value): void
    {
        $this->value = encrypt($value);
    }
--- a/app/Http/Controllers/Auth/HandlesPartialLogins.php
+++ b/app/Http/Controllers/Auth/HandlesPartialLogins.php
@ -8,6 +8,9 @@ use BookStack\Exceptions\NotFoundException;

 trait HandlesPartialLogins
 {
+    /**
+     * @throws NotFoundException
+     */
    protected function currentOrLastAttemptedUser(): User
    {
        $loginService = app()->make(LoginService::class);
--- a/app/Http/Controllers/Auth/MfaTotpController.php
+++ b/app/Http/Controllers/Auth/MfaTotpController.php
@ -3,6 +3,8 @@
 namespace BookStack\Http\Controllers\Auth;

 use BookStack\Actions\ActivityType;
+use BookStack\Auth\Access\LoginService;
+use BookStack\Auth\Access\Mfa\MfaSession;
 use BookStack\Auth\Access\Mfa\MfaValue;
 use BookStack\Auth\Access\Mfa\TotpService;
 use BookStack\Auth\Access\Mfa\TotpValidationRule;
@ -61,4 +63,27 @@ class MfaTotpController extends Controller

        return redirect('/mfa/setup');
    }
+
+    /**
+     * Verify the MFA method submission on check.
+     * @throws NotFoundException
+     */
+    public function verify(Request $request, LoginService $loginService, MfaSession $mfaSession)
+    {
+        $user = $this->currentOrLastAttemptedUser();
+        $totpSecret = MfaValue::getValueForUser($user, MfaValue::METHOD_TOTP);
+
+        $this->validate($request, [
+            'code' => [
+                'required',
+                'max:12', 'min:4',
+                new TotpValidationRule($totpSecret),
+            ]
+        ]);
+
+        $mfaSession->markVerifiedForUser($user);
+        $loginService->reattemptLoginFor($user, 'mfa-totp');
+
+        return redirect()->intended();
+    }
 }