snappymail/plugins/two-factor-auth/index.php

363 lines
10 KiB
PHP
Raw Normal View History

2021-04-13 17:42:06 +08:00
<?php
use \RainLoop\Exceptions\ClientException;
2021-11-18 20:51:11 +08:00
use \RainLoop\Model\MainAccount;
2021-04-13 17:42:06 +08:00
class TwoFactorAuthPlugin extends \RainLoop\Plugins\AbstractPlugin
{
const
NAME = 'Two Factor Authentication',
2023-04-11 19:57:28 +08:00
VERSION = '2.16.2',
RELEASE = '2023-04-11',
2022-05-20 18:36:30 +08:00
REQUIRED = '2.15.2',
2021-04-14 16:11:09 +08:00
CATEGORY = 'Login',
DESCRIPTION = 'Provides support for TOTP 2FA';
2021-04-13 17:42:06 +08:00
public function Init() : void
{
$this->UseLangs(true);
2021-07-23 19:36:38 +08:00
$this->addJs('js/TwoFactorAuthLogin.js');
2021-04-13 17:42:06 +08:00
$this->addJs('js/TwoFactorAuthSettings.js');
2021-04-14 21:24:57 +08:00
2021-04-14 21:33:37 +08:00
$this->addHook('login.success', 'DoLogin');
$this->addHook('filter.app-data', 'FilterAppData');
2021-04-13 17:42:06 +08:00
$this->addJsonHook('GetTwoFactorInfo', 'DoGetTwoFactorInfo');
$this->addJsonHook('CreateTwoFactorSecret', 'DoCreateTwoFactorSecret');
$this->addJsonHook('ShowTwoFactorSecret', 'DoShowTwoFactorSecret');
$this->addJsonHook('EnableTwoFactor', 'DoEnableTwoFactor');
2021-04-14 16:11:09 +08:00
$this->addJsonHook('VerifyTwoFactorCode', 'DoVerifyTwoFactorCode');
2021-04-13 17:42:06 +08:00
$this->addJsonHook('ClearTwoFactorInfo', 'DoClearTwoFactorInfo');
$this->addTemplate('templates/TwoFactorAuthSettings.html');
$this->addTemplate('templates/PopupsTwoFactorAuthTest.html');
}
public function configMapping() : array
{
return [
\RainLoop\Plugins\Property::NewInstance("force_two_factor_auth")
// ->SetLabel('PLUGIN_TWO_FACTOR/LABEL_FORCE')
->SetLabel('Enforce 2-Step Verification')
->SetType(\RainLoop\Enumerations\PluginPropertyType::BOOL),
];
}
public function FilterAppData($bAdmin, &$aResult)
{
if (!$bAdmin && \is_array($aResult)/* && isset($aResult['Auth']) && !$aResult['Auth']*/) {
2022-04-29 19:23:04 +08:00
$aResult['RequireTwoFactor'] = (bool) $this->Config()->Get('plugin', 'force_two_factor_auth', false);
$aResult['SetupTwoFactor'] = false;
if ($aResult['RequireTwoFactor'] && !empty($aResult['Auth'])) {
$aData = $this->getTwoFactorInfo($this->getMainAccountFromToken());
2022-05-20 18:36:30 +08:00
$aResult['SetupTwoFactor'] = empty($aData['IsSet']) || empty($aData['Enable']) || empty($aData['Secret']);
2022-04-29 19:23:04 +08:00
}
}
}
2021-11-18 20:51:11 +08:00
public function DoLogin(MainAccount $oAccount)
2021-04-14 21:24:57 +08:00
{
2021-04-14 21:33:37 +08:00
if ($this->TwoFactorAuthProvider($oAccount)) {
2021-04-14 21:24:57 +08:00
$aData = $this->getTwoFactorInfo($oAccount);
2022-04-29 19:23:04 +08:00
if (isset($aData['IsSet'], $aData['Enable']) && !empty($aData['Secret']) && $aData['IsSet'] && $aData['Enable']) {
2021-07-23 19:36:38 +08:00
$sCode = \trim($this->jsonParam('totp_code', ''));
if (empty($sCode)) {
2021-11-18 20:51:11 +08:00
$this->Logger()->Write("TFA: Code required for {$oAccount->Email()}");
2021-07-23 22:18:23 +08:00
throw new ClientException(\RainLoop\Notifications::AuthError);
2021-07-23 21:58:54 +08:00
}
2021-04-14 21:24:57 +08:00
2021-07-23 21:58:54 +08:00
$bUseBackupCode = false;
if (6 < \strlen($sCode) && !empty($aData['BackupCodes'])) {
$aBackupCodes = \explode(' ', \trim(\preg_replace('/[^\d]+/', ' ', $aData['BackupCodes'])));
$bUseBackupCode = \in_array($sCode, $aBackupCodes);
if ($bUseBackupCode) {
2021-11-18 20:51:11 +08:00
$this->removeBackupCodeFromTwoFactorInfo($oAccount->Email(), $sCode);
2021-07-23 19:36:38 +08:00
}
2021-07-23 21:58:54 +08:00
}
2021-04-14 21:24:57 +08:00
2021-07-23 21:58:54 +08:00
if (!$bUseBackupCode && !$this->TwoFactorAuthProvider($oAccount)->VerifyCode($aData['Secret'], $sCode)) {
$this->Manager()->Actions()->LoggerAuthHelper($oAccount);
2021-11-18 20:51:11 +08:00
$this->Logger()->Write("TFA: Code failed for {$oAccount->Email()}");
2021-07-23 22:18:23 +08:00
throw new ClientException(\RainLoop\Notifications::AuthError);
2021-04-14 21:24:57 +08:00
}
2021-11-18 20:51:11 +08:00
$this->Logger()->Write("TFA: Code verified for {$oAccount->Email()}");
2021-04-14 21:24:57 +08:00
}
}
}
2021-04-13 17:42:06 +08:00
public function DoGetTwoFactorInfo() : array
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, $this->getTwoFactorInfo($oAccount, true));
2021-04-13 17:42:06 +08:00
}
public function DoCreateTwoFactorSecret() : array
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
2021-11-18 20:51:11 +08:00
$sEmail = $oAccount->Email();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
$sSecret = $this->TwoFactorAuthProvider($oAccount)->CreateSecret();
2021-04-13 17:42:06 +08:00
$aCodes = array();
for ($iIndex = 9; $iIndex > 0; $iIndex--)
{
$aCodes[] = \rand(100000000, 900000000);
}
$this->StorageProvider()->Put($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor',
2022-03-04 18:53:36 +08:00
\json_encode(array(
2021-04-13 17:42:06 +08:00
'User' => $sEmail,
'Enable' => false,
'Secret' => $sSecret,
2022-04-25 21:20:37 +08:00
'QRCode' => static::getQRCode($sEmail, $sSecret),
2021-04-13 17:42:06 +08:00
'BackupCodes' => \implode(' ', $aCodes)
))
);
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, $this->getTwoFactorInfo($oAccount));
2021-04-13 17:42:06 +08:00
}
2022-04-25 21:20:37 +08:00
private static function getQRCode(string $email, string $secret) : string
{
$email = \rawurlencode($email);
// $issuer = \rawurlencode(\RainLoop\API::Config()->Get('webmail', 'title', 'SnappyMail'));
$QR = \SnappyMail\QRCode::getMinimumQRCode(
// "otpauth://totp/{$issuer}:{$email}?secret={$secret}&issuer={$issuer}",
"otpauth://totp/{$email}?secret={$secret}",
\SnappyMail\QRCode::ERROR_CORRECT_LEVEL_M
);
return $QR->__toString();
}
2021-04-13 17:42:06 +08:00
public function DoShowTwoFactorSecret() : array
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
$aResult = $this->getTwoFactorInfo($oAccount);
unset($aResult['BackupCodes']);
2022-04-25 21:20:37 +08:00
$aResult['QRCode'] = static::getQRCode($oAccount->Email(), $aResult['Secret']);
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, $aResult);
2021-04-13 17:42:06 +08:00
}
public function DoEnableTwoFactor() : array
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
2023-04-11 19:57:28 +08:00
$oActions = $this->Manager()->Actions();
if ($oActions->HasActionParam('EnableTwoFactor')) {
$sValue = $oActions->GetActionParam('EnableTwoFactor', '');
$oActions->SettingsProvider()->Load($oAccount)->SetConf('EnableTwoFactor', !empty($sValue));
2021-04-14 21:24:57 +08:00
}
2021-04-13 17:42:06 +08:00
2021-11-18 20:51:11 +08:00
$sEmail = $oAccount->Email();
2021-04-13 17:42:06 +08:00
$bResult = false;
$mData = $this->getTwoFactorInfo($oAccount);
if (isset($mData['Secret'], $mData['BackupCodes']))
{
$bResult = $this->StorageProvider()->Put($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor',
2022-03-04 18:53:36 +08:00
\json_encode(array(
2021-04-13 17:42:06 +08:00
'User' => $sEmail,
'Enable' => '1' === \trim($this->jsonParam('Enable', '0')),
'Secret' => $mData['Secret'],
'BackupCodes' => $mData['BackupCodes']
))
);
}
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, $bResult);
2021-04-13 17:42:06 +08:00
}
2021-04-14 16:11:09 +08:00
public function DoVerifyTwoFactorCode() : array
2021-04-13 17:42:06 +08:00
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
$sCode = \trim($this->jsonParam('Code', ''));
$aData = $this->getTwoFactorInfo($oAccount);
$sSecret = !empty($aData['Secret']) ? $aData['Secret'] : '';
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__,
2021-04-14 21:24:57 +08:00
$this->TwoFactorAuthProvider($oAccount)->VerifyCode($sSecret, $sCode));
2021-04-13 17:42:06 +08:00
}
public function DoClearTwoFactorInfo() : array
{
2021-11-18 20:51:11 +08:00
$oAccount = $this->getMainAccountFromToken();
2021-04-13 17:42:06 +08:00
2021-04-14 21:24:57 +08:00
if (!$this->TwoFactorAuthProvider($oAccount)) {
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, false);
2021-04-13 17:42:06 +08:00
}
$this->StorageProvider()->Clear($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor'
);
2021-07-23 19:36:38 +08:00
return $this->jsonResponse(__FUNCTION__, $this->getTwoFactorInfo($oAccount, true));
2021-04-14 21:24:57 +08:00
}
2021-07-23 21:58:54 +08:00
protected function Logger() : \MailSo\Log\Logger
2021-04-14 21:24:57 +08:00
{
return $this->Manager()->Actions()->Logger();
}
2021-11-18 20:51:11 +08:00
protected function getMainAccountFromToken() : MainAccount
2021-04-14 21:24:57 +08:00
{
2021-11-18 20:51:11 +08:00
return $this->Manager()->Actions()->getMainAccountFromToken();
2021-04-14 21:24:57 +08:00
}
protected function StorageProvider() : \RainLoop\Providers\Storage
{
return $this->Manager()->Actions()->StorageProvider();
2021-04-13 17:42:06 +08:00
}
2021-04-14 21:24:57 +08:00
private $oTwoFactorAuthProvider;
2021-11-18 20:51:11 +08:00
protected function TwoFactorAuthProvider(MainAccount $oAccount) : ?TwoFactorAuthInterface
2021-04-13 17:42:06 +08:00
{
2021-07-23 19:36:38 +08:00
if (!$this->oTwoFactorAuthProvider) {
2021-04-13 17:42:06 +08:00
require __DIR__ . '/providers/interface.php';
require __DIR__ . '/providers/totp.php';
$this->oTwoFactorAuthProvider = new TwoFactorAuthTotp();
}
return $this->oTwoFactorAuthProvider;
}
2021-11-18 20:51:11 +08:00
protected function getTwoFactorInfo(MainAccount $oAccount, bool $bRemoveSecret = false) : array
2021-04-13 17:42:06 +08:00
{
2021-11-18 20:51:11 +08:00
$sEmail = $oAccount->Email();
2021-04-13 17:42:06 +08:00
$mData = null;
$aResult = array(
'User' => '',
'IsSet' => false,
'Enable' => false,
'Secret' => '',
'BackupCodes' => ''
);
if (!empty($sEmail))
{
$aResult['User'] = $sEmail;
$sData = $this->StorageProvider()->Get($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor'
);
if ($sData)
{
2022-03-04 18:53:36 +08:00
$mData = static::DecodeKeyValues($sData);
2021-04-13 17:42:06 +08:00
}
}
if (!empty($aResult['User']) &&
!empty($mData['User']) && !empty($mData['Secret']) &&
!empty($mData['BackupCodes']) && $sEmail === $mData['User'])
{
$aResult['IsSet'] = true;
$aResult['Enable'] = isset($mData['Enable']) ? !!$mData['Enable'] : false;
$aResult['Secret'] = $mData['Secret'];
$aResult['BackupCodes'] = $mData['BackupCodes'];
2022-04-25 21:20:37 +08:00
$aResult['QRCode'] = static::getQRCode($oAccount->Email(), $mData['Secret']);
2021-04-13 17:42:06 +08:00
}
if ($bRemoveSecret)
{
if (isset($aResult['Secret']))
{
unset($aResult['Secret']);
}
if (isset($aResult['BackupCodes']))
{
unset($aResult['BackupCodes']);
}
}
return $aResult;
}
2021-11-18 20:51:11 +08:00
protected function removeBackupCodeFromTwoFactorInfo(MainAccount $oAccount, string $sCode) : bool
2021-04-13 17:42:06 +08:00
{
if (!$oAccount || empty($sCode))
{
return false;
}
$sData = $this->StorageProvider()->Get($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor'
);
if ($sData)
{
2022-03-04 18:53:36 +08:00
$mData = static::DecodeKeyValues($sData);
2021-04-13 17:42:06 +08:00
if (!empty($mData['BackupCodes']))
{
$sBackupCodes = \preg_replace('/[^\d]+/', ' ', ' '.$mData['BackupCodes'].' ');
$sBackupCodes = \str_replace(' '.$sCode.' ', '', $sBackupCodes);
$mData['BackupCodes'] = \trim(\preg_replace('/[^\d]+/', ' ', $sBackupCodes));
return $this->StorageProvider()->Put($oAccount,
\RainLoop\Providers\Storage\Enumerations\StorageType::CONFIG,
'two_factor',
2022-03-04 18:53:36 +08:00
\json_encode($mData)
2021-04-13 17:42:06 +08:00
);
}
}
return false;
}
2022-03-04 18:53:36 +08:00
private static function DecodeKeyValues(string $sData) : array
{
if (!\str_contains($sData, 'User')) {
$sData = \MailSo\Base\Utils::UrlSafeBase64Decode($sData);
if (!\strlen($sData)) {
return '';
}
$sKey = \md5(APP_SALT);
$sData = \is_callable('xxtea_decrypt')
? \xxtea_decrypt($sData, $sKey)
: \MailSo\Base\Xxtea::decrypt($sData, $sKey);
}
try {
return \json_decode($sData, true, 512, JSON_THROW_ON_ERROR) ?: array();
} catch (\Throwable $e) {
return \unserialize($sData) ?: array();
}
}
2021-04-13 17:42:06 +08:00
}