discourse/app/models/concerns/second_factor_manager.rb

# frozen_string_literal: true

module SecondFactorManager
  extend ActiveSupport::Concern

  def create_totp(opts = {})
    UserSecondFactor.create!({
                               user_id: self.id,
                               method: UserSecondFactor.methods[:totp],
                               data: ROTP::Base32.random_base32
                             }.merge(opts))
  end

  def get_totp_object(data)
    ROTP::TOTP.new(data, issuer: SiteSetting.title)
  end

  def totp_provisioning_uri(data)
    get_totp_object(data).provisioning_uri(self.email)
  end

  def authenticate_totp(token)
    totps = self&.user_second_factors.totps
    authenticated = false
    totps.each do |totp|

      last_used = 0

      if totp.last_used
        last_used = totp.last_used.to_i
      end

      authenticated = !token.blank? && totp.get_totp_object.verify_with_drift_and_prior(token, 30, last_used)
      if authenticated
        totp.update!(last_used: DateTime.now)
        break
      end
    end
    !!authenticated
  end

  def totp_enabled?
    !SiteSetting.enable_sso &&
      SiteSetting.enable_local_logins &&
      self&.user_second_factors.totps.exists?
  end

  def backup_codes_enabled?
    !SiteSetting.enable_sso &&
      SiteSetting.enable_local_logins &&
      self&.user_second_factors.backup_codes.exists?
  end

  def remaining_backup_codes
    self&.user_second_factors&.backup_codes&.count
  end

  def authenticate_second_factor(token, second_factor_method)
    if second_factor_method == UserSecondFactor.methods[:totp]
      authenticate_totp(token)
    elsif second_factor_method == UserSecondFactor.methods[:backup_codes]
      authenticate_backup_code(token)
    end
  end

  def generate_backup_codes
    codes = []
    10.times do
      codes << SecureRandom.hex(8)
    end

    codes_json = codes.map do |code|
      salt = SecureRandom.hex(16)
      { salt: salt,
        code_hash: hash_backup_code(code, salt)
      }
    end

    if self.user_second_factors.backup_codes.empty?
      create_backup_codes(codes_json)
    else
      self.user_second_factors.where(method: UserSecondFactor.methods[:backup_codes]).destroy_all
      create_backup_codes(codes_json)
    end

    codes
  end

  def create_backup_codes(codes)
    codes.each do |code|
      UserSecondFactor.create!(
        user_id: self.id,
        data: code.to_json,
        enabled: true,
        method: UserSecondFactor.methods[:backup_codes]
      )
    end
  end

  def authenticate_backup_code(backup_code)
    if !backup_code.blank?
      codes = self&.user_second_factors&.backup_codes

      codes.each do |code|
        stored_code = JSON.parse(code.data)["code_hash"]
        stored_salt = JSON.parse(code.data)["salt"]
        backup_hash = hash_backup_code(backup_code, stored_salt)
        next unless backup_hash == stored_code

        code.update(enabled: false, last_used: DateTime.now)
        return true
      end
      false
    end
    false
  end

  def hash_backup_code(code, salt)
    Pbkdf2.hash_password(code, salt, Rails.configuration.pbkdf2_iterations, Rails.configuration.pbkdf2_algorithm)
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`module SecondFactorManager`
			`extend ActiveSupport::Concern`

FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`def create_totp(opts = {})`
			`UserSecondFactor.create!({`
			`user_id: self.id,`
			`method: UserSecondFactor.methods[:totp],`
			`data: ROTP::Base32.random_base32`
			`}.merge(opts))`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`end`

FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`def get_totp_object(data)`
			`ROTP::TOTP.new(data, issuer: SiteSetting.title)`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`end`

FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`def totp_provisioning_uri(data)`
			`get_totp_object(data).provisioning_uri(self.email)`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`end`

			`def authenticate_totp(token)`
FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`totps = self&.user_second_factors.totps`
			`authenticated = false`
			`totps.each do \|totp\|`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00
FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`last_used = 0`

			`if totp.last_used`
			`last_used = totp.last_used.to_i`
			`end`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00
FEATURE: add ability to have multiple totp factors (#7626) Adds a second factor landing page that centralizes a user's second factor configuration. This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session. 2019-06-27 07:58:06 +08:00			`authenticated = !token.blank? && totp.get_totp_object.verify_with_drift_and_prior(token, 30, last_used)`
			`if authenticated`
			`totp.update!(last_used: DateTime.now)`
			`break`
			`end`
			`end`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`!!authenticated`
			`end`

			`def totp_enabled?`
PERF: Avoid loading ActiveRecord objects when checking for second factor. * Eliminate DB query for sites without local logins and sites that has SSO enabled. 2019-03-15 15:02:04 +08:00			`!SiteSetting.enable_sso &&`
			`SiteSetting.enable_local_logins &&`
			`self&.user_second_factors.totps.exists?`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`end`
FEATURE: Second factor backup 2018-06-28 16:12:32 +08:00
			`def backup_codes_enabled?`
PERF: Avoid loading ActiveRecord objects when checking for second factor. * Eliminate DB query for sites without local logins and sites that has SSO enabled. 2019-03-15 15:02:04 +08:00			`!SiteSetting.enable_sso &&`
			`SiteSetting.enable_local_logins &&`
			`self&.user_second_factors.backup_codes.exists?`
FEATURE: Second factor backup 2018-06-28 16:12:32 +08:00			`end`

FEATURE: shows remaining backup codes in user preferences 2018-07-04 16:45:42 +08:00			`def remaining_backup_codes`
			`self&.user_second_factors&.backup_codes&.count`
			`end`

FEATURE: Second factor backup 2018-06-28 16:12:32 +08:00			`def authenticate_second_factor(token, second_factor_method)`
			`if second_factor_method == UserSecondFactor.methods[:totp]`
			`authenticate_totp(token)`
			`elsif second_factor_method == UserSecondFactor.methods[:backup_codes]`
			`authenticate_backup_code(token)`
			`end`
			`end`

			`def generate_backup_codes`
			`codes = []`
			`10.times do`
			`codes << SecureRandom.hex(8)`
			`end`

			`codes_json = codes.map do \|code\|`
			`salt = SecureRandom.hex(16)`
			`{ salt: salt,`
			`code_hash: hash_backup_code(code, salt)`
			`}`
			`end`

			`if self.user_second_factors.backup_codes.empty?`
			`create_backup_codes(codes_json)`
			`else`
			`self.user_second_factors.where(method: UserSecondFactor.methods[:backup_codes]).destroy_all`
			`create_backup_codes(codes_json)`
			`end`

			`codes`
			`end`

			`def create_backup_codes(codes)`
			`codes.each do \|code\|`
			`UserSecondFactor.create!(`
			`user_id: self.id,`
			`data: code.to_json,`
			`enabled: true,`
			`method: UserSecondFactor.methods[:backup_codes]`
			`)`
			`end`
			`end`

			`def authenticate_backup_code(backup_code)`
			`if !backup_code.blank?`
			`codes = self&.user_second_factors&.backup_codes`

			`codes.each do \|code\|`
			`stored_code = JSON.parse(code.data)["code_hash"]`
			`stored_salt = JSON.parse(code.data)["salt"]`
			`backup_hash = hash_backup_code(backup_code, stored_salt)`
			`next unless backup_hash == stored_code`

			`code.update(enabled: false, last_used: DateTime.now)`
			`return true`
			`end`
			`false`
			`end`
			`false`
			`end`

			`def hash_backup_code(code, salt)`
			`Pbkdf2.hash_password(code, salt, Rails.configuration.pbkdf2_iterations, Rails.configuration.pbkdf2_algorithm)`
			`end`
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3. 2018-02-20 14:44:51 +08:00			`end`