From 234bb6425021b72f0db71667191b2c36dc593791 Mon Sep 17 00:00:00 2001 From: Mario Date: Wed, 8 Mar 2023 10:04:29 +0000 Subject: port totp mfa from streams with some adjustions --- Zotlabs/Module/Settings/Multifactor.php | 72 +++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Zotlabs/Module/Settings/Multifactor.php (limited to 'Zotlabs/Module/Settings/Multifactor.php') diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php new file mode 100644 index 000000000..e1d8e1c97 --- /dev/null +++ b/Zotlabs/Module/Settings/Multifactor.php 
@@ -0,0 +1,72 @@ +setLabel($account['account_email']); + // $otp->setLabel(rawurlencode(System::get_platform_name())); + $otp->setIssuer(rawurlencode(System::get_platform_name())); + + $mySecret = trim(Base32::encodeUpper(random_bytes(32)), '='); + $otp = TOTP::create($mySecret); + q("UPDATE account set account_external = '%s' where account_id = %d", + dbesc($otp->getSecret()), + intval($account['account_id']) + ); + $account['account_external'] = $otp->getSecret(); + } + + $otp = TOTP::create($account['account_external']); + $otp->setLabel($account['account_email']); + $otp->setIssuer(rawurlencode(System::get_platform_name())); + $uri = $otp->getProvisioningUri(); + return replace_macros(get_markup_template('totp_setup.tpl'), + [ + '$form_security_token' => get_form_security_token("settings_mfa"), + '$title' => t('Multifactor Settings'), + '$totp_setup_text' => t('Multi-Factor Authentication Setup'), + '$secret_text' => t('This is your generated secret. This may be used in some cases if the QR image cannot be read. Please save it.'), + '$test_title' => t('Please enter the code from your authenticator'), + '$qrcode' => (new QRCode())->render($uri), + '$uri' => $uri, + '$secret' => ($account['account_external'] ?? ''), + '$test_pass' => t("That code is correct."), + '$test_fail' => t("Incorrect code."), + '$enable_mfa' => [ + 'enable_mfa', + t('Enable Multi-factor Authentication'), + AConfig::Get($account['account_id'], 'system', 'mfa_enabled'), + '', + [t('No'), t('Yes')] + ], + '$submit' => t('Submit'), + '$test' => t('Test') + ] + ); + } +} -- cgit v1.2.3 From 8af5788fc193a245c8aeed3b554a79baaa1bde3a Mon Sep 17 00:00:00 2001 From: Mario Date: Wed, 8 Mar 2023 17:29:56 +0000 Subject: more mfa cleanup, set the value in session if mfa is enabled and only allow enabling mfa after a test passed --- Zotlabs/Module/Settings/Multifactor.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Module/Settings/Multifactor.php') 
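Review bot: The enrolment view built in `get()` renders the stored secret unconditionally — `'$secret' => ($account['account_external'] ?? '')`, and the same secret again inside `$uri` and the QR image — so, as far as the visible part of the method shows, it is re-displayed on every visit to the settings page even after MFA has been switched on. Anyone who obtains an authenticated session (hijacked cookie, XSS, shared browser) can read the secret and enrol their own authenticator, which collapses the second factor into the first. I would only populate `$secret`, `$uri` and `$qrcode` while `AConfig::Get($account['account_id'], 'system', 'mfa_enabled')` is off, and run the `random_bytes(32)` generation branch again when the user re-enrols instead of reusing the row's existing `account_external` value. Note also that the secret is created and persisted with `q("UPDATE account ...")` from inside `get()`, i.e. a plain GET has a durable side effect. The start of this hunk (class header, `post()` and the opening of `get()`) is not visible in this rendering, so `get()` begins outside what is shown.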
diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php index e1d8e1c97..5ac47be09 100644 --- a/Zotlabs/Module/Settings/Multifactor.php +++ b/Zotlabs/Module/Settings/Multifactor.php @@ -18,6 +18,9 @@ class Multifactor { } $enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false; AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa); + if ($enable_mfa) { + $_SESSION['2FA_VERIFIED'] = true; + } } public function get() { @@ -48,10 +51,11 @@ class Multifactor { return replace_macros(get_markup_template('totp_setup.tpl'), [ '$form_security_token' => get_form_security_token("settings_mfa"), - '$title' => t('Multifactor Settings'), + '$title' => t(' Account Multifactor Settings'), '$totp_setup_text' => t('Multi-Factor Authentication Setup'), - '$secret_text' => t('This is your generated secret. This may be used in some cases if the QR image cannot be read. Please save it.'), + '$secret_text' => t('This is your generated secret. It may be used in some cases if the QR image cannot be read. Please save it.'), '$test_title' => t('Please enter the code from your authenticator'), + '$test_title_sub' => t('You will only be able to enable MFA if the test passes'), '$qrcode' => (new QRCode())->render($uri), '$uri' => $uri, '$secret' => ($account['account_external'] ?? ''), -- cgit v1.2.3 From 203d9d651f799710cc38824312b29ba341f1ea0f Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 9 Mar 2023 15:48:03 +0000 Subject: mfa strings update --- Zotlabs/Module/Settings/Multifactor.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'Zotlabs/Module/Settings/Multifactor.php') diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php index 5ac47be09..191055e2c 100644 --- a/Zotlabs/Module/Settings/Multifactor.php +++ b/Zotlabs/Module/Settings/Multifactor.php 
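Review bot: In the first hunk, `$_SESSION['2FA_VERIFIED'] = true` is set and `mfa_enabled` is persisted as soon as `enable_mfa` arrives in the POST, without the server checking any code from the authenticator; the "only after a test passed" rule from the commit message is, as far as this file shows, carried only by the template string `You will only be able to enable MFA if the test passes`, i.e. enforced client-side. A user or a script can therefore enable MFA with an authenticator that was never verified and lock the account out, and the session flag is asserted on trust rather than on a verified code. I would require the code in the same POST, verify it against `TOTP::create($account['account_external'])` (the same object `get()` builds) before `AConfig::Set(...)`, and `return` with a notice on mismatch. `post()` opens above this hunk, so whatever validation precedes `$enable_mfa` is outside the visible lines.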
@@ -51,10 +51,9 @@ class Multifactor { return replace_macros(get_markup_template('totp_setup.tpl'), [ '$form_security_token' => get_form_security_token("settings_mfa"), - '$title' => t(' Account Multifactor Settings'), - '$totp_setup_text' => t('Multi-Factor Authentication Setup'), - '$secret_text' => t('This is your generated secret. It may be used in some cases if the QR image cannot be read. Please save it.'), - '$test_title' => t('Please enter the code from your authenticator'), + '$title' => t('Account Multi-Factor Authentication'), + '$secret_text' => t('This is your generated secret. It may be used in some cases if the QR image cannot be read. Please store it in a safe place.'), + '$test_title' => t('Please enter the code from your authenticator app'), '$test_title_sub' => t('You will only be able to enable MFA if the test passes'), '$qrcode' => (new QRCode())->render($uri), '$uri' => $uri, @@ -63,9 +62,9 @@ class Multifactor { '$test_fail' => t("Incorrect code."), '$enable_mfa' => [ 'enable_mfa', - t('Enable Multi-factor Authentication'), + t('Enable Multi-Factor Authentication'), AConfig::Get($account['account_id'], 'system', 'mfa_enabled'), - '', + t('Logging in will require you to be in possession of your smartphone with an authenticator app'), [t('No'), t('Yes')] ], '$submit' => t('Submit'), -- cgit v1.2.3 From ac9c33fb3b31f4a3801fbdf7c723b923d699964d Mon Sep 17 00:00:00 2001 From: Mario Date: Sat, 11 Mar 2023 20:24:56 +0000 Subject: check form security token and require password to enable/diable mfa --- Zotlabs/Module/Settings/Multifactor.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'Zotlabs/Module/Settings/Multifactor.php') diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php index 191055e2c..4df718c6a 100644 --- a/Zotlabs/Module/Settings/Multifactor.php +++ b/Zotlabs/Module/Settings/Multifactor.php 
@@ -12,10 +12,24 @@ use ParagonIE\ConstantTime\Base32; class Multifactor { public function post() { + check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa'); + $account = App::get_account(); if (!$account) { return; } + + if (empty($_POST['password'])) { + notice(t('Password is required') . EOL); + return; + } + + $password = trim($_POST['password']); + if(!account_verify_password($account['account_email'], $password)) { + notice(t('The provided password is not correct') . EOL); + return; + } + $enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false; AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa); if ($enable_mfa) { @@ -67,6 +81,7 @@ class Multifactor { t('Logging in will require you to be in possession of your smartphone with an authenticator app'), [t('No'), t('Yes')] ], + '$password' => ['password', t('Please enter your password'), '', t('Required')], '$submit' => t('Submit'), '$test' => t('Test') ] -- cgit v1.2.3 From 5fada6a497ad5123668f282deb508db00e628bda Mon Sep 17 00:00:00 2001 From: Mario Date: Sat, 11 Mar 2023 20:40:32 +0000 Subject: more strings and provide mfa feedback via jgrowl --- Zotlabs/Module/Settings/Multifactor.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'Zotlabs/Module/Settings/Multifactor.php') diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php index 4df718c6a..8b91bc87a 100644 --- a/Zotlabs/Module/Settings/Multifactor.php +++ b/Zotlabs/Module/Settings/Multifactor.php 
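Review bot: The new password gate in `post()` uses `empty($_POST['password'])`, which rejects the legitimate password `0` (PHP's `empty('0')` is true), and then hands `trim($_POST['password'])` to `account_verify_password()`, so a password with leading or trailing whitespace will fail here unless the login path trims the same way (not visible from this file). I would check `if (!isset($_POST['password']) || $_POST['password'] === '')` and pass the raw value with `account_verify_password($account['account_email'], $_POST['password'])`. Separately, a wrong password only calls `notice()` and returns: unless `account_verify_password()` applies its own throttling, this authenticated endpoint is an unthrottled password oracle for anyone holding a hijacked session, so the failure should at least be logged with the account id. The hunk ends inside `post()`; the `AConfig::Set` and session update that follow `$enable_mfa` are outside the visible lines.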
@@ -72,16 +72,16 @@ class Multifactor { '$qrcode' => (new QRCode())->render($uri), '$uri' => $uri, '$secret' => ($account['account_external'] ?? ''), - '$test_pass' => t("That code is correct."), - '$test_fail' => t("Incorrect code."), + '$test_pass' => t("Congratulations, the provided code was correct"), + '$test_fail' => t("Incorrect code"), '$enable_mfa' => [ 'enable_mfa', t('Enable Multi-Factor Authentication'), AConfig::Get($account['account_id'], 'system', 'mfa_enabled'), - t('Logging in will require you to be in possession of your smartphone with an authenticator app'), + t('Logging in will require you to be in possession of your smartphone'), [t('No'), t('Yes')] ], - '$password' => ['password', t('Please enter your password'), '', t('Required')], + '$password' => ['password', t('Your account password'), '', t('Required')], '$submit' => t('Submit'), '$test' => t('Test') ] -- cgit v1.2.3