From 234bb6425021b72f0db71667191b2c36dc593791 Mon Sep 17 00:00:00 2001
From: Mario <mario@mariovavti.com>
Date: Wed, 8 Mar 2023 10:04:29 +0000
Subject: port totp mfa from streams with some adjustions

---
 Zotlabs/Module/Settings/Multifactor.php | 72 ++++++++++++++++++++++++++
 Zotlabs/Module/Totp_check.php           | 90 +++++++++++++++++++++++++++++++++
 2 files changed, 162 insertions(+)
 create mode 100644 Zotlabs/Module/Settings/Multifactor.php
 create mode 100644 Zotlabs/Module/Totp_check.php

(limited to 'Zotlabs/Module')

diff --git a/Zotlabs/Module/Settings/Multifactor.php b/Zotlabs/Module/Settings/Multifactor.php
new file mode 100644
index 000000000..e1d8e1c97
--- /dev/null
+++ b/Zotlabs/Module/Settings/Multifactor.php
@@ -0,0 +1,72 @@
+<?php
+
+namespace Zotlabs\Module\Settings;
+
+use App;
+use chillerlan\QRCode\QRCode;
+use Zotlabs\Lib\AConfig;
+use Zotlabs\Lib\System;
+use OTPHP\TOTP;
+use ParagonIE\ConstantTime\Base32;
+
+
+class Multifactor {
+	public function post() {
+		$account = App::get_account();
+		if (!$account) {
+			return;
+		}
+		$enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
+		AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
+	}
+
+	public function get() {
+		$account = App::get_account();
+		if (!$account) {
+			return '';
+		}
+
+		if (!$account['account_external']) {
+			$otp = TOTP::create();
+			$otp->setLabel($account['account_email']);
+			// $otp->setLabel(rawurlencode(System::get_platform_name()));
+			$otp->setIssuer(rawurlencode(System::get_platform_name()));
+
+			$mySecret = trim(Base32::encodeUpper(random_bytes(32)), '=');
+			$otp = TOTP::create($mySecret);
+			q("UPDATE account set account_external = '%s' where account_id = %d",
+				dbesc($otp->getSecret()),
+				intval($account['account_id'])
+			);
+			$account['account_external'] = $otp->getSecret();
+		}
+
+		$otp = TOTP::create($account['account_external']);
+		$otp->setLabel($account['account_email']);
+		$otp->setIssuer(rawurlencode(System::get_platform_name()));
+		$uri = $otp->getProvisioningUri();
+		return replace_macros(get_markup_template('totp_setup.tpl'),
+			[
+				'$form_security_token' => get_form_security_token("settings_mfa"),
+				'$title' => t('Multifactor Settings'),
+				'$totp_setup_text' => t('Multi-Factor Authentication Setup'),
+				'$secret_text' => t('This is your generated secret. This may be used in some cases if the QR image cannot be read. Please save it.'),
+				'$test_title' => t('Please enter the code from your authenticator'),
+				'$qrcode' => (new QRCode())->render($uri),
+				'$uri' => $uri,
+				'$secret' => ($account['account_external'] ?? ''),
+				'$test_pass' => t("That code is correct."),
+				'$test_fail' => t("Incorrect code."),
+				'$enable_mfa' => [
+					'enable_mfa',
+					t('Enable Multi-factor Authentication'),
+					AConfig::Get($account['account_id'], 'system', 'mfa_enabled'),
+					'',
+					[t('No'), t('Yes')]
+				],
+				'$submit' => t('Submit'),
+				'$test' => t('Test')
+			]
+		);
+	}
+}
diff --git a/Zotlabs/Module/Totp_check.php b/Zotlabs/Module/Totp_check.php
new file mode 100644
index 000000000..3f6549382
--- /dev/null
+++ b/Zotlabs/Module/Totp_check.php
@@ -0,0 +1,90 @@
+<?php
+
+namespace Zotlabs\Module;
+
+use App;
+use Zotlabs\Web\Controller;
+use OTPHP\TOTP;
+
+class Totp_check extends Controller {
+
+	public function post() {
+		$retval = ['status' => false];
+		$static = $_POST['totp_code_static'] ?? false;
+
+		if (!local_channel()) {
+			if ($static) {
+				goaway(z_root());
+			}
+
+			json_return_and_die($retval);
+		}
+
+		$account = App::get_account();
+		if (!$account) {
+			json_return_and_die($retval);
+		}
+
+		$secret = $account['account_external'];
+		$input = (isset($_POST['totp_code'])) ? trim($_POST['totp_code']) : '';
+
+		if ($secret && $input) {
+			$otp = TOTP::create($secret); // create TOTP object from the secret.
+			if ($otp->verify($_POST['totp_code']) || $input === $secret ) {
+				logger('otp_success');
+				$_SESSION['2FA_VERIFIED'] = true;
+
+				if ($static) {
+					goaway(z_root());
+				}
+
+				$retval['status'] = true;
+				json_return_and_die($retval);
+			}
+			logger('otp_fail');
+		}
+
+		if ($static) {
+			if(empty($_SESSION['totp_try_count'])) {
+				$_SESSION['totp_try_count'] = 1;
+			}
+
+			if ($_SESSION['totp_try_count'] > 2) {
+				goaway('logout');
+			}
+
+			$_SESSION['totp_try_count']++;
+			goaway(z_root());
+		}
+
+		json_return_and_die($retval);
+	}
+
+	public function get() {
+
+		if (!local_channel()) {
+			return;
+		}
+
+		$account = App::get_account();
+		if (!$account) {
+			return t('Account not found.');
+		}
+
+		$id = $account['account_email'];
+
+		return replace_macros(get_markup_template('totp.tpl'),
+			[
+				'$header' => t('Multifactor Verification'),
+				'$id' => $id,
+				'$desc'   => t('Please enter the verification key from your authenticator app'),
+				//'$success' => t('Success!'),
+				//'$fail' => t('Invalid code, please try again.'),
+				//'$maxfails' => t('Too many invalid codes...'),
+				'$submit' => t('Verify'),
+				'$static' => $static
+			]
+		);
+	}
+}
+
-- 
cgit v1.2.3