1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
<?php
namespace Zotlabs\Module\Settings;
use App;
use chillerlan\QRCode\QRCode;
use Zotlabs\Lib\AConfig;
use Zotlabs\Lib\System;
use OTPHP\TOTP;
use ParagonIE\ConstantTime\Base32;
class Multifactor {
public function post() {
check_form_security_token_redirectOnErr('/settings/multifactor', 'settings_mfa');
$account = App::get_account();
if (!$account) {
return;
}
if (empty($_POST['password'])) {
notice(t('Password is required') . EOL);
return;
}
$password = trim($_POST['password']);
if(!account_verify_password($account['account_email'], $password)) {
notice(t('The provided password is not correct') . EOL);
return;
}
$enable_mfa = isset($_POST['enable_mfa']) ? (int) $_POST['enable_mfa'] : false;
AConfig::Set($account['account_id'], 'system', 'mfa_enabled', $enable_mfa);
if ($enable_mfa) {
$_SESSION['2FA_VERIFIED'] = true;
}
}
public function get() {
$account = App::get_account();
if (!$account) {
return '';
}
if (!$account['account_external']) {
$otp = TOTP::create();
$otp->setLabel($account['account_email']);
// $otp->setLabel(rawurlencode(System::get_platform_name()));
$otp->setIssuer(rawurlencode(System::get_platform_name()));
$mySecret = trim(Base32::encodeUpper(random_bytes(32)), '=');
$otp = TOTP::create($mySecret);
q("UPDATE account set account_external = '%s' where account_id = %d",
dbesc($otp->getSecret()),
intval($account['account_id'])
);
$account['account_external'] = $otp->getSecret();
}
$otp = TOTP::create($account['account_external']);
$otp->setLabel($account['account_email']);
$otp->setIssuer(rawurlencode(System::get_platform_name()));
$uri = $otp->getProvisioningUri();
return replace_macros(get_markup_template('totp_setup.tpl'),
[
'$form_security_token' => get_form_security_token("settings_mfa"),
'$title' => t('Account Multi-Factor Authentication'),
'$secret_text' => t('This is your generated secret. It may be used in some cases if the QR image cannot be read. Please store it in a safe place.'),
'$test_title' => t('Please enter the code from your authenticator app'),
'$test_title_sub' => t('You will only be able to enable MFA if the test passes'),
'$qrcode' => (new QRCode())->render($uri),
'$uri' => $uri,
'$secret' => ($account['account_external'] ?? ''),
'$test_pass' => t("Congratulations, the provided code was correct"),
'$test_fail' => t("Incorrect code"),
'$enable_mfa' => [
'enable_mfa',
t('Enable Multi-Factor Authentication'),
AConfig::Get($account['account_id'], 'system', 'mfa_enabled'),
t('Logging in will require you to be in possession of your smartphone'),
[t('No'), t('Yes')]
],
'$password' => ['password', t('Your account password'), '', t('Required')],
'$submit' => t('Submit'),
'$test' => t('Test')
]
);
}
}
|
