Merge pull request #9823 from MrPetovan/task/9677-2fa-remember-device
Add "Remember this device" feature to two factor authentication
This commit is contained in:
commit
199f72ee3c
|
@ -48,6 +48,7 @@
|
|||
"psr/container": "^1.0",
|
||||
"seld/cli-prompt": "^1.0",
|
||||
"smarty/smarty": "^3.1",
|
||||
"ua-parser/uap-php": "^3.9",
|
||||
"xemlock/htmlpurifier-html5": "^0.1.11",
|
||||
"fxp/composer-asset-plugin": "^1.4",
|
||||
"bower-asset/base64": "^1.0",
|
||||
|
|
129
composer.lock
generated
129
composer.lock
generated
|
@ -4,7 +4,7 @@
|
|||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "7d8031c9b95fd94d8872804759a26509",
|
||||
"content-hash": "c66de8307eed717b4e23fcf386aa17ef",
|
||||
"packages": [
|
||||
{
|
||||
"name": "asika/simple-console",
|
||||
|
@ -253,6 +253,76 @@
|
|||
},
|
||||
"type": "bower-asset-library"
|
||||
},
|
||||
{
|
||||
"name": "composer/ca-bundle",
|
||||
"version": "1.2.8",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/composer/ca-bundle.git",
|
||||
"reference": "8a7ecad675253e4654ea05505233285377405215"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/composer/ca-bundle/zipball/8a7ecad675253e4654ea05505233285377405215",
|
||||
"reference": "8a7ecad675253e4654ea05505233285377405215",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ext-openssl": "*",
|
||||
"ext-pcre": "*",
|
||||
"php": "^5.3.2 || ^7.0 || ^8.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "^4.8.35 || ^5.7 || 6.5 - 8",
|
||||
"psr/log": "^1.0",
|
||||
"symfony/process": "^2.5 || ^3.0 || ^4.0 || ^5.0"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-master": "1.x-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"Composer\\CaBundle\\": "src"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Jordi Boggiano",
|
||||
"email": "j.boggiano@seld.be",
|
||||
"homepage": "http://seld.be"
|
||||
}
|
||||
],
|
||||
"description": "Lets you find a path to the system CA bundle, and includes a fallback to the Mozilla CA bundle.",
|
||||
"keywords": [
|
||||
"cabundle",
|
||||
"cacert",
|
||||
"certificate",
|
||||
"ssl",
|
||||
"tls"
|
||||
],
|
||||
"funding": [
|
||||
{
|
||||
"url": "https://packagist.com",
|
||||
"type": "custom"
|
||||
},
|
||||
{
|
||||
"url": "https://github.com/composer",
|
||||
"type": "github"
|
||||
},
|
||||
{
|
||||
"url": "https://tidelift.com/funding/github/packagist/composer/composer",
|
||||
"type": "tidelift"
|
||||
}
|
||||
],
|
||||
"time": "2020-08-23T12:54:47+00:00"
|
||||
},
|
||||
{
|
||||
"name": "divineomega/do-file-cache",
|
||||
"version": "v2.0.6",
|
||||
|
@ -3432,6 +3502,63 @@
|
|||
],
|
||||
"time": "2020-05-12T16:14:59+00:00"
|
||||
},
|
||||
{
|
||||
"name": "ua-parser/uap-php",
|
||||
"version": "v3.9.7",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/ua-parser/uap-php.git",
|
||||
"reference": "7efc2f05b7d9817a59132e5d2e5ca91a1c071f6a"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/ua-parser/uap-php/zipball/7efc2f05b7d9817a59132e5d2e5ca91a1c071f6a",
|
||||
"reference": "7efc2f05b7d9817a59132e5d2e5ca91a1c071f6a",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"composer/ca-bundle": "^1.1",
|
||||
"php": ">=5.3.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "<8",
|
||||
"symfony/console": "^2.0 || ^3.0 || ^4.0",
|
||||
"symfony/filesystem": "^2.0 || ^3.0 || ^4.0",
|
||||
"symfony/finder": "^2.0 || ^3.0 || ^4.0",
|
||||
"symfony/yaml": "^2.0 || ^3.0 || ^4.0"
|
||||
},
|
||||
"suggest": {
|
||||
"symfony/console": "Required for CLI usage - ^2.0 || ^3.0 || ^4.0",
|
||||
"symfony/filesystem": "Required for CLI usage - 2.0 || ^3.0 || ^4.0",
|
||||
"symfony/finder": "Required for CLI usage - ^2.0 || ^3.0 || ^4.0",
|
||||
"symfony/yaml": "Required for CLI usage - ^4.0 || ^5.0"
|
||||
},
|
||||
"bin": [
|
||||
"bin/uaparser"
|
||||
],
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"UAParser\\": "src"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Dave Olsen",
|
||||
"email": "dmolsen@gmail.com"
|
||||
},
|
||||
{
|
||||
"name": "Lars Strojny",
|
||||
"email": "lars@strojny.net"
|
||||
}
|
||||
],
|
||||
"description": "A multi-language port of Browserscope's user agent parser.",
|
||||
"time": "2020-02-21T09:54:14+00:00"
|
||||
},
|
||||
{
|
||||
"name": "xemlock/htmlpurifier-html5",
|
||||
"version": "v0.1.11",
|
||||
|
|
16
database.sql
16
database.sql
|
@ -283,10 +283,24 @@ CREATE TABLE IF NOT EXISTS `2fa_recovery_codes` (
|
|||
`code` varchar(50) NOT NULL COMMENT 'Recovery code string',
|
||||
`generated` datetime NOT NULL COMMENT 'Datetime the code was generated',
|
||||
`used` datetime COMMENT 'Datetime the code was used',
|
||||
PRIMARY KEY(`uid`,`code`),
|
||||
PRIMARY KEY(`uid`,`code`),
|
||||
FOREIGN KEY (`uid`) REFERENCES `user` (`uid`) ON UPDATE RESTRICT ON DELETE CASCADE
|
||||
) DEFAULT COLLATE utf8mb4_general_ci COMMENT='Two-factor authentication recovery codes';
|
||||
|
||||
--
|
||||
-- TABLE 2fa_trusted_browser
|
||||
--
|
||||
CREATE TABLE IF NOT EXISTS `2fa_trusted_browser` (
|
||||
`cookie_hash` varchar(80) NOT NULL COMMENT 'Trusted cookie hash',
|
||||
`uid` mediumint unsigned NOT NULL COMMENT 'User ID',
|
||||
`user_agent` text COMMENT 'User agent string',
|
||||
`created` datetime NOT NULL COMMENT 'Datetime the trusted browser was recorded',
|
||||
`last_used` datetime COMMENT 'Datetime the trusted browser was last used',
|
||||
PRIMARY KEY(`cookie_hash`),
|
||||
INDEX `uid` (`uid`),
|
||||
FOREIGN KEY (`uid`) REFERENCES `user` (`uid`) ON UPDATE RESTRICT ON DELETE CASCADE
|
||||
) DEFAULT COLLATE utf8mb4_general_ci COMMENT='Two-factor authentication trusted browsers';
|
||||
|
||||
--
|
||||
-- TABLE addon
|
||||
--
|
||||
|
|
|
@ -72,3 +72,10 @@ We recommend generating a single app-specific password for each separate third-p
|
|||
|
||||
You can also revoke any and all app-specific password you generated this way.
|
||||
This may log you out of the third-party application(s) you used the revoked app-specific password to log in with.
|
||||
|
||||
## Trusted browsers
|
||||
|
||||
As a convenience, during two-factor authentication it is possible to identify a browser as trusted.
|
||||
This will skip all further two-factor authentication prompt on this browser.
|
||||
|
||||
You can remove any or all of these trusted browsers in the two-factor authentication settings.
|
||||
|
|
52
src/BaseDataTransferObject.php
Normal file
52
src/BaseDataTransferObject.php
Normal file
|
@ -0,0 +1,52 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (C) 2020, Friendica
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Friendica;
|
||||
|
||||
/**
|
||||
* These data transfer object classes are meant for API representations. As such, their members should be protected.
|
||||
* Then the JsonSerializable interface ensures the protected members will be included in a JSON encode situation.
|
||||
*
|
||||
* Constructors are supposed to take as arguments the Friendica dependencies/model/collection/data it needs to
|
||||
* populate the class members.
|
||||
*/
|
||||
abstract class BaseDataTransferObject implements \JsonSerializable
|
||||
{
|
||||
/**
|
||||
* Returns the current entity as an json array
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function jsonSerialize(): array
|
||||
{
|
||||
return $this->toArray();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the current entity as an array
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray(): array
|
||||
{
|
||||
return get_object_vars($this);
|
||||
}
|
||||
}
|
|
@ -21,32 +21,36 @@
|
|||
|
||||
namespace Friendica;
|
||||
|
||||
use Friendica\Network\HTTPException;
|
||||
|
||||
/**
|
||||
* The API entity classes are meant as data transfer objects. As such, their member should be protected.
|
||||
* Then the JsonSerializable interface ensures the protected members will be included in a JSON encode situation.
|
||||
* The Entity classes directly inheriting from this abstract class are meant to represent a single business entity.
|
||||
* Their properties may or may not correspond with the database fields of the table we use to represent it.
|
||||
* Each model method must correspond to a business action being performed on this entity.
|
||||
* Only these methods will be allowed to alter the model data.
|
||||
*
|
||||
* Constructors are supposed to take as arguments the Friendica dependencies/model/collection/data it needs to
|
||||
* populate the class members.
|
||||
* To persist such a model, the associated Repository must be instantiated and the "save" method must be called
|
||||
* and passed the entity as a parameter.
|
||||
*
|
||||
* Ideally, the constructor should only be called in the associated Factory which will instantiate entities depending
|
||||
* on the provided data.
|
||||
*
|
||||
* Since these objects aren't meant to be using any dependency, including logging, unit tests can and must be
|
||||
* written for each and all of their methods
|
||||
*/
|
||||
abstract class BaseEntity implements \JsonSerializable
|
||||
abstract class BaseEntity extends BaseDataTransferObject
|
||||
{
|
||||
/**
|
||||
* Returns the current entity as an json array
|
||||
*
|
||||
* @return array
|
||||
* @param string $name
|
||||
* @return mixed
|
||||
* @throws HTTPException\InternalServerErrorException
|
||||
*/
|
||||
public function jsonSerialize()
|
||||
public function __get(string $name)
|
||||
{
|
||||
return $this->toArray();
|
||||
}
|
||||
if (!property_exists($this, $name)) {
|
||||
throw new HTTPException\InternalServerErrorException('Unknown property ' . $name . ' in Entity ' . static::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the current entity as an array
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
{
|
||||
return get_object_vars($this);
|
||||
return $this->$name;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,7 +31,7 @@ use Psr\Log\LoggerInterface;
|
|||
*
|
||||
* @property int id
|
||||
*/
|
||||
abstract class BaseModel extends BaseEntity
|
||||
abstract class BaseModel extends BaseDataTransferObject
|
||||
{
|
||||
/** @var Database */
|
||||
protected $dba;
|
||||
|
@ -67,7 +67,7 @@ abstract class BaseModel extends BaseEntity
|
|||
$this->originalData = $data;
|
||||
}
|
||||
|
||||
public function getOriginalData()
|
||||
public function getOriginalData(): array
|
||||
{
|
||||
return $this->originalData;
|
||||
}
|
||||
|
@ -84,7 +84,7 @@ abstract class BaseModel extends BaseEntity
|
|||
* @param array $data
|
||||
* @return BaseModel
|
||||
*/
|
||||
public static function createFromPrototype(BaseModel $prototype, array $data)
|
||||
public static function createFromPrototype(BaseModel $prototype, array $data): BaseModel
|
||||
{
|
||||
$model = clone $prototype;
|
||||
$model->data = $data;
|
||||
|
@ -100,7 +100,7 @@ abstract class BaseModel extends BaseEntity
|
|||
* @param $name
|
||||
* @return bool
|
||||
*/
|
||||
public function __isset($name)
|
||||
public function __isset($name): bool
|
||||
{
|
||||
return in_array($name, array_merge(array_keys($this->data), array_keys(get_object_vars($this))));
|
||||
}
|
||||
|
@ -126,15 +126,19 @@ abstract class BaseModel extends BaseEntity
|
|||
}
|
||||
|
||||
/**
|
||||
* * Magic setter. This allows to set model fields with the following syntax:
|
||||
* - $model->field = $value (outside of class)
|
||||
* - $this->field = $value (inside of class)
|
||||
*
|
||||
* @param string $name
|
||||
* @param mixed $value
|
||||
* @param mixed $value
|
||||
*/
|
||||
public function __set($name, $value)
|
||||
public function __set(string $name, $value)
|
||||
{
|
||||
$this->data[$name] = $value;
|
||||
}
|
||||
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
return $this->data;
|
||||
}
|
||||
|
|
|
@ -34,7 +34,7 @@ use Friendica\Core\System;
|
|||
use Friendica\Core\Worker;
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\TwoFactor\AppSpecificPassword;
|
||||
use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
|
||||
use Friendica\Network\HTTPException;
|
||||
use Friendica\Object\Image;
|
||||
use Friendica\Util\Crypto;
|
||||
|
|
|
@ -41,126 +41,118 @@ class Cookie
|
|||
const HTTPONLY = true;
|
||||
|
||||
/** @var string The remote address of this node */
|
||||
private $remoteAddr = '0.0.0.0';
|
||||
private $remoteAddr;
|
||||
/** @var bool True, if the connection is ssl enabled */
|
||||
private $sslEnabled = false;
|
||||
private $sslEnabled;
|
||||
/** @var string The private key of this Friendica node */
|
||||
private $sitePrivateKey;
|
||||
/** @var int The default cookie lifetime */
|
||||
private $lifetime = self::DEFAULT_EXPIRE * 24 * 60 * 60;
|
||||
/** @var array The $_COOKIE array */
|
||||
private $cookie;
|
||||
private $lifetime;
|
||||
/** @var array The Friendica cookie data array */
|
||||
private $data;
|
||||
|
||||
public function __construct(IConfig $config, App\BaseURL $baseURL, array $server = [], array $cookie = [])
|
||||
/**
|
||||
* @param IConfig $config
|
||||
* @param App\BaseURL $baseURL
|
||||
* @param array $SERVER The $_SERVER array
|
||||
* @param array $COOKIE The $_COOKIE array
|
||||
*/
|
||||
public function __construct(IConfig $config, App\BaseURL $baseURL, array $SERVER = [], array $COOKIE = [])
|
||||
{
|
||||
if (!empty($server['REMOTE_ADDR'])) {
|
||||
$this->remoteAddr = $server['REMOTE_ADDR'];
|
||||
}
|
||||
|
||||
$this->sslEnabled = $baseURL->getSSLPolicy() === App\BaseURL::SSL_POLICY_FULL;
|
||||
$this->sitePrivateKey = $config->get('system', 'site_prvkey');
|
||||
|
||||
$authCookieDays = $config->get('system', 'auth_cookie_lifetime',
|
||||
self::DEFAULT_EXPIRE);
|
||||
$this->lifetime = $authCookieDays * 24 * 60 * 60;
|
||||
$this->cookie = $cookie;
|
||||
|
||||
$this->remoteAddr = ($SERVER['REMOTE_ADDR'] ?? null) ?: '0.0.0.0';
|
||||
|
||||
$this->data = json_decode($COOKIE[self::NAME] ?? '[]', true) ?: [];
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the Friendica cookie is set for a user
|
||||
*
|
||||
* @param string $hash The cookie hash
|
||||
* @param string $password The user password
|
||||
* @param string $privateKey The private Key of the user
|
||||
*
|
||||
* @return boolean True, if the cookie is set
|
||||
* Returns the value for a key of the Friendica cookie
|
||||
*
|
||||
* @param string $key
|
||||
* @param mixed $default
|
||||
* @return mixed|null The value for the provided cookie key
|
||||
*/
|
||||
public function check(string $hash, string $password, string $privateKey)
|
||||
public function get(string $key, $default = null)
|
||||
{
|
||||
return hash_equals(
|
||||
$this->getHash($password, $privateKey),
|
||||
$hash
|
||||
);
|
||||
return $this->data[$key] ?? $default;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the Friendica cookie for a user
|
||||
* Set a single cookie key value.
|
||||
* Overwrites an existing value with the same key.
|
||||
*
|
||||
* @param int $uid The user id
|
||||
* @param string $password The user password
|
||||
* @param string $privateKey The user private key
|
||||
* @param int|null $seconds optional the seconds
|
||||
* @param $key
|
||||
* @param $value
|
||||
* @return bool
|
||||
*/
|
||||
public function set($key, $value): bool
|
||||
{
|
||||
return $this->setMultiple([$key => $value]);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets multiple cookie key values.
|
||||
* Overwrites existing values with the same key.
|
||||
*
|
||||
* @param array $values
|
||||
* @return bool
|
||||
*/
|
||||
public function setMultiple(array $values): bool
|
||||
{
|
||||
$this->data = $values + $this->data;
|
||||
|
||||
return $this->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove a cookie key
|
||||
*
|
||||
* @param string $key
|
||||
*/
|
||||
public function unset(string $key)
|
||||
{
|
||||
if (isset($this->data[$key])) {
|
||||
unset($this->data[$key]);
|
||||
|
||||
$this->send();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Clears the Friendica cookie
|
||||
*/
|
||||
public function clear(): bool
|
||||
{
|
||||
$this->data = [];
|
||||
// make sure cookie is deleted on browser close, as a security measure
|
||||
return $this->setCookie( '', -3600, $this->sslEnabled);
|
||||
}
|
||||
|
||||
/**
|
||||
* Send the cookie, should be called every time $this->data is changed or to refresh the cookie.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function set(int $uid, string $password, string $privateKey, int $seconds = null)
|
||||
public function send(): bool
|
||||
{
|
||||
if (!isset($seconds)) {
|
||||
$seconds = $this->lifetime + time();
|
||||
} elseif (isset($seconds) && $seconds != 0) {
|
||||
$seconds = $seconds + time();
|
||||
}
|
||||
|
||||
$value = json_encode([
|
||||
'uid' => $uid,
|
||||
'hash' => $this->getHash($password, $privateKey),
|
||||
'ip' => $this->remoteAddr,
|
||||
]);
|
||||
|
||||
return $this->setCookie(self::NAME, $value, $seconds, $this->sslEnabled);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the data of the Friendicas user cookie
|
||||
*
|
||||
* @return mixed|null The JSON data, null if not set
|
||||
*/
|
||||
public function getData()
|
||||
{
|
||||
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
|
||||
if (isset($this->cookie[self::NAME])) {
|
||||
$data = json_decode($this->cookie[self::NAME]);
|
||||
if (!empty($data)) {
|
||||
return $data;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Clears the Friendica cookie of this user after leaving the page
|
||||
*/
|
||||
public function clear()
|
||||
{
|
||||
// make sure cookie is deleted on browser close, as a security measure
|
||||
return $this->setCookie(self::NAME, '', -3600, $this->sslEnabled);
|
||||
}
|
||||
|
||||
/**
|
||||
* Calculate the hash that is needed for the Friendica cookie
|
||||
*
|
||||
* @param string $password The user password
|
||||
* @param string $privateKey The private key of the user
|
||||
*
|
||||
* @return string Hashed data
|
||||
*/
|
||||
private function getHash(string $password, string $privateKey)
|
||||
{
|
||||
return hash_hmac(
|
||||
'sha256',
|
||||
hash_hmac('sha256', $password, $privateKey),
|
||||
$this->sitePrivateKey
|
||||
return $this->setCookie(
|
||||
json_encode(['ip' => $this->remoteAddr] + $this->data),
|
||||
$this->lifetime + time(),
|
||||
$this->sslEnabled
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Send a cookie - protected, internal function for test-mocking possibility
|
||||
* setcookie() wrapper: protected, internal function for test-mocking possibility
|
||||
*
|
||||
* @link https://php.net/manual/en/function.setcookie.php
|
||||
*
|
||||
* @param string $name
|
||||
* @param string $value [optional]
|
||||
* @param int $expire [optional]
|
||||
* @param bool $secure [optional]
|
||||
|
@ -168,9 +160,43 @@ class Cookie
|
|||
* @return bool If output exists prior to calling this function,
|
||||
*
|
||||
*/
|
||||
protected function setCookie(string $name, string $value = null, int $expire = null,
|
||||
bool $secure = null)
|
||||
protected function setCookie(string $value = null, int $expire = null,
|
||||
bool $secure = null): bool
|
||||
{
|
||||
return setcookie($name, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
|
||||
return setcookie(self::NAME, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
|
||||
}
|
||||
|
||||
/**
|
||||
* Calculate a hash of a user's private data for storage in the cookie.
|
||||
* Hashed twice, with the user's own private key first, then the node's private key second.
|
||||
*
|
||||
* @param string $privateData User private data
|
||||
* @param string $privateKey User private key
|
||||
*
|
||||
* @return string Hashed data
|
||||
*/
|
||||
public function hashPrivateData(string $privateData, string $privateKey): string
|
||||
{
|
||||
return hash_hmac(
|
||||
'sha256',
|
||||
hash_hmac('sha256', $privateData, $privateKey),
|
||||
$this->sitePrivateKey
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $hash Hash from a cookie key value
|
||||
* @param string $privateData User private data
|
||||
* @param string $privateKey User private key
|
||||
*
|
||||
* @return boolean
|
||||
*
|
||||
*/
|
||||
public function comparePrivateDataHash(string $hash, string $privateData, string $privateKey): bool
|
||||
{
|
||||
return hash_equals(
|
||||
$this->hashPrivateData($privateData, $privateKey),
|
||||
$hash
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -26,6 +26,7 @@ use Friendica\Core\Hook;
|
|||
use Friendica\Core\System;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\Profile;
|
||||
use Friendica\Security\TwoFactor;
|
||||
|
||||
/**
|
||||
* Logout module
|
||||
|
@ -44,6 +45,13 @@ class Logout extends BaseModule
|
|||
}
|
||||
|
||||
Hook::callAll("logging_out");
|
||||
|
||||
// Remove this trusted browser as it won't be able to be used ever again after the cookie is cleared
|
||||
if (DI::cookie()->get('trusted')) {
|
||||
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
|
||||
$trustedBrowserRepository->removeForUser(local_user(), DI::cookie()->get('trusted'));
|
||||
}
|
||||
|
||||
DI::cookie()->clear();
|
||||
DI::session()->clear();
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ use Friendica\BaseModule;
|
|||
use Friendica\Core\Renderer;
|
||||
use Friendica\Core\Session;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\TwoFactor\RecoveryCode;
|
||||
use Friendica\Security\TwoFactor\Model\RecoveryCode;
|
||||
|
||||
/**
|
||||
* // Page 1a: Recovery code verification
|
||||
|
|
|
@ -26,6 +26,7 @@ use Friendica\Core\Renderer;
|
|||
use Friendica\Core\Session;
|
||||
use Friendica\DI;
|
||||
use PragmaRX\Google2FA\Google2FA;
|
||||
use Friendica\Security\TwoFactor;
|
||||
|
||||
/**
|
||||
* Page 1: Authenticator code verification
|
||||
|
@ -55,6 +56,19 @@ class Verify extends BaseModule
|
|||
if ($valid && Session::get('2fa') !== $code) {
|
||||
Session::set('2fa', $code);
|
||||
|
||||
// Trust this browser feature
|
||||
if (!empty($_REQUEST['trust_browser'])) {
|
||||
$trustedBrowserFactory = new TwoFactor\Factory\TrustedBrowser(DI::logger());
|
||||
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger(), $trustedBrowserFactory);
|
||||
|
||||
$trustedBrowser = $trustedBrowserFactory->createForUserWithUserAgent(local_user(), $_SERVER['HTTP_USER_AGENT']);
|
||||
|
||||
$trustedBrowserRepository->save($trustedBrowser);
|
||||
|
||||
// The string is sent to the browser to be sent back with each request
|
||||
DI::cookie()->set('trusted', $trustedBrowser->cookie_hash);
|
||||
}
|
||||
|
||||
// Resume normal login workflow
|
||||
DI::auth()->setForUser($a, $a->user, true, true);
|
||||
} else {
|
||||
|
@ -83,6 +97,7 @@ class Verify extends BaseModule
|
|||
'$errors' => self::$errors,
|
||||
'$recovery_message' => DI::l10n()->t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
|
||||
'$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
|
||||
'$trust_browser' => ['trust_browser', DI::l10n()->t('This is my two-factor authenticator app device'), !empty($_REQUEST['trust_browser'])],
|
||||
'$verify_label' => DI::l10n()->t('Verify code and complete login'),
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
|
|||
|
||||
use Friendica\Core\Renderer;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\TwoFactor\AppSpecificPassword;
|
||||
use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
|
||||
use Friendica\Module\BaseSettings;
|
||||
use Friendica\Module\Security\Login;
|
||||
|
||||
|
|
|
@ -24,8 +24,8 @@ namespace Friendica\Module\Settings\TwoFactor;
|
|||
use Friendica\Core\Renderer;
|
||||
use Friendica\Core\Session;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\TwoFactor\AppSpecificPassword;
|
||||
use Friendica\Model\TwoFactor\RecoveryCode;
|
||||
use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
|
||||
use Friendica\Security\TwoFactor\Model\RecoveryCode;
|
||||
use Friendica\Model\User;
|
||||
use Friendica\Module\BaseSettings;
|
||||
use Friendica\Module\Security\Login;
|
||||
|
@ -78,6 +78,11 @@ class Index extends BaseSettings
|
|||
DI::baseUrl()->redirect('settings/2fa/app_specific?t=' . self::getFormSecurityToken('settings_2fa_password'));
|
||||
}
|
||||
break;
|
||||
case 'trusted':
|
||||
if ($has_secret) {
|
||||
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
|
||||
}
|
||||
break;
|
||||
case 'configure':
|
||||
if (!$verified) {
|
||||
DI::baseUrl()->redirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
|
||||
|
@ -130,6 +135,7 @@ class Index extends BaseSettings
|
|||
'$disable_label' => DI::l10n()->t('Disable two-factor authentication'),
|
||||
'$recovery_codes_label' => DI::l10n()->t('Show recovery codes'),
|
||||
'$app_specific_passwords_label' => DI::l10n()->t('Manage app-specific passwords'),
|
||||
'$trusted_browsers_label' => DI::l10n()->t('Manage trusted browsers'),
|
||||
'$configure_label' => DI::l10n()->t('Finish app configuration'),
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
|
|||
|
||||
use Friendica\Core\Renderer;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\TwoFactor\RecoveryCode;
|
||||
use Friendica\Security\TwoFactor\Model\RecoveryCode;
|
||||
use Friendica\Module\BaseSettings;
|
||||
use Friendica\Module\Security\Login;
|
||||
|
||||
|
|
110
src/Module/Settings/TwoFactor/Trusted.php
Normal file
110
src/Module/Settings/TwoFactor/Trusted.php
Normal file
|
@ -0,0 +1,110 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Module\Settings\TwoFactor;
|
||||
|
||||
use Friendica\Core\Renderer;
|
||||
use Friendica\DI;
|
||||
use Friendica\Module\BaseSettings;
|
||||
use Friendica\Security\TwoFactor;
|
||||
use Friendica\Util\Temporal;
|
||||
use UAParser\Parser;
|
||||
|
||||
/**
|
||||
* Manages users' two-factor trusted browsers in the 2fa_trusted_browsers table
|
||||
*/
|
||||
class Trusted extends BaseSettings
|
||||
{
|
||||
public static function init(array $parameters = [])
|
||||
{
|
||||
if (!local_user()) {
|
||||
return;
|
||||
}
|
||||
|
||||
$verified = DI::pConfig()->get(local_user(), '2fa', 'verified');
|
||||
|
||||
if (!$verified) {
|
||||
DI::baseUrl()->redirect('settings/2fa');
|
||||
}
|
||||
|
||||
if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
|
||||
notice(DI::l10n()->t('Please enter your password to access this page.'));
|
||||
DI::baseUrl()->redirect('settings/2fa');
|
||||
}
|
||||
}
|
||||
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
if (!local_user()) {
|
||||
return;
|
||||
}
|
||||
|
||||
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
|
||||
|
||||
if (!empty($_POST['action'])) {
|
||||
self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
|
||||
|
||||
switch ($_POST['action']) {
|
||||
case 'remove_all' :
|
||||
$trustedBrowserRepository->removeAllForUser(local_user());
|
||||
info(DI::l10n()->t('Trusted browsers successfully removed.'));
|
||||
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!empty($_POST['remove_id'])) {
|
||||
self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
|
||||
|
||||
if ($trustedBrowserRepository->removeForUser(local_user(), $_POST['remove_id'])) {
|
||||
info(DI::l10n()->t('Trusted browser successfully removed.'));
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public static function content(array $parameters = []): string
|
||||
{
|
||||
parent::content($parameters);
|
||||
|
||||
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
|
||||
$trustedBrowsers = $trustedBrowserRepository->selectAllByUid(local_user());
|
||||
|
||||
$parser = Parser::create();
|
||||
|
||||
$trustedBrowserDisplay = array_map(function (TwoFactor\Model\TrustedBrowser $trustedBrowser) use ($parser) {
|
||||
$dates = [
|
||||
'created_ago' => Temporal::getRelativeDate($trustedBrowser->created),
|
||||
'last_used_ago' => Temporal::getRelativeDate($trustedBrowser->last_used),
|
||||
];
|
||||
|
||||
$result = $parser->parse($trustedBrowser->user_agent);
|
||||
|
||||
$uaData = [
|
||||
'os' => $result->os->family,
|
||||
'device' => $result->device->family,
|
||||
'browser' => $result->ua->family,
|
||||
];
|
||||
|
||||
return $trustedBrowser->toArray() + $dates + $uaData;
|
||||
}, $trustedBrowsers->getArrayCopy());
|
||||
|
||||
return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/trusted_browsers.tpl'), [
|
||||
'$form_security_token' => self::getFormSecurityToken('settings_2fa_trusted'),
|
||||
'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
|
||||
|
||||
'$title' => DI::l10n()->t('Two-factor Trusted Browsers'),
|
||||
'$message' => DI::l10n()->t('Trusted browsers are individual browsers you chose to skip two-factor authentication to access Friendica. Please use this feature sparingly, as it can negate the benefit of two-factor authentication.'),
|
||||
'$device_label' => DI::l10n()->t('Device'),
|
||||
'$os_label' => DI::l10n()->t('OS'),
|
||||
'$browser_label' => DI::l10n()->t('Browser'),
|
||||
'$created_label' => DI::l10n()->t('Trusted'),
|
||||
'$last_used_label' => DI::l10n()->t('Last Use'),
|
||||
'$remove_label' => DI::l10n()->t('Remove'),
|
||||
'$remove_all_label' => DI::l10n()->t('Remove All'),
|
||||
|
||||
'$trusted_browsers' => $trustedBrowserDisplay,
|
||||
]);
|
||||
}
|
||||
}
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
namespace Friendica\Object\Api\Friendica;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Content\Text\BBCode;
|
||||
use Friendica\Content\Text\HTML;
|
||||
use Friendica\Model\Notification as NotificationModel;
|
||||
|
@ -33,7 +33,7 @@ use Friendica\Util\Temporal;
|
|||
*
|
||||
* @see https://github.com/friendica/friendica/blob/develop/doc/API-Entities.md#notification
|
||||
*/
|
||||
class Notification extends BaseEntity
|
||||
class Notification extends BaseDataTransferObject
|
||||
{
|
||||
/** @var integer */
|
||||
protected $id;
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\App\BaseURL;
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Collection\Api\Mastodon\Fields;
|
||||
use Friendica\Content\Text\BBCode;
|
||||
use Friendica\Database\DBA;
|
||||
|
@ -34,7 +34,7 @@ use Friendica\Util\DateTimeFormat;
|
|||
*
|
||||
* @see https://docs.joinmastodon.org/entities/account
|
||||
*/
|
||||
class Account extends BaseEntity
|
||||
class Account extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $id;
|
||||
|
@ -138,7 +138,7 @@ class Account extends BaseEntity
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
$account = parent::toArray();
|
||||
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Activity
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/activity
|
||||
*/
|
||||
class Activity extends BaseEntity
|
||||
class Activity extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string (UNIX Timestamp) */
|
||||
protected $week;
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Application
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/application
|
||||
*/
|
||||
class Application extends BaseEntity
|
||||
class Application extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $name;
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Attachment
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/attachment
|
||||
*/
|
||||
class Attachment extends BaseEntity
|
||||
class Attachment extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $id;
|
||||
|
@ -67,7 +67,7 @@ class Attachment extends BaseEntity
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
$attachment = parent::toArray();
|
||||
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Card
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/card
|
||||
*/
|
||||
class Card extends BaseEntity
|
||||
class Card extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $url;
|
||||
|
@ -67,10 +67,10 @@ class Card extends BaseEntity
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
if (empty($this->url)) {
|
||||
return null;
|
||||
return [];
|
||||
}
|
||||
|
||||
return parent::toArray();
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Emoji
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/emoji/
|
||||
*/
|
||||
class Emoji extends BaseEntity
|
||||
class Emoji extends BaseDataTransferObject
|
||||
{
|
||||
//Required attributes
|
||||
/** @var string */
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Error
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/error
|
||||
*/
|
||||
class Error extends BaseEntity
|
||||
class Error extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $error;
|
||||
|
@ -53,7 +53,7 @@ class Error extends BaseEntity
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
$error = parent::toArray();
|
||||
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Field
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/field/
|
||||
*/
|
||||
class Field extends BaseEntity
|
||||
class Field extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $name;
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\DI;
|
||||
use Friendica\Model\User;
|
||||
|
@ -32,7 +32,7 @@ use Friendica\Module\Register;
|
|||
*
|
||||
* @see https://docs.joinmastodon.org/api/entities/#instance
|
||||
*/
|
||||
class Instance extends BaseEntity
|
||||
class Instance extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string (URL) */
|
||||
protected $uri;
|
||||
|
|
|
@ -22,14 +22,14 @@
|
|||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\App\BaseURL;
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Mention
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/mention
|
||||
*/
|
||||
class Mention extends BaseEntity
|
||||
class Mention extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $id;
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Model\Contact;
|
||||
use Friendica\Util\Network;
|
||||
|
||||
|
@ -30,7 +30,7 @@ use Friendica\Util\Network;
|
|||
*
|
||||
* @see https://docs.joinmastodon.org/api/entities/#relationship
|
||||
*/
|
||||
class Relationship extends BaseEntity
|
||||
class Relationship extends BaseDataTransferObject
|
||||
{
|
||||
/** @var int */
|
||||
protected $id;
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Core\Protocol;
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\DI;
|
||||
|
@ -31,7 +31,7 @@ use Friendica\DI;
|
|||
*
|
||||
* @see https://docs.joinmastodon.org/api/entities/#stats
|
||||
*/
|
||||
class Stats extends BaseEntity
|
||||
class Stats extends BaseDataTransferObject
|
||||
{
|
||||
/** @var int */
|
||||
protected $user_count = 0;
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
|
||||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Content\Text\BBCode;
|
||||
use Friendica\Object\Api\Mastodon\Status\Counts;
|
||||
use Friendica\Object\Api\Mastodon\Status\UserAttributes;
|
||||
|
@ -32,7 +32,7 @@ use Friendica\Util\DateTimeFormat;
|
|||
*
|
||||
* @see https://docs.joinmastodon.org/entities/status
|
||||
*/
|
||||
class Status extends BaseEntity
|
||||
class Status extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $id;
|
||||
|
@ -143,7 +143,7 @@ class Status extends BaseEntity
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function toArray()
|
||||
public function toArray(): array
|
||||
{
|
||||
$status = parent::toArray();
|
||||
|
||||
|
|
|
@ -22,14 +22,14 @@
|
|||
namespace Friendica\Object\Api\Mastodon;
|
||||
|
||||
use Friendica\App\BaseURL;
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
|
||||
/**
|
||||
* Class Tag
|
||||
*
|
||||
* @see https://docs.joinmastodon.org/entities/tag
|
||||
*/
|
||||
class Tag extends BaseEntity
|
||||
class Tag extends BaseDataTransferObject
|
||||
{
|
||||
/** @var string */
|
||||
protected $name;
|
||||
|
|
|
@ -21,14 +21,14 @@
|
|||
|
||||
namespace Friendica\Object\Api\Twitter;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\BaseDataTransferObject;
|
||||
use Friendica\Content\ContactSelector;
|
||||
use Friendica\Content\Text\BBCode;
|
||||
|
||||
/**
|
||||
* @see https://developer.twitter.com/en/docs/tweets/data-dictionary/overview/user-object
|
||||
*/
|
||||
class User extends BaseEntity
|
||||
class User extends BaseDataTransferObject
|
||||
{
|
||||
/** @var int */
|
||||
protected $id;
|
||||
|
|
|
@ -33,6 +33,7 @@ use Friendica\Database\DBA;
|
|||
use Friendica\DI;
|
||||
use Friendica\Model\User;
|
||||
use Friendica\Network\HTTPException;
|
||||
use Friendica\Security\TwoFactor\Repository\TrustedBrowser;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Network;
|
||||
use Friendica\Util\Strings;
|
||||
|
@ -100,16 +101,13 @@ class Authentication
|
|||
*/
|
||||
public function withSession(App $a)
|
||||
{
|
||||
$data = $this->cookie->getData();
|
||||
|
||||
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
|
||||
if (isset($data->uid)) {
|
||||
|
||||
if ($this->cookie->get('uid')) {
|
||||
$user = $this->dba->selectFirst(
|
||||
'user',
|
||||
[],
|
||||
[
|
||||
'uid' => $data->uid,
|
||||
'uid' => $this->cookie->get('uid'),
|
||||
'blocked' => false,
|
||||
'account_expired' => false,
|
||||
'account_removed' => false,
|
||||
|
@ -117,24 +115,25 @@ class Authentication
|
|||
]
|
||||
);
|
||||
if ($this->dba->isResult($user)) {
|
||||
if (!$this->cookie->check($data->hash,
|
||||
if (!$this->cookie->comparePrivateDataHash($this->cookie->get('hash'),
|
||||
$user['password'] ?? '',
|
||||
$user['prvkey'] ?? '')) {
|
||||
$this->logger->notice("Hash doesn't fit.", ['user' => $data->uid]);
|
||||
$user['prvkey'] ?? '')
|
||||
) {
|
||||
$this->logger->notice("Hash doesn't fit.", ['user' => $this->cookie->get('uid')]);
|
||||
$this->session->clear();
|
||||
$this->cookie->clear();
|
||||
$this->baseUrl->redirect();
|
||||
}
|
||||
|
||||
// Renew the cookie
|
||||
$this->cookie->set($user['uid'], $user['password'], $user['prvkey']);
|
||||
$this->cookie->send();
|
||||
|
||||
// Do the authentification if not done by now
|
||||
if (!$this->session->get('authenticated')) {
|
||||
$this->setForUser($a, $user);
|
||||
|
||||
if ($this->config->get('system', 'paranoia')) {
|
||||
$this->session->set('addr', $data->ip);
|
||||
$this->session->set('addr', $this->cookie->get('ip'));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -377,12 +376,15 @@ class Authentication
|
|||
*/
|
||||
if ($this->session->get('remember')) {
|
||||
$this->logger->info('Injecting cookie for remembered user ' . $user_record['nickname']);
|
||||
$this->cookie->set($user_record['uid'], $user_record['password'], $user_record['prvkey']);
|
||||
$this->cookie->setMultiple([
|
||||
'uid' => $user_record['uid'],
|
||||
'hash' => $this->cookie->hashPrivateData($user_record['password'], $user_record['prvkey']),
|
||||
]);
|
||||
$this->session->remove('remember');
|
||||
}
|
||||
}
|
||||
|
||||
$this->twoFactorCheck($user_record['uid'], $a);
|
||||
$this->redirectForTwoFactorAuthentication($user_record['uid'], $a);
|
||||
|
||||
if ($interactive) {
|
||||
if ($user_record['login_date'] <= DBA::NULL_DATETIME) {
|
||||
|
@ -404,28 +406,59 @@ class Authentication
|
|||
}
|
||||
|
||||
/**
|
||||
* Decides whether to redirect the user to two-factor authentication.
|
||||
* All return calls in this method skip two-factor authentication
|
||||
*
|
||||
* @param int $uid The User Identified
|
||||
* @param App $a The Friendica Application context
|
||||
*
|
||||
* @throws HTTPException\ForbiddenException In case the two factor authentication is forbidden (e.g. for AJAX calls)
|
||||
* @throws HTTPException\InternalServerErrorException
|
||||
*/
|
||||
private function twoFactorCheck(int $uid, App $a)
|
||||
private function redirectForTwoFactorAuthentication(int $uid, App $a)
|
||||
{
|
||||
// Check user setting, if 2FA disabled return
|
||||
if (!$this->pConfig->get($uid, '2fa', 'verified')) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Check current path, if 2fa authentication module return
|
||||
// Check current path, if public or 2fa module return
|
||||
if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Case 1: 2FA session present and valid: return
|
||||
// Case 1a: 2FA session already present: return
|
||||
if ($this->session->get('2fa')) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Case 1b: Check for trusted browser
|
||||
if ($this->cookie->get('trusted')) {
|
||||
// Retrieve a trusted_browser model based on cookie hash
|
||||
$trustedBrowserRepository = new TrustedBrowser($this->dba, $this->logger);
|
||||
try {
|
||||
$trustedBrowser = $trustedBrowserRepository->selectOneByHash($this->cookie->get('trusted'));
|
||||
// Verify record ownership
|
||||
if ($trustedBrowser->uid === $uid) {
|
||||
// Update last_used date
|
||||
$trustedBrowser->recordUse();
|
||||
|
||||
// Save it to the database
|
||||
$trustedBrowserRepository->save($trustedBrowser);
|
||||
|
||||
// Set 2fa session key and return
|
||||
$this->session->set('2fa', true);
|
||||
|
||||
return;
|
||||
} else {
|
||||
// Invalid trusted cookie value, removing it
|
||||
$this->cookie->unset('trusted');
|
||||
}
|
||||
} catch (\Throwable $e) {
|
||||
// Local trusted browser record was probably removed by the user, we carry on with 2FA
|
||||
}
|
||||
}
|
||||
|
||||
// Case 2: No valid 2FA session: redirect to code verification page
|
||||
if ($this->mode->isAjax()) {
|
||||
throw new HTTPException\ForbiddenException();
|
||||
|
|
10
src/Security/TwoFactor/Collection/TrustedBrowsers.php
Normal file
10
src/Security/TwoFactor/Collection/TrustedBrowsers.php
Normal file
|
@ -0,0 +1,10 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Security\TwoFactor\Collection;
|
||||
|
||||
use Friendica\BaseCollection;
|
||||
|
||||
class TrustedBrowsers extends BaseCollection
|
||||
{
|
||||
|
||||
}
|
33
src/Security/TwoFactor/Factory/TrustedBrowser.php
Normal file
33
src/Security/TwoFactor/Factory/TrustedBrowser.php
Normal file
|
@ -0,0 +1,33 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Security\TwoFactor\Factory;
|
||||
|
||||
use Friendica\BaseFactory;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Strings;
|
||||
|
||||
class TrustedBrowser extends BaseFactory
|
||||
{
|
||||
public function createForUserWithUserAgent($uid, $userAgent): \Friendica\Security\TwoFactor\Model\TrustedBrowser
|
||||
{
|
||||
$trustedHash = Strings::getRandomHex();
|
||||
|
||||
return new \Friendica\Security\TwoFactor\Model\TrustedBrowser(
|
||||
$trustedHash,
|
||||
$uid,
|
||||
$userAgent,
|
||||
DateTimeFormat::utcNow()
|
||||
);
|
||||
}
|
||||
|
||||
public function createFromTableRow(array $row): \Friendica\Security\TwoFactor\Model\TrustedBrowser
|
||||
{
|
||||
return new \Friendica\Security\TwoFactor\Model\TrustedBrowser(
|
||||
$row['cookie_hash'],
|
||||
$row['uid'],
|
||||
$row['user_agent'],
|
||||
$row['created'],
|
||||
$row['last_used']
|
||||
);
|
||||
}
|
||||
}
|
|
@ -19,7 +19,7 @@
|
|||
*
|
||||
*/
|
||||
|
||||
namespace Friendica\Model\TwoFactor;
|
||||
namespace Friendica\Security\TwoFactor\Model;
|
||||
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\Model\User;
|
|
@ -19,7 +19,7 @@
|
|||
*
|
||||
*/
|
||||
|
||||
namespace Friendica\Model\TwoFactor;
|
||||
namespace Friendica\Security\TwoFactor\Model;
|
||||
|
||||
use Friendica\Database\DBA;
|
||||
use Friendica\Util\DateTimeFormat;
|
51
src/Security/TwoFactor/Model/TrustedBrowser.php
Normal file
51
src/Security/TwoFactor/Model/TrustedBrowser.php
Normal file
|
@ -0,0 +1,51 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Security\TwoFactor\Model;
|
||||
|
||||
use Friendica\BaseEntity;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
|
||||
/**
|
||||
* Class TrustedBrowser
|
||||
*
|
||||
*
|
||||
* @property-read $cookie_hash
|
||||
* @property-read $uid
|
||||
* @property-read $user_agent
|
||||
* @property-read $created
|
||||
* @property-read $last_used
|
||||
* @package Friendica\Model\TwoFactor
|
||||
*/
|
||||
class TrustedBrowser extends BaseEntity
|
||||
{
|
||||
protected $cookie_hash;
|
||||
protected $uid;
|
||||
protected $user_agent;
|
||||
protected $created;
|
||||
protected $last_used;
|
||||
|
||||
/**
|
||||
* Please do not use this constructor directly, instead use one of the method of the TrustedBroser factory.
|
||||
*
|
||||
* @see \Friendica\Security\TwoFactor\Factory\TrustedBrowser
|
||||
*
|
||||
* @param string $cookie_hash
|
||||
* @param int $uid
|
||||
* @param string $user_agent
|
||||
* @param string $created
|
||||
* @param string|null $last_used
|
||||
*/
|
||||
public function __construct(string $cookie_hash, int $uid, string $user_agent, string $created, string $last_used = null)
|
||||
{
|
||||
$this->cookie_hash = $cookie_hash;
|
||||
$this->uid = $uid;
|
||||
$this->user_agent = $user_agent;
|
||||
$this->created = $created;
|
||||
$this->last_used = $last_used;
|
||||
}
|
||||
|
||||
public function recordUse()
|
||||
{
|
||||
$this->last_used = DateTimeFormat::utcNow();
|
||||
}
|
||||
}
|
98
src/Security/TwoFactor/Repository/TrustedBrowser.php
Normal file
98
src/Security/TwoFactor/Repository/TrustedBrowser.php
Normal file
|
@ -0,0 +1,98 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Security\TwoFactor\Repository;
|
||||
|
||||
use Friendica\Security\TwoFactor\Model;
|
||||
use Friendica\Security\TwoFactor\Collection\TrustedBrowsers;
|
||||
use Friendica\Database\Database;
|
||||
use Friendica\Network\HTTPException\NotFoundException;
|
||||
use Psr\Log\LoggerInterface;
|
||||
|
||||
class TrustedBrowser
|
||||
{
|
||||
/** @var Database */
|
||||
protected $db;
|
||||
|
||||
/** @var LoggerInterface */
|
||||
protected $logger;
|
||||
|
||||
/** @var \Friendica\Security\TwoFactor\Factory\TrustedBrowser */
|
||||
protected $factory;
|
||||
|
||||
protected static $table_name = '2fa_trusted_browser';
|
||||
|
||||
public function __construct(Database $database, LoggerInterface $logger, \Friendica\Security\TwoFactor\Factory\TrustedBrowser $factory = null)
|
||||
{
|
||||
$this->db = $database;
|
||||
$this->logger = $logger;
|
||||
$this->factory = $factory ?? new \Friendica\Security\TwoFactor\Factory\TrustedBrowser($logger);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $cookie_hash
|
||||
* @return Model\TrustedBrowser|null
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function selectOneByHash(string $cookie_hash): Model\TrustedBrowser
|
||||
{
|
||||
$fields = $this->db->selectFirst(self::$table_name, [], ['cookie_hash' => $cookie_hash]);
|
||||
if (!$this->db->isResult($fields)) {
|
||||
throw new NotFoundException('');
|
||||
}
|
||||
|
||||
return $this->factory->createFromTableRow($fields);
|
||||
}
|
||||
|
||||
public function selectAllByUid(int $uid): TrustedBrowsers
|
||||
{
|
||||
$rows = $this->db->selectToArray(self::$table_name, [], ['uid' => $uid]);
|
||||
|
||||
$trustedBrowsers = [];
|
||||
foreach ($rows as $fields) {
|
||||
$trustedBrowsers[] = $this->factory->createFromTableRow($fields);
|
||||
}
|
||||
|
||||
return new TrustedBrowsers($trustedBrowsers);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Model\TrustedBrowser $trustedBrowser
|
||||
* @return bool
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function save(Model\TrustedBrowser $trustedBrowser): bool
|
||||
{
|
||||
return $this->db->insert(self::$table_name, $trustedBrowser->toArray(), $this->db::INSERT_UPDATE);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Model\TrustedBrowser $trustedBrowser
|
||||
* @return bool
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function remove(Model\TrustedBrowser $trustedBrowser): bool
|
||||
{
|
||||
return $this->db->delete(self::$table_name, ['cookie_hash' => $trustedBrowser->cookie_hash]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param int $local_user
|
||||
* @param string $cookie_hash
|
||||
* @return bool
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function removeForUser(int $local_user, string $cookie_hash): bool
|
||||
{
|
||||
return $this->db->delete(self::$table_name, ['cookie_hash' => $cookie_hash,'uid' => $local_user]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param int $local_user
|
||||
* @return bool
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function removeAllForUser(int $local_user): bool
|
||||
{
|
||||
return $this->db->delete(self::$table_name, ['uid' => $local_user]);
|
||||
}
|
||||
}
|
|
@ -348,6 +348,20 @@ return [
|
|||
"PRIMARY" => ["uid", "code"]
|
||||
]
|
||||
],
|
||||
"2fa_trusted_browser" => [
|
||||
"comment" => "Two-factor authentication trusted browsers",
|
||||
"fields" => [
|
||||
"cookie_hash" => ["type" => "varchar(80)", "not null" => "1", "primary" => "1", "comment" => "Trusted cookie hash"],
|
||||
"uid" => ["type" => "mediumint unsigned", "not null" => "1", "foreign" => ["user" => "uid"], "comment" => "User ID"],
|
||||
"user_agent" => ["type" => "text", "comment" => "User agent string"],
|
||||
"created" => ["type" => "datetime", "not null" => "1", "comment" => "Datetime the trusted browser was recorded"],
|
||||
"last_used" => ["type" => "datetime", "comment" => "Datetime the trusted browser was last used"],
|
||||
],
|
||||
"indexes" => [
|
||||
"PRIMARY" => ["cookie_hash"],
|
||||
"uid" => ["uid"],
|
||||
]
|
||||
],
|
||||
"addon" => [
|
||||
"comment" => "registered addons",
|
||||
"fields" => [
|
||||
|
|
|
@ -386,6 +386,7 @@ return [
|
|||
'/recovery' => [Module\Settings\TwoFactor\Recovery::class, [R::GET, R::POST]],
|
||||
'/app_specific' => [Module\Settings\TwoFactor\AppSpecific::class, [R::GET, R::POST]],
|
||||
'/verify' => [Module\Settings\TwoFactor\Verify::class, [R::GET, R::POST]],
|
||||
'/trusted' => [Module\Settings\TwoFactor\Trusted::class, [R::GET, R::POST]],
|
||||
],
|
||||
'/delegation[/{action}/{user_id}]' => [Module\Settings\Delegation::class, [R::GET, R::POST]],
|
||||
'/display' => [Module\Settings\Display::class, [R::GET, R::POST]],
|
||||
|
|
|
@ -35,22 +35,24 @@ class StaticCookie extends Cookie
|
|||
|
||||
/**
|
||||
* Send a cookie - protected, internal function for test-mocking possibility
|
||||
* @see Cookie::setCookie()
|
||||
*
|
||||
* @link https://php.net/manual/en/function.setcookie.php
|
||||
*
|
||||
* @param string $name
|
||||
* @param string $value [optional]
|
||||
* @param int $expire [optional]
|
||||
* @param bool $secure [optional]
|
||||
* @return bool
|
||||
*
|
||||
* @noinspection PhpMissingParentCallCommonInspection
|
||||
*
|
||||
* @link https://php.net/manual/en/function.setcookie.php
|
||||
*
|
||||
* @see Cookie::setCookie()
|
||||
*/
|
||||
protected function setCookie(string $name, string $value = null, int $expire = null, bool $secure = null)
|
||||
protected function setCookie(string $value = null, int $expire = null, bool $secure = null): bool
|
||||
{
|
||||
self::$_COOKIE[$name] = $value;
|
||||
self::$_COOKIE[self::NAME] = $value;
|
||||
self::$_EXPIRE = $expire;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public static function clearStatic()
|
||||
|
|
|
@ -128,30 +128,20 @@ class CookieTest extends MockedTest
|
|||
$cookie = new Cookie($this->config, $this->baseUrl, [], $cookieData);
|
||||
self::assertInstanceOf(Cookie::class, $cookie);
|
||||
|
||||
$assertData = $cookie->getData();
|
||||
|
||||
if (!$hasValues) {
|
||||
self::assertEmpty($assertData);
|
||||
if (isset($uid)) {
|
||||
self::assertEquals($uid, $cookie->get('uid'));
|
||||
} else {
|
||||
self::assertNotEmpty($assertData);
|
||||
if (isset($uid)) {
|
||||
self::assertObjectHasAttribute('uid', $assertData);
|
||||
self::assertEquals($uid, $assertData->uid);
|
||||
} else {
|
||||
self::assertObjectNotHasAttribute('uid', $assertData);
|
||||
}
|
||||
if (isset($hash)) {
|
||||
self::assertObjectHasAttribute('hash', $assertData);
|
||||
self::assertEquals($hash, $assertData->hash);
|
||||
} else {
|
||||
self::assertObjectNotHasAttribute('hash', $assertData);
|
||||
}
|
||||
if (isset($ip)) {
|
||||
self::assertObjectHasAttribute('ip', $assertData);
|
||||
self::assertEquals($ip, $assertData->ip);
|
||||
} else {
|
||||
self::assertObjectNotHasAttribute('ip', $assertData);
|
||||
}
|
||||
self::assertNull($cookie->get('uid'));
|
||||
}
|
||||
if (isset($hash)) {
|
||||
self::assertEquals($hash, $cookie->get('hash'));
|
||||
} else {
|
||||
self::assertNull($cookie->get('hash'));
|
||||
}
|
||||
if (isset($ip)) {
|
||||
self::assertEquals($ip, $cookie->get('ip'));
|
||||
} else {
|
||||
self::assertNull($cookie->get('ip'));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -196,7 +186,7 @@ class CookieTest extends MockedTest
|
|||
$cookie = new Cookie($this->config, $this->baseUrl);
|
||||
self::assertInstanceOf(Cookie::class, $cookie);
|
||||
|
||||
self::assertEquals($assertTrue, $cookie->check($assertHash, $password, $userPrivateKey));
|
||||
self::assertEquals($assertTrue, $cookie->comparePrivateDataHash($assertHash, $password, $userPrivateKey));
|
||||
}
|
||||
|
||||
public function dataSet()
|
||||
|
@ -210,7 +200,6 @@ class CookieTest extends MockedTest
|
|||
'assertHash' => 'b657a15cfe7ed1f7289c9aa51af14a9a26c966f4ddd74e495fba103d8e872a39',
|
||||
'remoteIp' => '0.0.0.0',
|
||||
'serverArray' => [],
|
||||
'lifetime' => null,
|
||||
],
|
||||
'withServerArray' => [
|
||||
'serverKey' => 23,
|
||||
|
@ -220,32 +209,11 @@ class CookieTest extends MockedTest
|
|||
'assertHash' => 'b657a15cfe7ed1f7289c9aa51af14a9a26c966f4ddd74e495fba103d8e872a39',
|
||||
'remoteIp' => '1.2.3.4',
|
||||
'serverArray' => ['REMOTE_ADDR' => '1.2.3.4',],
|
||||
'lifetime' => null,
|
||||
],
|
||||
'withLifetime0' => [
|
||||
'serverKey' => 23,
|
||||
'uid' => 0,
|
||||
'password' => '234',
|
||||
'privateKey' => '124',
|
||||
'assertHash' => 'b657a15cfe7ed1f7289c9aa51af14a9a26c966f4ddd74e495fba103d8e872a39',
|
||||
'remoteIp' => '1.2.3.4',
|
||||
'serverArray' => ['REMOTE_ADDR' => '1.2.3.4',],
|
||||
'lifetime' => 0,
|
||||
],
|
||||
'withLifetime' => [
|
||||
'serverKey' => 23,
|
||||
'uid' => 0,
|
||||
'password' => '234',
|
||||
'privateKey' => '124',
|
||||
'assertHash' => 'b657a15cfe7ed1f7289c9aa51af14a9a26c966f4ddd74e495fba103d8e872a39',
|
||||
'remoteIp' => '1.2.3.4',
|
||||
'serverArray' => ['REMOTE_ADDR' => '1.2.3.4',],
|
||||
'lifetime' => 2 * 24 * 60 * 60,
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
public function assertCookie($uid, $hash, $remoteIp, $lifetime)
|
||||
public function assertCookie($uid, $hash, $remoteIp)
|
||||
{
|
||||
self::assertArrayHasKey(Cookie::NAME, StaticCookie::$_COOKIE);
|
||||
|
||||
|
@ -258,11 +226,7 @@ class CookieTest extends MockedTest
|
|||
self::assertObjectHasAttribute('ip', $data);
|
||||
self::assertEquals($remoteIp, $data->ip);
|
||||
|
||||
if (isset($lifetime) && $lifetime !== 0) {
|
||||
self::assertLessThanOrEqual(time() + $lifetime, StaticCookie::$_EXPIRE);
|
||||
} else {
|
||||
self::assertLessThanOrEqual(time() + Cookie::DEFAULT_EXPIRE * 24 * 60 * 60, StaticCookie::$_EXPIRE);
|
||||
}
|
||||
self::assertLessThanOrEqual(time() + Cookie::DEFAULT_EXPIRE * 24 * 60 * 60, StaticCookie::$_EXPIRE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -270,7 +234,7 @@ class CookieTest extends MockedTest
|
|||
*
|
||||
* @dataProvider dataSet
|
||||
*/
|
||||
public function testSet($serverKey, $uid, $password, $privateKey, $assertHash, $remoteIp, $serverArray, $lifetime)
|
||||
public function testSet($serverKey, $uid, $password, $privateKey, $assertHash, $remoteIp, $serverArray)
|
||||
{
|
||||
$this->baseUrl->shouldReceive('getSSLPolicy')->andReturn(true)->once();
|
||||
$this->config->shouldReceive('get')->with('system', 'site_prvkey')->andReturn($serverKey)->once();
|
||||
|
@ -279,17 +243,20 @@ class CookieTest extends MockedTest
|
|||
$cookie = new StaticCookie($this->config, $this->baseUrl, $serverArray);
|
||||
self::assertInstanceOf(Cookie::class, $cookie);
|
||||
|
||||
$cookie->set($uid, $password, $privateKey, $lifetime);
|
||||
$cookie->setMultiple([
|
||||
'uid' => $uid,
|
||||
'hash' => $assertHash,
|
||||
]);
|
||||
|
||||
self::assertCookie($uid, $assertHash, $remoteIp, $lifetime);
|
||||
self::assertCookie($uid, $assertHash, $remoteIp);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test two different set() of the cookie class (first set is invalid)
|
||||
* Test the set() method of the cookie class
|
||||
*
|
||||
* @dataProvider dataSet
|
||||
*/
|
||||
public function testDoubleSet($serverKey, $uid, $password, $privateKey, $assertHash, $remoteIp, $serverArray, $lifetime)
|
||||
public function testDoubleSet($serverKey, $uid, $password, $privateKey, $assertHash, $remoteIp, $serverArray)
|
||||
{
|
||||
$this->baseUrl->shouldReceive('getSSLPolicy')->andReturn(true)->once();
|
||||
$this->config->shouldReceive('get')->with('system', 'site_prvkey')->andReturn($serverKey)->once();
|
||||
|
@ -298,12 +265,10 @@ class CookieTest extends MockedTest
|
|||
$cookie = new StaticCookie($this->config, $this->baseUrl, $serverArray);
|
||||
self::assertInstanceOf(Cookie::class, $cookie);
|
||||
|
||||
// Invalid set, should get overwritten
|
||||
$cookie->set(-1, 'invalid', 'nothing', -234);
|
||||
$cookie->set('uid', $uid);
|
||||
$cookie->set('hash', $assertHash);
|
||||
|
||||
$cookie->set($uid, $password, $privateKey, $lifetime);
|
||||
|
||||
self::assertCookie($uid, $assertHash, $remoteIp, $lifetime);
|
||||
self::assertCookie($uid, $assertHash, $remoteIp);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
62
tests/src/Security/TwoFactor/Factory/TrustedBrowserTest.php
Normal file
62
tests/src/Security/TwoFactor/Factory/TrustedBrowserTest.php
Normal file
|
@ -0,0 +1,62 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Test\src\Security\TwoFactor\Factory;
|
||||
|
||||
use Friendica\Security\TwoFactor\Factory\TrustedBrowser;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Logger\VoidLogger;
|
||||
use Friendica\Util\Strings;
|
||||
|
||||
class TrustedBrowserTest extends \PHPUnit_Framework_TestCase
|
||||
{
|
||||
public function testCreateFromTableRowSuccess()
|
||||
{
|
||||
$factory = new TrustedBrowser(new VoidLogger());
|
||||
|
||||
$row = [
|
||||
'cookie_hash' => Strings::getRandomHex(),
|
||||
'uid' => 42,
|
||||
'user_agent' => 'PHPUnit',
|
||||
'created' => DateTimeFormat::utcNow(),
|
||||
'last_used' => null,
|
||||
];
|
||||
|
||||
$trustedBrowser = $factory->createFromTableRow($row);
|
||||
|
||||
$this->assertEquals($row, $trustedBrowser->toArray());
|
||||
}
|
||||
|
||||
public function testCreateFromTableRowMissingData()
|
||||
{
|
||||
$this->expectException(\TypeError::class);
|
||||
|
||||
$factory = new TrustedBrowser(new VoidLogger());
|
||||
|
||||
$row = [
|
||||
'cookie_hash' => null,
|
||||
'uid' => null,
|
||||
'user_agent' => null,
|
||||
'created' => null,
|
||||
'last_used' => null,
|
||||
];
|
||||
|
||||
$trustedBrowser = $factory->createFromTableRow($row);
|
||||
|
||||
$this->assertEquals($row, $trustedBrowser->toArray());
|
||||
}
|
||||
|
||||
public function testCreateForUserWithUserAgent()
|
||||
{
|
||||
$factory = new TrustedBrowser(new VoidLogger());
|
||||
|
||||
$uid = 42;
|
||||
$userAgent = 'PHPUnit';
|
||||
|
||||
$trustedBrowser = $factory->createForUserWithUserAgent($uid, $userAgent);
|
||||
|
||||
$this->assertNotEmpty($trustedBrowser->cookie_hash);
|
||||
$this->assertEquals($uid, $trustedBrowser->uid);
|
||||
$this->assertEquals($userAgent, $trustedBrowser->user_agent);
|
||||
$this->assertNotEmpty($trustedBrowser->created);
|
||||
}
|
||||
}
|
46
tests/src/Security/TwoFactor/Model/TrustedBrowserTest.php
Normal file
46
tests/src/Security/TwoFactor/Model/TrustedBrowserTest.php
Normal file
|
@ -0,0 +1,46 @@
|
|||
<?php
|
||||
|
||||
namespace Friendica\Test\src\Security\TwoFactor\Model;
|
||||
|
||||
use Friendica\Security\TwoFactor\Model\TrustedBrowser;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Strings;
|
||||
|
||||
class TrustedBrowserTest extends \PHPUnit_Framework_TestCase
|
||||
{
|
||||
public function test__construct()
|
||||
{
|
||||
$hash = Strings::getRandomHex();
|
||||
|
||||
$trustedBrowser = new TrustedBrowser(
|
||||
$hash,
|
||||
42,
|
||||
'PHPUnit',
|
||||
DateTimeFormat::utcNow()
|
||||
);
|
||||
|
||||
$this->assertEquals($hash, $trustedBrowser->cookie_hash);
|
||||
$this->assertEquals(42, $trustedBrowser->uid);
|
||||
$this->assertEquals('PHPUnit', $trustedBrowser->user_agent);
|
||||
$this->assertNotEmpty($trustedBrowser->created);
|
||||
}
|
||||
|
||||
public function testRecordUse()
|
||||
{
|
||||
$hash = Strings::getRandomHex();
|
||||
$past = DateTimeFormat::utc('now - 5 minutes');
|
||||
|
||||
$trustedBrowser = new TrustedBrowser(
|
||||
$hash,
|
||||
42,
|
||||
'PHPUnit',
|
||||
$past,
|
||||
$past
|
||||
);
|
||||
|
||||
$trustedBrowser->recordUse();
|
||||
|
||||
$this->assertEquals($past, $trustedBrowser->created);
|
||||
$this->assertGreaterThan($past, $trustedBrowser->last_used);
|
||||
}
|
||||
}
|
|
@ -30,6 +30,7 @@
|
|||
{{if $has_secret && $verified}}
|
||||
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="recovery">{{$recovery_codes_label}}</button></p>
|
||||
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="app_specific">{{$app_specific_passwords_label}}</button></p>
|
||||
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="trusted">{{$trusted_browsers_label}}</button></p>
|
||||
{{/if}}
|
||||
{{if $has_secret && !$verified}}
|
||||
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="configure">{{$configure_label}}</button></p>
|
||||
|
|
48
view/templates/settings/twofactor/trusted_browsers.tpl
Normal file
48
view/templates/settings/twofactor/trusted_browsers.tpl
Normal file
|
@ -0,0 +1,48 @@
|
|||
<div class="generic-page-wrapper">
|
||||
<h1>{{$title}} <a href="help/Two-Factor-Authentication" title="{{$help_label}}" class="btn btn-default btn-sm"><i aria-hidden="true" class="fa fa-question fa-2x"></i></a></h1>
|
||||
<div>{{$message nofilter}}</div>
|
||||
|
||||
<form action="settings/2fa/trusted?t={{$password_security_token}}" method="post">
|
||||
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
||||
<table class="trusted-passwords table table-hover table-condensed table-striped">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>{{$device_label}}</th>
|
||||
<th>{{$os_label}}</th>
|
||||
<th>{{$browser_label}}</th>
|
||||
<th>{{$created_label}}</th>
|
||||
<th>{{$last_used_label}}</th>
|
||||
<th><button type="submit" name="action" class="btn btn-primary btn-small" value="remove_all">{{$remove_all_label}}</button></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{{foreach $trusted_browsers as $trusted_browser}}
|
||||
<tr{{if $generated_trusted_browser && $trusted_browser.id == $generated_trusted_browser.id}} class="success"{{/if}}>
|
||||
<td>
|
||||
{{$trusted_browser.device}}
|
||||
</td>
|
||||
<td>
|
||||
{{$trusted_browser.os}}
|
||||
</td>
|
||||
<td>
|
||||
{{$trusted_browser.browser}}
|
||||
</td>
|
||||
<td>
|
||||
<span class="time" title="{{$trusted_browser.created}}" data-toggle="tooltip">
|
||||
<time datetime="{{$trusted_browser.created}}">{{$trusted_browser.created_ago}}</time>
|
||||
</span>
|
||||
</td>
|
||||
<td>
|
||||
<span class="time" title="{{$trusted_browser.last_used}}" data-toggle="tooltip">
|
||||
<time datetime="{{$trusted_browser.last_used}}">{{$trusted_browser.last_used_ago}}</time>
|
||||
</span>
|
||||
</td>
|
||||
<td>
|
||||
<button type="submit" name="remove_id" class="btn btn-default btn-small" value="{{$trusted_browser.cookie_hash}}">{{$remove_label}}</button>
|
||||
</td>
|
||||
</tr>
|
||||
{{/foreach}}
|
||||
</tbody>
|
||||
</table>
|
||||
</form>
|
||||
</div>
|
|
@ -18,6 +18,8 @@
|
|||
|
||||
{{include file="field_input.tpl" field=$verify_code}}
|
||||
|
||||
{{include file="field_checkbox.tpl" field=$trust_browser}}
|
||||
|
||||
<div class="form-group settings-submit-wrapper">
|
||||
<button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="verify">{{$verify_label}}</button>
|
||||
</div>
|
||||
|
|
Loading…
Reference in a new issue