Merge pull request #9823 from MrPetovan/task/9677-2fa-remember-device

Add "Remember this device" feature to two factor authentication

src/BaseDataTransferObject.php

@@ -0,0 +1,52 @@
+<?php
+/**
+ * @copyright Copyright (C) 2020, Friendica
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Friendica;
+
+/**
+ * These data transfer object classes are meant for API representations. As such, their members should be protected.
+ * Then the JsonSerializable interface ensures the protected members will be included in a JSON encode situation.
+ *
+ * Constructors are supposed to take as arguments the Friendica dependencies/model/collection/data it needs to
+ * populate the class members.
+ */
+abstract class BaseDataTransferObject implements \JsonSerializable
+{
+	/**
+	 * Returns the current entity as an json array
+	 *
+	 * @return array
+	 */
+	public function jsonSerialize(): array
+	{
+		return $this->toArray();
+	}
+
+	/**
+	 * Returns the current entity as an array
+	 *
+	 * @return array
+	 */
+	public function toArray(): array
+	{
+		return get_object_vars($this);
+	}
+}

src/BaseEntity.php

@@ -21,32 +21,36 @@
 
 namespace Friendica;
 
+use Friendica\Network\HTTPException;
+
 /**
- * The API entity classes are meant as data transfer objects. As such, their member should be protected.
- * Then the JsonSerializable interface ensures the protected members will be included in a JSON encode situation.
+ * The Entity classes directly inheriting from this abstract class are meant to represent a single business entity.
+ * Their properties may or may not correspond with the database fields of the table we use to represent it.
+ * Each model method must correspond to a business action being performed on this entity.
+ * Only these methods will be allowed to alter the model data.
  *
- * Constructors are supposed to take as arguments the Friendica dependencies/model/collection/data it needs to
- * populate the class members.
+ * To persist such a model, the associated Repository must be instantiated and the "save" method must be called
+ * and passed the entity as a parameter.
+ *
+ * Ideally, the constructor should only be called in the associated Factory which will instantiate entities depending
+ * on the provided data.
+ *
+ * Since these objects aren't meant to be using any dependency, including logging, unit tests can and must be
+ * written for each and all of their methods
  */
-abstract class BaseEntity implements \JsonSerializable
+abstract class BaseEntity extends BaseDataTransferObject
 {
 	/**
-	 * Returns the current entity as an json array
-	 *
-	 * @return array
+	 * @param string $name
+	 * @return mixed
+	 * @throws HTTPException\InternalServerErrorException
 	 */
-	public function jsonSerialize()
+	public function __get(string $name)
 	{
-		return $this->toArray();
-	}
+		if (!property_exists($this, $name)) {
+			throw new HTTPException\InternalServerErrorException('Unknown property ' . $name . ' in Entity ' . static::class);
+		}
 
-	/**
-	 * Returns the current entity as an array
-	 *
-	 * @return array
-	 */
-	public function toArray()
-	{
-		return get_object_vars($this);
+		return $this->$name;
 	}
 }

src/BaseModel.php

@@ -31,7 +31,7 @@ use Psr\Log\LoggerInterface;
  *
  * @property int id
  */
-abstract class BaseModel extends BaseEntity
+abstract class BaseModel extends BaseDataTransferObject
 {
 	/** @var Database */
 	protected $dba;
@@ -67,7 +67,7 @@ abstract class BaseModel extends BaseEntity
 		$this->originalData = $data;
 	}
 
-	public function getOriginalData()
+	public function getOriginalData(): array
 	{
 		return $this->originalData;
 	}
@@ -84,7 +84,7 @@ abstract class BaseModel extends BaseEntity
 	 * @param array     $data
 	 * @return BaseModel
 	 */
-	public static function createFromPrototype(BaseModel $prototype, array $data)
+	public static function createFromPrototype(BaseModel $prototype, array $data): BaseModel
 	{
 		$model = clone $prototype;
 		$model->data = $data;
@@ -100,7 +100,7 @@ abstract class BaseModel extends BaseEntity
 	 * @param $name
 	 * @return bool
 	 */
-	public function __isset($name)
+	public function __isset($name): bool
 	{
 		return in_array($name, array_merge(array_keys($this->data), array_keys(get_object_vars($this))));
 	}
@@ -126,15 +126,19 @@ abstract class BaseModel extends BaseEntity
 	}
 
 	/**
+	 * * Magic setter. This allows to set model fields with the following syntax:
+	 * - $model->field = $value (outside of class)
+	 * - $this->field = $value (inside of class)
+	 *
 	 * @param string $name
-	 * @param mixed $value
+	 * @param mixed  $value
 	 */
-	public function __set($name, $value)
+	public function __set(string $name, $value)
 	{
 		$this->data[$name] = $value;
 	}
 
-	public function toArray()
+	public function toArray(): array
 	{
 		return $this->data;
 	}

src/Model/User.php

@@ -34,7 +34,7 @@ use Friendica\Core\System;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\AppSpecificPassword;
+use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
 use Friendica\Network\HTTPException;
 use Friendica\Object\Image;
 use Friendica\Util\Crypto;

src/Model/User/Cookie.php

@@ -41,126 +41,118 @@ class Cookie
 	const HTTPONLY = true;
 
 	/** @var string The remote address of this node */
-	private $remoteAddr = '0.0.0.0';
+	private $remoteAddr;
 	/** @var bool True, if the connection is ssl enabled */
-	private $sslEnabled = false;
+	private $sslEnabled;
 	/** @var string The private key of this Friendica node */
 	private $sitePrivateKey;
 	/** @var int The default cookie lifetime */
-	private $lifetime = self::DEFAULT_EXPIRE * 24 * 60 * 60;
-	/** @var array The $_COOKIE array */
-	private $cookie;
+	private $lifetime;
+	/** @var array The Friendica cookie data array */
+	private $data;
 
-	public function __construct(IConfig $config, App\BaseURL $baseURL, array $server = [], array $cookie = [])
+	/**
+	 * @param IConfig     $config
+	 * @param App\BaseURL $baseURL
+	 * @param array       $SERVER The $_SERVER array
+	 * @param array       $COOKIE The $_COOKIE array
+	 */
+	public function __construct(IConfig $config, App\BaseURL $baseURL, array $SERVER = [], array $COOKIE = [])
 	{
-		if (!empty($server['REMOTE_ADDR'])) {
-			$this->remoteAddr = $server['REMOTE_ADDR'];
-		}
-
 		$this->sslEnabled     = $baseURL->getSSLPolicy() === App\BaseURL::SSL_POLICY_FULL;
 		$this->sitePrivateKey = $config->get('system', 'site_prvkey');
 
 		$authCookieDays = $config->get('system', 'auth_cookie_lifetime',
 			self::DEFAULT_EXPIRE);
 		$this->lifetime = $authCookieDays * 24 * 60 * 60;
-		$this->cookie   = $cookie;
+
+		$this->remoteAddr = ($SERVER['REMOTE_ADDR'] ?? null) ?: '0.0.0.0';
+
+		$this->data = json_decode($COOKIE[self::NAME] ?? '[]', true) ?: [];
 	}
 
 	/**
-	 * Checks if the Friendica cookie is set for a user
-	 *
-	 * @param string $hash       The cookie hash
-	 * @param string $password   The user password
-	 * @param string $privateKey The private Key of the user
-	 *
-	 * @return boolean True, if the cookie is set
+	 * Returns the value for a key of the Friendica cookie
 	 *
+	 * @param string $key
+	 * @param mixed  $default
+	 * @return mixed|null The value for the provided cookie key
 	 */
-	public function check(string $hash, string $password, string $privateKey)
+	public function get(string $key, $default = null)
 	{
-		return hash_equals(
-			$this->getHash($password, $privateKey),
-			$hash
-		);
+		return $this->data[$key] ?? $default;
 	}
 
 	/**
-	 * Set the Friendica cookie for a user
+	 * Set a single cookie key value.
+	 * Overwrites an existing value with the same key.
 	 *
-	 * @param int      $uid        The user id
-	 * @param string   $password   The user password
-	 * @param string   $privateKey The user private key
-	 * @param int|null $seconds    optional the seconds
+	 * @param $key
+	 * @param $value
+	 * @return bool
+	 */
+	public function set($key, $value): bool
+	{
+		return $this->setMultiple([$key => $value]);
+	}
+
+	/**
+	 * Sets multiple cookie key values.
+	 * Overwrites existing values with the same key.
+	 *
+	 * @param array $values
+	 * @return bool
+	 */
+	public function setMultiple(array $values): bool
+	{
+		$this->data = $values + $this->data;
+
+		return $this->send();
+	}
+
+	/**
+	 * Remove a cookie key
+	 *
+	 * @param string $key
+	 */
+	public function unset(string $key)
+	{
+		if (isset($this->data[$key])) {
+			unset($this->data[$key]);
+
+			$this->send();
+		}
+	}
+
+	/**
+	 * Clears the Friendica cookie
+	 */
+	public function clear(): bool
+	{
+		$this->data = [];
+		// make sure cookie is deleted on browser close, as a security measure
+		return $this->setCookie( '', -3600, $this->sslEnabled);
+	}
+
+	/**
+	 * Send the cookie, should be called every time $this->data is changed or to refresh the cookie.
 	 *
 	 * @return bool
 	 */
-	public function set(int $uid, string $password, string $privateKey, int $seconds = null)
+	public function send(): bool
 	{
-		if (!isset($seconds)) {
-			$seconds = $this->lifetime + time();
-		} elseif (isset($seconds) && $seconds != 0) {
-			$seconds = $seconds + time();
-		}
-
-		$value = json_encode([
-			'uid'  => $uid,
-			'hash' => $this->getHash($password, $privateKey),
-			'ip'   => $this->remoteAddr,
-		]);
-
-		return $this->setCookie(self::NAME, $value, $seconds, $this->sslEnabled);
-	}
-
-	/**
-	 * Returns the data of the Friendicas user cookie
-	 *
-	 * @return mixed|null The JSON data, null if not set
-	 */
-	public function getData()
-	{
-		// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
-		if (isset($this->cookie[self::NAME])) {
-			$data = json_decode($this->cookie[self::NAME]);
-			if (!empty($data)) {
-				return $data;
-			}
-		}
-
-		return null;
-	}
-
-	/**
-	 * Clears the Friendica cookie of this user after leaving the page
-	 */
-	public function clear()
-	{
-		// make sure cookie is deleted on browser close, as a security measure
-		return $this->setCookie(self::NAME, '', -3600, $this->sslEnabled);
-	}
-
-	/**
-	 * Calculate the hash that is needed for the Friendica cookie
-	 *
-	 * @param string $password   The user password
-	 * @param string $privateKey The private key of the user
-	 *
-	 * @return string Hashed data
-	 */
-	private function getHash(string $password, string $privateKey)
-	{
-		return hash_hmac(
-			'sha256',
-			hash_hmac('sha256', $password, $privateKey),
-			$this->sitePrivateKey
+		return $this->setCookie(
+			json_encode(['ip' => $this->remoteAddr] + $this->data),
+			$this->lifetime + time(),
+			$this->sslEnabled
 		);
 	}
 
 	/**
-	 * Send a cookie - protected, internal function for test-mocking possibility
+	 * setcookie() wrapper: protected, internal function for test-mocking possibility
 	 *
 	 * @link  https://php.net/manual/en/function.setcookie.php
 	 *
-	 * @param string $name
 	 * @param string $value  [optional]
 	 * @param int    $expire [optional]
 	 * @param bool   $secure [optional]
@@ -168,9 +160,43 @@ class Cookie
 	 * @return bool If output exists prior to calling this function,
 	 *
 	 */
-	protected function setCookie(string $name, string $value = null, int $expire = null,
-	                             bool $secure = null)
+	protected function setCookie(string $value = null, int $expire = null,
+	                             bool $secure = null): bool
 	{
-		return setcookie($name, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
+		return setcookie(self::NAME, $value, $expire, self::PATH, self::DOMAIN, $secure, self::HTTPONLY);
+	}
+
+	/**
+	 * Calculate a hash of a user's private data for storage in the cookie.
+	 * Hashed twice, with the user's own private key first, then the node's private key second.
+	 *
+	 * @param string $privateData User private data
+	 * @param string $privateKey  User private key
+	 *
+	 * @return string Hashed data
+	 */
+	public function hashPrivateData(string $privateData, string $privateKey): string
+	{
+		return hash_hmac(
+			'sha256',
+			hash_hmac('sha256', $privateData, $privateKey),
+			$this->sitePrivateKey
+		);
+	}
+
+	/**
+	 * @param string $hash        Hash from a cookie key value
+	 * @param string $privateData User private data
+	 * @param string $privateKey  User private key
+	 *
+	 * @return boolean
+	 *
+	 */
+	public function comparePrivateDataHash(string $hash, string $privateData, string $privateKey): bool
+	{
+		return hash_equals(
+			$this->hashPrivateData($privateData, $privateKey),
+			$hash
+		);
 	}
 }

src/Module/Security/Logout.php

@@ -26,6 +26,7 @@ use Friendica\Core\Hook;
 use Friendica\Core\System;
 use Friendica\DI;
 use Friendica\Model\Profile;
+use Friendica\Security\TwoFactor;
 
 /**
  * Logout module
@@ -44,6 +45,13 @@ class Logout extends BaseModule
 		}
 
 		Hook::callAll("logging_out");
+
+		// Remove this trusted browser as it won't be able to be used ever again after the cookie is cleared
+		if (DI::cookie()->get('trusted')) {
+			$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+			$trustedBrowserRepository->removeForUser(local_user(), DI::cookie()->get('trusted'));
+		}
+
 		DI::cookie()->clear();
 		DI::session()->clear();
 

src/Module/Security/TwoFactor/Recovery.php

@@ -25,7 +25,7 @@ use Friendica\BaseModule;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 
 /**
  * // Page 1a: Recovery code verification

src/Module/Security/TwoFactor/Verify.php

@@ -26,6 +26,7 @@ use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
 use PragmaRX\Google2FA\Google2FA;
+use Friendica\Security\TwoFactor;
 
 /**
  * Page 1: Authenticator code verification
@@ -55,6 +56,19 @@ class Verify extends BaseModule
 			if ($valid && Session::get('2fa') !== $code) {
 				Session::set('2fa', $code);
 
+				// Trust this browser feature
+				if (!empty($_REQUEST['trust_browser'])) {
+					$trustedBrowserFactory = new TwoFactor\Factory\TrustedBrowser(DI::logger());
+					$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger(), $trustedBrowserFactory);
+
+					$trustedBrowser = $trustedBrowserFactory->createForUserWithUserAgent(local_user(), $_SERVER['HTTP_USER_AGENT']);
+
+					$trustedBrowserRepository->save($trustedBrowser);
+
+					// The string is sent to the browser to be sent back with each request
+					DI::cookie()->set('trusted', $trustedBrowser->cookie_hash);
+				}
+
 				// Resume normal login workflow
 				DI::auth()->setForUser($a, $a->user, true, true);
 			} else {
@@ -83,6 +97,7 @@ class Verify extends BaseModule
 			'$errors'           => self::$errors,
 			'$recovery_message' => DI::l10n()->t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
 			'$verify_code'      => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
+			'$trust_browser'    => ['trust_browser', DI::l10n()->t('This is my two-factor authenticator app device'), !empty($_REQUEST['trust_browser'])],
 			'$verify_label'     => DI::l10n()->t('Verify code and complete login'),
 		]);
 	}

src/Module/Settings/TwoFactor/AppSpecific.php

@@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
 
 use Friendica\Core\Renderer;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\AppSpecificPassword;
+use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
 

src/Module/Settings/TwoFactor/Index.php

@@ -24,8 +24,8 @@ namespace Friendica\Module\Settings\TwoFactor;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\AppSpecificPassword;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\AppSpecificPassword;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 use Friendica\Model\User;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
@@ -78,6 +78,11 @@ class Index extends BaseSettings
 						DI::baseUrl()->redirect('settings/2fa/app_specific?t=' . self::getFormSecurityToken('settings_2fa_password'));
 					}
 					break;
+				case 'trusted':
+					if ($has_secret) {
+						DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					}
+					break;
 				case 'configure':
 					if (!$verified) {
 						DI::baseUrl()->redirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
@@ -130,6 +135,7 @@ class Index extends BaseSettings
 			'$disable_label'        => DI::l10n()->t('Disable two-factor authentication'),
 			'$recovery_codes_label' => DI::l10n()->t('Show recovery codes'),
 			'$app_specific_passwords_label' => DI::l10n()->t('Manage app-specific passwords'),
+			'$trusted_browsers_label' => DI::l10n()->t('Manage trusted browsers'),
 			'$configure_label'      => DI::l10n()->t('Finish app configuration'),
 		]);
 	}

src/Module/Settings/TwoFactor/Recovery.php

@@ -23,7 +23,7 @@ namespace Friendica\Module\Settings\TwoFactor;
 
 use Friendica\Core\Renderer;
 use Friendica\DI;
-use Friendica\Model\TwoFactor\RecoveryCode;
+use Friendica\Security\TwoFactor\Model\RecoveryCode;
 use Friendica\Module\BaseSettings;
 use Friendica\Module\Security\Login;
 

src/Module/Settings/TwoFactor/Trusted.php

@@ -0,0 +1,110 @@
+<?php
+
+namespace Friendica\Module\Settings\TwoFactor;
+
+use Friendica\Core\Renderer;
+use Friendica\DI;
+use Friendica\Module\BaseSettings;
+use Friendica\Security\TwoFactor;
+use Friendica\Util\Temporal;
+use UAParser\Parser;
+
+/**
+ * Manages users' two-factor trusted browsers in the 2fa_trusted_browsers table
+ */
+class Trusted extends BaseSettings
+{
+	public static function init(array $parameters = [])
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$verified = DI::pConfig()->get(local_user(), '2fa', 'verified');
+
+		if (!$verified) {
+			DI::baseUrl()->redirect('settings/2fa');
+		}
+
+		if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
+			notice(DI::l10n()->t('Please enter your password to access this page.'));
+			DI::baseUrl()->redirect('settings/2fa');
+		}
+	}
+
+	public static function post(array $parameters = [])
+	{
+		if (!local_user()) {
+			return;
+		}
+
+		$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+
+		if (!empty($_POST['action'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
+
+			switch ($_POST['action']) {
+				case 'remove_all' :
+					$trustedBrowserRepository->removeAllForUser(local_user());
+					info(DI::l10n()->t('Trusted browsers successfully removed.'));
+					DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+					break;
+			}
+		}
+
+		if (!empty($_POST['remove_id'])) {
+			self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
+
+			if ($trustedBrowserRepository->removeForUser(local_user(), $_POST['remove_id'])) {
+				info(DI::l10n()->t('Trusted browser successfully removed.'));
+			}
+
+			DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
+		}
+	}
+
+
+	public static function content(array $parameters = []): string
+	{
+		parent::content($parameters);
+
+		$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+		$trustedBrowsers = $trustedBrowserRepository->selectAllByUid(local_user());
+
+		$parser = Parser::create();
+
+		$trustedBrowserDisplay = array_map(function (TwoFactor\Model\TrustedBrowser $trustedBrowser) use ($parser) {
+			$dates = [
+				'created_ago' => Temporal::getRelativeDate($trustedBrowser->created),
+				'last_used_ago' => Temporal::getRelativeDate($trustedBrowser->last_used),
+			];
+
+			$result = $parser->parse($trustedBrowser->user_agent);
+
+			$uaData = [
+				'os' => $result->os->family,
+				'device' => $result->device->family,
+				'browser' => $result->ua->family,
+			];
+
+			return $trustedBrowser->toArray() + $dates + $uaData;
+		}, $trustedBrowsers->getArrayCopy());
+
+		return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/trusted_browsers.tpl'), [
+			'$form_security_token' => self::getFormSecurityToken('settings_2fa_trusted'),
+			'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
+
+			'$title'               => DI::l10n()->t('Two-factor Trusted Browsers'),
+			'$message'             => DI::l10n()->t('Trusted browsers are individual browsers you chose to skip two-factor authentication to access Friendica. Please use this feature sparingly, as it can negate the benefit of two-factor authentication.'),
+			'$device_label'        => DI::l10n()->t('Device'),
+			'$os_label'            => DI::l10n()->t('OS'),
+			'$browser_label'       => DI::l10n()->t('Browser'),
+			'$created_label'       => DI::l10n()->t('Trusted'),
+			'$last_used_label'     => DI::l10n()->t('Last Use'),
+			'$remove_label'        => DI::l10n()->t('Remove'),
+			'$remove_all_label'    => DI::l10n()->t('Remove All'),
+
+			'$trusted_browsers'    => $trustedBrowserDisplay,
+		]);
+	}
+}

src/Object/Api/Friendica/Notification.php

@@ -21,7 +21,7 @@
 
 namespace Friendica\Object\Api\Friendica;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Content\Text\BBCode;
 use Friendica\Content\Text\HTML;
 use Friendica\Model\Notification as NotificationModel;
@@ -33,7 +33,7 @@ use Friendica\Util\Temporal;
  *
  * @see https://github.com/friendica/friendica/blob/develop/doc/API-Entities.md#notification
  */
-class Notification extends BaseEntity
+class Notification extends BaseDataTransferObject
 {
 	/** @var integer */
 	protected $id;

src/Object/Api/Mastodon/Account.php

@@ -22,7 +22,7 @@
 namespace Friendica\Object\Api\Mastodon;
 
 use Friendica\App\BaseURL;
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Collection\Api\Mastodon\Fields;
 use Friendica\Content\Text\BBCode;
 use Friendica\Database\DBA;
@@ -34,7 +34,7 @@ use Friendica\Util\DateTimeFormat;
  *
  * @see https://docs.joinmastodon.org/entities/account
  */
-class Account extends BaseEntity
+class Account extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $id;
@@ -138,7 +138,7 @@ class Account extends BaseEntity
 	 *
 	 * @return array
 	 */
-	public function toArray()
+	public function toArray(): array
 	{
 		$account = parent::toArray();
 

src/Object/Api/Mastodon/Activity.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Activity
  *
  * @see https://docs.joinmastodon.org/entities/activity
  */
-class Activity extends BaseEntity
+class Activity extends BaseDataTransferObject
 {
 	/** @var string (UNIX Timestamp) */
 	protected $week;

src/Object/Api/Mastodon/Application.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Application
  *
  * @see https://docs.joinmastodon.org/entities/application
  */
-class Application extends BaseEntity
+class Application extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $name;

src/Object/Api/Mastodon/Attachment.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Attachment
  *
  * @see https://docs.joinmastodon.org/entities/attachment
  */
-class Attachment extends BaseEntity
+class Attachment extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $id;
@@ -67,7 +67,7 @@ class Attachment extends BaseEntity
 	 *
 	 * @return array
 	 */
-	public function toArray()
+	public function toArray(): array
 	{
 		$attachment = parent::toArray();
 

src/Object/Api/Mastodon/Card.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Card
  *
  * @see https://docs.joinmastodon.org/entities/card
  */
-class Card extends BaseEntity
+class Card extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $url;
@@ -67,10 +67,10 @@ class Card extends BaseEntity
 	 *
 	 * @return array
 	 */
-	public function toArray()
+	public function toArray(): array
 	{
 		if (empty($this->url)) {
-			return null;
+			return [];
 		}
 
 		return parent::toArray();

src/Object/Api/Mastodon/Emoji.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Emoji
  *
  * @see https://docs.joinmastodon.org/entities/emoji/
  */
-class Emoji extends BaseEntity
+class Emoji extends BaseDataTransferObject
 {
 	//Required attributes
 	/** @var string */

src/Object/Api/Mastodon/Error.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Error
  *
  * @see https://docs.joinmastodon.org/entities/error
  */
-class Error extends BaseEntity
+class Error extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $error;
@@ -53,7 +53,7 @@ class Error extends BaseEntity
 	 *
 	 * @return array
 	 */
-	public function toArray()
+	public function toArray(): array
 	{
 		$error = parent::toArray();
 

src/Object/Api/Mastodon/Field.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Field
  *
  * @see https://docs.joinmastodon.org/entities/field/
  */
-class Field extends BaseEntity
+class Field extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $name;

src/Object/Api/Mastodon/Instance.php

@@ -21,7 +21,7 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Database\DBA;
 use Friendica\DI;
 use Friendica\Model\User;
@@ -32,7 +32,7 @@ use Friendica\Module\Register;
  *
  * @see https://docs.joinmastodon.org/api/entities/#instance
  */
-class Instance extends BaseEntity
+class Instance extends BaseDataTransferObject
 {
 	/** @var string (URL) */
 	protected $uri;

src/Object/Api/Mastodon/Mention.php

@@ -22,14 +22,14 @@
 namespace Friendica\Object\Api\Mastodon;
 
 use Friendica\App\BaseURL;
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Mention
  *
  * @see https://docs.joinmastodon.org/entities/mention
  */
-class Mention extends BaseEntity
+class Mention extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $id;

src/Object/Api/Mastodon/Relationship.php

@@ -21,7 +21,7 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Model\Contact;
 use Friendica\Util\Network;
 
@@ -30,7 +30,7 @@ use Friendica\Util\Network;
  *
  * @see https://docs.joinmastodon.org/api/entities/#relationship
  */
-class Relationship extends BaseEntity
+class Relationship extends BaseDataTransferObject
 {
 	/** @var int */
 	protected $id;

src/Object/Api/Mastodon/Stats.php

@@ -21,7 +21,7 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Core\Protocol;
 use Friendica\Database\DBA;
 use Friendica\DI;
@@ -31,7 +31,7 @@ use Friendica\DI;
  *
  * @see https://docs.joinmastodon.org/api/entities/#stats
  */
-class Stats extends BaseEntity
+class Stats extends BaseDataTransferObject
 {
 	/** @var int */
 	protected $user_count = 0;

src/Object/Api/Mastodon/Status.php

@@ -21,7 +21,7 @@
 
 namespace Friendica\Object\Api\Mastodon;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Content\Text\BBCode;
 use Friendica\Object\Api\Mastodon\Status\Counts;
 use Friendica\Object\Api\Mastodon\Status\UserAttributes;
@@ -32,7 +32,7 @@ use Friendica\Util\DateTimeFormat;
  *
  * @see https://docs.joinmastodon.org/entities/status
  */
-class Status extends BaseEntity
+class Status extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $id;
@@ -143,7 +143,7 @@ class Status extends BaseEntity
 	 *
 	 * @return array
 	 */
-	public function toArray()
+	public function toArray(): array
 	{
 		$status = parent::toArray();
 

src/Object/Api/Mastodon/Tag.php

@@ -22,14 +22,14 @@
 namespace Friendica\Object\Api\Mastodon;
 
 use Friendica\App\BaseURL;
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 
 /**
  * Class Tag
  *
  * @see https://docs.joinmastodon.org/entities/tag
  */
-class Tag extends BaseEntity
+class Tag extends BaseDataTransferObject
 {
 	/** @var string */
 	protected $name;

src/Object/Api/Twitter/User.php

@@ -21,14 +21,14 @@
 
 namespace Friendica\Object\Api\Twitter;
 
-use Friendica\BaseEntity;
+use Friendica\BaseDataTransferObject;
 use Friendica\Content\ContactSelector;
 use Friendica\Content\Text\BBCode;
 
 /**
  * @see https://developer.twitter.com/en/docs/tweets/data-dictionary/overview/user-object
  */
-class User extends BaseEntity
+class User extends BaseDataTransferObject
 {
 	/** @var int */
 	protected $id;

src/Security/Authentication.php

@@ -33,6 +33,7 @@ use Friendica\Database\DBA;
 use Friendica\DI;
 use Friendica\Model\User;
 use Friendica\Network\HTTPException;
+use Friendica\Security\TwoFactor\Repository\TrustedBrowser;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Network;
 use Friendica\Util\Strings;
@@ -100,16 +101,13 @@ class Authentication
 	 */
 	public function withSession(App $a)
 	{
-		$data = $this->cookie->getData();
-
 		// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
-		if (isset($data->uid)) {
-
+		if ($this->cookie->get('uid')) {
 			$user = $this->dba->selectFirst(
 				'user',
 				[],
 				[
-					'uid'             => $data->uid,
+					'uid'             => $this->cookie->get('uid'),
 					'blocked'         => false,
 					'account_expired' => false,
 					'account_removed' => false,
@@ -117,24 +115,25 @@ class Authentication
 				]
 			);
 			if ($this->dba->isResult($user)) {
-				if (!$this->cookie->check($data->hash,
+				if (!$this->cookie->comparePrivateDataHash($this->cookie->get('hash'),
 					$user['password'] ?? '',
-					$user['prvkey'] ?? '')) {
-					$this->logger->notice("Hash doesn't fit.", ['user' => $data->uid]);
+					$user['prvkey'] ?? '')
+				) {
+					$this->logger->notice("Hash doesn't fit.", ['user' => $this->cookie->get('uid')]);
 					$this->session->clear();
 					$this->cookie->clear();
 					$this->baseUrl->redirect();
 				}
 
 				// Renew the cookie
-				$this->cookie->set($user['uid'], $user['password'], $user['prvkey']);
+				$this->cookie->send();
 
 				// Do the authentification if not done by now
 				if (!$this->session->get('authenticated')) {
 					$this->setForUser($a, $user);
 
 					if ($this->config->get('system', 'paranoia')) {
-						$this->session->set('addr', $data->ip);
+						$this->session->set('addr', $this->cookie->get('ip'));
 					}
 				}
 			}
@@ -377,12 +376,15 @@ class Authentication
 			 */
 			if ($this->session->get('remember')) {
 				$this->logger->info('Injecting cookie for remembered user ' . $user_record['nickname']);
-				$this->cookie->set($user_record['uid'], $user_record['password'], $user_record['prvkey']);
+				$this->cookie->setMultiple([
+					'uid'  => $user_record['uid'],
+					'hash' => $this->cookie->hashPrivateData($user_record['password'], $user_record['prvkey']),
+				]);
 				$this->session->remove('remember');
 			}
 		}
 
-		$this->twoFactorCheck($user_record['uid'], $a);
+		$this->redirectForTwoFactorAuthentication($user_record['uid'], $a);
 
 		if ($interactive) {
 			if ($user_record['login_date'] <= DBA::NULL_DATETIME) {
@@ -404,28 +406,59 @@ class Authentication
 	}
 
 	/**
+	 * Decides whether to redirect the user to two-factor authentication.
+	 * All return calls in this method skip two-factor authentication
+	 *
 	 * @param int $uid The User Identified
 	 * @param App $a   The Friendica Application context
 	 *
 	 * @throws HTTPException\ForbiddenException In case the two factor authentication is forbidden (e.g. for AJAX calls)
+	 * @throws HTTPException\InternalServerErrorException
 	 */
-	private function twoFactorCheck(int $uid, App $a)
+	private function redirectForTwoFactorAuthentication(int $uid, App $a)
 	{
 		// Check user setting, if 2FA disabled return
 		if (!$this->pConfig->get($uid, '2fa', 'verified')) {
 			return;
 		}
 
-		// Check current path, if 2fa authentication module return
+		// Check current path, if public or 2fa module return
 		if ($a->argc > 0 && in_array($a->argv[0], ['2fa', 'view', 'help', 'api', 'proxy', 'logout'])) {
 			return;
 		}
 
-		// Case 1: 2FA session present and valid: return
+		// Case 1a: 2FA session already present: return
 		if ($this->session->get('2fa')) {
 			return;
 		}
 
+		// Case 1b: Check for trusted browser
+		if ($this->cookie->get('trusted')) {
+			// Retrieve a trusted_browser model based on cookie hash
+			$trustedBrowserRepository = new TrustedBrowser($this->dba, $this->logger);
+			try {
+				$trustedBrowser = $trustedBrowserRepository->selectOneByHash($this->cookie->get('trusted'));
+				// Verify record ownership
+				if ($trustedBrowser->uid === $uid) {
+					// Update last_used date
+					$trustedBrowser->recordUse();
+
+					// Save it to the database
+					$trustedBrowserRepository->save($trustedBrowser);
+
+					// Set 2fa session key and return
+					$this->session->set('2fa', true);
+
+					return;
+				} else {
+					// Invalid trusted cookie value, removing it
+					$this->cookie->unset('trusted');
+				}
+			} catch (\Throwable $e) {
+				// Local trusted browser record was probably removed by the user, we carry on with 2FA
+			}
+		}
+
 		// Case 2: No valid 2FA session: redirect to code verification page
 		if ($this->mode->isAjax()) {
 			throw new HTTPException\ForbiddenException();

src/Security/TwoFactor/Collection/TrustedBrowsers.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Friendica\Security\TwoFactor\Collection;
+
+use Friendica\BaseCollection;
+
+class TrustedBrowsers extends BaseCollection
+{
+
+}

src/Security/TwoFactor/Factory/TrustedBrowser.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace Friendica\Security\TwoFactor\Factory;
+
+use Friendica\BaseFactory;
+use Friendica\Util\DateTimeFormat;
+use Friendica\Util\Strings;
+
+class TrustedBrowser extends BaseFactory
+{
+	public function createForUserWithUserAgent($uid, $userAgent): \Friendica\Security\TwoFactor\Model\TrustedBrowser
+	{
+		$trustedHash = Strings::getRandomHex();
+
+		return new \Friendica\Security\TwoFactor\Model\TrustedBrowser(
+			$trustedHash,
+			$uid,
+			$userAgent,
+			DateTimeFormat::utcNow()
+		);
+	}
+
+	public function createFromTableRow(array $row): \Friendica\Security\TwoFactor\Model\TrustedBrowser
+	{
+		return new \Friendica\Security\TwoFactor\Model\TrustedBrowser(
+			$row['cookie_hash'],
+			$row['uid'],
+			$row['user_agent'],
+			$row['created'],
+			$row['last_used']
+		);
+	}
+}

src/Security/TwoFactor/Model/AppSpecificPassword.php

@@ -19,7 +19,7 @@
  *
  */
 
-namespace Friendica\Model\TwoFactor;
+namespace Friendica\Security\TwoFactor\Model;
 
 use Friendica\Database\DBA;
 use Friendica\Model\User;

src/Security/TwoFactor/Model/RecoveryCode.php

@@ -19,7 +19,7 @@
  *
  */
 
-namespace Friendica\Model\TwoFactor;
+namespace Friendica\Security\TwoFactor\Model;
 
 use Friendica\Database\DBA;
 use Friendica\Util\DateTimeFormat;

src/Security/TwoFactor/Model/TrustedBrowser.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace Friendica\Security\TwoFactor\Model;
+
+use Friendica\BaseEntity;
+use Friendica\Util\DateTimeFormat;
+
+/**
+ * Class TrustedBrowser
+ *
+ *
+ * @property-read $cookie_hash
+ * @property-read $uid
+ * @property-read $user_agent
+ * @property-read $created
+ * @property-read $last_used
+ * @package Friendica\Model\TwoFactor
+ */
+class TrustedBrowser extends BaseEntity
+{
+	protected $cookie_hash;
+	protected $uid;
+	protected $user_agent;
+	protected $created;
+	protected $last_used;
+
+	/**
+	 * Please do not use this constructor directly, instead use one of the method of the TrustedBroser factory.
+	 *
+	 * @see \Friendica\Security\TwoFactor\Factory\TrustedBrowser
+	 *
+	 * @param string      $cookie_hash
+	 * @param int         $uid
+	 * @param string      $user_agent
+	 * @param string      $created
+	 * @param string|null $last_used
+	 */
+	public function __construct(string $cookie_hash, int $uid, string $user_agent, string $created, string $last_used = null)
+	{
+		$this->cookie_hash = $cookie_hash;
+		$this->uid = $uid;
+		$this->user_agent = $user_agent;
+		$this->created = $created;
+		$this->last_used = $last_used;
+	}
+
+	public function recordUse()
+	{
+		$this->last_used = DateTimeFormat::utcNow();
+	}
+}

src/Security/TwoFactor/Repository/TrustedBrowser.php

@@ -0,0 +1,98 @@
+<?php
+
+namespace Friendica\Security\TwoFactor\Repository;
+
+use Friendica\Security\TwoFactor\Model;
+use Friendica\Security\TwoFactor\Collection\TrustedBrowsers;
+use Friendica\Database\Database;
+use Friendica\Network\HTTPException\NotFoundException;
+use Psr\Log\LoggerInterface;
+
+class TrustedBrowser
+{
+	/** @var Database  */
+	protected $db;
+
+	/** @var LoggerInterface  */
+	protected $logger;
+
+	/** @var \Friendica\Security\TwoFactor\Factory\TrustedBrowser  */
+	protected $factory;
+
+	protected static $table_name = '2fa_trusted_browser';
+
+	public function __construct(Database $database, LoggerInterface $logger, \Friendica\Security\TwoFactor\Factory\TrustedBrowser $factory = null)
+	{
+		$this->db = $database;
+		$this->logger = $logger;
+		$this->factory = $factory ?? new \Friendica\Security\TwoFactor\Factory\TrustedBrowser($logger);
+	}
+
+	/**
+	 * @param string $cookie_hash
+	 * @return Model\TrustedBrowser|null
+	 * @throws \Exception
+	 */
+	public function selectOneByHash(string $cookie_hash): Model\TrustedBrowser
+	{
+		$fields = $this->db->selectFirst(self::$table_name, [], ['cookie_hash' => $cookie_hash]);
+		if (!$this->db->isResult($fields)) {
+			throw new NotFoundException('');
+		}
+
+		return $this->factory->createFromTableRow($fields);
+	}
+
+	public function selectAllByUid(int $uid): TrustedBrowsers
+	{
+		$rows = $this->db->selectToArray(self::$table_name, [], ['uid' => $uid]);
+
+		$trustedBrowsers = [];
+		foreach ($rows as $fields) {
+			$trustedBrowsers[] = $this->factory->createFromTableRow($fields);
+		}
+
+		return new TrustedBrowsers($trustedBrowsers);
+	}
+
+	/**
+	 * @param Model\TrustedBrowser $trustedBrowser
+	 * @return bool
+	 * @throws \Exception
+	 */
+	public function save(Model\TrustedBrowser $trustedBrowser): bool
+	{
+		return $this->db->insert(self::$table_name, $trustedBrowser->toArray(), $this->db::INSERT_UPDATE);
+	}
+
+	/**
+	 * @param Model\TrustedBrowser $trustedBrowser
+	 * @return bool
+	 * @throws \Exception
+	 */
+	public function remove(Model\TrustedBrowser $trustedBrowser): bool
+	{
+		return $this->db->delete(self::$table_name, ['cookie_hash' => $trustedBrowser->cookie_hash]);
+	}
+
+	/**
+	 * @param int    $local_user
+	 * @param string $cookie_hash
+	 * @return bool
+	 * @throws \Exception
+	 */
+	public function removeForUser(int $local_user, string $cookie_hash): bool
+	{
+		return $this->db->delete(self::$table_name, ['cookie_hash' => $cookie_hash,'uid' => $local_user]);
+	}
+
+	/**
+	 * @param int $local_user
+	 * @return bool
+	 * @throws \Exception
+	 */
+	public function removeAllForUser(int $local_user): bool
+	{
+		return $this->db->delete(self::$table_name, ['uid' => $local_user]);
+	}
+}