feat-wip: 2FA integration

limanmys · Oct 13, 2023 · f6ba894 · f6ba894
1 parent 4810cda
commit f6ba894
Show file tree

Hide file tree

Showing 11 changed files with 191 additions and 41 deletions.
diff --git a/app/Http/Controllers/API/AuthController.php b/app/Http/Controllers/API/AuthController.php
@@ -17,12 +17,14 @@
 use App\User;
 use Carbon\Carbon;
 use GuzzleHttp\Client;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Str;
 use mervick\aesEverywhere\AES256;
+use RobThree\Auth\TwoFactorAuth;
 
 class AuthController extends Controller
 {
@@ -33,7 +35,7 @@ class AuthController extends Controller
      */
     public function __construct()
     {
-        $this->middleware('auth:api', ['except' => ['login', 'forceChangePassword']]);
+        $this->middleware('auth:api', ['except' => ['login', 'forceChangePassword', 'setupTwoFactorAuthentication']]);
     }
 
     /**
@@ -91,13 +93,72 @@ public function login(Request $request)
             return response()->json(['message' => 'Kullanıcı adı veya şifreniz yanlış.'], 401);
         }
 
+        if (auth('api')->user()->otp_enabled) {
+            $tfa = new TwoFactorAuth(
+                "Liman", 6, 30, \RobThree\Auth\Algorithm::Sha1
+            );
+
+            if (auth('api')->user()->google2fa_secret == null) {
+                $secret = $tfa->createSecret();
+                return response()->json([
+                    'message' => 'İki faktörlü doğrulama için Google Authenticator uygulaması ile QR kodunu okutunuz.',
+                    'secret' => $secret,
+                    'image' => $secret,
+                ], 402);
+            }
+
+            if (! $request->token) {
+                return response()->json(['message' => 'İki faktörlü doğrulama gerekmektedir.'], 406);
+            } else {
+                if (! $tfa->verifyCode(
+                    auth('api')->user()->google2fa_secret,
+                    $request->token
+                )) {
+                    return response()->json(['message' => 'İki faktörlü doğrulama başarısız.'], 406);
+                }
+            }
+        }
+
         if (auth('api')->user()->forceChange) {
             return response()->json(['message' => 'Şifrenizi değiştirmeniz gerekmektedir.'], 405);
         }
 
         return $this->createNewToken($token, $request);
     }
 
+    /**
+     * Setup Two Factor Authentication
+     * 
+     * @return JsonResponse
+     */
+    public function setupTwoFactorAuthentication(Request $request)
+    {
+        $validator = Validator::make($request->all(), [
+            'email' => 'required|string',
+            'password' => 'required|string',
+            'secret' => 'required'
+        ]);
+
+        if ($validator->fails()) {
+            return response()->json($validator->errors(), 422);
+        }
+
+        $token = auth('api')->attempt([
+            'email' => $validator->validated()["email"],
+            'password' => $validator->validated()["password"],
+        ]);
+        if (! $token) {
+            return response()->json(['message' => 'Kullanıcı adı veya şifreniz yanlış.'], 401);
+        }
+
+        User::find(auth('api')->user()->id)->update([
+            'otp_enabled' => true,
+            'google2fa_secret' => $request->secret
+        ]);
+
+        return response()->json(['message' => '2FA kurulumu başarıyla yapıldı.']);
+    }
+
     /**
      * Log the user out (Invalidate the token).
      *

diff --git a/app/Http/Controllers/API/ProfileController.php b/app/Http/Controllers/API/ProfileController.php
@@ -55,8 +55,15 @@ public function setInformation(Request $request)
         $user->update([
             'name' => $request->name,
             'email' => $request->email,
+            'otp_enabled' => (bool) $request->otp_enabled,
         ]);
 
+        if (! (bool) $request->otp_enabled) {
+            $user->update([
+                'google2fa_secret' => null
+            ]);
+        }
+
         return response()->json([
             'message' => 'Bilgiler başarıyla güncellendi.',
             'user' => $user,

diff --git a/app/Http/Controllers/API/Settings/TweaksController.php b/app/Http/Controllers/API/Settings/TweaksController.php
@@ -18,7 +18,6 @@ public function getConfiguration()
     {
         return response()->json([
             'APP_LANG' => env('APP_LANG'),
-            'OTP_ENABLED' => (bool) env('OTP_ENABLED', 'false'),
             'APP_NOTIFICATION_EMAIL' => env('APP_NOTIFICATION_EMAIL'),
             'APP_URL' => env('APP_URL'),
             'EXTENSION_TIMEOUT' => env('EXTENSION_TIMEOUT', 30),
@@ -48,7 +47,6 @@ public function saveConfiguration(Request $request)
 
         setEnv([
             'APP_LANG' => $request->APP_LANG,
-            'OTP_ENABLED' => (bool) $request->OTP_ENABLED,
             'APP_NOTIFICATION_EMAIL' => $request->APP_NOTIFICATION_EMAIL,
             'APP_URL' => $request->APP_URL,
             'EXTENSION_TIMEOUT' => $request->EXTENSION_TIMEOUT,
@@ -63,7 +61,6 @@ public function saveConfiguration(Request $request)
             'edit',
             [
                 'APP_LANG' => $request->APP_LANG,
-                'OTP_ENABLED' => (bool) $request->OTP_ENABLED,
                 'APP_NOTIFICATION_EMAIL' => $request->APP_NOTIFICATION_EMAIL,
                 'APP_URL' => $request->APP_URL,
                 'EXTENSION_TIMEOUT' => $request->EXTENSION_TIMEOUT,

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -54,8 +54,7 @@ class Kernel extends HttpKernel
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'extension' => \App\Http\Middleware\Extension::class,
         'block_except_limans' => \App\Http\Middleware\BlockExceptLimans::class,
-        'google2fa' => \PragmaRX\Google2FALaravel\Middleware::class,
-        'check_google_two_factor' => \App\Http\Middleware\CheckGoogleTwoFactor::class,
+        'google2fa' => \PragmaRX\Google2FALaravel\MiddlewareStateless::class,
         'upload_token_check' => \App\Http\Middleware\LimanTokenUploadCheck::class,
     ];
 

diff --git a/app/Http/Middleware/CheckGoogleTwoFactor.php b/app/Http/Middleware/CheckGoogleTwoFactor.php
diff --git a/app/User.php b/app/User.php
@@ -49,7 +49,8 @@ class User extends Authenticatable implements JWTSubject
         'last_login_at',
         'last_login_ip',
         'locale',
-        'google2fa_secret'
+        'google2fa_secret',
+        'otp_enabled'
     ];
 
     /**

diff --git a/composer.json b/composer.json
@@ -30,6 +30,7 @@
         "phpseclib/phpseclib": "~3.0",
         "pragmarx/google2fa-laravel": "^2.0",
         "pusher/pusher-php-server": "^7.0",
+        "robthree/twofactorauth": "^2.0",
         "tymon/jwt-auth": "^2.0"
     },
     "require-dev": {

diff --git a/composer.lock b/composer.lock
diff --git a/config/google2fa.php b/config/google2fa.php
@@ -5,7 +5,7 @@
     /*
      * Enable / disable Google2FA.
      */
-    'enabled' => env('OTP_ENABLED', false),
+    'enabled' => env('OTP_ENABLED', true),
 
     /*
      * Lifetime in minutes.
@@ -27,7 +27,7 @@
     /*
      * Guard.
      */
-    'guard' => '',
+    'guard' => 'api',
 
     /*
      * 2FA verified session var.
@@ -37,7 +37,7 @@
     /*
      * One Time Password request input name.
      */
-    'otp_input' => 'one_time_password',
+    'otp_input' => 'token',
 
     /*
      * One Time Password Window.

diff --git a/database/migrations/2023_10_13_091138_add_2fa_enabled_column_to_users_table.php b/database/migrations/2023_10_13_091138_add_2fa_enabled_column_to_users_table.php
@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->boolean('otp_enabled')->default(false)->after('locale');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            //
+        });
+    }
+};
diff --git a/routes/api.php b/routes/api.php
@@ -26,6 +26,7 @@
     'prefix' => 'auth'
 ], function () {
     Route::post('/login', [AuthController::class, 'login']);
+    Route::post('/setup_mfa', [AuthController::class, 'setupTwoFactorAuthentication']);
     Route::post('/register', [AuthController::class, 'register']);
     Route::post('/logout', [AuthController::class, 'logout']);
     Route::post('/refresh', [AuthController::class, 'refresh']);