2FA Two Authentication Factor #164

.env.example

@@ -98,3 +98,6 @@ AWS_SECRET=
 AWS_REGION=us-east-1
 AWS_BUCKET=
 AWS_SERVER=
+
+# Enable Two Factor Authentication
+2FA_ENABLED=false

.env.travis

@@ -10,3 +10,5 @@ DB_TEST_PASSWORD=
 CACHE_DRIVER=array
 SESSION_DRIVER=array
 QUEUE_DRIVER=sync
+
+2FA_ENABLED=false

.gitignore

@@ -11,3 +11,4 @@ monica.sublime-workspace
 /storage/oauth-private.key
 /storage/oauth-public.key
 .DS_Store
+npm-debug.log.*

CHANGELOG

@@ -4,6 +4,7 @@ UNRELEASED CHANGES:
 * Display missing page when loading a contact that does not exist
 * Add ability to filter contacts by more than one tag
 * Change the structure of the dashboard
+* Add two factor authentication ability
 
 RELEASED VERSIONS:
 

CONTRIBUTORS

@@ -24,4 +24,4 @@ Scott Williams @scott-joe
 Craig Davison @davisonio <[email protected]>
 Michael Heap @mheap <[email protected]>
 Matthew Du Pont @mattdp <[email protected]>
-Alexis Saettler @asbiin
+Alexis Saettler @asbiin <[email protected]>

app/Console/Commands/Deactivate2FA.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\User;
+use Illuminate\Console\Command;
+
+class Deactivate2FA extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = '2fa:deactivate {--email= : The email of the user to deactivate 2FA} {--force : run without asking for confirmation}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Deactivate 2FA for this user';
+
+    /**
+     * Create a new command instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    /**
+     * Execute the console command.
+     *
+     * @return mixed
+     */
+    public function handle()
+    {
+        // retrieve the email from the option
+        $email = $this->option('email');
+
+        // if no email was passed to the option, prompt the user to enter the email
+        if (! $email) {
+            $email = $this->ask('what is the user\'s email?');
+        }
+
+        // retrieve the user with the specified email
+        $user = User::where('email', $email)->first();
+
+        if (! $user) {
+            // show an error and exist if the user does not exist
+            $this->error('No user with that email.');
+
+            return;
+        }
+        if (is_null($user->google2fa_secret)) {
+            // show an error and exist if the user does not exist
+            $this->error('2FA is currently not activated for this user.');
+
+            return;
+        }
+
+        // Print a warning
+        $this->info('2FA will be deactivated for '.$user->email);
+        $this->info('This action can\'t be cancelled.');
+
+        // ask for confirmation if not forced
+        if (! $this->option('force') && ! $this->confirm('Do you wish to continue?')) {
+            return;
+        }
+
+        // remove google2fa_secret key
+        $user->google2fa_secret = null;
+
+        // save the user
+        $user->save();
+
+        // show the new secret key
+        $this->info('2FA has been deactivated for '.$user->email);
+    }
+}

app/Console/Kernel.php

@@ -21,6 +21,7 @@ class Kernel extends ConsoleKernel
         'App\Console\Commands\ImportVCards',
         'App\Console\Commands\PingVersionServer',
         'App\Console\Commands\SetupTest',
+        'App\Console\Commands\Deactivate2FA',
         'App\Console\Commands\GetVersion',
     ];
 

app/Http/Controllers/Auth/PasswordChangeController.php

@@ -17,7 +17,7 @@ class PasswordChangeController extends Controller
 {
     use RedirectsUsers;
 
-    protected $redirectTo = '/settings';
+    protected $redirectTo = '/settings/security';
 
     /**
      * Get usefull parameters from request.

app/Http/Controllers/Settings/MultiFAController.php

@@ -0,0 +1,144 @@
+<?php
+
+namespace App\Http\Controllers\Settings;
+
+use Google2FA;
+use Illuminate\Http\Request;
+use App\Http\Controllers\Controller;
+use Illuminate\Foundation\Auth\RedirectsUsers;
+use PragmaRX\Google2FALaravel\Support\Authenticator;
+
+class MultiFAController extends Controller
+{
+    use RedirectsUsers;
+
+    protected $redirectTo = '/settings/security';
+
+    /**
+     * Session var name to store secret code.
+     */
+    private const SESSION_TFA_SECRET = '2FA_secret';
+
+    /**
+     * Create a new authentication controller instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        $this->middleware('web');
+    }
+
+    /**
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\Response
+     */
+    public function enableTwoFactor(Request $request)
+    {
+        //generate new secret
+        $secret = $this->generateSecret();
+
+        $user = $request->user();
+
+        //generate image for QR barcode
+        $imageDataUri = Google2FA::getQRCodeInline(
+            $request->getHttpHost(),
+            $user->email,
+            $secret,
+            200
+        );
+
+        $request->session()->put(self::SESSION_TFA_SECRET, $secret);
+
+        return view('settings.security.2fa-enable', ['image' => $imageDataUri, 'secret' => $secret]);
+    }
+
+    /**
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\Response
+     */
+    public function validateTwoFactor(Request $request)
+    {
+        $this->validate($request, [
+            'one_time_password' => 'required',
+        ]);
+
+        //retrieve secret
+        $secret = $request->session()->pull(self::SESSION_TFA_SECRET);
+
+        $authenticator = app(Authenticator::class)->boot($request);
+
+        if ($authenticator->verifyGoogle2FA($secret, $request['one_time_password'])) {
+            //get user
+            $user = $request->user();
+
+            //encrypt and then save secret
+            $user->google2fa_secret = $secret;
+            $user->save();
+
+            $authenticator->login();
+
+            return redirect($this->redirectPath())
+                ->with('status', trans('settings.2fa_enable_success'));
+        }
+
+        $authenticator->logout();
+
+        return redirect($this->redirectPath())
+            ->withErrors(trans('settings.2fa_enable_error'));
+    }
+
+    /**
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\Response
+     */
+    public function disableTwoFactor(Request $request)
+    {
+        return view('settings.security.2fa-disable');
+    }
+
+    /**
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\Response
+     */
+    public function deactivateTwoFactor(Request $request)
+    {
+        $this->validate($request, [
+            'one_time_password' => 'required',
+        ]);
+
+        $user = $request->user();
+
+        //retrieve secret
+        $secret = $user->google2fa_secret;
+
+        $authenticator = app(Authenticator::class)->boot($request);
+
+        if ($authenticator->verifyGoogle2FA($secret, $request['one_time_password'])) {
+
+            //make secret column blank
+            $user->google2fa_secret = null;
+            $user->save();
+
+            $authenticator->logout();
+
+            return redirect($this->redirectPath())
+                ->with('status', trans('settings.2fa_disable_success'));
+        }
+
+        return redirect($this->redirectPath())
+            ->withErrors(trans('settings.2fa_disable_error'));
+    }
+
+    /**
+     * Generate a secret key in Base32 format.
+     *
+     * @return string
+     */
+    private function generateSecret()
+    {
+        $google2fa = app('pragmarx.google2fa');
+
+        return $google2fa->generateSecretKey(32);
+    }
+}

app/Http/Controllers/SettingsController.php

@@ -18,6 +18,7 @@
 use App\Http\Requests\SettingsRequest;
 use Illuminate\Support\Facades\Storage;
 use App\Http\Requests\InvitationRequest;
+use PragmaRX\Google2FALaravel\Support\Authenticator;
 
 class SettingsController extends Controller
 {
@@ -430,4 +431,9 @@ public function api()
     {
         return view('settings.api.index');
     }
+
+    public function security(Request $request)
+    {
+        return view('settings.security.index', ['is2FAActivated' => (new Authenticator($request))->isActivated()]);
+    }
 }

app/Http/Kernel.php

@@ -56,5 +56,6 @@ class Kernel extends HttpKernel
         //'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'throttle' => \App\Http\Middleware\ThrottleRequestsMiddleware::class,
         'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
+        '2fa' => \PragmaRX\Google2FALaravel\Middleware::class,
     ];
 }

app/User.php

@@ -18,7 +18,7 @@ class User extends Authenticatable
      * @var array
      */
     protected $fillable = [
-        'first_name', 'last_name', 'email', 'password', 'timezone', 'locale', 'currency_id', 'fluid_container', 'name_order',
+        'first_name', 'last_name', 'email', 'password', 'timezone', 'locale', 'currency_id', 'fluid_container', 'name_order', 'google2fa_secret',
     ];
 
     /**
@@ -32,7 +32,7 @@ class User extends Authenticatable
      * @var array
      */
     protected $hidden = [
-        'password', 'remember_token',
+        'password', 'remember_token', 'google2fa_secret',
     ];
 
     /**
@@ -145,4 +145,30 @@ public function hasAlreadyRatedToday()
 
         return true;
     }
+
+    /**
+     * Ecrypt the user's google_2fa secret.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public function setGoogle2faSecretAttribute($value)
+    {
+        $this->attributes['google2fa_secret'] = encrypt($value);
+    }
+
+    /**
+     * Decrypt the user's google_2fa secret.
+     *
+     * @param  string  $value
+     * @return string
+     */
+    public function getGoogle2faSecretAttribute($value)
+    {
+        if (is_null($value)) {
+            return $value;
+        }
+
+        return decrypt($value);
+    }
 }