Add Mfa controller and a template for it

andk · charsbar · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024
commit e6f7b1a049eca3dd32b688e7df7cb9a8890414b4
diff --git a/lib/pause_2017/PAUSE/Web/Controller/User/Mfa.pm b/lib/pause_2017/PAUSE/Web/Controller/User/Mfa.pm
@@ -0,0 +1,80 @@
+package PAUSE::Web::Controller::User::Mfa;
+
+use Mojo::Base "Mojolicious::Controller";
+use Auth::GoogleAuth;
+use PAUSE::Crypt;
+use Crypt::URandom qw(urandom);
+use Convert::Base32 qw(encode_base32);
+
+sub edit {
+  my $c = shift;
+  my $pause = $c->stash(".pause");
+  my $mgr = $c->app->pause;
+  my $req = $c->req;
+  my $u = $c->active_user_record;
+
+  my $auth = $c->app->pause->authenticator_for($u);
+  $pause->{mfa_qrcode} = $auth->qr_code;
+  if (!$u->{mfa_secret32}) {
+    my $dbh = $mgr->authen_connect;
+    my $tbl = $PAUSE::Config->{AUTHEN_USER_TABLE};
+    my $sql = "UPDATE $tbl SET mfa_secret32 = ?, changed = ?, changedby = ? WHERE user = ?";
+    $dbh->do($sql, undef, $auth->secret32, time, $pause->{User}{userid}, $u->{userid})
+      or push @{$pause->{ERROR}}, sprintf(qq{Could not enter the data into the database: <i>%s</i>.},$dbh->errstr);
+  }
+
+  if (uc $req->method eq 'POST' and $req->param("pause99_mfa_sub")) {
+    my $code = $req->param("pause99_mfa_code");
+    $req->param("pause99_mfa_code", undef);
+    if ($code =~ /\A[0-9]{6}\z/ && !$auth->verify($code)) {
+        $pause->{error}{invalid_code} = 1;
+        return;
+    } elsif ($code =~ /\A[a-z0-9]{5}\-[a-z0-9]{5}\z/ && $u->{mfa_recovery_codes} && $req->param("pause99_mfa_reset")) {
+        my @recovery_codes = split / /, $u->{mfa_recovery_codes} // '';
+        if (!grep { PAUSE::Crypt::password_verify($code, $_) } @recovery_codes) {
+            $pause->{error}{invalid_code} = 1;
+            return;
+        }
+    }
+    my ($mfa, $secret32, $recovery_codes);
+    if ($req->param("pause99_mfa_reset")) {
+        $mfa = 0;
+        $secret32 = undef;
+        $recovery_codes = undef;
+        $c->flash(mfa_disabled => 1);
+    } else {
+        $mfa = 1;
+        $secret32 = $auth->secret32;
+        $c->flash(mfa_enabled => 1);
+        my @codes = _generate_recovery_codes();
+        $c->flash(recovery_codes => \@codes);
+        $recovery_codes = join " ", map { PAUSE::Crypt::hash_password($_) } @codes;
+    }
+    my $dbh = $mgr->authen_connect;
+    my $tbl = $PAUSE::Config->{AUTHEN_USER_TABLE};
+    my $sql = "UPDATE $tbl SET mfa = ?, mfa_secret32 = ?, mfa_recovery_codes = ?, changed = ?, changedby = ? WHERE user = ?";
+    if ($dbh->do($sql, undef, $mfa, $secret32, $recovery_codes, time, $pause->{User}{userid}, $u->{userid})) {
+      my $mailblurb = $c->render_to_string("email/user/mfa/edit", format => "email");
+      my $header = {Subject => "User update for $u->{userid}"};
+      my @to = $u->{secretemail};
+      $mgr->send_mail_multi(\@to, $header, $mailblurb);
+    } else {
+      push @{$pause->{ERROR}}, sprintf(qq{Could not enter the data
+        into the database: <i>%s</i>.},$dbh->errstr);
+    }
+    $c->redirect_to('/authenquery?ACTION=mfa');
+  }
+}
+
+sub _generate_recovery_codes {
+    my @codes;
+    for (1 .. 8) {
+        my $code = encode_base32(urandom(6));
+        $code =~ tr/lo/89/;
+        $code =~ s/^(.{5})/$1-/;
+        push @codes, $code;
+    }
+    @codes;
+}
+
+1;
diff --git a/lib/pause_2017/templates/user/mfa/edit.html.ep b/lib/pause_2017/templates/user/mfa/edit.html.ep
@@ -0,0 +1,59 @@
+% layout 'layout';
+% my $pause = stash(".pause") || {};
+% my $cpan_alias = lc($pause->{HiddenUser}{userid}) . '@cpan.org';
+
+<input type="hidden" name="HIDDENNAME" value="<%= $pause->{HiddenUser}{userid} %>">
+
+% if (flash('mfa_enabled')) {
+<div class="messagebox info">
+<p><b>Multifactor Authentication is enabled.</b></p>
+<p>Recovery codes:</p>
+<code>
+<ul>
+% for my $code (@{ flash('recovery_codes') }) {
+<li><%= $code %>
+% }
+</ul>
+</code>
+<p>Please write down these codes, as they will not show again.</p>
+</div>
+% } elsif (flash('mfa_disabled')) {
+<div class="messagebox info">
+<p>Multifactor Authentication is disabled.</p>
+</div>
+% }
+
+<h3><% if (!$pause->{HiddenUser}{mfa}) { %>Enable<% } else { %>Disable<% } %> Multifactor Authentication for <%= $pause->{HiddenUser}{userid} %>
+% if (exists $pause->{UserGroups}{admin}) {
+ (lastvisit <%= $pause->{HiddenUser}{lastvisit} || "before 2005-12-02" %>)
+% }
+</h3>
+
+% if (my $error = $pause->{error}) {
+<div class="messagebox error">
+<b>ERROR</b>:
+%   if ($error->{invalid_code}) {
+Verification Code is invalid.
+%   }
+</div>
+<hr>
+% }
+% if (!$pause->{HiddenUser}{mfa}) {
+<div>
+<p>Submit 6-digit code to enable Multifactor Authentication.</p>
+<img src="<%= $pause->{mfa_qrcode} %>">
+</div>
+% } else {
+<p>Submit 6-digit code to disable Multifactor Authentication.</p>
+<%= hidden_field "pause99_mfa_reset" => 1 %>
+% }
+
+<div>
+<p>CODE: <%= text_field "pause99_mfa_code" => '',
+    size => 10,
+    maxlength => 10,
+%>
+<input type="submit" name="pause99_mfa_sub" value="Submit"></p>
+</div>
+
+%= csrf_field