11.5/_totp_provider_8php_source.html

<?php


declare(strict_types=1);


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


namespace ‪TYPO3\CMS\Core\Authentication\Mfa\Provider;


use BaconQrCode\Renderer\Image\SvgImageBackEnd;

use BaconQrCode\Renderer\ImageRenderer;

use BaconQrCode\Renderer\RendererStyle\RendererStyle;

use BaconQrCode\Writer;

use Psr\Http\Message\ResponseInterface;

use Psr\Http\Message\ServerRequestInterface;

use ‪TYPO3\CMS\Core\Authentication\Mfa\MfaProviderInterface;

use ‪TYPO3\CMS\Core\Authentication\Mfa\MfaProviderPropertyManager;

use ‪TYPO3\CMS\Core\Authentication\Mfa\MfaViewType;

use ‪TYPO3\CMS\Core\Context\Context;

use ‪TYPO3\CMS\Core\Http\HtmlResponse;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

use ‪TYPO3\CMS\Fluid\View\StandaloneView;


class ‪TotpProvider implements ‪MfaProviderInterface

{

    private const ‪MAX_ATTEMPTS = 3;


    protected ‪Context ‪$context;


    public function ‪__construct(‪Context ‪$context)

    {

        $this->context = ‪$context;

    }


    public function ‪canProcess(ServerRequestInterface $request): bool

    {

        return $this->‪getTotp($request) !== '';

    }


    public function ‪isActive(‪MfaProviderPropertyManager $propertyManager): bool

    {

        return (bool)$propertyManager->‪getProperty('active')

            && $propertyManager->‪getProperty('secret', '') !== '';

    }


    public function ‪isLocked(‪MfaProviderPropertyManager $propertyManager): bool

    {

        $attempts = (int)$propertyManager->‪getProperty('attempts', 0);


        // Assume the provider is locked in case the maximum attempts are exceeded.

        // A provider however can only be locked if set up - an entry exists in database.

        return $propertyManager->‪hasProviderEntry() && $attempts >= ‪self::MAX_ATTEMPTS;

    }


    public function ‪verify(ServerRequestInterface $request, ‪MfaProviderPropertyManager $propertyManager): bool

    {

        if (!$this->‪isActive($propertyManager) || $this->‪isLocked($propertyManager)) {

            // Can not verify an inactive or locked provider

            return false;

        }


        $totp = $this->‪getTotp($request);

        $secret = $propertyManager->‪getProperty('secret', '');

        $verified = GeneralUtility::makeInstance(Totp::class, $secret)->verifyTotp($totp, 2);

        if (!$verified) {

            $attempts = $propertyManager->‪getProperty('attempts', 0);

            $propertyManager->‪updateProperties(['attempts' => ++$attempts]);

            return false;

        }

        $propertyManager->‪updateProperties([

            'attempts' => 0,

            'lastUsed' => $this->context->getPropertyFromAspect('date', 'timestamp'),

        ]);

        return true;

    }


    public function ‪activate(ServerRequestInterface $request, ‪MfaProviderPropertyManager $propertyManager): bool

    {

        if ($this->‪isActive($propertyManager)) {

            // Can not activate an active provider

            return false;

        }


        if (!$this->‪canProcess($request)) {

            // Return since the request can not be processed by this provider

            return false;

        }


        $secret = (string)($request->getParsedBody()['secret'] ?? '');

        $checksum = (string)($request->getParsedBody()['checksum'] ?? '');

        if ($secret === '' || !hash_equals(GeneralUtility::hmac($secret, 'totp-setup'), $checksum)) {

            // Return since the request does not contain the initially created secret

            return false;

        }


        $totpInstance = GeneralUtility::makeInstance(Totp::class, $secret);

        if (!$totpInstance->verifyTotp($this->getTotp($request), 2)) {

            // Return since the given TOTP could not be verified

            return false;

        }


        // If valid, prepare the provider properties to be stored

        $properties = ['secret' => $secret, 'active' => true];

        if (($name = (string)($request->getParsedBody()['name'] ?? '')) !== '') {

            $properties['name'] = $name;

        }


        // Usually there should be no entry if the provider is not activated, but to prevent the

        // provider from being unable to activate again, we update the existing entry in such case.

        return $propertyManager->‪hasProviderEntry()

            ? $propertyManager->‪updateProperties($properties)

            : $propertyManager->‪createProviderEntry($properties);

    }


    public function ‪update(ServerRequestInterface $request, ‪MfaProviderPropertyManager $propertyManager): bool

    {

        if (!$this->‪isActive($propertyManager) || $this->‪isLocked($propertyManager)) {

            // Can not update an inactive or locked provider

            return false;

        }


        $name = (string)($request->getParsedBody()['name'] ?? '');

        if ($name !== '') {

            return $propertyManager->‪updateProperties(['name' => $name]);

        }


        // Provider properties successfully updated

        return true;

    }


    public function ‪unlock(ServerRequestInterface $request, ‪MfaProviderPropertyManager $propertyManager): bool

    {

        if (!$this->‪isActive($propertyManager) || !$this->‪isLocked($propertyManager)) {

            // Can not unlock an inactive or not locked provider

            return false;

        }


        // Reset the attempts

        return $propertyManager->‪updateProperties(['attempts' => 0]);

    }


    public function ‪deactivate(ServerRequestInterface $request, ‪MfaProviderPropertyManager $propertyManager): bool

    {

        if (!$this->‪isActive($propertyManager)) {

            // Can not deactivate an inactive provider

            return false;

        }


        // Delete the provider entry

        return $propertyManager->‪deleteProviderEntry();

    }


    public function ‪handleRequest(

        ServerRequestInterface $request,

        ‪MfaProviderPropertyManager $propertyManager,

        string $type

    ): ResponseInterface {

        $view = GeneralUtility::makeInstance(StandaloneView::class);

        $view->setTemplateRootPaths(['EXT:core/Resources/Private/Templates/Authentication/MfaProvider/Totp']);

        switch ($type) {

            case ‪MfaViewType::SETUP:

                $this->‪prepareSetupView($view, $propertyManager);

                break;

            case ‪MfaViewType::EDIT:

                $this->‪prepareEditView($view, $propertyManager);

                break;

            case ‪MfaViewType::AUTH:

                $this->‪prepareAuthView($view, $propertyManager);

                break;

        }

        return new ‪HtmlResponse($view->assign('providerIdentifier', $propertyManager->‪getIdentifier())->render());

    }


    protected function ‪prepareSetupView(‪StandaloneView $view, ‪MfaProviderPropertyManager $propertyManager): void

    {

        $userData = $propertyManager->‪getUser()->user ?? [];

        $secret = ‪Totp::generateEncodedSecret([(string)($userData['uid'] ?? ''), (string)($userData['username'] ?? '')]);

        $totpInstance = GeneralUtility::makeInstance(Totp::class, $secret);

        $totpAuthUrl = $totpInstance->getTotpAuthUrl(

            (string)(‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] ?? 'TYPO3'),

            (string)($userData['email'] ?? '') ?: (string)($userData['username'] ?? '')

        );

        $view->‪setTemplate('Setup');

        $view->‪assignMultiple([

            'secret' => $secret,

            'totpAuthUrl' => $totpAuthUrl,

            'qrCode' => $this->‪getSvgQrCode($totpAuthUrl),

            // Generate hmac of the secret to prevent it from being changed in the setup from

            'checksum' => GeneralUtility::hmac($secret, 'totp-setup'),

        ]);

    }


    protected function ‪prepareEditView(‪StandaloneView $view, ‪MfaProviderPropertyManager $propertyManager): void

    {

        $view->‪setTemplate('Edit');

        $view->‪assignMultiple([

            'name' => $propertyManager->‪getProperty('name'),

            'lastUsed' => $this->getDateTime($propertyManager->‪getProperty('lastUsed', 0)),

            'updated' => $this->getDateTime($propertyManager->‪getProperty('updated', 0)),

        ]);

    }


    protected function ‪prepareAuthView(‪StandaloneView $view, ‪MfaProviderPropertyManager $propertyManager): void

    {

        $view->‪setTemplate('Auth');

        $view->‪assign('isLocked', $this->‪isLocked($propertyManager));

    }


    protected function ‪getTotp(ServerRequestInterface $request): string

    {

        return trim((string)($request->getQueryParams()['totp'] ?? $request->getParsedBody()['totp'] ?? ''));

    }


    protected function ‪getSvgQrCode(string $content): string

    {

        $qrCodeRenderer = new ImageRenderer(

            new RendererStyle(225, 4),

            new SvgImageBackEnd()

        );


        return (new Writer($qrCodeRenderer))->writeString($content);

    }


    protected function ‪getDateTime(int $timestamp): string

    {

        if ($timestamp === 0) {

            return '';

        }


        return date(

            ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['ddmmyy'] . ' ' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['hhmm'],

            $timestamp

        ) ?: '';

    }

}