xref: /plugin/twofactor/action/login.php (revision 0d5f8055738a357f61ff2ac0fb6b0dcce64108f7) 
1fca58076SAndreas Gohr<?php
28b7620a8SAndreas Gohr
38b7620a8SAndreas Gohruse dokuwiki\plugin\twofactor\Manager;
46c996db8SAndreas Gohruse dokuwiki\plugin\twofactor\Provider;
58b7620a8SAndreas Gohr
630625b49SAndreas Gohr/**
730625b49SAndreas Gohr * DokuWiki Plugin twofactor (Action Component)
830625b49SAndreas Gohr *
930625b49SAndreas Gohr * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
1030625b49SAndreas Gohr */
11fca58076SAndreas Gohrclass action_plugin_twofactor_login extends DokuWiki_Action_Plugin
12fca58076SAndreas Gohr{
13848a9be0SAndreas Gohr    const TWOFACTOR_COOKIE = '2FA' . DOKU_COOKIE;
14848a9be0SAndreas Gohr
15fca58076SAndreas Gohr    /**
16fca58076SAndreas Gohr     * Registers the event handlers.
17fca58076SAndreas Gohr     */
18fca58076SAndreas Gohr    public function register(Doku_Event_Handler $controller)
19fca58076SAndreas Gohr    {
20a386a536SAndreas Gohr        // check 2fa requirements and either move to profile or login handling
21a386a536SAndreas Gohr        $controller->register_hook(
22a386a536SAndreas Gohr            'ACTION_ACT_PREPROCESS',
23a386a536SAndreas Gohr            'BEFORE',
24a386a536SAndreas Gohr            $this,
25a386a536SAndreas Gohr            'handleActionPreProcess',
26a386a536SAndreas Gohr            null,
275f8f561aSAndreas Gohr            Manager::EVENT_PRIORITY
28a386a536SAndreas Gohr        );
29fca58076SAndreas Gohr
30a386a536SAndreas Gohr        // display login form
31a386a536SAndreas Gohr        $controller->register_hook(
32a386a536SAndreas Gohr            'TPL_ACT_UNKNOWN',
33a386a536SAndreas Gohr            'BEFORE',
34a386a536SAndreas Gohr            $this,
35a386a536SAndreas Gohr            'handleLoginDisplay'
36a386a536SAndreas Gohr        );
37a386a536SAndreas Gohr
38210d81e3SAndreas Gohr        // disable user in all non-main screens (media, detail, ajax, ...)
39210d81e3SAndreas Gohr        $controller->register_hook(
40210d81e3SAndreas Gohr            'DOKUWIKI_INIT_DONE',
41210d81e3SAndreas Gohr            'BEFORE',
42210d81e3SAndreas Gohr            $this,
43210d81e3SAndreas Gohr            'handleInitDone'
44210d81e3SAndreas Gohr        );
45fca58076SAndreas Gohr    }
46fca58076SAndreas Gohr
47fca58076SAndreas Gohr    /**
48a386a536SAndreas Gohr     * Decide if any 2fa handling needs to be done for the current user
49a386a536SAndreas Gohr     *
50a386a536SAndreas Gohr     * @param Doku_Event $event
51a386a536SAndreas Gohr     */
52a386a536SAndreas Gohr    public function handleActionPreProcess(Doku_Event $event)
53a386a536SAndreas Gohr    {
545f8f561aSAndreas Gohr        $manager = Manager::getInstance();
555f8f561aSAndreas Gohr        if (!$manager->isReady()) return;
56a386a536SAndreas Gohr
57a386a536SAndreas Gohr        global $INPUT;
58a386a536SAndreas Gohr
59a386a536SAndreas Gohr        // already in a 2fa login?
60a386a536SAndreas Gohr        if ($event->data === 'twofactor_login') {
61848a9be0SAndreas Gohr            if ($this->verify(
62848a9be0SAndreas Gohr                $INPUT->str('2fa_code'),
63848a9be0SAndreas Gohr                $INPUT->str('2fa_provider'),
64848a9be0SAndreas Gohr                $INPUT->bool('sticky')
65848a9be0SAndreas Gohr            )) {
66a386a536SAndreas Gohr                $event->data = 'show';
67848a9be0SAndreas Gohr                return;
68a386a536SAndreas Gohr            } else {
69a386a536SAndreas Gohr                // show form
70a386a536SAndreas Gohr                $event->preventDefault();
71a386a536SAndreas Gohr                return;
72a386a536SAndreas Gohr            }
73a386a536SAndreas Gohr        }
74a386a536SAndreas Gohr
75857c5abcSAndreas Gohr        // clear cookie on logout
76857c5abcSAndreas Gohr        if ($event->data === 'logout') {
77857c5abcSAndreas Gohr            $this->deAuth();
78857c5abcSAndreas Gohr            return;
79857c5abcSAndreas Gohr        }
80857c5abcSAndreas Gohr
81a386a536SAndreas Gohr        // authed already, continue
82a386a536SAndreas Gohr        if ($this->isAuthed()) {
83a386a536SAndreas Gohr            return;
84a386a536SAndreas Gohr        }
85a386a536SAndreas Gohr
865f8f561aSAndreas Gohr        if (count($manager->getUserProviders())) {
87a386a536SAndreas Gohr            // user has already 2fa set up - they need to authenticate before anything else
88a386a536SAndreas Gohr            $event->data = 'twofactor_login';
89a386a536SAndreas Gohr            $event->preventDefault();
90a386a536SAndreas Gohr            $event->stopPropagation();
91a386a536SAndreas Gohr            return;
92a386a536SAndreas Gohr        }
93a386a536SAndreas Gohr
945f8f561aSAndreas Gohr        if ($manager->isRequired()) {
95a386a536SAndreas Gohr            // 2fa is required - they need to set it up now
96a386a536SAndreas Gohr            // this will be handled by action/profile.php
97a386a536SAndreas Gohr            $event->data = 'twofactor_profile';
98a386a536SAndreas Gohr        }
99a386a536SAndreas Gohr
100a386a536SAndreas Gohr        // all good. proceed
101a386a536SAndreas Gohr    }
102a386a536SAndreas Gohr
103a386a536SAndreas Gohr    /**
104a386a536SAndreas Gohr     * Show a 2fa login screen
105a386a536SAndreas Gohr     *
106a386a536SAndreas Gohr     * @param Doku_Event $event
107a386a536SAndreas Gohr     */
108a386a536SAndreas Gohr    public function handleLoginDisplay(Doku_Event $event)
109a386a536SAndreas Gohr    {
110a386a536SAndreas Gohr        if ($event->data !== 'twofactor_login') return;
1115f8f561aSAndreas Gohr        $manager = Manager::getInstance();
1125f8f561aSAndreas Gohr        if (!$manager->isReady()) return;
1135f8f561aSAndreas Gohr
114a386a536SAndreas Gohr        $event->preventDefault();
115a386a536SAndreas Gohr        $event->stopPropagation();
116a386a536SAndreas Gohr
117a386a536SAndreas Gohr        global $INPUT;
118c9e42a8dSAndreas Gohr        global $ID;
119c9e42a8dSAndreas Gohr
120a386a536SAndreas Gohr        $providerID = $INPUT->str('2fa_provider');
1215f8f561aSAndreas Gohr        $providers = $manager->getUserProviders();
1225f8f561aSAndreas Gohr        $provider = $providers[$providerID] ?? $manager->getUserDefaultProvider();
123b6119621SAndreas Gohr        // remove current provider from list
124b6119621SAndreas Gohr        unset($providers[$provider->getProviderID()]);
125a386a536SAndreas Gohr
1260407d282SAndreas Gohr        echo '<div class="plugin_twofactor_login">';
1270407d282SAndreas Gohr        echo inlineSVG(__DIR__ . '/../admin.svg');
128857c5abcSAndreas Gohr        echo $this->locale_xhtml('login');
129848a9be0SAndreas Gohr        $form = new dokuwiki\Form\Form(['method' => 'POST']);
130848a9be0SAndreas Gohr        $form->setHiddenField('do', 'twofactor_login');
131a386a536SAndreas Gohr        $form->setHiddenField('2fa_provider', $provider->getProviderID());
132a386a536SAndreas Gohr        $form->addFieldsetOpen($provider->getLabel());
133a386a536SAndreas Gohr        try {
134a386a536SAndreas Gohr            $code = $provider->generateCode();
135a386a536SAndreas Gohr            $info = $provider->transmitMessage($code);
136a386a536SAndreas Gohr            $form->addHTML('<p>' . hsc($info) . '</p>');
137848a9be0SAndreas Gohr            $form->addTextInput('2fa_code', 'Your Code')->val('');
138848a9be0SAndreas Gohr            $form->addCheckbox('sticky', 'Remember this browser'); // reuse same name as login
1390407d282SAndreas Gohr            $form->addTagOpen('div')->addClass('buttons');
140a386a536SAndreas Gohr            $form->addButton('2fa', 'Submit')->attr('type', 'submit');
1410407d282SAndreas Gohr            $form->addTagClose('div');
1425f8f561aSAndreas Gohr        } catch (Exception $e) {
143a386a536SAndreas Gohr            msg(hsc($e->getMessage()), -1); // FIXME better handling
144a386a536SAndreas Gohr        }
145a386a536SAndreas Gohr        $form->addFieldsetClose();
146a386a536SAndreas Gohr
147a386a536SAndreas Gohr        if (count($providers)) {
148a386a536SAndreas Gohr            $form->addFieldsetOpen('Alternative methods');
149a386a536SAndreas Gohr            foreach ($providers as $prov) {
150c9e42a8dSAndreas Gohr                $url = wl($ID, [
151c9e42a8dSAndreas Gohr                    'do' => 'twofactor_login',
152c9e42a8dSAndreas Gohr                    '2fa_provider' => $prov->getProviderID(),
153c9e42a8dSAndreas Gohr                ]);
154f6b61423SAndreas Gohr                $form->addHTML('<a href="' . $url . '">' . hsc($prov->getLabel()) . '</a>');
155a386a536SAndreas Gohr            }
156a386a536SAndreas Gohr            $form->addFieldsetClose();
157a386a536SAndreas Gohr        }
158a386a536SAndreas Gohr
159a386a536SAndreas Gohr        echo $form->toHTML();
1600407d282SAndreas Gohr        echo '</div>';
161a386a536SAndreas Gohr    }
162a386a536SAndreas Gohr
163a386a536SAndreas Gohr    /**
164210d81e3SAndreas Gohr     * Remove user info from non-main entry points while we wait for 2fa
165210d81e3SAndreas Gohr     *
166210d81e3SAndreas Gohr     * @param Doku_Event $event
167210d81e3SAndreas Gohr     */
168210d81e3SAndreas Gohr    public function handleInitDone(Doku_Event $event)
169210d81e3SAndreas Gohr    {
170210d81e3SAndreas Gohr        global $INPUT;
171210d81e3SAndreas Gohr
172210d81e3SAndreas Gohr        if (!(Manager::getInstance())->isReady()) return;
173210d81e3SAndreas Gohr        if (basename($INPUT->server->str('SCRIPT_NAME')) == DOKU_SCRIPT) return;
174210d81e3SAndreas Gohr        if ($this->isAuthed()) return;
175210d81e3SAndreas Gohr
176*0d5f8055SAnna Dabrowska        if ($this->getConf('optinout') !== 'mandatory' && empty(Manager::getInstance()->getUserProviders())) return;
177*0d5f8055SAnna Dabrowska
178210d81e3SAndreas Gohr        // temporarily remove user info from environment
179210d81e3SAndreas Gohr        $INPUT->server->remove('REMOTE_USER');
180210d81e3SAndreas Gohr        unset($_SESSION[DOKU_COOKIE]['auth']);
181210d81e3SAndreas Gohr        unset($GLOBALS['USERINFO']);
182210d81e3SAndreas Gohr    }
183210d81e3SAndreas Gohr
184210d81e3SAndreas Gohr    /**
185a386a536SAndreas Gohr     * Has the user already authenticated with the second factor?
186a386a536SAndreas Gohr     * @return bool
187a386a536SAndreas Gohr     */
188a386a536SAndreas Gohr    protected function isAuthed()
189a386a536SAndreas Gohr    {
190848a9be0SAndreas Gohr        if (!isset($_COOKIE[self::TWOFACTOR_COOKIE])) return false;
191848a9be0SAndreas Gohr        $data = unserialize(base64_decode($_COOKIE[self::TWOFACTOR_COOKIE]));
192848a9be0SAndreas Gohr        if (!is_array($data)) return false;
1936c996db8SAndreas Gohr        list($providerID, $hash,) = $data;
194848a9be0SAndreas Gohr
195848a9be0SAndreas Gohr        try {
1965f8f561aSAndreas Gohr            $provider = (Manager::getInstance())->getUserProvider($providerID);
1976c996db8SAndreas Gohr            if ($this->cookieHash($provider) !== $hash) return false;
198848a9be0SAndreas Gohr            return true;
1995f8f561aSAndreas Gohr        } catch (Exception $ignored) {
200a386a536SAndreas Gohr            return false;
201a386a536SAndreas Gohr        }
202848a9be0SAndreas Gohr    }
203a386a536SAndreas Gohr
204a386a536SAndreas Gohr    /**
205857c5abcSAndreas Gohr     * Deletes the cookie
206857c5abcSAndreas Gohr     *
207857c5abcSAndreas Gohr     * @return void
208857c5abcSAndreas Gohr     */
209857c5abcSAndreas Gohr    protected function deAuth()
210857c5abcSAndreas Gohr    {
211857c5abcSAndreas Gohr        global $conf;
212857c5abcSAndreas Gohr
213857c5abcSAndreas Gohr        $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
214857c5abcSAndreas Gohr        $time = time() - 60 * 60 * 24 * 365; // one year in the past
215857c5abcSAndreas Gohr        setcookie(self::TWOFACTOR_COOKIE, null, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
216857c5abcSAndreas Gohr    }
217857c5abcSAndreas Gohr
218857c5abcSAndreas Gohr    /**
219a386a536SAndreas Gohr     * Verify a given code
220a386a536SAndreas Gohr     *
221a386a536SAndreas Gohr     * @return bool
222a386a536SAndreas Gohr     * @throws Exception
223a386a536SAndreas Gohr     */
224848a9be0SAndreas Gohr    protected function verify($code, $providerID, $sticky)
225a386a536SAndreas Gohr    {
226848a9be0SAndreas Gohr        global $conf;
227848a9be0SAndreas Gohr
228a386a536SAndreas Gohr        if (!$code) return false;
229a386a536SAndreas Gohr        if (!$providerID) return false;
2305f8f561aSAndreas Gohr        $provider = (Manager::getInstance())->getUserProvider($providerID);
231a386a536SAndreas Gohr        $ok = $provider->checkCode($code);
23216ed3964SAndreas Gohr        if (!$ok) return false;
233a386a536SAndreas Gohr
234848a9be0SAndreas Gohr        // store cookie
2356c996db8SAndreas Gohr        $hash = $this->cookieHash($provider);
2366c996db8SAndreas Gohr        $data = base64_encode(serialize([$providerID, $hash, time()]));
237848a9be0SAndreas Gohr        $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
238848a9be0SAndreas Gohr        $time = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year
239848a9be0SAndreas Gohr        setcookie(self::TWOFACTOR_COOKIE, $data, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
240a386a536SAndreas Gohr
241a386a536SAndreas Gohr        return true;
242a386a536SAndreas Gohr    }
2436c996db8SAndreas Gohr
2446c996db8SAndreas Gohr    /**
2456c996db8SAndreas Gohr     * Create a hash that validates the cookie
2466c996db8SAndreas Gohr     *
2476c996db8SAndreas Gohr     * @param Provider $provider
2486c996db8SAndreas Gohr     * @return string
2496c996db8SAndreas Gohr     */
2506c996db8SAndreas Gohr    protected function cookieHash($provider)
2516c996db8SAndreas Gohr    {
2526c996db8SAndreas Gohr        return sha1(join("\n", [
2536c996db8SAndreas Gohr            $provider->getProviderID(),
2545f8f561aSAndreas Gohr            (Manager::getInstance())->getUser(),
2556c996db8SAndreas Gohr            $provider->getSecret(),
2566c996db8SAndreas Gohr            auth_browseruid(),
2576c996db8SAndreas Gohr            auth_cookiesalt(false, true),
2586c996db8SAndreas Gohr        ]));
2596c996db8SAndreas Gohr    }
260fca58076SAndreas Gohr}
261