xref: /plugin/twofactor/action/login.php (revision 782799782a73adfaf125d1db2c1ebbc7a76fb7ca) 
1fca58076SAndreas Gohr<?php
28b7620a8SAndreas Gohr
38b7620a8SAndreas Gohruse dokuwiki\plugin\twofactor\Manager;
46c996db8SAndreas Gohruse dokuwiki\plugin\twofactor\Provider;
58b7620a8SAndreas Gohr
630625b49SAndreas Gohr/**
730625b49SAndreas Gohr * DokuWiki Plugin twofactor (Action Component)
830625b49SAndreas Gohr *
930625b49SAndreas Gohr * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
1030625b49SAndreas Gohr */
11fca58076SAndreas Gohrclass action_plugin_twofactor_login extends DokuWiki_Action_Plugin
12fca58076SAndreas Gohr{
13848a9be0SAndreas Gohr    const TWOFACTOR_COOKIE = '2FA' . DOKU_COOKIE;
14848a9be0SAndreas Gohr
15fca58076SAndreas Gohr    /**
16fca58076SAndreas Gohr     * Registers the event handlers.
17fca58076SAndreas Gohr     */
18fca58076SAndreas Gohr    public function register(Doku_Event_Handler $controller)
19fca58076SAndreas Gohr    {
20a386a536SAndreas Gohr        // check 2fa requirements and either move to profile or login handling
21a386a536SAndreas Gohr        $controller->register_hook(
22a386a536SAndreas Gohr            'ACTION_ACT_PREPROCESS',
23a386a536SAndreas Gohr            'BEFORE',
24a386a536SAndreas Gohr            $this,
25a386a536SAndreas Gohr            'handleActionPreProcess',
26a386a536SAndreas Gohr            null,
275f8f561aSAndreas Gohr            Manager::EVENT_PRIORITY
28a386a536SAndreas Gohr        );
29fca58076SAndreas Gohr
30a386a536SAndreas Gohr        // display login form
31a386a536SAndreas Gohr        $controller->register_hook(
32a386a536SAndreas Gohr            'TPL_ACT_UNKNOWN',
33a386a536SAndreas Gohr            'BEFORE',
34a386a536SAndreas Gohr            $this,
35a386a536SAndreas Gohr            'handleLoginDisplay'
36a386a536SAndreas Gohr        );
37a386a536SAndreas Gohr
38210d81e3SAndreas Gohr        // disable user in all non-main screens (media, detail, ajax, ...)
39210d81e3SAndreas Gohr        $controller->register_hook(
40210d81e3SAndreas Gohr            'DOKUWIKI_INIT_DONE',
41210d81e3SAndreas Gohr            'BEFORE',
42210d81e3SAndreas Gohr            $this,
43210d81e3SAndreas Gohr            'handleInitDone'
44210d81e3SAndreas Gohr        );
45fca58076SAndreas Gohr    }
46fca58076SAndreas Gohr
47fca58076SAndreas Gohr    /**
48a386a536SAndreas Gohr     * Decide if any 2fa handling needs to be done for the current user
49a386a536SAndreas Gohr     *
50a386a536SAndreas Gohr     * @param Doku_Event $event
51a386a536SAndreas Gohr     */
52a386a536SAndreas Gohr    public function handleActionPreProcess(Doku_Event $event)
53a386a536SAndreas Gohr    {
545f8f561aSAndreas Gohr        $manager = Manager::getInstance();
555f8f561aSAndreas Gohr        if (!$manager->isReady()) return;
56a386a536SAndreas Gohr
57a386a536SAndreas Gohr        global $INPUT;
58a386a536SAndreas Gohr
59a386a536SAndreas Gohr        // already in a 2fa login?
60a386a536SAndreas Gohr        if ($event->data === 'twofactor_login') {
61848a9be0SAndreas Gohr            if ($this->verify(
62848a9be0SAndreas Gohr                $INPUT->str('2fa_code'),
63848a9be0SAndreas Gohr                $INPUT->str('2fa_provider'),
64848a9be0SAndreas Gohr                $INPUT->bool('sticky')
65848a9be0SAndreas Gohr            )) {
66a386a536SAndreas Gohr                $event->data = 'show';
67848a9be0SAndreas Gohr                return;
68a386a536SAndreas Gohr            } else {
69a386a536SAndreas Gohr                // show form
70a386a536SAndreas Gohr                $event->preventDefault();
71a386a536SAndreas Gohr                return;
72a386a536SAndreas Gohr            }
73a386a536SAndreas Gohr        }
74a386a536SAndreas Gohr
75857c5abcSAndreas Gohr        // clear cookie on logout
76857c5abcSAndreas Gohr        if ($event->data === 'logout') {
77857c5abcSAndreas Gohr            $this->deAuth();
78857c5abcSAndreas Gohr            return;
79857c5abcSAndreas Gohr        }
80857c5abcSAndreas Gohr
81a386a536SAndreas Gohr        // authed already, continue
82a386a536SAndreas Gohr        if ($this->isAuthed()) {
83a386a536SAndreas Gohr            return;
84a386a536SAndreas Gohr        }
85a386a536SAndreas Gohr
865f8f561aSAndreas Gohr        if (count($manager->getUserProviders())) {
87a386a536SAndreas Gohr            // user has already 2fa set up - they need to authenticate before anything else
88a386a536SAndreas Gohr            $event->data = 'twofactor_login';
89a386a536SAndreas Gohr            $event->preventDefault();
90a386a536SAndreas Gohr            $event->stopPropagation();
91a386a536SAndreas Gohr            return;
92a386a536SAndreas Gohr        }
93a386a536SAndreas Gohr
945f8f561aSAndreas Gohr        if ($manager->isRequired()) {
95a386a536SAndreas Gohr            // 2fa is required - they need to set it up now
96a386a536SAndreas Gohr            // this will be handled by action/profile.php
97a386a536SAndreas Gohr            $event->data = 'twofactor_profile';
98a386a536SAndreas Gohr        }
99a386a536SAndreas Gohr
100a386a536SAndreas Gohr        // all good. proceed
101a386a536SAndreas Gohr    }
102a386a536SAndreas Gohr
103a386a536SAndreas Gohr    /**
104a386a536SAndreas Gohr     * Show a 2fa login screen
105a386a536SAndreas Gohr     *
106a386a536SAndreas Gohr     * @param Doku_Event $event
107a386a536SAndreas Gohr     */
108a386a536SAndreas Gohr    public function handleLoginDisplay(Doku_Event $event)
109a386a536SAndreas Gohr    {
110a386a536SAndreas Gohr        if ($event->data !== 'twofactor_login') return;
1115f8f561aSAndreas Gohr        $manager = Manager::getInstance();
1125f8f561aSAndreas Gohr        if (!$manager->isReady()) return;
1135f8f561aSAndreas Gohr
114a386a536SAndreas Gohr        $event->preventDefault();
115a386a536SAndreas Gohr        $event->stopPropagation();
116a386a536SAndreas Gohr
117a386a536SAndreas Gohr        global $INPUT;
118c9e42a8dSAndreas Gohr        global $ID;
119c9e42a8dSAndreas Gohr
120a386a536SAndreas Gohr        $providerID = $INPUT->str('2fa_provider');
1215f8f561aSAndreas Gohr        $providers = $manager->getUserProviders();
1225f8f561aSAndreas Gohr        $provider = $providers[$providerID] ?? $manager->getUserDefaultProvider();
123b6119621SAndreas Gohr        // remove current provider from list
124b6119621SAndreas Gohr        unset($providers[$provider->getProviderID()]);
125a386a536SAndreas Gohr
1260407d282SAndreas Gohr        echo '<div class="plugin_twofactor_login">';
1270407d282SAndreas Gohr        echo inlineSVG(__DIR__ . '/../admin.svg');
128857c5abcSAndreas Gohr        echo $this->locale_xhtml('login');
129848a9be0SAndreas Gohr        $form = new dokuwiki\Form\Form(['method' => 'POST']);
130848a9be0SAndreas Gohr        $form->setHiddenField('do', 'twofactor_login');
131a386a536SAndreas Gohr        $form->setHiddenField('2fa_provider', $provider->getProviderID());
132a386a536SAndreas Gohr        $form->addFieldsetOpen($provider->getLabel());
133a386a536SAndreas Gohr        try {
134a386a536SAndreas Gohr            $code = $provider->generateCode();
135a386a536SAndreas Gohr            $info = $provider->transmitMessage($code);
136a386a536SAndreas Gohr            $form->addHTML('<p>' . hsc($info) . '</p>');
137848a9be0SAndreas Gohr            $form->addTextInput('2fa_code', 'Your Code')->val('');
138848a9be0SAndreas Gohr            $form->addCheckbox('sticky', 'Remember this browser'); // reuse same name as login
1390407d282SAndreas Gohr            $form->addTagOpen('div')->addClass('buttons');
140a386a536SAndreas Gohr            $form->addButton('2fa', 'Submit')->attr('type', 'submit');
1410407d282SAndreas Gohr            $form->addTagClose('div');
1425f8f561aSAndreas Gohr        } catch (Exception $e) {
143a386a536SAndreas Gohr            msg(hsc($e->getMessage()), -1); // FIXME better handling
144a386a536SAndreas Gohr        }
145a386a536SAndreas Gohr        $form->addFieldsetClose();
146a386a536SAndreas Gohr
147a386a536SAndreas Gohr        if (count($providers)) {
148*78279978SAndreas Gohr            $form->addFieldsetOpen('Alternative methods')->addClass('list');
149*78279978SAndreas Gohr            $form->addTagOpen('ul');
150a386a536SAndreas Gohr            foreach ($providers as $prov) {
151c9e42a8dSAndreas Gohr                $url = wl($ID, [
152c9e42a8dSAndreas Gohr                    'do' => 'twofactor_login',
153c9e42a8dSAndreas Gohr                    '2fa_provider' => $prov->getProviderID(),
154c9e42a8dSAndreas Gohr                ]);
155*78279978SAndreas Gohr                $form->addHTML(
156*78279978SAndreas Gohr                    '<li><div class="li"><a href="' . $url . '">' . hsc($prov->getLabel()) . '</a></div></li>'
157*78279978SAndreas Gohr                );
158a386a536SAndreas Gohr            }
159*78279978SAndreas Gohr
160*78279978SAndreas Gohr            $form->addTagClose('ul');
161a386a536SAndreas Gohr            $form->addFieldsetClose();
162a386a536SAndreas Gohr        }
163a386a536SAndreas Gohr
164a386a536SAndreas Gohr        echo $form->toHTML();
1650407d282SAndreas Gohr        echo '</div>';
166a386a536SAndreas Gohr    }
167a386a536SAndreas Gohr
168a386a536SAndreas Gohr    /**
169210d81e3SAndreas Gohr     * Remove user info from non-main entry points while we wait for 2fa
170210d81e3SAndreas Gohr     *
171210d81e3SAndreas Gohr     * @param Doku_Event $event
172210d81e3SAndreas Gohr     */
173210d81e3SAndreas Gohr    public function handleInitDone(Doku_Event $event)
174210d81e3SAndreas Gohr    {
175210d81e3SAndreas Gohr        global $INPUT;
176210d81e3SAndreas Gohr
177210d81e3SAndreas Gohr        if (!(Manager::getInstance())->isReady()) return;
178210d81e3SAndreas Gohr        if (basename($INPUT->server->str('SCRIPT_NAME')) == DOKU_SCRIPT) return;
179210d81e3SAndreas Gohr        if ($this->isAuthed()) return;
180210d81e3SAndreas Gohr
181210d81e3SAndreas Gohr        // temporarily remove user info from environment
182210d81e3SAndreas Gohr        $INPUT->server->remove('REMOTE_USER');
183210d81e3SAndreas Gohr        unset($_SESSION[DOKU_COOKIE]['auth']);
184210d81e3SAndreas Gohr        unset($GLOBALS['USERINFO']);
185210d81e3SAndreas Gohr    }
186210d81e3SAndreas Gohr
187210d81e3SAndreas Gohr    /**
188a386a536SAndreas Gohr     * Has the user already authenticated with the second factor?
189a386a536SAndreas Gohr     * @return bool
190a386a536SAndreas Gohr     */
191a386a536SAndreas Gohr    protected function isAuthed()
192a386a536SAndreas Gohr    {
193848a9be0SAndreas Gohr        if (!isset($_COOKIE[self::TWOFACTOR_COOKIE])) return false;
194848a9be0SAndreas Gohr        $data = unserialize(base64_decode($_COOKIE[self::TWOFACTOR_COOKIE]));
195848a9be0SAndreas Gohr        if (!is_array($data)) return false;
1966c996db8SAndreas Gohr        list($providerID, $hash,) = $data;
197848a9be0SAndreas Gohr
198848a9be0SAndreas Gohr        try {
1995f8f561aSAndreas Gohr            $provider = (Manager::getInstance())->getUserProvider($providerID);
2006c996db8SAndreas Gohr            if ($this->cookieHash($provider) !== $hash) return false;
201848a9be0SAndreas Gohr            return true;
2025f8f561aSAndreas Gohr        } catch (Exception $ignored) {
203a386a536SAndreas Gohr            return false;
204a386a536SAndreas Gohr        }
205848a9be0SAndreas Gohr    }
206a386a536SAndreas Gohr
207a386a536SAndreas Gohr    /**
208857c5abcSAndreas Gohr     * Deletes the cookie
209857c5abcSAndreas Gohr     *
210857c5abcSAndreas Gohr     * @return void
211857c5abcSAndreas Gohr     */
212857c5abcSAndreas Gohr    protected function deAuth()
213857c5abcSAndreas Gohr    {
214857c5abcSAndreas Gohr        global $conf;
215857c5abcSAndreas Gohr
216857c5abcSAndreas Gohr        $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
217857c5abcSAndreas Gohr        $time = time() - 60 * 60 * 24 * 365; // one year in the past
218857c5abcSAndreas Gohr        setcookie(self::TWOFACTOR_COOKIE, null, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
219857c5abcSAndreas Gohr    }
220857c5abcSAndreas Gohr
221857c5abcSAndreas Gohr    /**
222a386a536SAndreas Gohr     * Verify a given code
223a386a536SAndreas Gohr     *
224a386a536SAndreas Gohr     * @return bool
225a386a536SAndreas Gohr     * @throws Exception
226a386a536SAndreas Gohr     */
227848a9be0SAndreas Gohr    protected function verify($code, $providerID, $sticky)
228a386a536SAndreas Gohr    {
229848a9be0SAndreas Gohr        global $conf;
230848a9be0SAndreas Gohr
231a386a536SAndreas Gohr        if (!$code) return false;
232a386a536SAndreas Gohr        if (!$providerID) return false;
2335f8f561aSAndreas Gohr        $provider = (Manager::getInstance())->getUserProvider($providerID);
234a386a536SAndreas Gohr        $ok = $provider->checkCode($code);
23516ed3964SAndreas Gohr        if (!$ok) return false;
236a386a536SAndreas Gohr
237848a9be0SAndreas Gohr        // store cookie
2386c996db8SAndreas Gohr        $hash = $this->cookieHash($provider);
2396c996db8SAndreas Gohr        $data = base64_encode(serialize([$providerID, $hash, time()]));
240848a9be0SAndreas Gohr        $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
241848a9be0SAndreas Gohr        $time = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year
242848a9be0SAndreas Gohr        setcookie(self::TWOFACTOR_COOKIE, $data, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
243a386a536SAndreas Gohr
244a386a536SAndreas Gohr        return true;
245a386a536SAndreas Gohr    }
2466c996db8SAndreas Gohr
2476c996db8SAndreas Gohr    /**
2486c996db8SAndreas Gohr     * Create a hash that validates the cookie
2496c996db8SAndreas Gohr     *
2506c996db8SAndreas Gohr     * @param Provider $provider
2516c996db8SAndreas Gohr     * @return string
2526c996db8SAndreas Gohr     */
2536c996db8SAndreas Gohr    protected function cookieHash($provider)
2546c996db8SAndreas Gohr    {
2556c996db8SAndreas Gohr        return sha1(join("\n", [
2566c996db8SAndreas Gohr            $provider->getProviderID(),
2575f8f561aSAndreas Gohr            (Manager::getInstance())->getUser(),
2586c996db8SAndreas Gohr            $provider->getSecret(),
2596c996db8SAndreas Gohr            auth_browseruid(),
2606c996db8SAndreas Gohr            auth_cookiesalt(false, true),
2616c996db8SAndreas Gohr        ]));
2626c996db8SAndreas Gohr    }
263fca58076SAndreas Gohr}
264