1<?php 2 3use dokuwiki\plugin\twofactor\Manager; 4use dokuwiki\plugin\twofactor\Provider; 5 6/** 7 * DokuWiki Plugin twofactor (Action Component) 8 * 9 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html 10 */ 11class action_plugin_twofactor_login extends DokuWiki_Action_Plugin 12{ 13 const TWOFACTOR_COOKIE = '2FA' . DOKU_COOKIE; 14 15 /** 16 * Registers the event handlers. 17 */ 18 public function register(Doku_Event_Handler $controller) 19 { 20 // check 2fa requirements and either move to profile or login handling 21 $controller->register_hook( 22 'ACTION_ACT_PREPROCESS', 23 'BEFORE', 24 $this, 25 'handleActionPreProcess', 26 null, 27 Manager::EVENT_PRIORITY 28 ); 29 30 // display login form 31 $controller->register_hook( 32 'TPL_ACT_UNKNOWN', 33 'BEFORE', 34 $this, 35 'handleLoginDisplay' 36 ); 37 38 // FIXME disable user in all non-main screens (media, detail, ajax, ...) 39 } 40 41 /** 42 * Decide if any 2fa handling needs to be done for the current user 43 * 44 * @param Doku_Event $event 45 */ 46 public function handleActionPreProcess(Doku_Event $event) 47 { 48 $manager = Manager::getInstance(); 49 if (!$manager->isReady()) return; 50 51 global $INPUT; 52 53 // already in a 2fa login? 54 if ($event->data === 'twofactor_login') { 55 if ($this->verify( 56 $INPUT->str('2fa_code'), 57 $INPUT->str('2fa_provider'), 58 $INPUT->bool('sticky') 59 )) { 60 $event->data = 'show'; 61 return; 62 } else { 63 // show form 64 $event->preventDefault(); 65 return; 66 } 67 } 68 69 // authed already, continue 70 if ($this->isAuthed()) { 71 return; 72 } 73 74 if (count($manager->getUserProviders())) { 75 // user has already 2fa set up - they need to authenticate before anything else 76 $event->data = 'twofactor_login'; 77 $event->preventDefault(); 78 $event->stopPropagation(); 79 return; 80 } 81 82 if ($manager->isRequired()) { 83 // 2fa is required - they need to set it up now 84 // this will be handled by action/profile.php 85 $event->data = 'twofactor_profile'; 86 } 87 88 // all good. proceed 89 } 90 91 /** 92 * Show a 2fa login screen 93 * 94 * @param Doku_Event $event 95 */ 96 public function handleLoginDisplay(Doku_Event $event) 97 { 98 if ($event->data !== 'twofactor_login') return; 99 $manager = Manager::getInstance(); 100 if (!$manager->isReady()) return; 101 102 $event->preventDefault(); 103 $event->stopPropagation(); 104 105 global $INPUT; 106 global $ID; 107 108 $providerID = $INPUT->str('2fa_provider'); 109 $providers = $manager->getUserProviders(); 110 $provider = $providers[$providerID] ?? $manager->getUserDefaultProvider(); 111 // remove current provider from list 112 unset($providers[$provider->getProviderID()]); 113 114 $form = new dokuwiki\Form\Form(['method' => 'POST']); 115 $form->setHiddenField('do', 'twofactor_login'); 116 $form->setHiddenField('2fa_provider', $provider->getProviderID()); 117 $form->addFieldsetOpen($provider->getLabel()); 118 try { 119 $code = $provider->generateCode(); 120 $info = $provider->transmitMessage($code); 121 $form->addHTML('<p>' . hsc($info) . '</p>'); 122 $form->addTextInput('2fa_code', 'Your Code')->val(''); 123 $form->addCheckbox('sticky', 'Remember this browser'); // reuse same name as login 124 $form->addButton('2fa', 'Submit')->attr('type', 'submit'); 125 } catch (Exception $e) { 126 msg(hsc($e->getMessage()), -1); // FIXME better handling 127 } 128 $form->addFieldsetClose(); 129 130 if (count($providers)) { 131 $form->addFieldsetOpen('Alternative methods'); 132 foreach ($providers as $prov) { 133 $url = wl($ID, [ 134 'do' => 'twofactor_login', 135 '2fa_provider' => $prov->getProviderID(), 136 ]); 137 $form->addHTML('< href="' . $url . '">' . hsc($prov->getLabel()) . '</a>'); 138 } 139 $form->addFieldsetClose(); 140 } 141 142 echo $form->toHTML(); 143 } 144 145 /** 146 * Has the user already authenticated with the second factor? 147 * @return bool 148 */ 149 protected function isAuthed() 150 { 151 if (!isset($_COOKIE[self::TWOFACTOR_COOKIE])) return false; 152 $data = unserialize(base64_decode($_COOKIE[self::TWOFACTOR_COOKIE])); 153 if (!is_array($data)) return false; 154 list($providerID, $hash,) = $data; 155 156 try { 157 $provider = (Manager::getInstance())->getUserProvider($providerID); 158 if ($this->cookieHash($provider) !== $hash) return false; 159 return true; 160 } catch (Exception $ignored) { 161 return false; 162 } 163 } 164 165 /** 166 * Verify a given code 167 * 168 * @return bool 169 * @throws Exception 170 */ 171 protected function verify($code, $providerID, $sticky) 172 { 173 global $conf; 174 175 if (!$code) return false; 176 if (!$providerID) return false; 177 $provider = (Manager::getInstance())->getUserProvider($providerID); 178 $ok = $provider->checkCode($code); 179 if (!$ok) { 180 msg('code was wrong', -1); 181 return false; 182 } 183 184 // store cookie 185 $hash = $this->cookieHash($provider); 186 $data = base64_encode(serialize([$providerID, $hash, time()])); 187 $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; 188 $time = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year 189 setcookie(self::TWOFACTOR_COOKIE, $data, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); 190 191 return true; 192 } 193 194 /** 195 * Create a hash that validates the cookie 196 * 197 * @param Provider $provider 198 * @return string 199 */ 200 protected function cookieHash($provider) 201 { 202 return sha1(join("\n", [ 203 $provider->getProviderID(), 204 (Manager::getInstance())->getUser(), 205 $provider->getSecret(), 206 auth_browseruid(), 207 auth_cookiesalt(false, true), 208 ])); 209 } 210} 211