TwoFactorChallengeController.php 8.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OC\Core\Controller;
  8. use OC\Authentication\TwoFactorAuth\Manager;
  9. use OC_User;
  10. use OCP\AppFramework\Controller;
  11. use OCP\AppFramework\Http\Attribute\FrontpageRoute;
  12. use OCP\AppFramework\Http\Attribute\NoAdminRequired;
  13. use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
  14. use OCP\AppFramework\Http\Attribute\OpenAPI;
  15. use OCP\AppFramework\Http\Attribute\UseSession;
  16. use OCP\AppFramework\Http\RedirectResponse;
  17. use OCP\AppFramework\Http\StandaloneTemplateResponse;
  18. use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
  19. use OCP\Authentication\TwoFactorAuth\IProvider;
  20. use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
  21. use OCP\Authentication\TwoFactorAuth\TwoFactorException;
  22. use OCP\IRequest;
  23. use OCP\ISession;
  24. use OCP\IURLGenerator;
  25. use OCP\IUserSession;
  26. use Psr\Log\LoggerInterface;
  27. #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
  28. class TwoFactorChallengeController extends Controller {
  29. public function __construct(
  30. string $appName,
  31. IRequest $request,
  32. private Manager $twoFactorManager,
  33. private IUserSession $userSession,
  34. private ISession $session,
  35. private IURLGenerator $urlGenerator,
  36. private LoggerInterface $logger,
  37. ) {
  38. parent::__construct($appName, $request);
  39. }
  40. /**
  41. * @return string
  42. */
  43. protected function getLogoutUrl() {
  44. return OC_User::getLogoutUrl($this->urlGenerator);
  45. }
  46. /**
  47. * @param IProvider[] $providers
  48. */
  49. private function splitProvidersAndBackupCodes(array $providers): array {
  50. $regular = [];
  51. $backup = null;
  52. foreach ($providers as $provider) {
  53. if ($provider->getId() === 'backup_codes') {
  54. $backup = $provider;
  55. } else {
  56. $regular[] = $provider;
  57. }
  58. }
  59. return [$regular, $backup];
  60. }
  61. /**
  62. * @TwoFactorSetUpDoneRequired
  63. *
  64. * @param string $redirect_url
  65. * @return StandaloneTemplateResponse
  66. */
  67. #[NoAdminRequired]
  68. #[NoCSRFRequired]
  69. #[FrontpageRoute(verb: 'GET', url: '/login/selectchallenge')]
  70. public function selectChallenge($redirect_url) {
  71. $user = $this->userSession->getUser();
  72. $providerSet = $this->twoFactorManager->getProviderSet($user);
  73. $allProviders = $providerSet->getProviders();
  74. [$providers, $backupProvider] = $this->splitProvidersAndBackupCodes($allProviders);
  75. $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
  76. $data = [
  77. 'providers' => $providers,
  78. 'backupProvider' => $backupProvider,
  79. 'providerMissing' => $providerSet->isProviderMissing(),
  80. 'redirect_url' => $redirect_url,
  81. 'logout_url' => $this->getLogoutUrl(),
  82. 'hasSetupProviders' => !empty($setupProviders),
  83. ];
  84. return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
  85. }
  86. /**
  87. * @TwoFactorSetUpDoneRequired
  88. *
  89. * @param string $challengeProviderId
  90. * @param string $redirect_url
  91. * @return StandaloneTemplateResponse|RedirectResponse
  92. */
  93. #[NoAdminRequired]
  94. #[NoCSRFRequired]
  95. #[UseSession]
  96. #[FrontpageRoute(verb: 'GET', url: '/login/challenge/{challengeProviderId}')]
  97. public function showChallenge($challengeProviderId, $redirect_url) {
  98. $user = $this->userSession->getUser();
  99. $providerSet = $this->twoFactorManager->getProviderSet($user);
  100. $provider = $providerSet->getProvider($challengeProviderId);
  101. if (is_null($provider)) {
  102. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  103. }
  104. $backupProvider = $providerSet->getProvider('backup_codes');
  105. if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
  106. // Don't show the backup provider link if we're already showing that provider's challenge
  107. $backupProvider = null;
  108. }
  109. $errorMessage = '';
  110. $error = false;
  111. if ($this->session->exists('two_factor_auth_error')) {
  112. $this->session->remove('two_factor_auth_error');
  113. $error = true;
  114. $errorMessage = $this->session->get("two_factor_auth_error_message");
  115. $this->session->remove('two_factor_auth_error_message');
  116. }
  117. $tmpl = $provider->getTemplate($user);
  118. $tmpl->assign('redirect_url', $redirect_url);
  119. $data = [
  120. 'error' => $error,
  121. 'error_message' => $errorMessage,
  122. 'provider' => $provider,
  123. 'backupProvider' => $backupProvider,
  124. 'logout_url' => $this->getLogoutUrl(),
  125. 'redirect_url' => $redirect_url,
  126. 'template' => $tmpl->fetchPage(),
  127. ];
  128. $response = new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
  129. if ($provider instanceof IProvidesCustomCSP) {
  130. $response->setContentSecurityPolicy($provider->getCSP());
  131. }
  132. return $response;
  133. }
  134. /**
  135. * @TwoFactorSetUpDoneRequired
  136. *
  137. * @UserRateThrottle(limit=5, period=100)
  138. *
  139. * @param string $challengeProviderId
  140. * @param string $challenge
  141. * @param string $redirect_url
  142. * @return RedirectResponse
  143. */
  144. #[NoAdminRequired]
  145. #[NoCSRFRequired]
  146. #[UseSession]
  147. #[FrontpageRoute(verb: 'POST', url: '/login/challenge/{challengeProviderId}')]
  148. public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
  149. $user = $this->userSession->getUser();
  150. $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
  151. if (is_null($provider)) {
  152. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  153. }
  154. try {
  155. if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
  156. if (!is_null($redirect_url)) {
  157. return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
  158. }
  159. return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
  160. }
  161. } catch (TwoFactorException $e) {
  162. /*
  163. * The 2FA App threw an TwoFactorException. Now we display more
  164. * information to the user. The exception text is stored in the
  165. * session to be used in showChallenge()
  166. */
  167. $this->session->set('two_factor_auth_error_message', $e->getMessage());
  168. }
  169. $ip = $this->request->getRemoteAddress();
  170. $uid = $user->getUID();
  171. $this->logger->warning("Two-factor challenge failed: $uid (Remote IP: $ip)");
  172. $this->session->set('two_factor_auth_error', true);
  173. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
  174. 'challengeProviderId' => $provider->getId(),
  175. 'redirect_url' => $redirect_url,
  176. ]));
  177. }
  178. #[NoAdminRequired]
  179. #[NoCSRFRequired]
  180. #[FrontpageRoute(verb: 'GET', url: 'login/setupchallenge')]
  181. public function setupProviders(?string $redirect_url = null): StandaloneTemplateResponse {
  182. $user = $this->userSession->getUser();
  183. $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
  184. $data = [
  185. 'providers' => $setupProviders,
  186. 'logout_url' => $this->getLogoutUrl(),
  187. 'redirect_url' => $redirect_url,
  188. ];
  189. return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
  190. }
  191. #[NoAdminRequired]
  192. #[NoCSRFRequired]
  193. #[FrontpageRoute(verb: 'GET', url: 'login/setupchallenge/{providerId}')]
  194. public function setupProvider(string $providerId, ?string $redirect_url = null) {
  195. $user = $this->userSession->getUser();
  196. $providers = $this->twoFactorManager->getLoginSetupProviders($user);
  197. $provider = null;
  198. foreach ($providers as $p) {
  199. if ($p->getId() === $providerId) {
  200. $provider = $p;
  201. break;
  202. }
  203. }
  204. if ($provider === null) {
  205. return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
  206. }
  207. /** @var IActivatableAtLogin $provider */
  208. $tmpl = $provider->getLoginSetup($user)->getBody();
  209. $data = [
  210. 'provider' => $provider,
  211. 'logout_url' => $this->getLogoutUrl(),
  212. 'redirect_url' => $redirect_url,
  213. 'template' => $tmpl->fetchPage(),
  214. ];
  215. $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
  216. return $response;
  217. }
  218. /**
  219. * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
  220. */
  221. #[NoAdminRequired]
  222. #[NoCSRFRequired]
  223. #[FrontpageRoute(verb: 'POST', url: 'login/setupchallenge/{providerId}')]
  224. public function confirmProviderSetup(string $providerId, ?string $redirect_url = null) {
  225. return new RedirectResponse($this->urlGenerator->linkToRoute(
  226. 'core.TwoFactorChallenge.showChallenge',
  227. [
  228. 'challengeProviderId' => $providerId,
  229. 'redirect_url' => $redirect_url,
  230. ]
  231. ));
  232. }
  233. }