123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256 |
- <?php
- /**
- * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
- * SPDX-License-Identifier: AGPL-3.0-only
- */
- namespace OC\Core\Controller;
- use OC\Authentication\TwoFactorAuth\Manager;
- use OC_User;
- use OCP\AppFramework\Controller;
- use OCP\AppFramework\Http\Attribute\FrontpageRoute;
- use OCP\AppFramework\Http\Attribute\NoAdminRequired;
- use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
- use OCP\AppFramework\Http\Attribute\OpenAPI;
- use OCP\AppFramework\Http\Attribute\UseSession;
- use OCP\AppFramework\Http\RedirectResponse;
- use OCP\AppFramework\Http\StandaloneTemplateResponse;
- use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
- use OCP\Authentication\TwoFactorAuth\IProvider;
- use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
- use OCP\Authentication\TwoFactorAuth\TwoFactorException;
- use OCP\IRequest;
- use OCP\ISession;
- use OCP\IURLGenerator;
- use OCP\IUserSession;
- use Psr\Log\LoggerInterface;
- #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
- class TwoFactorChallengeController extends Controller {
- public function __construct(
- string $appName,
- IRequest $request,
- private Manager $twoFactorManager,
- private IUserSession $userSession,
- private ISession $session,
- private IURLGenerator $urlGenerator,
- private LoggerInterface $logger,
- ) {
- parent::__construct($appName, $request);
- }
- /**
- * @return string
- */
- protected function getLogoutUrl() {
- return OC_User::getLogoutUrl($this->urlGenerator);
- }
- /**
- * @param IProvider[] $providers
- */
- private function splitProvidersAndBackupCodes(array $providers): array {
- $regular = [];
- $backup = null;
- foreach ($providers as $provider) {
- if ($provider->getId() === 'backup_codes') {
- $backup = $provider;
- } else {
- $regular[] = $provider;
- }
- }
- return [$regular, $backup];
- }
- /**
- * @TwoFactorSetUpDoneRequired
- *
- * @param string $redirect_url
- * @return StandaloneTemplateResponse
- */
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[FrontpageRoute(verb: 'GET', url: '/login/selectchallenge')]
- public function selectChallenge($redirect_url) {
- $user = $this->userSession->getUser();
- $providerSet = $this->twoFactorManager->getProviderSet($user);
- $allProviders = $providerSet->getProviders();
- [$providers, $backupProvider] = $this->splitProvidersAndBackupCodes($allProviders);
- $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
- $data = [
- 'providers' => $providers,
- 'backupProvider' => $backupProvider,
- 'providerMissing' => $providerSet->isProviderMissing(),
- 'redirect_url' => $redirect_url,
- 'logout_url' => $this->getLogoutUrl(),
- 'hasSetupProviders' => !empty($setupProviders),
- ];
- return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
- }
- /**
- * @TwoFactorSetUpDoneRequired
- *
- * @param string $challengeProviderId
- * @param string $redirect_url
- * @return StandaloneTemplateResponse|RedirectResponse
- */
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[UseSession]
- #[FrontpageRoute(verb: 'GET', url: '/login/challenge/{challengeProviderId}')]
- public function showChallenge($challengeProviderId, $redirect_url) {
- $user = $this->userSession->getUser();
- $providerSet = $this->twoFactorManager->getProviderSet($user);
- $provider = $providerSet->getProvider($challengeProviderId);
- if (is_null($provider)) {
- return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
- }
- $backupProvider = $providerSet->getProvider('backup_codes');
- if (!is_null($backupProvider) && $backupProvider->getId() === $provider->getId()) {
- // Don't show the backup provider link if we're already showing that provider's challenge
- $backupProvider = null;
- }
- $errorMessage = '';
- $error = false;
- if ($this->session->exists('two_factor_auth_error')) {
- $this->session->remove('two_factor_auth_error');
- $error = true;
- $errorMessage = $this->session->get("two_factor_auth_error_message");
- $this->session->remove('two_factor_auth_error_message');
- }
- $tmpl = $provider->getTemplate($user);
- $tmpl->assign('redirect_url', $redirect_url);
- $data = [
- 'error' => $error,
- 'error_message' => $errorMessage,
- 'provider' => $provider,
- 'backupProvider' => $backupProvider,
- 'logout_url' => $this->getLogoutUrl(),
- 'redirect_url' => $redirect_url,
- 'template' => $tmpl->fetchPage(),
- ];
- $response = new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
- if ($provider instanceof IProvidesCustomCSP) {
- $response->setContentSecurityPolicy($provider->getCSP());
- }
- return $response;
- }
- /**
- * @TwoFactorSetUpDoneRequired
- *
- * @UserRateThrottle(limit=5, period=100)
- *
- * @param string $challengeProviderId
- * @param string $challenge
- * @param string $redirect_url
- * @return RedirectResponse
- */
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[UseSession]
- #[FrontpageRoute(verb: 'POST', url: '/login/challenge/{challengeProviderId}')]
- public function solveChallenge($challengeProviderId, $challenge, $redirect_url = null) {
- $user = $this->userSession->getUser();
- $provider = $this->twoFactorManager->getProvider($user, $challengeProviderId);
- if (is_null($provider)) {
- return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
- }
- try {
- if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
- if (!is_null($redirect_url)) {
- return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
- }
- return new RedirectResponse($this->urlGenerator->linkToDefaultPageUrl());
- }
- } catch (TwoFactorException $e) {
- /*
- * The 2FA App threw an TwoFactorException. Now we display more
- * information to the user. The exception text is stored in the
- * session to be used in showChallenge()
- */
- $this->session->set('two_factor_auth_error_message', $e->getMessage());
- }
- $ip = $this->request->getRemoteAddress();
- $uid = $user->getUID();
- $this->logger->warning("Two-factor challenge failed: $uid (Remote IP: $ip)");
- $this->session->set('two_factor_auth_error', true);
- return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.showChallenge', [
- 'challengeProviderId' => $provider->getId(),
- 'redirect_url' => $redirect_url,
- ]));
- }
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[FrontpageRoute(verb: 'GET', url: 'login/setupchallenge')]
- public function setupProviders(?string $redirect_url = null): StandaloneTemplateResponse {
- $user = $this->userSession->getUser();
- $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
- $data = [
- 'providers' => $setupProviders,
- 'logout_url' => $this->getLogoutUrl(),
- 'redirect_url' => $redirect_url,
- ];
- return new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
- }
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[FrontpageRoute(verb: 'GET', url: 'login/setupchallenge/{providerId}')]
- public function setupProvider(string $providerId, ?string $redirect_url = null) {
- $user = $this->userSession->getUser();
- $providers = $this->twoFactorManager->getLoginSetupProviders($user);
- $provider = null;
- foreach ($providers as $p) {
- if ($p->getId() === $providerId) {
- $provider = $p;
- break;
- }
- }
- if ($provider === null) {
- return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
- }
- /** @var IActivatableAtLogin $provider */
- $tmpl = $provider->getLoginSetup($user)->getBody();
- $data = [
- 'provider' => $provider,
- 'logout_url' => $this->getLogoutUrl(),
- 'redirect_url' => $redirect_url,
- 'template' => $tmpl->fetchPage(),
- ];
- $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
- return $response;
- }
- /**
- * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
- */
- #[NoAdminRequired]
- #[NoCSRFRequired]
- #[FrontpageRoute(verb: 'POST', url: 'login/setupchallenge/{providerId}')]
- public function confirmProviderSetup(string $providerId, ?string $redirect_url = null) {
- return new RedirectResponse($this->urlGenerator->linkToRoute(
- 'core.TwoFactorChallenge.showChallenge',
- [
- 'challengeProviderId' => $providerId,
- 'redirect_url' => $redirect_url,
- ]
- ));
- }
- }
|