From 2eff42bd764cd119d53966d25a43ebfb35d636a9 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Dec 2018 21:32:50 -0700 Subject: [PATCH 1/5] Update SecuritySettings Controller, add 2FA backup code regeneration --- app/Http/Controllers/Settings/SecuritySettings.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/app/Http/Controllers/Settings/SecuritySettings.php b/app/Http/Controllers/Settings/SecuritySettings.php index 99547b73b..5d1c49ad3 100644 --- a/app/Http/Controllers/Settings/SecuritySettings.php +++ b/app/Http/Controllers/Settings/SecuritySettings.php @@ -110,6 +110,19 @@ trait SecuritySettings return view('settings.security.2fa.recovery-codes', compact('user', 'codes')); } + public function securityTwoFactorRecoveryCodesRegenerate(Request $request) + { + $user = Auth::user(); + + if(!$user->{'2fa_enabled'} || !$user->{'2fa_secret'}) { + abort(403); + } + $backups = $this->generateBackupCodes(); + $user->{'2fa_backup_codes'} = json_encode($backups); + $user->save(); + return redirect(route('settings.security.2fa.recovery')); + } + public function securityTwoFactorUpdate(Request $request) { $user = Auth::user(); From f7c1801ab82073ceed016d00e9b8bb7f18367b43 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Dec 2018 21:33:15 -0700 Subject: [PATCH 2/5] Update web routes --- routes/web.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/routes/web.php b/routes/web.php index aac1c1010..f74f894e6 100644 --- a/routes/web.php +++ b/routes/web.php @@ -166,6 +166,10 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact '2fa/recovery-codes', 'SettingsController@securityTwoFactorRecoveryCodes' )->name('settings.security.2fa.recovery'); + Route::post( + '2fa/recovery-codes', + 'SettingsController@securityTwoFactorRecoveryCodesRegenerate' + ); }); Route::get('applications', 'SettingsController@applications')->name('settings.applications'); 
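Review bot: `securityTwoFactorRecoveryCodesRegenerate` replaces the whole recovery-code set on nothing more than an authenticated session plus the CSRF token, so a hijacked session can rotate the codes and lock the legitimate holder out of their own backups; a password or current-TOTP re-check before the `generateBackupCodes()` call, and an audit-log entry or user notification of the rotation, would close that gap since an unrequested regeneration is a compromise signal. The `2fa_enabled`/`2fa_secret` guard with `abort(403)` is the right gate, but `$request` is otherwise unused and there is no throttle on the method itself. The method also has no docblock; something like `/** Replace the user's 2FA recovery codes with a fresh set; the previous codes stop working immediately. */` would document the invalidation side effect. The enclosing `SecuritySettings` trait starts outside the hunk.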
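Review bot: The new `Route::post('2fa/recovery-codes', ...)` carries no `->name()`, unlike the `Route::get` it sits beside that is named `settings.security.2fa.recovery`, so the regenerate form has to hard-code the path; adding `->name('settings.security.2fa.recovery.regenerate')` (name suggested here, not on the page) keeps the pair consistent. The route inherits only the group middleware visible in the truncated header (`validemail`, `twofact…`); as a state-changing 2FA endpoint it is a natural candidate for the `throttle` middleware as well. The `Route::domain(...)->middleware([...])` group both starts and ends outside the hunk.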
From 3a38c7386b48e2a24f476a74f810b41c67c86bed Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Dec 2018 21:34:51 -0700 Subject: [PATCH 3/5] Update AccountController, allow 2FA backup codes --- app/Http/Controllers/AccountController.php | 32 ++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php index 87423c5aa..980dd4dcd 100644 --- a/app/Http/Controllers/AccountController.php +++ b/app/Http/Controllers/AccountController.php @@ -339,6 +339,11 @@ class AccountController extends Controller $request->session()->push('2fa.session.active', true); return redirect('/'); } else { + + if($this->twoFactorBackupCheck($request, $code, $user)) { + return redirect('/'); + } + if($request->session()->has('2fa.attempts')) { $count = (int) $request->session()->has('2fa.attempts'); $request->session()->push('2fa.attempts', $count + 1); @@ -350,4 +355,31 @@ class AccountController extends Controller ]); } } + + protected function twoFactorBackupCheck($request, $code, User $user) + { + $backupCodes = $user->{'2fa_backup_codes'}; + if($backupCodes) { + $codes = json_decode($backupCodes, true); + foreach ($codes as $c) { + if(hash_equals($c, $code)) { + // remove code + $codes = array_flatten(array_diff($codes, [$code])); + $user->{'2fa_backup_codes'} = json_encode($codes); + $user->save(); + $request->session()->push('2fa.session.active', true); + return true; + } else { + return false; + } + } + } else { + return false; + } + } + + public function accountRestored(Request $request) + { + // + } } From 8576392662ea33f916cb31cf4d6e9dfdcd7ad672 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Dec 2018 21:35:24 -0700 Subject: [PATCH 4/5] Update 2FA view --- .../security/2fa/recovery-codes.blade.php | 32 ++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) 
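Review bot: In `twoFactorBackupCheck` the `else { return false; }` inside the `foreach` exits on the first stored code that does not match, so only the first remaining backup code is ever accepted and every other valid code is rejected; the loop has to complete before the method returns `false`. `json_decode` can return a non-array and `$code` comes from the request, so the `foreach` and `hash_equals($c, $code)` need `is_array`/`is_string` guards rather than the current fall-through, and the method presently returns `null` rather than `false` when `$codes` is empty and the loop never runs. Since the codes are stored as plain JSON in `2fa_backup_codes`, hashing them at generation time and comparing hashes here is a follow-up worth tracking, and a successful backup-code login deserves a log entry because it usually means the TOTP device is lost or compromised. The call site added in the first hunk of this patch only reaches this method after the TOTP check has failed, which is the right order. The rewritten method is below.
```php
    protected function twoFactorBackupCheck($request, $code, User $user)
    {
        $backupCodes = $user->{'2fa_backup_codes'};
        if(!$backupCodes || !is_string($code)) {
            return false;
        }
        $codes = json_decode($backupCodes, true);
        if(!is_array($codes)) {
            return false;
        }
        foreach ($codes as $c) {
            if(hash_equals($c, $code)) {
                // … unchanged: consume the code, save the user, mark 2fa.session.active, return true …
            }
        }
        return false;
    }
```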
diff --git a/resources/views/settings/security/2fa/recovery-codes.blade.php b/resources/views/settings/security/2fa/recovery-codes.blade.php index 47f37af29..9b6c61e4a 100644 --- a/resources/views/settings/security/2fa/recovery-codes.blade.php +++ b/resources/views/settings/security/2fa/recovery-codes.blade.php @@ -7,16 +7,26 @@
- -

- Each code can only be used once. -

- -

-
    - @foreach($codes as $code) -
  • {{$code}}
  • - @endforeach -
+ @if(count($codes) > 0) +

+ Each code can only be used once. +

+
    + @foreach($codes as $code) +
  • {{$code}}
  • + @endforeach +
+ @else +
+

You are out of recovery codes

+

Generate more recovery codes and store them in a safe place.

+

+

+ @csrf + +
+

+
+ @endif @endsection \ No newline at end of file From ce6ba4cd4b05d997a96fbf15fd981e46384f7c17 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Dec 2018 21:36:11 -0700 Subject: [PATCH 5/5] Bump version to 0.7.6 --- config/pixelfed.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/pixelfed.php b/config/pixelfed.php index 419e38e02..25c9c0870 100644 --- a/config/pixelfed.php +++ b/config/pixelfed.php @@ -23,7 +23,7 @@ return [ | This value is the version of your PixelFed instance. | */ - 'version' => '0.7.5', + 'version' => '0.7.6', /* |--------------------------------------------------------------------------
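Review bot: The regenerate form (the `@csrf` POST added in the `@else` branch) is rendered only when `count($codes)` is zero, so a user who still has codes but believes them exposed has no page path to rotate them, even though the POST route added in this series accepts the request at any time; rendering the form outside the conditional, or adding a second button in the `@if` branch, would match the controller's behaviour. `@if(count($codes) > 0)` also assumes the controller always passes an array; if `$codes` can be `null`, `count()` throws on current PHP, and `@if(!empty($codes))` is the safer test. The `@section` this hunk edits starts outside the hunk.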