PHPCS

Author: Dave MacFarlane

modules/api/php/endpoints/login.class.inc

@@ -105,7 +105,6 @@ class Login extends Endpoint
 
             $user     = $requestdata['username'] ?? null;
             $password = $requestdata['password'] ?? null;
-            $mfacode  = $requestdata['code'] ?? null;
 
             if ($user === null || $password === null) {
                 return new \LORIS\Http\Response\JSON\BadRequest(
@@ -115,7 +114,7 @@ class Login extends Endpoint
 
             $login = $this->getLoginAuthenticator();
 
-            if ($login->passwordAuthenticate($user, $password, $mfacode, false)) {
+            if ($login->passwordAuthenticate($user, $password, false)) {
                 $token = $this->getEncodedToken($user);
                 if (!empty($token)) {
                     return new \LORIS\Http\Response\JsonResponse(

modules/login/php/authentication.class.inc

@@ -160,7 +160,6 @@ class Authentication extends \NDB_Page implements ETagCalculator
         $success = $login->passwordAuthenticate(
             $values['username'],
             $values['password'],
-	    null,
             false,
         );
         if ($success) {

modules/login/php/mfa.class.inc

@@ -4,27 +4,23 @@ namespace LORIS\login;
 
 use \Psr\Http\Message\ServerRequestInterface;
 use \Psr\Http\Message\ResponseInterface;
-use \LORIS\Middleware\ETagCalculator;
 
 /**
- * POST request for authentication.
+ * Perform multi-factor authentication for LORIS.
  *
- * Used to request account.
+ * This page is used by the MFA middleware to prompt for and
+ * validate a 2 factor authentication code.
  *
- * @category Loris
- * @package  Login
- * @author   Alizée Wickenheiser <[email protected]>
- * @license  http://www.gnu.org/licenses/gpl-3.0.txt GPLv3
- * @link     https://www.github.com/aces/Loris/
+ * @license http://www.gnu.org/licenses/gpl-3.0.txt GPLv3
  */
 class MFA extends \NDB_Page
 {
     public $skipTemplate = true;
 
     /**
-     * Include additional JS files
+     * {@inheritDoc}
      *
-     * @return array of javascript to be inserted
+     * @return array
      */
     function getJSDependencies()
     {
@@ -38,10 +34,11 @@ class MFA extends \NDB_Page
             ]
         );
     }
+
     /**
-     * Include additional CSS files:
+     * {@inheritDoc}
      *
-     * @return array of javascript to be inserted
+     * @return array
      */
     function getCSSDependencies()
     {
@@ -64,8 +61,8 @@ class MFA extends \NDB_Page
     {
         // Ensure POST request.
         switch ($request->getMethod()) {
-	case 'GET':
-		return parent::handle($request);
+        case 'GET':
+            return parent::handle($request);
         case 'POST':
             return $this->_handlePOST($request);
         default:
@@ -84,22 +81,22 @@ class MFA extends \NDB_Page
      */
     private function _handlePOST(ServerRequestInterface $request) : ResponseInterface
     {
-	    $requestdata = json_decode((string )$request->getBody(), true);
-	    $user = $request->getAttribute("user");
-	    if(!isset($requestdata['code'])) {
-		    return new \LORIS\Http\Response\JSON\Unauthorized("missing code");
-	    }
+        $requestdata = json_decode((string )$request->getBody(), true);
+        $user        = $request->getAttribute("user");
+        if (!isset($requestdata['code'])) {
+            return new \LORIS\Http\Response\JSON\Unauthorized("missing code");
+        }
 
-	    $validator = $user->getTOTPValidator();
-	    $counter = $validator->getTimeCounter();
-	    $wantCode = $validator->getCode($counter, 6);
-	    if($wantCode === $requestdata['code']) {
-		    $login = $_SESSION['State']->getProperty('login');
-		    $login->setPassedMFA();
-		    return new \LORIS\Http\Response\JSON\OK(["success" => "validated code"]);
-	    } else {
-		    return new \LORIS\Http\Response\JSON\Unauthorized("invalid code");
-	    }
+        $validator = $user->getTOTPValidator();
+        $counter   = $validator->getTimeCounter();
+        $wantCode  = $validator->getCode($counter, 6);
+        if ($wantCode === $requestdata['code']) {
+            $login = $_SESSION['State']->getProperty('login');
+            $login->setPassedMFA();
+            return new \LORIS\Http\Response\JSON\OK(["success" => "validated code"]);
+        } else {
+            return new \LORIS\Http\Response\JSON\Unauthorized("invalid code");
+        }
     }
 
     /**

modules/my_preferences/jsx/mfa.tsx

@@ -36,7 +36,10 @@ function CodeValidator(props: {
 		  return resp.json()
 	  }).then( (json) => {
 		  if (json.ok == 'success') {
-			  swal.fire('Success!', json.message, 'success')
+			  swal.fire('Success!', json.message, 'success').then( () => {
+				  window.location.href = loris.BaseURL + "/my_preferences/";
+			  });
+
 		  } else if (json.error) {
 			  swal.fire('Error', json.error, 'error')
 		  } else {

modules/my_preferences/php/mfa.class.inc

@@ -12,19 +12,24 @@ use \Psr\Http\Message\ResponseInterface;
  */
 class MFA extends \NDB_Page
 {
-	public $skipTemplate = true;
+    public $skipTemplate = true;
 
-	public function getBreadcrumbs(): \LORIS\BreadcrumbTrail
-	{
-		return new \LORIS\BreadcrumbTrail(
-			new \LORIS\Breadcrumb(
-				dgettext("loris", "My Preferences")
-			),
-			new \LORIS\Breadcrumb(
-				dgettext("my_preferences", "Configure 2FA")
-			),
-		);
-	}
+    /**
+     * {@inheritDoc}
+     *
+     * @return \LORIS\BreadcrumbTrail
+     */
+    public function getBreadcrumbs(): \LORIS\BreadcrumbTrail
+    {
+        return new \LORIS\BreadcrumbTrail(
+            new \LORIS\Breadcrumb(
+                dgettext("loris", "My Preferences")
+            ),
+            new \LORIS\Breadcrumb(
+                dgettext("my_preferences", "Configure 2FA")
+            ),
+        );
+    }
 
     /**
      * {@inheritDoc}
@@ -35,15 +40,18 @@ class MFA extends \NDB_Page
      */
     public function handle(ServerRequestInterface $request) : ResponseInterface
     {
-	    switch($request->getMethod()) {
-	    case 'GET':
-		    return parent::handle($request);
-	    case 'POST':
-		    return $this->validateCodeAndSave($request->getAttribute("user"), $request->getParsedBody());
-	    default:
-		    return new \LORIS\Http\Response\JSON\MethodNotAllowed(['GET', 'POST']);
+        switch ($request->getMethod()) {
+        case 'GET':
+            return parent::handle($request);
+        case 'POST':
+            return $this->validateCodeAndSave(
+                $request->getAttribute("user"),
+                $request->getParsedBody()
+            );
+        default:
+            return new \LORIS\Http\Response\JSON\MethodNotAllowed(['GET', 'POST']);
 
-	    }
+        }
     }
     /**
      * {@inheritDoc}
@@ -63,27 +71,48 @@ class MFA extends \NDB_Page
         );
     }
 
-    function validateCodeAndSave(\User $user, array $values): ResponseInterface {
-	    if(!isset($values['code']) || !isset($values['secret'])) {
-		    return new \LORIS\Http\Response\JSON\BadRequest('Missing code or secret to validate');
-	    }
-	    $base32Decoder = new Base32();
-	    $secret = $base32Decoder->decode($values['secret']);
-	    $validator = new \LORIS\Security\OTP\TOTP(secret: $secret);
-            $counter = $validator->getTimeCounter();
-	    $wantCode = $validator->getCode($counter, 6);
-	    if($wantCode !== strval($values['code'])) {
-		    return new \LORIS\Http\Response\JSON\BadRequest('Code does not match expected value');
-	    }
-	    $db = $this->loris->getDatabaseConnection();
-	    $db->_trackChanges = false;
-	    // We are dealing with binary data that never gets exposed to the user
-	    $db->unsafeUpdate("users", ['TOTPSecret' => $secret], ['ID' => $user->getId()]);
+    /**
+     * Validates the code passed by the user matches the secret key that they
+     * provided and save the secret key to the database if it matches
+     *
+     * @param \User $user   The user providing the 2FA code
+     * @param array $values The parsed values submitted by the user
+     *
+     * @return ResponseInterface
+     */
+    function validateCodeAndSave(\User $user, array $values): ResponseInterface
+    {
+        if (!isset($values['code']) || !isset($values['secret'])) {
+            return new \LORIS\Http\Response\JSON\BadRequest(
+                'Missing code or secret to validate'
+            );
+        }
+        $base32Decoder = new Base32();
+        $secret        = $base32Decoder->decode($values['secret']);
+        $validator     = new \LORIS\Security\OTP\TOTP(secret: $secret);
+            $counter   = $validator->getTimeCounter();
+        $wantCode      = $validator->getCode($counter, 6);
+        if ($wantCode !== strval($values['code'])) {
+            return new \LORIS\Http\Response\JSON\BadRequest(
+                'Code does not match expected value'
+            );
+        }
+        $db = $this->loris->getDatabaseConnection();
+        $db->_trackChanges = false;
+        // We are dealing with binary data that never gets exposed to the user
+        $db->unsafeUpdate(
+            "users",
+            ['TOTPSecret' => $secret],
+            ['ID' => $user->getId()]
+        );
 
-	    $login = $_SESSION['state']->getProperty('login');
-	    $login->setPassedMFA();
-	    return new \LORIS\Http\Response\JSON\OK(['ok' => 'success',
-		    'message' => 'Successfully registered multifactor authenticator']);
+        $login = $_SESSION['State']->getProperty('login');
+        $login->setPassedMFA();
+        return new \LORIS\Http\Response\JSON\OK(
+            ['ok' => 'success',
+                'message' => 'Successfully registered multifactor authenticator'
+            ]
+        );
     }
 }
 

modules/my_preferences/php/my_preferences.class.inc

@@ -1,7 +1,6 @@
 <?php declare(strict_types=1);
 
 namespace LORIS\my_preferences;
-use chillerlan\QRCode\QRCode;
 
 /**
  * Implements the my preferences page.

php/libraries/AnonymousUser.class.inc

@@ -86,7 +86,13 @@ class AnonymousUser extends \User
         return [];
     }
 
-    function totpRequired() : bool {
-	    return false;
+    /**
+     * {@inheritDoc}
+     *
+     * @return bool
+     */
+    function totpRequired() : bool
+    {
+        return false;
     }
 }

php/libraries/NDB_Client.class.inc

@@ -152,9 +152,6 @@ class NDB_Client
                     header("Location: /login/password-expiry");
 
                 }
-		if($login->needsMFA()) {
-			return false;
-		}
                 $login->setState();
             } elseif ($auth === false) {
                 // only send a 403 error if they were attempting to log in,

php/libraries/SinglePointLogin.class.inc

@@ -185,18 +185,18 @@ class SinglePointLogin
      * @param string $password The password to validate
      * @param bool   $redirect If this flag is true, this
      *                         function may instead print
-     *                         out a login or password expiry
-     *                         page. when trying to authenticate.
-     *                         If false, it won't provide any output
-     *                         in those situation.
+     *                         out a login or password
+     *                         expiry page. when trying
+     *                         to authenticate. If false,
+     *                         it won't provide any
+     *                         output in those situation.
      *
      * @return bool False unless account is valid and password correct.
      * @access public
      */
     function passwordAuthenticate(
         string $username,
         string $password,
-	?string $code = null,
         bool $redirect = true
     ): bool {
 
@@ -308,8 +308,6 @@ class SinglePointLogin
                         ['UserID' => $username]
                     );
                 }
-		//if($user->totpRequired() && $!$this->passedMFA()) {
-		//}
             }
 
             if ($row['Active'] == 'N'
@@ -601,15 +599,30 @@ class SinglePointLogin
         $_SESSION['State']->setProperty('login', $this);
     }
 
-    public function passedMFA() {
-	    return $_SESSION['PassedMFA'] ?? false === true;
+    /**
+     * Returns true if this login session has already passed a 2 factor
+     * authentication check
+     *
+     * @return bool
+     */
+    public function passedMFA(): bool
+    {
+        return $_SESSION['PassedMFA'] ?? false === true;
     }
-    public function setPassedMFA() {
-	    // NDB_Client called session_write_close, we need to re-start it
-	    // to edit a session variable.
-	    session_start();
-	    $_SESSION['PassedMFA'] = true;
-	    session_write_close();
+
+    /**
+     * Declare this session as having passed a 2 factor authentication
+     * check
+     *
+     * @return void
+     */
+    public function setPassedMFA()
+    {
+        // NDB_Client called session_write_close, we need to re-start it
+        // to edit a session variable.
+        session_start();
+        $_SESSION['PassedMFA'] = true;
+        session_write_close();
     }
 
 }