closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6872 Commits
2 Branches
178 MiB
Tree: 06ef5b68d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '06ef5b68d4'
${ noResults }
gitea/routers/user/setting/security_twofa.go

189 lines
4.7 KiB
Raw Normal View History

Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
Switch plaintext scratch tokens to use hash instead (#4331)
6 years ago
Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
Switch plaintext scratch tokens to use hash instead (#4331)
6 years ago
Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
Increase default TOTP secret size to 320 bits (#4287)
6 years ago
Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
Switch plaintext scratch tokens to use hash instead (#4331)
6 years ago
Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
Switch plaintext scratch tokens to use hash instead (#4331)
6 years ago
Splitted the user settings code into several files to be more maintainable (#3968) * refactor setting router code splitted up one huge router settings file into the smaller files representing the actual page structure * move code to subfolder * rename functions * renamed files * add copyright information
6 years ago
 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2018 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package setting
  7. 

  8. import (
  9. 	"bytes"
  10. 	"encoding/base64"
  11. 	"html/template"
  12. 	"image/png"
  13. 	"strings"
  14. 

  15. 	"code.gitea.io/gitea/models"
  16. 	"code.gitea.io/gitea/modules/auth"
  17. 	"code.gitea.io/gitea/modules/context"
  18. 	"code.gitea.io/gitea/modules/setting"
  19. 

  20. 	"github.com/pquerna/otp"
  21. 	"github.com/pquerna/otp/totp"
  22. )
  23. 

  24. // RegenerateScratchTwoFactor regenerates the user's 2FA scratch code.

  25. func RegenerateScratchTwoFactor(ctx *context.Context) {
  26. 	ctx.Data["Title"] = ctx.Tr("settings")
  27. 	ctx.Data["PageIsSettingsSecurity"] = true
  28. 

  29. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)
  30. 	if err != nil {
  31. 		ctx.ServerError("SettingsTwoFactor", err)
  32. 		return
  33. 	}
  34. 

  35. 	token, err := t.GenerateScratchToken()
  36. 	if err != nil {
  37. 		ctx.ServerError("SettingsTwoFactor", err)
  38. 		return
  39. 	}
  40. 

  41. 	if err = models.UpdateTwoFactor(t); err != nil {
  42. 		ctx.ServerError("SettingsTwoFactor", err)
  43. 		return
  44. 	}
  45. 

  46. 	ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", token))
  47. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
  48. }
  49. 

  50. // DisableTwoFactor deletes the user's 2FA settings.

  51. func DisableTwoFactor(ctx *context.Context) {
  52. 	ctx.Data["Title"] = ctx.Tr("settings")
  53. 	ctx.Data["PageIsSettingsSecurity"] = true
  54. 

  55. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)
  56. 	if err != nil {
  57. 		ctx.ServerError("SettingsTwoFactor", err)
  58. 		return
  59. 	}
  60. 

  61. 	if err = models.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {
  62. 		ctx.ServerError("SettingsTwoFactor", err)
  63. 		return
  64. 	}
  65. 

  66. 	ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))
  67. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
  68. }
  69. 

  70. func twofaGenerateSecretAndQr(ctx *context.Context) bool {
  71. 	var otpKey *otp.Key
  72. 	var err error
  73. 	uri := ctx.Session.Get("twofaUri")
  74. 	if uri != nil {
  75. 		otpKey, err = otp.NewKeyFromURL(uri.(string))
  76. 	}
  77. 	if otpKey == nil {
  78. 		err = nil // clear the error, in case the URL was invalid

  79. 		otpKey, err = totp.Generate(totp.GenerateOpts{
  80. 			SecretSize:  40,
  81. 			Issuer:      setting.AppName + " (" + strings.TrimRight(setting.AppURL, "/") + ")",
  82. 			AccountName: ctx.User.Name,
  83. 		})
  84. 		if err != nil {
  85. 			ctx.ServerError("SettingsTwoFactor", err)
  86. 			return false
  87. 		}
  88. 	}
  89. 

  90. 	ctx.Data["TwofaSecret"] = otpKey.Secret()
  91. 	img, err := otpKey.Image(320, 240)
  92. 	if err != nil {
  93. 		ctx.ServerError("SettingsTwoFactor", err)
  94. 		return false
  95. 	}
  96. 

  97. 	var imgBytes bytes.Buffer
  98. 	if err = png.Encode(&imgBytes, img); err != nil {
  99. 		ctx.ServerError("SettingsTwoFactor", err)
  100. 		return false
  101. 	}
  102. 

  103. 	ctx.Data["QrUri"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))
  104. 	ctx.Session.Set("twofaSecret", otpKey.Secret())
  105. 	ctx.Session.Set("twofaUri", otpKey.String())
  106. 	return true
  107. }
  108. 

  109. // EnrollTwoFactor shows the page where the user can enroll into 2FA.

  110. func EnrollTwoFactor(ctx *context.Context) {
  111. 	ctx.Data["Title"] = ctx.Tr("settings")
  112. 	ctx.Data["PageIsSettingsSecurity"] = true
  113. 

  114. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)
  115. 	if t != nil {
  116. 		// already enrolled

  117. 		ctx.ServerError("SettingsTwoFactor", err)
  118. 		return
  119. 	}
  120. 	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
  121. 		ctx.ServerError("SettingsTwoFactor", err)
  122. 		return
  123. 	}
  124. 

  125. 	if !twofaGenerateSecretAndQr(ctx) {
  126. 		return
  127. 	}
  128. 

  129. 	ctx.HTML(200, tplSettingsTwofaEnroll)
  130. }
  131. 

  132. // EnrollTwoFactorPost handles enrolling the user into 2FA.

  133. func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
  134. 	ctx.Data["Title"] = ctx.Tr("settings")
  135. 	ctx.Data["PageIsSettingsSecurity"] = true
  136. 

  137. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)
  138. 	if t != nil {
  139. 		// already enrolled

  140. 		ctx.ServerError("SettingsTwoFactor", err)
  141. 		return
  142. 	}
  143. 	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
  144. 		ctx.ServerError("SettingsTwoFactor", err)
  145. 		return
  146. 	}
  147. 

  148. 	if ctx.HasError() {
  149. 		if !twofaGenerateSecretAndQr(ctx) {
  150. 			return
  151. 		}
  152. 		ctx.HTML(200, tplSettingsTwofaEnroll)
  153. 		return
  154. 	}
  155. 

  156. 	secret := ctx.Session.Get("twofaSecret").(string)
  157. 	if !totp.Validate(form.Passcode, secret) {
  158. 		if !twofaGenerateSecretAndQr(ctx) {
  159. 			return
  160. 		}
  161. 		ctx.Flash.Error(ctx.Tr("settings.passcode_invalid"))
  162. 		ctx.HTML(200, tplSettingsTwofaEnroll)
  163. 		return
  164. 	}
  165. 

  166. 	t = &models.TwoFactor{
  167. 		UID: ctx.User.ID,
  168. 	}
  169. 	err = t.SetSecret(secret)
  170. 	if err != nil {
  171. 		ctx.ServerError("SettingsTwoFactor", err)
  172. 		return
  173. 	}
  174. 	token, err := t.GenerateScratchToken()
  175. 	if err != nil {
  176. 		ctx.ServerError("SettingsTwoFactor", err)
  177. 		return
  178. 	}
  179. 

  180. 	if err = models.NewTwoFactor(t); err != nil {
  181. 		ctx.ServerError("SettingsTwoFactor", err)
  182. 		return
  183. 	}
  184. 

  185. 	ctx.Session.Delete("twofaSecret")
  186. 	ctx.Session.Delete("twofaUri")
  187. 	ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", token))
  188. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
  189. }