closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5760 Commits
2 Branches
178 MiB
Tree: dcb009aa86
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dcb009aa86'
${ noResults }
gitea/models/twofactor.go

126 lines
3.2 KiB
Raw Normal View History

Two factor authentication support (#630) * Initial commit for 2FA support Signed-off-by: Andrew <write@imaginarycode.com> * Add vendored files * Add missing depends * A few clean ups * Added improvements, proper encryption * Better encryption key * Simplify "key" generation * Make 2FA enrollment page more robust * Fix typo * Rename twofa/2FA to TwoFactor * UNIQUE INDEX -> UNIQUE
7 years ago
Use created & updated instead BeforeInsert & BeforeUpdate (#2482) * use created & updated instead BeforeInsert & BeforeUpdate * fix vendor checksum * only show generated SQL when development mode * remove extra update column updated_unix * remove trace config
7 years ago
Use AfterLoad instead of AfterSet on Structs (#2628) * use AfterLoad instead of AfterSet on Structs * fix the comments on AfterLoad * fix the comments on action AfterLoad
7 years ago
Use created & updated instead BeforeInsert & BeforeUpdate (#2482) * use created & updated instead BeforeInsert & BeforeUpdate * fix vendor checksum * only show generated SQL when development mode * remove extra update column updated_unix * remove trace config
7 years ago
Two factor authentication support (#630) * Initial commit for 2FA support Signed-off-by: Andrew <write@imaginarycode.com> * Add vendored files * Add missing depends * A few clean ups * Added improvements, proper encryption * Better encryption key * Simplify "key" generation * Make 2FA enrollment page more robust * Fix typo * Rename twofa/2FA to TwoFactor * UNIQUE INDEX -> UNIQUE
7 years ago
Use AfterLoad instead of AfterSet on Structs (#2628) * use AfterLoad instead of AfterSet on Structs * fix the comments on AfterLoad * fix the comments on action AfterLoad
7 years ago
Two factor authentication support (#630) * Initial commit for 2FA support Signed-off-by: Andrew <write@imaginarycode.com> * Add vendored files * Add missing depends * A few clean ups * Added improvements, proper encryption * Better encryption key * Simplify "key" generation * Make 2FA enrollment page more robust * Fix typo * Rename twofa/2FA to TwoFactor * UNIQUE INDEX -> UNIQUE
7 years ago
Replace deprecated Id method with ID (#2655)
7 years ago
Two factor authentication support (#630) * Initial commit for 2FA support Signed-off-by: Andrew <write@imaginarycode.com> * Add vendored files * Add missing depends * A few clean ups * Added improvements, proper encryption * Better encryption key * Simplify "key" generation * Make 2FA enrollment page more robust * Fix typo * Rename twofa/2FA to TwoFactor * UNIQUE INDEX -> UNIQUE
7 years ago
Replace deprecated Id method with ID (#2655)
7 years ago
Two factor authentication support (#630) * Initial commit for 2FA support Signed-off-by: Andrew <write@imaginarycode.com> * Add vendored files * Add missing depends * A few clean ups * Added improvements, proper encryption * Better encryption key * Simplify "key" generation * Make 2FA enrollment page more robust * Fix typo * Rename twofa/2FA to TwoFactor * UNIQUE INDEX -> UNIQUE
7 years ago
 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models
  6. 

  7. import (
  8. 	"crypto/md5"
  9. 	"crypto/subtle"
  10. 	"encoding/base64"
  11. 	"time"
  12. 

  13. 	"github.com/Unknwon/com"
  14. 	"github.com/pquerna/otp/totp"
  15. 

  16. 	"code.gitea.io/gitea/modules/base"
  17. 	"code.gitea.io/gitea/modules/setting"
  18. )
  19. 

  20. // TwoFactor represents a two-factor authentication token.

  21. type TwoFactor struct {
  22. 	ID           int64 `xorm:"pk autoincr"`
  23. 	UID          int64 `xorm:"UNIQUE"`
  24. 	Secret       string
  25. 	ScratchToken string
  26. 

  27. 	Created     time.Time `xorm:"-"`
  28. 	CreatedUnix int64     `xorm:"INDEX created"`
  29. 	Updated     time.Time `xorm:"-"`
  30. 	UpdatedUnix int64     `xorm:"INDEX updated"`
  31. }
  32. 

  33. // AfterLoad is invoked from XORM after setting the values of all fields of this object.

  34. func (t *TwoFactor) AfterLoad() {
  35. 	t.Created = time.Unix(t.CreatedUnix, 0).Local()
  36. 	t.Updated = time.Unix(t.UpdatedUnix, 0).Local()
  37. }
  38. 

  39. // GenerateScratchToken recreates the scratch token the user is using.

  40. func (t *TwoFactor) GenerateScratchToken() error {
  41. 	token, err := base.GetRandomString(8)
  42. 	if err != nil {
  43. 		return err
  44. 	}
  45. 	t.ScratchToken = token
  46. 	return nil
  47. }
  48. 

  49. // VerifyScratchToken verifies if the specified scratch token is valid.

  50. func (t *TwoFactor) VerifyScratchToken(token string) bool {
  51. 	if len(token) == 0 {
  52. 		return false
  53. 	}
  54. 	return subtle.ConstantTimeCompare([]byte(token), []byte(t.ScratchToken)) == 1
  55. }
  56. 

  57. func (t *TwoFactor) getEncryptionKey() []byte {
  58. 	k := md5.Sum([]byte(setting.SecretKey))
  59. 	return k[:]
  60. }
  61. 

  62. // SetSecret sets the 2FA secret.

  63. func (t *TwoFactor) SetSecret(secret string) error {
  64. 	secretBytes, err := com.AESEncrypt(t.getEncryptionKey(), []byte(secret))
  65. 	if err != nil {
  66. 		return err
  67. 	}
  68. 	t.Secret = base64.StdEncoding.EncodeToString(secretBytes)
  69. 	return nil
  70. }
  71. 

  72. // ValidateTOTP validates the provided passcode.

  73. func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
  74. 	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
  75. 	if err != nil {
  76. 		return false, err
  77. 	}
  78. 	secret, err := com.AESDecrypt(t.getEncryptionKey(), decodedStoredSecret)
  79. 	if err != nil {
  80. 		return false, err
  81. 	}
  82. 	secretStr := string(secret)
  83. 	return totp.Validate(passcode, secretStr), nil
  84. }
  85. 

  86. // NewTwoFactor creates a new two-factor authentication token.

  87. func NewTwoFactor(t *TwoFactor) error {
  88. 	err := t.GenerateScratchToken()
  89. 	if err != nil {
  90. 		return err
  91. 	}
  92. 	_, err = x.Insert(t)
  93. 	return err
  94. }
  95. 

  96. // UpdateTwoFactor updates a two-factor authentication token.

  97. func UpdateTwoFactor(t *TwoFactor) error {
  98. 	_, err := x.ID(t.ID).AllCols().Update(t)
  99. 	return err
  100. }
  101. 

  102. // GetTwoFactorByUID returns the two-factor authentication token associated with

  103. // the user, if any.

  104. func GetTwoFactorByUID(uid int64) (*TwoFactor, error) {
  105. 	twofa := &TwoFactor{UID: uid}
  106. 	has, err := x.Get(twofa)
  107. 	if err != nil {
  108. 		return nil, err
  109. 	} else if !has {
  110. 		return nil, ErrTwoFactorNotEnrolled{uid}
  111. 	}
  112. 	return twofa, nil
  113. }
  114. 

  115. // DeleteTwoFactorByID deletes two-factor authentication token by given ID.

  116. func DeleteTwoFactorByID(id, userID int64) error {
  117. 	cnt, err := x.ID(id).Delete(&TwoFactor{
  118. 		UID: userID,
  119. 	})
  120. 	if err != nil {
  121. 		return err
  122. 	} else if cnt != 1 {
  123. 		return ErrTwoFactorNotEnrolled{userID}
  124. 	}
  125. 	return nil
  126. }