Support MFA recovery tokens

This commit is contained in:
garrettmills 2020-05-30 17:21:47 -05:00
parent a1a70e0548
commit 8680242349
No known key found for this signature in database
GPG Key ID: 6ACD58D6ADACFC6E
25 changed files with 393 additions and 10 deletions

View File

@ -1,2 +1,2 @@
- MFA recovery codes handling
- OAuth2 -> support refresh tokens
- Localize all the things

View File

@ -31,6 +31,7 @@ const FlitterUnits = {
* Custom units that modify or add functionality that needs to be made
* available to the middleware-routing-controller stack.
*/
'Locale' : require('flitter-i18n/src/LocaleUnit'),
'Redis' : require('flitter-redis/src/RedisUnit'),
'Jobs' : require('flitter-jobs/src/JobsUnit'),
'Settings' : require('./app/unit/SettingsUnit'),

View File

@ -26,6 +26,9 @@ const template = `
<div v-if="error_message" class="error-message">{{ error_message }}</div>
<div v-if="other_message" class="other-message">{{ other_message }}</div>
<div class="coreid-loading-spinner" v-if="loading"><div class="inner"></div></div>
<small
class="mr-3"
><a href="#" class="text-secondary" @click="on_do_recovery">Lost your MFA device?</a></small>
</div>
</div>
`
@ -70,4 +73,8 @@ export default class MFAChallengePage extends Component {
return false
}
}
async on_do_recovery(event) {
await location_service.redirect('/auth/mfa/recovery', 0)
}
}

View File

@ -0,0 +1,72 @@
import { Component } from '../../lib/vues6/vues6.js'
import { location_service } from '../service/Location.service.js'
import { auth_api } from '../service/AuthApi.service.js'
const template = `
<div class="coreid-auth-page col-lg-6 col-md-8 col-sm-10 col-xs-12 offset-lg-3 offset-md-2 offset-sm-1 offset-xs-0 text-left">
<div class="coreid-auth-page-inner">
<div class="coreid-header font-weight-light">{{ app_name }}</div>
<div class="coreid-message">
To recover access to your account, you can enter one of the generated MFA recovery codes:
</div>
<div class="form-group">
<input
class="form-control"
type="text"
placeholder="Recovery Code"
v-model="recovery_code"
@keyup="on_key_up"
name="recovery_code"
:disabled="verify_success"
ref="verify_input"
maxlength="36"
autofocus
>
</div>
<div v-if="error_message" class="error-message">{{ error_message }}</div>
<div v-if="other_message" class="other-message">{{ other_message }}</div>
<small
class="mr-3" v-if="!loading"
><a href="#" class="text-secondary" @click="on_do_challenge">Have a normal MFA code?</a></small>
<div class="coreid-loading-spinner" v-if="loading"><div class="inner"></div></div>
</div>
</div>
`
export default class MFARecoveryComponent extends Component {
static get selector() { return 'coreid-mfa-recovery-page' }
static get template() { return template }
static get props() { return ['app_name'] }
verify_success = false
loading = false
recovery_code = ''
error_message = ''
other_message = ''
async vue_on_create() {
this.$nextTick(() => {
this.$refs.verify_input.focus()
})
}
async on_key_up($event) {
if ( this.recovery_code.length === 36 ) {
this.error_message = ''
this.other_message = ''
this.loading = true
const result = await auth_api.attempt_mfa_recovery(this.recovery_code)
if ( result && result.success ) {
this.other_message = `Success! There are only ${result.remaining_codes} recovery codes remaining. Let's get you on your way...`
await location_service.redirect(result.next_destination, 5000)
} else {
this.loading = false
this.error_message = 'Hm. It doesn\'t look like that code is valid.'
}
}
}
async on_do_challenge() {
await location_service.redirect('/auth/mfa/challenge', 0)
}
}

View File

@ -7,6 +7,7 @@ import PasswordResetComponent from './auth/PasswordReset.component.js'
import InvokeActionComponent from './InvokeAction.component.js'
import RegistrationFormComponent from './auth/register/Form.component.js'
import MessageContainerComponent from './dash/message/MessageContainer.component.js'
import MFARecoveryComponent from './auth/MFARecovery.component.js'
const components = {
AuthLoginForm,
@ -18,6 +19,7 @@ const components = {
InvokeActionComponent,
RegistrationFormComponent,
MessageContainerComponent,
MFARecoveryComponent,
}
export { components }

View File

@ -35,7 +35,7 @@ const template = `
</button>
</div>
<div class="modal-body">
{{ modal.message }}
<span v-html="modal.message"></span>
<div v-if="Array.isArray(modal.inputs)" class="mt-4 mb-3">
<span v-for="input of modal.inputs">
<input

View File

@ -133,8 +133,14 @@ const template = `
<h6 class="pad-top">Recovery Codes</h6>
<p>Recovery codes can be used to regain access to your account in the event that you lose access to the device that generates your MFA codes.</p>
<p class="font-italic">No recovery codes have been generated for your account.</p>
<button class="btn btn-sm btn-success">Generate Recovery Codes</button>
<span v-if="!has_mfa_recovery">
<p class="font-italic">No recovery codes have been generated for your account.</p>
<button class="btn btn-sm btn-success" @click="on_mfa_recovery_generate">Generate Recovery Codes</button>
</span>
<span v-if="has_mfa_recovery">
<p class="font-italic">Recovery codes were generate for your account on {{ mfa_recovery_date }}. <span v-if="mfa_recovery_codes === 1">There is only 1 recovery code remaining.</span><span v-if="mfa_recovery_codes !== 1">There are {{ mfa_recovery_codes }} recovery codes remaining.</span></p>
<button class="btn btn-sm btn-success" @click="on_mfa_recovery_generate">Re-generate Recovery Codes</button>
</span>
</li>
</ul>
</div>
@ -163,6 +169,10 @@ export default class EditProfileComponent extends Component {
last_reset = ''
mfa_enable_date = ''
has_mfa_recovery = false
mfa_recovery_date = ''
mfa_recovery_codes = 0
form_message = 'No changes.'
has_mfa = false
@ -248,7 +258,16 @@ export default class EditProfileComponent extends Component {
const mfa = await auth_api.has_mfa()
this.has_mfa = mfa && mfa.mfa_enabled
if (this.has_mfa) this.mfa_enable_date = (new Date(mfa.mfa_enable_date)).toLocaleDateString()
if (this.has_mfa) {
this.mfa_enable_date = (new Date(mfa.mfa_enable_date)).toLocaleDateString()
const result = await auth_api.has_mfa_recovery()
if ( result && result.has_recovery ) {
this.has_mfa_recovery = true
this.mfa_recovery_date = (new Date(result.generated)).toLocaleDateString()
this.mfa_recovery_codes = result.remaining_codes
}
}
await this.load_app_passwords()
}
@ -301,5 +320,65 @@ export default class EditProfileComponent extends Component {
],
})
}
async on_mfa_recovery_generate($event) {
if ( !this.has_mfa ) return
if ( !this.has_mfa_recovery ) {
await this.generate_mfa_recovery()
} else {
message_service.modal({
title: 'Are you sure?',
message: 'There are already MFA recovery codes associated with your account. If you re-generate them, you will be unable to use the old ones. Continue?',
buttons: [
{
text: 'Cancel',
type: 'close',
},
{
text: 'Re-generate',
type: 'close',
class: ['btn', 'btn-warning'],
on_click: async () => {
await this.generate_mfa_recovery()
},
},
],
})
}
}
async generate_mfa_recovery() {
const codes = await auth_api.generate_mfa_recovery()
if ( codes ) {
this.display_mfa_recovery_modal(codes)
} else {
message_service.alert({
type: 'error',
message: 'An unknown error occurred while attempting to generate MFA recovery codes.'
})
}
await this.load()
}
display_mfa_recovery_modal(codes) {
const code_display = codes.map(x => `<li><code>${x}</code></li>`).join('\n')
message_service.modal({
title: 'MFA Recovery Codes',
message: `We've generated recovery codes for your account. You can use these to recover access to your account in the event that you lose your MFA device.
<br><br>
Be sure to put these somewhere safe. After you close this modal, they will disappear:
<br><br>
<ul>
${code_display}
</ul>`,
buttons: [
{
text: 'Close',
type: 'close',
},
],
})
}
}

View File

@ -58,6 +58,21 @@ class AuthAPI {
if ( result && result.data && result.data.data ) return result.data.data
}
async has_mfa_recovery() {
const result = await axios.get('/api/v1/auth/mfa/recovery')
if ( result && result.data && result.data.data ) return result.data.data
}
async generate_mfa_recovery() {
const result = await axios.post('/api/v1/auth/mfa/recovery')
if ( result && result.data && result.data.data && result.data.data.codes ) return result.data.data.codes
}
async attempt_mfa_recovery(code) {
const result = await axios.post('/api/v1/auth/mfa/recovery/attempt', { code })
if ( result && result.data && result.data.data ) return result.data.data
}
async app_passwords() {
const result = await axios.get('/api/v1/password/app_passwords')
if ( result && result.data && Array.isArray(result.data.data) ) return result.data.data

View File

@ -84,6 +84,41 @@ class AuthController extends Controller {
return res.api(await user.to_api())
}
async attempt_mfa_recovery(req, res, next) {
if (
!req.user.mfa_enabled
|| !Array.isArray(req.user.mfa_token.recovery_codes)
|| req.user.mfa_token.recovery_codes.length < 1
)
return res.status(400)
.message('Your user is not configured to use MFA, or has no recovery codes.')
.api()
if ( !req.body.code )
return res.status(400)
.message('Missing required field: code')
.api()
const success = await req.user.mfa_token.attempt_recovery(req.body.code)
if ( !success )
return res.api({ success })
if ( req.trap.has_trap('mfa_challenge') )
await req.trap.end()
let next_destination = req.session.auth.flow || this.configs.get('auth.default_login_route')
delete req.session.auth.flow
req.session.mfa_remember = true
return res.api({
success: true,
next_destination,
remaining_codes: req.user.mfa_token.recovery_codes.filter(x => !x.used).length,
})
}
async validate_email(req, res, next) {
let is_valid = !!req.body.email
@ -562,6 +597,37 @@ class AuthController extends Controller {
})
}
async get_mfa_recovery(req, res, next) {
if ( !req.user.mfa_enabled )
return res.status(400)
.message('Your user does not have MFA enabled.')
.api()
const token = req.user.mfa_token
if ( !Array.isArray(token.recovery_codes) || token.recovery_codes.length < 1 )
return res.api({ has_recovery: false })
return res.api({
has_recovery: true,
generated: token.recovery_codes[0].generated,
remaining_codes: token.recovery_codes.filter(x => !x.used).length,
})
}
async generate_mfa_recovery(req, res, next) {
if ( !req.user.mfa_enabled )
return res.status(400)
.message('Your user does not have MFA enabled.')
.api()
const token = req.user.mfa_token
const codes = await token.generate_recovery()
await req.user.save()
return res.api({
codes,
})
}
async generate_mfa_key(req, res, next) {
if ( req.user.mfa_enabled )
return res.status(400)

View File

@ -54,6 +54,23 @@ class MFAController extends Controller {
...this.Vue.session(req),
})
}
async get_recovery(req, res, next) {
if (
!req.user.mfa_enabled
|| !Array.isArray(req.user.mfa_token.recovery_codes)
|| req.user.mfa_token.recovery_codes.length < 1
) return this.Vue.auth_message(res, {
message: 'Unfortunately, it looks like your account does not have any MFA recovery codes generated.',
next_destination: '/auth/mfa/challenge',
button_text: 'Go Back',
})
return res.page('auth:mfa:recovery', {
...this.Vue.data(),
...this.Vue.session(req),
})
}
}
module.exports = exports = MFAController

View File

@ -0,0 +1,23 @@
const { Model } = require('flitter-orm')
const bcrypt = require('bcrypt')
class MFARecoveryCodeModel extends Model {
static get schema() {
return {
code: String,
used: { type: Boolean, default: false },
generated: { type: Date, default: () => new Date },
}
}
static async create(value) {
const code = await bcrypt.hash(value, 10)
return new this({ code })
}
async verify(code) {
return await bcrypt.compare(code, this.code)
}
}
module.exports = exports = MFARecoveryCodeModel

View File

@ -1,5 +1,7 @@
const { Model } = require('flitter-orm')
const speakeasy = require('speakeasy')
const MFARecoveryCode = require('./MFARecoveryCode.model')
const uuid = require('uuid/v4')
class MFATokenModel extends Model {
static get services() {
@ -10,9 +12,34 @@ class MFATokenModel extends Model {
return {
secret: String,
otpauth_url: String,
recovery_codes: [MFARecoveryCode],
}
}
async attempt_recovery(code) {
for ( const token of this.recovery_codes ) {
if ( await token.verify(code) && !token.used ) {
token.used = true
return true
}
}
return false
}
async generate_recovery() {
this.recovery_codes = []
const values = []
for ( let i = 0; i < 4; i++ ) {
const value = uuid()
values.push(value)
this.recovery_codes.push(await MFARecoveryCode.create(value))
}
return values
}
verify(value) {
return speakeasy.totp.verify({
secret: this.secret,

View File

@ -9,6 +9,7 @@
* routes file.
*/
const Middleware = [
"i18n:Localize",
"auth:Utility",
"auth:TrustTokenUtility",
"Traps",

View File

@ -0,0 +1,7 @@
const Middleware = require('flitter-i18n/src/middleware/Localize')
class LocalizeMiddleware extends Middleware {
}
module.exports = exports = LocalizeMiddleware

View File

@ -0,0 +1,7 @@
const Middleware = require('flitter-i18n/src/middleware/Scope')
class ScopeMiddleware extends Middleware {
}
module.exports = exports = ScopeMiddleware

View File

@ -41,6 +41,11 @@ const auth_routes = {
['middleware::api:Permission', { check: 'v1:auth:groups:get' }],
'controller::api:v1:Auth.get_group',
],
'/mfa/recovery': [
'middleware::auth:APIRoute',
['middleware::api:Permission', { check: 'v1:auth:mfa:recovery:get' }],
'controller::api:v1:Auth.get_mfa_recovery',
],
},
post: {
@ -70,6 +75,11 @@ const auth_routes = {
'controller::api:v1:Auth.attempt_mfa'
],
'/mfa/recovery/attempt': [
'middleware::auth:UserOnly',
'controller::api:v1:Auth.attempt_mfa_recovery'
],
'/mfa/enable': [
'middleware::auth:UserOnly',
['middleware::auth:RequireTrust', { scope: 'mfa.enable', deplete: true }],
@ -99,6 +109,11 @@ const auth_routes = {
'middleware::auth:GuestOnly',
'controller::api:v1:Auth.registration',
],
'/mfa/recovery': [
'middleware::auth:APIRoute',
['middleware::api:Permission', { check: 'v1:auth:mfa:recovery:create' }],
'controller::api:v1:Auth.generate_mfa_recovery',
],
},
patch: {

View File

@ -20,6 +20,9 @@ const mfa_routes = {
['middleware::auth:RequireTrust', { scope: 'mfa.disable' }],
'controller::auth:MFA.do_disable',
],
'/recovery': [
'controller::auth:MFA.get_recovery',
],
},
post: {

View File

@ -0,0 +1,7 @@
extends ../../theme/public/base
block append style
link(rel='stylesheet' href='/style-asset/form.css')
block vue
coreid-mfa-recovery-page(v-bind:app_name="app_name")

View File

@ -11,6 +11,7 @@ const app_config = {
* Can be used to generate fully-qualified links.
*/
url: env("APP_URL", "http://localhost:8000/"),
default_locale: env('APP_DEFAULT_LOCALE', 'en_US'),
}

View File

@ -12,9 +12,11 @@ const traps_config = {
mfa_challenge: {
redirect_to: '/auth/mfa/challenge',
allowed_routes: [
'/auth/mfa/recovery',
'/auth/mfa/challenge',
'/api/v1/auth/mfa/attempt',
'/auth/logout',
'/api/v1/auth/mfa/recovery/attempt',
],
},
},

View File

@ -0,0 +1,3 @@
module.exports = exports = {
flitter: 'Flitter',
}

View File

@ -0,0 +1,7 @@
module.exports = exports = {
welcome: 'Welcome',
powered_by_flitter: 'powered by flitter',
new_to_flitter: 'New to Flitter?',
start_here: 'Start Here.',
log_out: 'Log out',
}

View File

@ -0,0 +1,7 @@
module.exports = exports = {
welcome: 'Bienvenido',
powered_by_flitter: 'impulsado por flitter',
new_to_flitter: '¿Nuevo en Flitter?',
start_here: 'Empieza aqui.',
log_out: 'Cerrar sesión',
}

View File

@ -23,6 +23,7 @@
"flitter-di": "^0.5.0",
"flitter-flap": "^0.5.2",
"flitter-forms": "^0.8.1",
"flitter-i18n": "^0.1.0",
"flitter-jobs": "^0.1.2",
"flitter-less": "^0.5.3",
"flitter-orm": "^0.4.0",
@ -31,7 +32,7 @@
"ioredis": "^4.17.1",
"is-absolute-url": "^3.0.3",
"ldapjs": "^1.0.2",
"libflitter": "^0.52.1",
"libflitter": "^0.53.0",
"moment": "^2.24.0",
"mongodb": "^3.5.6",
"nodemailer": "^6.4.6",

View File

@ -1888,6 +1888,14 @@ flitter-forms@^0.8.1:
recursive-readdir "^2.2.2"
validator "^10.11.0"
flitter-i18n@^0.1.0:
version "0.1.0"
resolved "https://registry.yarnpkg.com/flitter-i18n/-/flitter-i18n-0.1.0.tgz#9670f9ebf5f120e794f147ebeb1fe99537ac4779"
integrity sha512-vdEgcDNtA4EEjwJ0QqIIdPwR4FI67XMr4dD5U2l/u/xrnwzUrQD2O3avc5EK4RAPXTgZpK5twotTD6julJlwoA==
dependencies:
ncp "^2.0.0"
pluralize "^8.0.0"
flitter-jobs@^0.1.2:
version "0.1.2"
resolved "https://registry.yarnpkg.com/flitter-jobs/-/flitter-jobs-0.1.2.tgz#5536bb12be728b61f6e0940b6c18760e4f1b59d6"
@ -2825,10 +2833,10 @@ leven@^1.0.2:
resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
libflitter@^0.52.1:
version "0.52.1"
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.52.1.tgz#3025dc97b9baaaaba00907e9c2de9a39cf41f4d8"
integrity sha512-USoAxZFfwHZkwd39wP/DuhDN3EnXYFcSby0W2WFuJlwCOXIfFTCr0tNcPbvHJrPI/Cxgy5ngExkzpG0OZhS+yQ==
libflitter@^0.53.0:
version "0.53.0"
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.0.tgz#f1e2250597916dd7b7b7b8f0af04118ed1f30b41"
integrity sha512-i8otSTzNwMFJEa585bw+xfaNSuXm6c/kQBYXsyB8jzFU9PBFmvrEp/QzRqQD/lDgiQChYgjRs2TJofqDYvAOHg==
dependencies:
colors "^1.3.3"
connect-mongodb-session "^2.2.0"
@ -3684,6 +3692,11 @@ pkg-dir@^4.1.0:
dependencies:
find-up "^4.0.0"
pluralize@^8.0.0:
version "8.0.0"
resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-8.0.0.tgz#1a6fa16a38d12a1901e0320fa017051c539ce3b1"
integrity sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==
pngjs@^3.3.0:
version "3.4.0"
resolved "https://registry.yarnpkg.com/pngjs/-/pngjs-3.4.0.tgz#99ca7d725965fb655814eaf65f38f12bbdbf555f"