upstream/mattermost
1
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2026-02-03 20:40:00 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
mattermost/server/platform/shared/mfa/mfa.go
Julien Tant d1cad8c692
add reuse check on update MFA (#28304)
2024-09-27 17:35:36 +02:00

166 lines
4.5 KiB
Go
Raw Permalink Blame History

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
package mfa
import (
"crypto/rand"
"encoding/base32"
"fmt"
"net/url"
"strings"
"github.com/dgryski/dgoogauth"
"github.com/mattermost/mattermost/server/public/model"
"github.com/mattermost/rsc/qr"
"github.com/pkg/errors"
)
// InvalidToken indicates the case where the token validation has failed.
var InvalidToken = errors.New("invalid mfa token")
const (
// This will result in 160 bits of entropy (base32 encoded), as recommended by rfc4226.
mfaSecretSize = 20
)
type Store interface {
UpdateMfaActive(userId string, active bool) error
UpdateMfaSecret(userId, secret string) error
StoreMfaUsedTimestamps(userId string, ts []int) error
GetMfaUsedTimestamps(userId string) ([]int, error)
}
type MFA struct {
store Store
}
func New(store Store) *MFA {
return &MFA{store}
}
// newRandomBase32String returns a base32 encoded string of a random slice
// of bytes of the given size. The resulting entropy will be (8 * size) bits.
func newRandomBase32String(size int) string {
data := make([]byte, size)
rand.Read(data)
return base32.StdEncoding.EncodeToString(data)
}
func getIssuerFromURL(uri string) string {
issuer := "Mattermost"
siteURL := strings.TrimSpace(uri)
if siteURL != "" {
siteURL = strings.TrimPrefix(siteURL, "https://")
siteURL = strings.TrimPrefix(siteURL, "http://")
issuer = strings.TrimPrefix(siteURL, "www.")
}
return url.QueryEscape(issuer)
}
// GenerateSecret generates a new user mfa secret and store it with the StoreSecret function provided
func (m *MFA) GenerateSecret(siteURL, userEmail, userID string) (string, []byte, error) {
issuer := getIssuerFromURL(siteURL)
secret := newRandomBase32String(mfaSecretSize)
authLink := fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s", issuer, userEmail, secret, issuer)
code, err := qr.Encode(authLink, qr.H)
if err != nil {
return "", nil, errors.Wrap(err, "unable to generate qr code")
}
img := code.PNG()
if err := m.store.UpdateMfaSecret(userID, secret); err != nil {
return "", nil, errors.Wrap(err, "unable to store mfa secret")
}
return secret, img, nil
}
// Activate set the mfa as active and store it with the StoreActive function provided
func (m *MFA) Activate(userMfaSecret, userID string, token string) error {
usedTs, err := m.store.GetMfaUsedTimestamps(userID)
if err != nil {
return errors.Wrap(err, "unable to retrieve the DisallowReuse slice")
}
otpConfig, err := m.authenticate(userMfaSecret, usedTs, token)
if err != nil {
return errors.Wrap(err, "unable to authenticate the token")
}
if err = m.store.UpdateMfaActive(userID, true); err != nil {
return errors.Wrap(err, "unable to store mfa active")
}
err = m.store.StoreMfaUsedTimestamps(userID, otpConfig.DisallowReuse)
if err != nil {
return errors.Wrap(err, "unable to store the DisallowReuse slice")
}
return nil
}
// Deactivate set the mfa as deactivated, remove the mfa secret, store it with the StoreActive and StoreSecret functions provided
func (m *MFA) Deactivate(userId string) error {
if err := m.store.UpdateMfaActive(userId, false); err != nil {
return errors.Wrap(err, "unable to store mfa active")
}
if err := m.store.UpdateMfaSecret(userId, ""); err != nil {
return errors.Wrap(err, "unable to store mfa secret")
}
return nil
}
// Validate the provide token using the secret provided
func (m *MFA) ValidateToken(user *model.User, token string) (bool, error) {
usedTs, err := m.store.GetMfaUsedTimestamps(user.Id)
if err != nil {
return false, errors.Wrap(err, "unable to retrieve the DisallowReuse slice")
}
otpConfig, err := m.authenticate(user.MfaSecret, usedTs, token)
if err != nil {
if err == InvalidToken {
return false, nil
}
return false, errors.Wrap(err, "unable to parse the token")
}
err = m.store.StoreMfaUsedTimestamps(user.Id, otpConfig.DisallowReuse)
if err != nil {
return true, errors.Wrap(err, "unable to store the DisallowReuse slice")
}
return true, nil
}
func (*MFA) authenticate(userMfaSecret string, usedTs []int, token string) (*dgoogauth.OTPConfig, error) {
trimmedToken := strings.TrimSpace(token)
otpConfig := &dgoogauth.OTPConfig{
Secret: userMfaSecret,
WindowSize: 3,
HotpCounter: 0,
DisallowReuse: usedTs,
}
ok, err := otpConfig.Authenticate(trimmedToken)
if err != nil {
return nil, errors.Wrap(err, "unable to parse the token")
}
if !ok {
return nil, InvalidToken
}
return otpConfig, nil
}
Reference in a new issue View git blame Copy permalink