diff options
Diffstat (limited to 'perllib/FixMyStreet')
| -rw-r--r-- | perllib/FixMyStreet/App.pm | 17 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Alert.pm | 9 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth/Profile.pm | 26 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/New.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/Update.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/DB/Result/User.pm | 5 |
7 files changed, 57 insertions, 9 deletions
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm index e47336b7c..3108c5c01 100644 --- a/perllib/FixMyStreet/App.pm +++ b/perllib/FixMyStreet/App.pm @@ -61,10 +61,19 @@ __PACKAGE__->config( 'Plugin::Authentication' => { default_realm => 'default', default => { - credential => { # Catalyst::Authentication::Credential::Password - class => 'Password', - password_field => 'password', - password_type => 'self_check', + credential => { + class => 'MultiFactor', + factors => [ + # Catalyst::Authentication::Credential::Password + { + class => 'Password', + password_field => 'password', + password_type => 'self_check', + }, + { + class => '2FA', + }, + ], }, store => { # Catalyst::Authentication::Store::DBIx::Class class => 'DBIx::Class', diff --git a/perllib/FixMyStreet/App/Controller/Alert.pm b/perllib/FixMyStreet/App/Controller/Alert.pm index 5c9fbad1b..9d522dbc9 100644 --- a/perllib/FixMyStreet/App/Controller/Alert.pm +++ b/perllib/FixMyStreet/App/Controller/Alert.pm @@ -281,20 +281,25 @@ then display confirmation page. sub send_confirmation_email : Private { my ( $self, $c ) = @_; + my $user = $c->stash->{alert}->user; + + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa; + my $token = $c->model("DB::Token")->create( { scope => 'alert', data => { id => $c->stash->{alert}->id, type => 'subscribe', - email => $c->stash->{alert}->user->email + email => $user->email } } ); $c->stash->{token_url} = $c->uri_for_email( '/A', $token->token ); - $c->send_email( 'alert-confirm.txt', { to => $c->stash->{alert}->user->email } ); + $c->send_email( 'alert-confirm.txt', { to => $user->email } ); $c->stash->{email_type} = 'alert'; $c->stash->{template} = 'email_sent.html'; diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm index 455022e03..06448afde 100644 --- a/perllib/FixMyStreet/App/Controller/Auth.pm +++ b/perllib/FixMyStreet/App/Controller/Auth.pm @@ -232,6 +232,9 @@ sub process_login : Private { $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_user_id}; + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa; + if ($data->{old_user_id}) { # Were logged in as old_user_id, want to switch to $user if ($user->in_storage) { diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm index 5e6fe6266..a58d2ddf6 100644 --- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm +++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm @@ -157,14 +157,34 @@ sub generate_token : Path('/auth/generate_token') { $c->stash->{template} = 'auth/generate_token.html'; $c->forward('/auth/get_csrf_token'); + my $has_2fa = $c->user->get_extra_metadata('2fa_secret'); + if ($c->req->method eq 'POST') { $c->forward('/auth/check_csrf_token'); - my $token = mySociety::AuthToken::random_token(); - $c->user->set_extra_metadata('access_token', $token); + + if ($c->get_param('generate_token')) { + my $token = mySociety::AuthToken::random_token(); + $c->user->set_extra_metadata('access_token', $token); + $c->stash->{token_generated} = 1; + } + + if ($c->get_param('toggle_2fa') && $c->user->is_superuser) { + if ($has_2fa) { + $c->user->unset_extra_metadata('2fa_secret'); + $c->stash->{toggle_2fa_off} = 1; + } else { + my $auth = Auth::GoogleAuth->new; + $c->stash->{qr_code} = $auth->qr_code(undef, $c->user->email, 'FixMyStreet'); + $c->stash->{secret32} = $auth->secret32; + $c->user->set_extra_metadata('2fa_secret', $auth->secret32); + $c->stash->{toggle_2fa_on} = 1; + } + } + $c->user->update(); - $c->stash->{token_generated} = 1; } + $c->stash->{has_2fa} = $has_2fa ? 1 : 0; $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token'); } diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm index 166c0614d..09430110d 100644 --- a/perllib/FixMyStreet/App/Controller/Report/New.pm +++ b/perllib/FixMyStreet/App/Controller/Report/New.pm @@ -1391,6 +1391,9 @@ sub redirect_or_confirm_creation : Private { return 1; } + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $report->user->has_2fa; + # otherwise email or text a confirm token to them. my $thing = 'email'; if ($report->user->email_verified) { diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm index c28039808..2f0ef8c0f 100644 --- a/perllib/FixMyStreet/App/Controller/Report/Update.pm +++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm @@ -478,6 +478,9 @@ sub redirect_or_confirm_creation : Private { return 1; } + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $update->user->has_2fa; + my $data = $c->stash->{token_data}; $data->{id} = $update->id; $data->{add_alert} = $c->get_param('add_alert') ? 1 : 0; diff --git a/perllib/FixMyStreet/DB/Result/User.pm b/perllib/FixMyStreet/DB/Result/User.pm index d02039ac3..7e16308b9 100644 --- a/perllib/FixMyStreet/DB/Result/User.pm +++ b/perllib/FixMyStreet/DB/Result/User.pm @@ -395,6 +395,11 @@ sub admin_user_body_permissions { }); } +sub has_2fa { + my $self = shift; + return $self->is_superuser && $self->get_extra_metadata('2fa_secret'); +} + sub contributing_as { my ($self, $other, $c, $bodies) = @_; $bodies = [ keys %$bodies ] if ref $bodies eq 'HASH'; |