aboutsummaryrefslogtreecommitdiffstats
path: root/perllib
diff options
context:
space:
mode:
Diffstat (limited to 'perllib')
-rw-r--r--perllib/Catalyst/Authentication/Credential/2FA.pm141
-rw-r--r--perllib/FixMyStreet/App.pm17
-rw-r--r--perllib/FixMyStreet/App/Controller/Alert.pm9
-rw-r--r--perllib/FixMyStreet/App/Controller/Auth.pm8
-rw-r--r--perllib/FixMyStreet/App/Controller/Auth/Profile.pm26
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/New.pm32
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/Update.pm16
-rw-r--r--perllib/FixMyStreet/DB/Result/User.pm5
8 files changed, 232 insertions, 22 deletions
diff --git a/perllib/Catalyst/Authentication/Credential/2FA.pm b/perllib/Catalyst/Authentication/Credential/2FA.pm
new file mode 100644
index 000000000..6cb1dd297
--- /dev/null
+++ b/perllib/Catalyst/Authentication/Credential/2FA.pm
@@ -0,0 +1,141 @@
+package Catalyst::Authentication::Credential::2FA;
+
+use strict;
+use warnings;
+use Auth::GoogleAuth;
+
+our $VERSION = "0.01";
+
+sub new {
+ my ($class, $config, $c, $realm) = @_;
+ my $self = { %$config };
+ bless $self, $class;
+ return $self;
+}
+
+sub authenticate {
+ my ( $self, $c, $realm, $authinfo ) = @_;
+
+ my $userfindauthinfo = {%{$authinfo}};
+ delete($userfindauthinfo->{password});
+
+ my $user_obj = $realm->find_user($userfindauthinfo, $c);
+ if (ref($user_obj)) {
+ # We don't care unless user is a superuser and has a 2FA secret
+ return $user_obj unless $user_obj->is_superuser;
+ return $user_obj unless $user_obj->get_extra_metadata('2fa_secret');
+
+ $c->stash->{token} = $c->get_param('token');
+
+ if ($self->check_2fa($c, $user_obj)) {
+ if ($c->stash->{token}) {
+ my $token = $c->forward('/tokens/load_auth_token', [ $c->stash->{token}, '2fa' ]);
+ # Will contain a detach_to and report/update data
+ $c->stash($token->data);
+ }
+ return $user_obj;
+ }
+
+ if ($c->stash->{tfa_data}) {
+ my $token = $c->model("DB::Token")->create( {
+ scope => '2fa',
+ data => $c->stash->{tfa_data},
+ });
+ $c->stash->{token} = $token->token;
+ }
+
+ $c->stash->{template} = 'auth/2faform.html';
+ $c->detach;
+ }
+}
+
+sub check_2fa {
+ my ($self, $c, $user) = @_;
+
+ if (my $code = $c->get_param('2fa_code')) {
+ my $auth = Auth::GoogleAuth->new;
+ my $secret32 = $user->get_extra_metadata('2fa_secret');
+ return 1 if $auth->verify($code, 1, $secret32);
+ $c->stash->{incorrect_code} = 1;
+ }
+ return 0;
+}
+
+__PACKAGE__;
+
+__END__
+
+=pod
+
+=head1 NAME
+
+Catalyst::Authentication::Credential::2FA - Authenticate a user
+with a two-factor authentication code.
+
+=head1 SYNOPSIS
+
+ use Catalyst qw/
+ Authentication
+ /;
+
+ package MyApp::Controller::Auth;
+
+ sub login : Local {
+ my ( $self, $c ) = @_;
+
+ $c->authenticate( { username => $c->req->param('username'),
+ password => $c->req->param('password') });
+ }
+
+=head1 DESCRIPTION
+
+This authentication credential checker takes authentication information
+(most often a username), and only passes if a valid 2FA code is then
+entered. It only works for Users that have an is_superuser flag set,
+plus store the 2FA secret in a FixMyStreet::Role::Extra metadata key.
+
+=head1 CONFIGURATION
+
+ # example
+ 'Plugin::Authentication' => {
+ default => {
+ credential => {
+ class => 'MultiFactor',
+ factors => [
+ {
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'self_check',
+ },
+ {
+ class => '2FA',
+ },
+ ],
+ },
+ store => {
+ class => 'DBIx::Class',
+ user_model => 'DB::User',
+ },
+ },
+
+
+=over 4
+
+=item class
+
+The classname used for Credential. This is part of
+L<Catalyst::Plugin::Authentication> and is the method by which
+Catalyst::Authentication::Credential::2FA is loaded as the
+credential validator. For this module to be used, this must be set to
+'2FA'.
+
+=back
+
+=head1 USAGE
+
+Once configured as indicated above, authenticating using this module is a
+matter of calling $c->authenticate() as normal. If you wish to use it in
+combination with e.g. password authentication as well (so it actually is
+two-factor!), check out Catalyst::Authentication::Credential::MultiFactor.
+
+=cut
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm
index a3331d32a..008aea595 100644
--- a/perllib/FixMyStreet/App.pm
+++ b/perllib/FixMyStreet/App.pm
@@ -62,10 +62,19 @@ __PACKAGE__->config(
'Plugin::Authentication' => {
default_realm => 'default',
default => {
- credential => { # Catalyst::Authentication::Credential::Password
- class => 'Password',
- password_field => 'password',
- password_type => 'self_check',
+ credential => {
+ class => 'MultiFactor',
+ factors => [
+ # Catalyst::Authentication::Credential::Password
+ {
+ class => 'Password',
+ password_field => 'password',
+ password_type => 'self_check',
+ },
+ {
+ class => '2FA',
+ },
+ ],
},
store => { # Catalyst::Authentication::Store::DBIx::Class
class => 'DBIx::Class',
diff --git a/perllib/FixMyStreet/App/Controller/Alert.pm b/perllib/FixMyStreet/App/Controller/Alert.pm
index 5c9fbad1b..9d522dbc9 100644
--- a/perllib/FixMyStreet/App/Controller/Alert.pm
+++ b/perllib/FixMyStreet/App/Controller/Alert.pm
@@ -281,20 +281,25 @@ then display confirmation page.
sub send_confirmation_email : Private {
my ( $self, $c ) = @_;
+ my $user = $c->stash->{alert}->user;
+
+ # Superusers using 2FA can not log in by code
+ $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa;
+
my $token = $c->model("DB::Token")->create(
{
scope => 'alert',
data => {
id => $c->stash->{alert}->id,
type => 'subscribe',
- email => $c->stash->{alert}->user->email
+ email => $user->email
}
}
);
$c->stash->{token_url} = $c->uri_for_email( '/A', $token->token );
- $c->send_email( 'alert-confirm.txt', { to => $c->stash->{alert}->user->email } );
+ $c->send_email( 'alert-confirm.txt', { to => $user->email } );
$c->stash->{email_type} = 'alert';
$c->stash->{template} = 'email_sent.html';
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 95f8bb9a2..533e6a9be 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -243,6 +243,9 @@ sub process_login : Private {
$c->detach( '/page_error_403_access_denied', [] )
if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_user_id};
+ # Superusers using 2FA can not log in by code
+ $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa;
+
if ($data->{old_user_id}) {
# Were logged in as old_user_id, want to switch to $user
if ($user->in_storage) {
@@ -281,6 +284,11 @@ Used after signing in to take the person back to where they were.
sub redirect_on_signin : Private {
my ( $self, $c, $redirect, $params ) = @_;
+
+ if ($c->stash->{detach_to}) {
+ $c->detach($c->stash->{detach_to}, $c->stash->{detach_args});
+ }
+
unless ( $redirect ) {
$c->detach('redirect_to_categories') if $c->user->from_body && scalar @{ $c->user->categories };
$redirect = 'my';
diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
index 2d8ae081e..87aff2261 100644
--- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm
@@ -180,14 +180,34 @@ sub generate_token : Path('/auth/generate_token') {
$c->stash->{template} = 'auth/generate_token.html';
$c->forward('/auth/get_csrf_token');
+ my $has_2fa = $c->user->get_extra_metadata('2fa_secret');
+
if ($c->req->method eq 'POST') {
$c->forward('/auth/check_csrf_token');
- my $token = mySociety::AuthToken::random_token();
- $c->user->set_extra_metadata('access_token', $token);
+
+ if ($c->get_param('generate_token')) {
+ my $token = mySociety::AuthToken::random_token();
+ $c->user->set_extra_metadata('access_token', $token);
+ $c->stash->{token_generated} = 1;
+ }
+
+ if ($c->get_param('toggle_2fa') && $c->user->is_superuser) {
+ if ($has_2fa) {
+ $c->user->unset_extra_metadata('2fa_secret');
+ $c->stash->{toggle_2fa_off} = 1;
+ } else {
+ my $auth = Auth::GoogleAuth->new;
+ $c->stash->{qr_code} = $auth->qr_code(undef, $c->user->email, 'FixMyStreet');
+ $c->stash->{secret32} = $auth->secret32;
+ $c->user->set_extra_metadata('2fa_secret', $auth->secret32);
+ $c->stash->{toggle_2fa_on} = 1;
+ }
+ }
+
$c->user->update();
- $c->stash->{token_generated} = 1;
}
+ $c->stash->{has_2fa} = $has_2fa ? 1 : 0;
$c->stash->{existing_token} = $c->user->get_extra_metadata('access_token');
}
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index 05d082e45..85652450e 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -109,8 +109,8 @@ sub report_new : Path : Args(0) {
return unless $c->forward('check_form_submitted');
$c->forward('/auth/check_csrf_token');
- $c->forward('process_user');
$c->forward('process_report');
+ $c->forward('process_user');
$c->forward('/photo/process_photo');
return unless $c->forward('check_for_errors');
$c->forward('save_user_and_report');
@@ -147,8 +147,8 @@ sub report_new_ajax : Path('mobile') : Args(0) {
$c->forward('setup_categories_and_bodies');
$c->forward('setup_report_extra_fields');
- $c->forward('process_user');
$c->forward('process_report');
+ $c->forward('process_user');
$c->forward('/photo/process_photo');
unless ($c->forward('check_for_errors')) {
@@ -418,7 +418,9 @@ sub report_import : Path('/import') {
sub oauth_callback : Private {
my ( $self, $c, $token_code ) = @_;
- $c->stash->{oauth_report} = $token_code;
+ my $auth_token = $c->forward(
+ '/tokens/load_auth_token', [ $token_code, 'problem/social' ]);
+ $c->stash->{oauth_report} = $auth_token->data;
$c->detach('report_new');
}
@@ -475,9 +477,7 @@ sub initialize_report : Private {
}
if (!$report && $c->stash->{oauth_report}) {
- my $auth_token = $c->forward( '/tokens/load_auth_token',
- [ $c->stash->{oauth_report}, 'problem/social' ] );
- $report = $c->model("DB::Problem")->new($auth_token->data);
+ $report = $c->model("DB::Problem")->new($c->stash->{oauth_report});
}
if ($report) {
@@ -772,7 +772,7 @@ sub process_user : Private {
if ( $c->user_exists ) { {
my $user = $c->user->obj;
- if ($c->stash->{contributing_as_another_user} = $user->contributing_as('another_user', $c, $c->stash->{bodies})) {
+ if ($c->stash->{contributing_as_another_user}) {
# Act as if not logged in (and it will be auto-confirmed later on)
$report->user(undef);
last;
@@ -781,8 +781,7 @@ sub process_user : Private {
$report->user( $user );
$c->forward('update_user', [ \%params ]);
- if ($c->stash->{contributing_as_body} = $user->contributing_as('body', $c, $c->stash->{bodies}) or
- $c->stash->{contributing_as_anonymous_user} = $user->contributing_as('anonymous_user', $c, $c->stash->{bodies})) {
+ if ($c->stash->{contributing_as_body} or $c->stash->{contributing_as_anonymous_user}) {
$report->name($user->from_body->name);
$user->name($user->from_body->name) unless $user->name;
$c->stash->{no_reporter_alert} = 1;
@@ -799,6 +798,11 @@ sub process_user : Private {
# The user is trying to sign in. We only care about username from the params.
if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
+ $c->stash->{tfa_data} = {
+ detach_to => '/report/new/report_new',
+ login_success => 1,
+ oauth_report => { $report->get_inflated_columns }
+ };
unless ( $c->forward( '/auth/sign_in', [ $params{username} ] ) ) {
$c->stash->{field_errors}->{password} = _('There was a problem with your login information. If you cannot remember your password, or do not have one, please fill in the &lsquo;No&rsquo; section of the form.');
return 1;
@@ -869,6 +873,13 @@ sub process_report : Private {
$report->longitude( $c->stash->{longitude} );
$report->send_questionnaire( $c->cobrand->send_questionnaires() );
+ if ( $c->user_exists ) {
+ my $user = $c->user->obj;
+ $c->stash->{contributing_as_another_user} = $user->contributing_as('another_user', $c, $c->stash->{bodies});
+ $c->stash->{contributing_as_body} = $user->contributing_as('body', $c, $c->stash->{bodies});
+ $c->stash->{contributing_as_anonymous_user} = $user->contributing_as('anonymous_user', $c, $c->stash->{bodies});
+ }
+
# set some simple bool values (note they get inverted)
if ($c->stash->{contributing_as_body}) {
$report->anonymous(0);
@@ -1393,6 +1404,9 @@ sub redirect_or_confirm_creation : Private {
return 1;
}
+ # Superusers using 2FA can not log in by code
+ $c->detach( '/page_error_403_access_denied', [] ) if $report->user->has_2fa;
+
# otherwise email or text a confirm token to them.
my $thing = 'email';
if ($report->user->email_verified) {
diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm
index c684e46ad..24b54d7b5 100644
--- a/perllib/FixMyStreet/App/Controller/Report/Update.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm
@@ -131,6 +131,11 @@ sub process_user : Private {
# The user is trying to sign in. We only care about username from the params.
if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
+ $c->stash->{tfa_data} = {
+ detach_to => '/report/update/report_update',
+ login_success => 1,
+ oauth_update => { $update->get_inflated_columns }
+ };
unless ( $c->forward( '/auth/sign_in', [ $params{username} ] ) ) {
$c->stash->{field_errors}->{password} = _('There was a problem with your login information. If you cannot remember your password, or do not have one, please fill in the &lsquo;No&rsquo; section of the form.');
return 1;
@@ -164,7 +169,9 @@ what we have so far.
sub oauth_callback : Private {
my ( $self, $c, $token_code ) = @_;
- $c->stash->{oauth_update} = $token_code;
+ my $auth_token = $c->forward('/tokens/load_auth_token',
+ [ $token_code, 'update/social' ]);
+ $c->stash->{oauth_update} = $auth_token->data;
$c->detach('report_update');
}
@@ -179,9 +186,7 @@ sub initialize_update : Private {
my $update;
if ($c->stash->{oauth_update}) {
- my $auth_token = $c->forward( '/tokens/load_auth_token',
- [ $c->stash->{oauth_update}, 'update/social' ] );
- $update = $c->model("DB::Comment")->new($auth_token->data);
+ $update = $c->model("DB::Comment")->new($c->stash->{oauth_update});
}
if ($update) {
@@ -481,6 +486,9 @@ sub redirect_or_confirm_creation : Private {
return 1;
}
+ # Superusers using 2FA can not log in by code
+ $c->detach( '/page_error_403_access_denied', [] ) if $update->user->has_2fa;
+
my $data = $c->stash->{token_data};
$data->{id} = $update->id;
$data->{add_alert} = $c->get_param('add_alert') ? 1 : 0;
diff --git a/perllib/FixMyStreet/DB/Result/User.pm b/perllib/FixMyStreet/DB/Result/User.pm
index 97f2132b1..a6b927ad1 100644
--- a/perllib/FixMyStreet/DB/Result/User.pm
+++ b/perllib/FixMyStreet/DB/Result/User.pm
@@ -400,6 +400,11 @@ sub admin_user_body_permissions {
});
}
+sub has_2fa {
+ my $self = shift;
+ return $self->is_superuser && $self->get_extra_metadata('2fa_secret');
+}
+
sub contributing_as {
my ($self, $other, $c, $bodies) = @_;
$bodies = [ keys %$bodies ] if ref $bodies eq 'HASH';