Module: SecondFactorManager
- Extended by:
- ActiveSupport::Concern
- Included in:
- User, UserSecondFactor
- Defined in:
- app/models/concerns/second_factor_manager.rb
Defined Under Namespace
Classes: SecondFactorAuthenticationResult
Constant Summary
collapse
- TOTP_ALLOWED_DRIFT_SECONDS =
30
Instance Method Summary
collapse
Instance Method Details
#authenticate_backup_code(backup_code) ⇒ Object
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
|
# File 'app/models/concerns/second_factor_manager.rb', line 245
def authenticate_backup_code(backup_code)
if !backup_code.blank?
codes = self.user_second_factors&.backup_codes
codes.each do |code|
parsed_data = JSON.parse(code.data)
stored_code = parsed_data["code_hash"]
stored_salt = parsed_data["salt"]
backup_hash = hash_backup_code(backup_code, stored_salt)
next unless backup_hash == stored_code
code.update(enabled: false, last_used: DateTime.now)
return true
end
false
end
false
end
|
#authenticate_second_factor(params, secure_session) ⇒ Object
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
# File 'app/models/concerns/second_factor_manager.rb', line 107
def authenticate_second_factor(params, secure_session)
ok_result = SecondFactorAuthenticationResult.new(true)
return ok_result if !security_keys_enabled? && !totp_or_backup_codes_enabled?
second_factor_token = params[:second_factor_token]
second_factor_method = params[:second_factor_method]&.to_i
if second_factor_method.blank? || UserSecondFactor.methods[second_factor_method].blank?
return invalid_second_factor_method_result
end
if !valid_second_factor_method_for_user?(second_factor_method)
return not_enabled_second_factor_method_result
end
case second_factor_method
when UserSecondFactor.methods[:totp]
if authenticate_totp(second_factor_token)
ok_result.used_2fa_method = UserSecondFactor.methods[:totp]
return ok_result
else
return invalid_totp_or_backup_code_result
end
when UserSecondFactor.methods[:backup_codes]
if authenticate_backup_code(second_factor_token)
ok_result.used_2fa_method = UserSecondFactor.methods[:backup_codes]
return ok_result
else
return invalid_totp_or_backup_code_result
end
when UserSecondFactor.methods[:security_key]
if authenticate_security_key(secure_session, second_factor_token)
ok_result.used_2fa_method = UserSecondFactor.methods[:security_key]
return ok_result
else
return invalid_security_key_result
end
end
invalid_second_factor_method_result
rescue ::DiscourseWebauthn::SecurityKeyError => err
invalid_security_key_result(err.message)
end
|
#authenticate_security_key(secure_session, security_key_credential) ⇒ Object
165
166
167
168
169
170
171
172
|
# File 'app/models/concerns/second_factor_manager.rb', line 165
def authenticate_security_key(secure_session, security_key_credential)
::DiscourseWebauthn::AuthenticationService.new(
self,
security_key_credential,
session: secure_session,
factor_type: UserSecurityKey.factor_types[:second_factor],
).authenticate_security_key
end
|
#authenticate_totp(token) ⇒ Object
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
# File 'app/models/concerns/second_factor_manager.rb', line 40
def authenticate_totp(token)
totps = self.user_second_factors&.totps
authenticated = false
totps.each do |totp|
last_used = 0
last_used = totp.last_used.to_i if totp.last_used
authenticated =
!token.blank? &&
totp.totp_object.verify(
token,
drift_ahead: TOTP_ALLOWED_DRIFT_SECONDS,
drift_behind: TOTP_ALLOWED_DRIFT_SECONDS,
after: last_used,
)
if authenticated
totp.update!(last_used: DateTime.now)
break
end
end
!!authenticated
end
|
#backup_codes_enabled? ⇒ Boolean
70
71
72
73
|
# File 'app/models/concerns/second_factor_manager.rb', line 70
def backup_codes_enabled?
!SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins &&
self.user_second_factors&.backup_codes&.exists?
end
|
#create_backup_codes(codes) ⇒ Object
234
235
236
237
238
239
240
241
242
243
|
# File 'app/models/concerns/second_factor_manager.rb', line 234
def create_backup_codes(codes)
codes.each do |code|
UserSecondFactor.create!(
user_id: self.id,
data: code.to_json,
enabled: true,
method: UserSecondFactor.methods[:backup_codes],
)
end
end
|
#create_totp(opts = {}) ⇒ Object
20
21
22
23
24
25
26
27
28
29
|
# File 'app/models/concerns/second_factor_manager.rb', line 20
def create_totp(opts = {})
require_rotp
UserSecondFactor.create!(
{
user_id: self.id,
method: UserSecondFactor.methods[:totp],
data: ROTP::Base32.random,
}.merge(opts),
)
end
|
#generate_backup_codes ⇒ Object
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
# File 'app/models/concerns/second_factor_manager.rb', line 214
def generate_backup_codes
codes = []
10.times { codes << SecureRandom.hex(16) }
codes_json =
codes.map do |code|
salt = SecureRandom.hex(16)
{ salt: salt, code_hash: hash_backup_code(code, salt) }
end
if self.user_second_factors.backup_codes.empty?
create_backup_codes(codes_json)
else
self.user_second_factors.where(method: UserSecondFactor.methods[:backup_codes]).destroy_all
create_backup_codes(codes_json)
end
codes
end
|
#get_totp_object(data) ⇒ Object
31
32
33
34
|
# File 'app/models/concerns/second_factor_manager.rb', line 31
def get_totp_object(data)
require_rotp
ROTP::TOTP.new(data, issuer: SiteSetting.title.gsub(":", ""))
end
|
#has_any_second_factor_methods_enabled? ⇒ Boolean
83
84
85
|
# File 'app/models/concerns/second_factor_manager.rb', line 83
def has_any_second_factor_methods_enabled?
totp_enabled? || security_keys_enabled?
end
|
#has_multiple_second_factor_methods? ⇒ Boolean
87
88
89
|
# File 'app/models/concerns/second_factor_manager.rb', line 87
def has_multiple_second_factor_methods?
security_keys_enabled? && totp_or_backup_codes_enabled?
end
|
#hash_backup_code(code, salt) ⇒ Object
264
265
266
267
268
269
|
# File 'app/models/concerns/second_factor_manager.rb', line 264
def hash_backup_code(code, salt)
iterations = Rails.env.test? ? 10 : 64_000
Pbkdf2.hash_password(code, salt, iterations, "sha256")
end
|
#invalid_second_factor_authentication_result(error_message, reason) ⇒ Object
202
203
204
205
206
207
208
209
210
211
212
|
# File 'app/models/concerns/second_factor_manager.rb', line 202
def invalid_second_factor_authentication_result(error_message, reason)
SecondFactorAuthenticationResult.new(
false,
error_message,
reason,
backup_codes_enabled?,
security_keys_enabled?,
totp_enabled?,
has_multiple_second_factor_methods?,
)
end
|
#invalid_second_factor_method_result ⇒ Object
188
189
190
191
192
193
|
# File 'app/models/concerns/second_factor_manager.rb', line 188
def invalid_second_factor_method_result
invalid_second_factor_authentication_result(
I18n.t("login.invalid_second_factor_method"),
"invalid_second_factor_method",
)
end
|
#invalid_security_key_result(error_message = nil) ⇒ Object
181
182
183
184
185
186
|
# File 'app/models/concerns/second_factor_manager.rb', line 181
def invalid_security_key_result(error_message = nil)
invalid_second_factor_authentication_result(
error_message || I18n.t("login.invalid_security_key"),
"invalid_security_key",
)
end
|
#invalid_totp_or_backup_code_result ⇒ Object
174
175
176
177
178
179
|
# File 'app/models/concerns/second_factor_manager.rb', line 174
def invalid_totp_or_backup_code_result
invalid_second_factor_authentication_result(
I18n.t("login.invalid_second_factor_code"),
"invalid_second_factor",
)
end
|
#not_enabled_second_factor_method_result ⇒ Object
195
196
197
198
199
200
|
# File 'app/models/concerns/second_factor_manager.rb', line 195
def not_enabled_second_factor_method_result
invalid_second_factor_authentication_result(
I18n.t("login.not_enabled_second_factor_method"),
"not_enabled_second_factor_method",
)
end
|
#only_security_keys_enabled? ⇒ Boolean
95
96
97
|
# File 'app/models/concerns/second_factor_manager.rb', line 95
def only_security_keys_enabled?
security_keys_enabled? && !totp_or_backup_codes_enabled?
end
|
#only_totp_or_backup_codes_enabled? ⇒ Boolean
99
100
101
|
# File 'app/models/concerns/second_factor_manager.rb', line 99
def only_totp_or_backup_codes_enabled?
!security_keys_enabled? && totp_or_backup_codes_enabled?
end
|
#remaining_backup_codes ⇒ Object
103
104
105
|
# File 'app/models/concerns/second_factor_manager.rb', line 103
def remaining_backup_codes
self.user_second_factors&.backup_codes&.count
end
|
#require_rotp ⇒ Object
271
272
273
|
# File 'app/models/concerns/second_factor_manager.rb', line 271
def require_rotp
require "rotp" if !defined?(ROTP)
end
|
#security_keys_enabled? ⇒ Boolean
75
76
77
78
79
80
81
|
# File 'app/models/concerns/second_factor_manager.rb', line 75
def security_keys_enabled?
!SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins &&
self
.security_keys
&.where(factor_type: UserSecurityKey.factor_types[:second_factor], enabled: true)
&.exists?
end
|
#totp_enabled? ⇒ Boolean
65
66
67
68
|
# File 'app/models/concerns/second_factor_manager.rb', line 65
def totp_enabled?
!SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins &&
self.user_second_factors&.totps&.exists?
end
|
#totp_or_backup_codes_enabled? ⇒ Boolean
91
92
93
|
# File 'app/models/concerns/second_factor_manager.rb', line 91
def totp_or_backup_codes_enabled?
totp_enabled? || backup_codes_enabled?
end
|
#totp_provisioning_uri(data) ⇒ Object
36
37
38
|
# File 'app/models/concerns/second_factor_manager.rb', line 36
def totp_provisioning_uri(data)
get_totp_object(data).provisioning_uri(self.email)
end
|
#valid_second_factor_method_for_user?(method) ⇒ Boolean
153
154
155
156
157
158
159
160
161
162
163
|
# File 'app/models/concerns/second_factor_manager.rb', line 153
def valid_second_factor_method_for_user?(method)
case method
when UserSecondFactor.methods[:totp]
return totp_enabled?
when UserSecondFactor.methods[:backup_codes]
return backup_codes_enabled?
when UserSecondFactor.methods[:security_key]
return security_keys_enabled?
end
false
end
|