Start to create 2FA exemption after successful 2FA login

2022-11-12 10:24:00 +01:00
parent c24318f6b8
commit 7a3eaa944e
7 changed files with 88 additions and 7 deletions
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@ -55,6 +55,7 @@ pub struct UpdateUserQuery {
    email: String,
    gen_new_password: Option<String>,
    enabled: Option<String>,
+    two_factor_exemption_after_successful_login: Option<String>,
    admin: Option<String>,
    grant_type: String,
    granted_clients: String,
@ -84,6 +85,10 @@ pub async fn users_route(
        user.last_name = update.0.last_name;
        user.email = update.0.email;
        user.enabled = update.0.enabled.is_some();
+        user.two_factor_exemption_after_successful_login = update
+            .0
+            .two_factor_exemption_after_successful_login
+            .is_some();
        user.admin = update.0.admin.is_some();

        let factors_to_keep = update.0.two_factor.split(';').collect::<Vec<_>>();
--- a/src/controllers/login_api.rs
+++ b/src/controllers/login_api.rs
@ -1,3 +1,7 @@
+use crate::actors::users_actor;
+use crate::actors::users_actor::UsersActor;
+use crate::data::remote_ip::RemoteIP;
+use actix::Addr;
 use actix_identity::Identity;
 use actix_web::{web, HttpRequest, HttpResponse, Responder};
 use webauthn_rs::prelude::PublicKeyCredential;
@ -16,6 +20,8 @@ pub async fn auth_webauthn(
    req: web::Json<AuthWebauthnRequest>,
    manager: WebAuthManagerReq,
    http_req: HttpRequest,
+    remote_ip: RemoteIP,
+    users: web::Data<Addr<UsersActor>>,
 ) -> impl Responder {
    if !SessionIdentity(Some(&id)).need_2fa_auth() {
        return HttpResponse::Unauthorized().json("No 2FA required!");
@ -25,6 +31,11 @@ pub async fn auth_webauthn(

    match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) {
        Ok(_) => {
+            users
+                .send(users_actor::AddSuccessful2FALogin(user_id, remote_ip.0))
+                .await
+                .unwrap();
+
            SessionIdentity(Some(&id)).set_status(&http_req, SessionStatus::SignedIn);
            HttpResponse::Ok().body("You are authenticated!")
        }
--- a/src/controllers/login_controller.rs
+++ b/src/controllers/login_controller.rs
@ -139,7 +139,8 @@ pub async fn login_route(
            LoginResult::Success(user) => {
                let status = if user.need_reset_password {
                    SessionStatus::NeedNewPassword
-                } else if user.has_two_factor() {
+                } else if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0)
+                {
                    SessionStatus::Need2FA
                } else {
                    SessionStatus::SignedIn
@ -326,6 +327,7 @@ pub async fn login_with_otp(
    form: Option<web::Form<LoginWithOTPForm>>,
    users: web::Data<Addr<UsersActor>>,
    http_req: HttpRequest,
+    remote_ip: RemoteIP,
 ) -> impl Responder {
    let mut danger = None;

@ -354,6 +356,11 @@ pub async fn login_with_otp(
        {
            danger = Some("Specified code is invalid!".to_string());
        } else {
+            users
+                .send(users_actor::AddSuccessful2FALogin(user.uid, remote_ip.0))
+                .await
+                .unwrap();
+
            SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
            return redirect_user(query.redirect.get());
        }