pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Need to perform 2FA before modifying factors

Browse Source
This commit is contained in:
Pierre HUBERT 2024-03-27 19:26:07 +01:00
parent 8d739c6f72
commit 9a79ef701b
9 changed files with 107 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/constants.rs
View File

@ -29,6 +29,10 @@ pub const MAX_SECOND_FACTOR_NAME_LEN: usize = 25;
/// exempted from this IP address to use 2FA
pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
/// The maximum acceptable interval of time between last two factors authentication of a user and
/// access to a critical route / a critical client
pub const SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS: u64 = 60 * 10;
/// Minimum password length
pub const MIN_PASS_LEN: usize = 4;

7
src/controllers/login_controller.rs
View File

@ -14,7 +14,7 @@ use crate::controllers::base_controller::{
};
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::force_2fa_auth::Force2FAAuth;
use crate::data::login_redirect::LoginRedirect;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use crate::data::provider::{Provider, ProvidersManager};
use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::data::user::User;
@ -129,10 +129,7 @@ pub async fn login_route(
}
// Check if the user has to validate a second factor
else if SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user(&format!(
"/2fa_auth?redirect={}",
query.redirect.get_encoded()
));
return redirect_user(&get_2fa_url(&query.redirect, false));
}
// Check if given login is not acceptable
else if req

5
src/controllers/two_factor_api.rs
View File

@ -7,6 +7,7 @@ use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey;
use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
@ -29,6 +30,7 @@ pub struct AddTOTPRequest {
}
pub async fn save_totp_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<AddTOTPRequest>,
users: web::Data<Addr<UsersActor>>,
@ -77,6 +79,7 @@ pub struct AddWebauthnRequest {
}
pub async fn save_webauthn_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<AddWebauthnRequest>,
users: web::Data<Addr<UsersActor>>,
@ -121,6 +124,7 @@ pub struct DeleteFactorRequest {
}
pub async fn delete_factor(
_critical: CriticalRoute,
user: CurrentUser,
form: web::Json<DeleteFactorRequest>,
users: web::Data<Addr<UsersActor>>,
@ -145,6 +149,7 @@ pub async fn delete_factor(
}
pub async fn clear_login_history(
_critical: CriticalRoute,
user: CurrentUser,
users: web::Data<Addr<UsersActor>>,
logger: ActionLogger,

6
src/controllers/two_factors_controller.rs
View File

@ -9,6 +9,7 @@ use qrcode_generator::QrCodeEcc;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::controllers::settings_controller::BaseSettingsPage;
use crate::data::app_config::AppConfig;
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey;
use crate::data::user::User;
@ -43,7 +44,7 @@ struct AddWebauhtnPage<'a> {
}
/// Manage two factors authentication methods route
pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
HttpResponse::Ok().body(
TwoFactorsPage {
p: BaseSettingsPage::get("Two factor auth", &user, None, None),
@ -56,7 +57,7 @@ pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
}
/// Configure a new TOTP authentication factor
pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
let key = TotpKey::new_random();
let qr_code = qrcode_generator::to_png_to_vec(
@ -87,6 +88,7 @@ pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
/// Configure a new security key factor
pub async fn add_webauthn_factor_route(
_critical: CriticalRoute,
user: CurrentUser,
manager: WebAuthManagerReq,
) -> impl Responder {

32
src/data/critical_route.rs Normal file
View File

@ -0,0 +1,32 @@
use crate::data::current_user::CurrentUser;
use crate::data::from_request_redirect::FromRequestRedirect;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use actix_web::dev::Payload;
use actix_web::{FromRequest, HttpRequest};
use std::future::Future;
use std::pin::Pin;
pub struct CriticalRoute;
impl FromRequest for CriticalRoute {
type Error = FromRequestRedirect;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let req = req.clone();
Box::pin(async move {
let current_user = CurrentUser::from_request(&req, &mut Payload::None)
.await
.expect("Failed to extract user identity!");
if current_user.should_request_2fa_for_critical_function() {
let url = get_2fa_url(&LoginRedirect::from_req(&req), true);
return Err(FromRequestRedirect::new(url));
}
Ok(Self)
})
}
}

12
src/data/current_user.rs
View File

@ -10,8 +10,10 @@ use actix_web::{web, Error, FromRequest, HttpRequest};
use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;
use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
use crate::data::session_identity::SessionIdentity;
use crate::data::user::User;
use crate::utils::time::time;
pub struct CurrentUser {
user: User,
@ -19,6 +21,16 @@ pub struct CurrentUser {
pub last_2fa_auth: Option<u64>,
}
impl CurrentUser {
pub fn should_request_2fa_for_critical_function(&self) -> bool {
self.user.has_two_factor()
&& self
.last_2fa_auth
.map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
.unwrap_or(true)
}
}
impl From<CurrentUser> for User {
fn from(user: CurrentUser) -> Self {
user.user

32
src/data/from_request_redirect.rs Normal file
View File

@ -0,0 +1,32 @@
use actix_web::body::BoxBody;
use actix_web::http::StatusCode;
use actix_web::{HttpResponse, ResponseError};
use std::fmt::{Debug, Display, Formatter};
#[derive(Debug)]
pub struct FromRequestRedirect {
url: String,
}
impl FromRequestRedirect {
pub fn new(url: String) -> Self {
Self { url }
}
}
impl Display for FromRequestRedirect {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "Redirect to {}", self.url)
}
}
impl ResponseError for FromRequestRedirect {
fn status_code(&self) -> StatusCode {
StatusCode::FOUND
}
fn error_response(&self) -> HttpResponse<BoxBody> {
HttpResponse::Found()
.insert_header(("Location", self.url.as_str()))
.body("Redirecting...")
}
}

14
src/data/login_redirect.rs
View File

@ -1,7 +1,13 @@
use actix_web::HttpRequest;
#[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
pub struct LoginRedirect(String);
impl LoginRedirect {
pub fn from_req(req: &HttpRequest) -> Self {
Self(req.uri().to_string())
}
pub fn get(&self) -> &str {
match self.0.starts_with('/') && !self.0.starts_with("//") {
true => self.0.as_str(),
@ -19,3 +25,11 @@ impl Default for LoginRedirect {
Self("/".to_string())
}
}
/// Get the URL for 2FA authentication
pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
format!(
"/2fa_auth?redirect={}&force_2fa={force_2fa}",
redir.get_encoded()
)
}

2
src/data/mod.rs
View File

@ -3,9 +3,11 @@ pub mod action_logger;
pub mod app_config;
pub mod client;
pub mod code_challenge;
pub mod critical_route;
pub mod current_user;
pub mod entity_manager;
pub mod force_2fa_auth;
pub mod from_request_redirect;
pub mod id_token;
pub mod jwt_signer;
pub mod login_redirect;