Need to perform 2FA before modifying factors
This commit is contained in:
parent
8d739c6f72
commit
9a79ef701b
@ -29,6 +29,10 @@ pub const MAX_SECOND_FACTOR_NAME_LEN: usize = 25;
|
|||||||
/// exempted from this IP address to use 2FA
|
/// exempted from this IP address to use 2FA
|
||||||
pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
|
pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
|
||||||
|
|
||||||
|
/// The maximum acceptable interval of time between last two factors authentication of a user and
|
||||||
|
/// access to a critical route / a critical client
|
||||||
|
pub const SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS: u64 = 60 * 10;
|
||||||
|
|
||||||
/// Minimum password length
|
/// Minimum password length
|
||||||
pub const MIN_PASS_LEN: usize = 4;
|
pub const MIN_PASS_LEN: usize = 4;
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ use crate::controllers::base_controller::{
|
|||||||
};
|
};
|
||||||
use crate::data::action_logger::{Action, ActionLogger};
|
use crate::data::action_logger::{Action, ActionLogger};
|
||||||
use crate::data::force_2fa_auth::Force2FAAuth;
|
use crate::data::force_2fa_auth::Force2FAAuth;
|
||||||
use crate::data::login_redirect::LoginRedirect;
|
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
|
||||||
use crate::data::provider::{Provider, ProvidersManager};
|
use crate::data::provider::{Provider, ProvidersManager};
|
||||||
use crate::data::session_identity::{SessionIdentity, SessionStatus};
|
use crate::data::session_identity::{SessionIdentity, SessionStatus};
|
||||||
use crate::data::user::User;
|
use crate::data::user::User;
|
||||||
@ -129,10 +129,7 @@ pub async fn login_route(
|
|||||||
}
|
}
|
||||||
// Check if the user has to validate a second factor
|
// Check if the user has to validate a second factor
|
||||||
else if SessionIdentity(id.as_ref()).need_2fa_auth() {
|
else if SessionIdentity(id.as_ref()).need_2fa_auth() {
|
||||||
return redirect_user(&format!(
|
return redirect_user(&get_2fa_url(&query.redirect, false));
|
||||||
"/2fa_auth?redirect={}",
|
|
||||||
query.redirect.get_encoded()
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
// Check if given login is not acceptable
|
// Check if given login is not acceptable
|
||||||
else if req
|
else if req
|
||||||
|
@ -7,6 +7,7 @@ use crate::actors::users_actor;
|
|||||||
use crate::actors::users_actor::UsersActor;
|
use crate::actors::users_actor::UsersActor;
|
||||||
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
|
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
|
||||||
use crate::data::action_logger::{Action, ActionLogger};
|
use crate::data::action_logger::{Action, ActionLogger};
|
||||||
|
use crate::data::critical_route::CriticalRoute;
|
||||||
use crate::data::current_user::CurrentUser;
|
use crate::data::current_user::CurrentUser;
|
||||||
use crate::data::totp_key::TotpKey;
|
use crate::data::totp_key::TotpKey;
|
||||||
use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
|
use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
|
||||||
@ -29,6 +30,7 @@ pub struct AddTOTPRequest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub async fn save_totp_factor(
|
pub async fn save_totp_factor(
|
||||||
|
_critical: CriticalRoute,
|
||||||
user: CurrentUser,
|
user: CurrentUser,
|
||||||
form: web::Json<AddTOTPRequest>,
|
form: web::Json<AddTOTPRequest>,
|
||||||
users: web::Data<Addr<UsersActor>>,
|
users: web::Data<Addr<UsersActor>>,
|
||||||
@ -77,6 +79,7 @@ pub struct AddWebauthnRequest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub async fn save_webauthn_factor(
|
pub async fn save_webauthn_factor(
|
||||||
|
_critical: CriticalRoute,
|
||||||
user: CurrentUser,
|
user: CurrentUser,
|
||||||
form: web::Json<AddWebauthnRequest>,
|
form: web::Json<AddWebauthnRequest>,
|
||||||
users: web::Data<Addr<UsersActor>>,
|
users: web::Data<Addr<UsersActor>>,
|
||||||
@ -121,6 +124,7 @@ pub struct DeleteFactorRequest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub async fn delete_factor(
|
pub async fn delete_factor(
|
||||||
|
_critical: CriticalRoute,
|
||||||
user: CurrentUser,
|
user: CurrentUser,
|
||||||
form: web::Json<DeleteFactorRequest>,
|
form: web::Json<DeleteFactorRequest>,
|
||||||
users: web::Data<Addr<UsersActor>>,
|
users: web::Data<Addr<UsersActor>>,
|
||||||
@ -145,6 +149,7 @@ pub async fn delete_factor(
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub async fn clear_login_history(
|
pub async fn clear_login_history(
|
||||||
|
_critical: CriticalRoute,
|
||||||
user: CurrentUser,
|
user: CurrentUser,
|
||||||
users: web::Data<Addr<UsersActor>>,
|
users: web::Data<Addr<UsersActor>>,
|
||||||
logger: ActionLogger,
|
logger: ActionLogger,
|
||||||
|
@ -9,6 +9,7 @@ use qrcode_generator::QrCodeEcc;
|
|||||||
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
|
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
|
||||||
use crate::controllers::settings_controller::BaseSettingsPage;
|
use crate::controllers::settings_controller::BaseSettingsPage;
|
||||||
use crate::data::app_config::AppConfig;
|
use crate::data::app_config::AppConfig;
|
||||||
|
use crate::data::critical_route::CriticalRoute;
|
||||||
use crate::data::current_user::CurrentUser;
|
use crate::data::current_user::CurrentUser;
|
||||||
use crate::data::totp_key::TotpKey;
|
use crate::data::totp_key::TotpKey;
|
||||||
use crate::data::user::User;
|
use crate::data::user::User;
|
||||||
@ -43,7 +44,7 @@ struct AddWebauhtnPage<'a> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/// Manage two factors authentication methods route
|
/// Manage two factors authentication methods route
|
||||||
pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
|
pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
|
||||||
HttpResponse::Ok().body(
|
HttpResponse::Ok().body(
|
||||||
TwoFactorsPage {
|
TwoFactorsPage {
|
||||||
p: BaseSettingsPage::get("Two factor auth", &user, None, None),
|
p: BaseSettingsPage::get("Two factor auth", &user, None, None),
|
||||||
@ -56,7 +57,7 @@ pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/// Configure a new TOTP authentication factor
|
/// Configure a new TOTP authentication factor
|
||||||
pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
|
pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder {
|
||||||
let key = TotpKey::new_random();
|
let key = TotpKey::new_random();
|
||||||
|
|
||||||
let qr_code = qrcode_generator::to_png_to_vec(
|
let qr_code = qrcode_generator::to_png_to_vec(
|
||||||
@ -87,6 +88,7 @@ pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
|
|||||||
|
|
||||||
/// Configure a new security key factor
|
/// Configure a new security key factor
|
||||||
pub async fn add_webauthn_factor_route(
|
pub async fn add_webauthn_factor_route(
|
||||||
|
_critical: CriticalRoute,
|
||||||
user: CurrentUser,
|
user: CurrentUser,
|
||||||
manager: WebAuthManagerReq,
|
manager: WebAuthManagerReq,
|
||||||
) -> impl Responder {
|
) -> impl Responder {
|
||||||
|
32
src/data/critical_route.rs
Normal file
32
src/data/critical_route.rs
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
use crate::data::current_user::CurrentUser;
|
||||||
|
use crate::data::from_request_redirect::FromRequestRedirect;
|
||||||
|
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
|
||||||
|
use actix_web::dev::Payload;
|
||||||
|
use actix_web::{FromRequest, HttpRequest};
|
||||||
|
use std::future::Future;
|
||||||
|
use std::pin::Pin;
|
||||||
|
|
||||||
|
pub struct CriticalRoute;
|
||||||
|
|
||||||
|
impl FromRequest for CriticalRoute {
|
||||||
|
type Error = FromRequestRedirect;
|
||||||
|
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
|
||||||
|
|
||||||
|
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
|
||||||
|
let req = req.clone();
|
||||||
|
|
||||||
|
Box::pin(async move {
|
||||||
|
let current_user = CurrentUser::from_request(&req, &mut Payload::None)
|
||||||
|
.await
|
||||||
|
.expect("Failed to extract user identity!");
|
||||||
|
|
||||||
|
if current_user.should_request_2fa_for_critical_function() {
|
||||||
|
let url = get_2fa_url(&LoginRedirect::from_req(&req), true);
|
||||||
|
|
||||||
|
return Err(FromRequestRedirect::new(url));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(Self)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
@ -10,8 +10,10 @@ use actix_web::{web, Error, FromRequest, HttpRequest};
|
|||||||
|
|
||||||
use crate::actors::users_actor;
|
use crate::actors::users_actor;
|
||||||
use crate::actors::users_actor::UsersActor;
|
use crate::actors::users_actor::UsersActor;
|
||||||
|
use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
|
||||||
use crate::data::session_identity::SessionIdentity;
|
use crate::data::session_identity::SessionIdentity;
|
||||||
use crate::data::user::User;
|
use crate::data::user::User;
|
||||||
|
use crate::utils::time::time;
|
||||||
|
|
||||||
pub struct CurrentUser {
|
pub struct CurrentUser {
|
||||||
user: User,
|
user: User,
|
||||||
@ -19,6 +21,16 @@ pub struct CurrentUser {
|
|||||||
pub last_2fa_auth: Option<u64>,
|
pub last_2fa_auth: Option<u64>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl CurrentUser {
|
||||||
|
pub fn should_request_2fa_for_critical_function(&self) -> bool {
|
||||||
|
self.user.has_two_factor()
|
||||||
|
&& self
|
||||||
|
.last_2fa_auth
|
||||||
|
.map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
|
||||||
|
.unwrap_or(true)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl From<CurrentUser> for User {
|
impl From<CurrentUser> for User {
|
||||||
fn from(user: CurrentUser) -> Self {
|
fn from(user: CurrentUser) -> Self {
|
||||||
user.user
|
user.user
|
||||||
|
32
src/data/from_request_redirect.rs
Normal file
32
src/data/from_request_redirect.rs
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
use actix_web::body::BoxBody;
|
||||||
|
use actix_web::http::StatusCode;
|
||||||
|
use actix_web::{HttpResponse, ResponseError};
|
||||||
|
use std::fmt::{Debug, Display, Formatter};
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct FromRequestRedirect {
|
||||||
|
url: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl FromRequestRedirect {
|
||||||
|
pub fn new(url: String) -> Self {
|
||||||
|
Self { url }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Display for FromRequestRedirect {
|
||||||
|
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
|
||||||
|
write!(f, "Redirect to {}", self.url)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ResponseError for FromRequestRedirect {
|
||||||
|
fn status_code(&self) -> StatusCode {
|
||||||
|
StatusCode::FOUND
|
||||||
|
}
|
||||||
|
fn error_response(&self) -> HttpResponse<BoxBody> {
|
||||||
|
HttpResponse::Found()
|
||||||
|
.insert_header(("Location", self.url.as_str()))
|
||||||
|
.body("Redirecting...")
|
||||||
|
}
|
||||||
|
}
|
@ -1,7 +1,13 @@
|
|||||||
|
use actix_web::HttpRequest;
|
||||||
|
|
||||||
#[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
|
#[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
|
||||||
pub struct LoginRedirect(String);
|
pub struct LoginRedirect(String);
|
||||||
|
|
||||||
impl LoginRedirect {
|
impl LoginRedirect {
|
||||||
|
pub fn from_req(req: &HttpRequest) -> Self {
|
||||||
|
Self(req.uri().to_string())
|
||||||
|
}
|
||||||
|
|
||||||
pub fn get(&self) -> &str {
|
pub fn get(&self) -> &str {
|
||||||
match self.0.starts_with('/') && !self.0.starts_with("//") {
|
match self.0.starts_with('/') && !self.0.starts_with("//") {
|
||||||
true => self.0.as_str(),
|
true => self.0.as_str(),
|
||||||
@ -19,3 +25,11 @@ impl Default for LoginRedirect {
|
|||||||
Self("/".to_string())
|
Self("/".to_string())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Get the URL for 2FA authentication
|
||||||
|
pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
|
||||||
|
format!(
|
||||||
|
"/2fa_auth?redirect={}&force_2fa={force_2fa}",
|
||||||
|
redir.get_encoded()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
@ -3,9 +3,11 @@ pub mod action_logger;
|
|||||||
pub mod app_config;
|
pub mod app_config;
|
||||||
pub mod client;
|
pub mod client;
|
||||||
pub mod code_challenge;
|
pub mod code_challenge;
|
||||||
|
pub mod critical_route;
|
||||||
pub mod current_user;
|
pub mod current_user;
|
||||||
pub mod entity_manager;
|
pub mod entity_manager;
|
||||||
pub mod force_2fa_auth;
|
pub mod force_2fa_auth;
|
||||||
|
pub mod from_request_redirect;
|
||||||
pub mod id_token;
|
pub mod id_token;
|
||||||
pub mod jwt_signer;
|
pub mod jwt_signer;
|
||||||
pub mod login_redirect;
|
pub mod login_redirect;
|
||||||
|
Loading…
Reference in New Issue
Block a user