casdoor/object/mfa.go

// Copyright 2023 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	"fmt"

	"github.com/casdoor/casdoor/util"

	"github.com/beego/beego/context"
)

type MfaSessionData struct {
	UserId string
}

type MfaProps struct {
	Enabled       bool     `json:"enabled"`
	IsPreferred   bool     `json:"isPreferred"`
	MfaType       string   `json:"mfaType" form:"mfaType"`
	Secret        string   `json:"secret,omitempty"`
	CountryCode   string   `json:"countryCode,omitempty"`
	URL           string   `json:"url,omitempty"`
	RecoveryCodes []string `json:"recoveryCodes,omitempty"`
}

type MfaInterface interface {
	SetupVerify(ctx *context.Context, passCode string) error
	Verify(passCode string) error
	Initiate(ctx *context.Context, name1 string, name2 string) (*MfaProps, error)
	Enable(ctx *context.Context, user *User) error
}

const (
	EmailType = "email"
	SmsType   = "sms"
	TotpType  = "app"
)

const (
	MfaSessionUserId = "MfaSessionUserId"
	NextMfa          = "NextMfa"
	RequiredMfa      = "RequiredMfa"
)

func GetMfaUtil(mfaType string, config *MfaProps) MfaInterface {
	switch mfaType {
	case SmsType:
		return NewSmsTwoFactor(config)
	case EmailType:
		return NewEmailTwoFactor(config)
	case TotpType:
		return nil
	}

	return nil
}

func MfaRecover(user *User, recoveryCode string) error {
	hit := false

	if len(user.RecoveryCodes) == 0 {
		return fmt.Errorf("do not have recovery codes")
	}

	for _, code := range user.RecoveryCodes {
		if code == recoveryCode {
			hit = true
			user.RecoveryCodes = util.DeleteVal(user.RecoveryCodes, code)
			break
		}
	}
	if !hit {
		return fmt.Errorf("recovery code not found")
	}

	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())
	if err != nil {
		return err
	}

	return nil
}

func GetAllMfaProps(user *User, masked bool) []*MfaProps {
	mfaProps := []*MfaProps{}

	if user.MfaPhoneEnabled {
		mfaProps = append(mfaProps, user.GetMfaProps(SmsType, masked))
	} else {
		mfaProps = append(mfaProps, &MfaProps{
			Enabled: false,
			MfaType: SmsType,
		})
	}
	if user.MfaEmailEnabled {
		mfaProps = append(mfaProps, user.GetMfaProps(EmailType, masked))
	} else {
		mfaProps = append(mfaProps, &MfaProps{
			Enabled: false,
			MfaType: EmailType,
		})
	}

	return mfaProps
}

func (user *User) GetMfaProps(mfaType string, masked bool) *MfaProps {
	mfaProps := &MfaProps{}

	if mfaType == SmsType {
		mfaProps = &MfaProps{
			Enabled:     user.MfaPhoneEnabled,
			MfaType:     mfaType,
			CountryCode: user.CountryCode,
		}
		if masked {
			mfaProps.Secret = util.GetMaskedPhone(user.Phone)
		} else {
			mfaProps.Secret = user.Phone
		}
	} else if mfaType == EmailType {
		mfaProps = &MfaProps{
			Enabled: user.MfaEmailEnabled,
			MfaType: mfaType,
		}
		if masked {
			mfaProps.Secret = util.GetMaskedEmail(user.Email)
		} else {
			mfaProps.Secret = user.Email
		}
	} else if mfaType == TotpType {
		mfaProps = &MfaProps{
			MfaType: mfaType,
		}
	}

	if user.PreferredMfaType == mfaType {
		mfaProps.IsPreferred = true
	}
	return mfaProps
}

func DisabledMultiFactorAuth(user *User) error {
	user.PreferredMfaType = ""
	user.RecoveryCodes = []string{}
	user.MfaPhoneEnabled = false
	user.MfaEmailEnabled = false

	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled"}, user.IsAdminUser())
	if err != nil {
		return err
	}
	return nil
}

func SetPreferredMultiFactorAuth(user *User, mfaType string) error {
	user.PreferredMfaType = mfaType

	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())
	if err != nil {
		return err
	}
	return nil
}
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`// Copyright 2023 The Casdoor Authors. All Rights Reserved.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package object`

			`import (`
			`"fmt"`

			`"github.com/casdoor/casdoor/util"`

			`"github.com/beego/beego/context"`
			`)`

			`type MfaSessionData struct {`
			`UserId string`
			`}`

			`type MfaProps struct {`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			Enabled bool `json:"enabled"`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			IsPreferred bool `json:"isPreferred"`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			MfaType string `json:"mfaType" form:"mfaType"`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			Secret string `json:"secret,omitempty"`
			CountryCode string `json:"countryCode,omitempty"`
			URL string `json:"url,omitempty"`
			RecoveryCodes []string `json:"recoveryCodes,omitempty"`
			`}`

			`type MfaInterface interface {`
			`SetupVerify(ctx *context.Context, passCode string) error`
			`Verify(passCode string) error`
			`Initiate(ctx context.Context, name1 string, name2 string) (MfaProps, error)`
			`Enable(ctx context.Context, user User) error`
			`}`

			`const (`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`EmailType = "email"`
			`SmsType = "sms"`
			`TotpType = "app"`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`)`

			`const (`
			`MfaSessionUserId = "MfaSessionUserId"`
			`NextMfa = "NextMfa"`
feat: support forced binding MFA after login (#1845) 2023-05-17 01:13:13 +08:00			`RequiredMfa = "RequiredMfa"`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`)`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`func GetMfaUtil(mfaType string, config *MfaProps) MfaInterface {`
			`switch mfaType {`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`case SmsType:`
			`return NewSmsTwoFactor(config)`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`case EmailType:`
			`return NewEmailTwoFactor(config)`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`case TotpType:`
			`return nil`
			`}`

			`return nil`
			`}`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`func MfaRecover(user *User, recoveryCode string) error {`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`hit := false`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`if len(user.RecoveryCodes) == 0 {`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`return fmt.Errorf("do not have recovery codes")`
			`}`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`for _, code := range user.RecoveryCodes {`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`if code == recoveryCode {`
			`hit = true`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`user.RecoveryCodes = util.DeleteVal(user.RecoveryCodes, code)`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`break`
			`}`
			`}`
			`if !hit {`
			`return fmt.Errorf("recovery code not found")`
			`}`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())`
feat: return most backend API errors to frontend (#1836) * feat: return most backend API errros to frontend Signed-off-by: yehong <239859435@qq.com> * refactor: reduce int type change Signed-off-by: yehong <239859435@qq.com> * feat: return err backend in token.go Signed-off-by: yehong <239859435@qq.com> --------- Signed-off-by: yehong <239859435@qq.com> 2023-05-30 15:49:39 +08:00			`if err != nil {`
			`return err`
			`}`

feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`return nil`
			`}`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`func GetAllMfaProps(user User, masked bool) []MfaProps {`
			`mfaProps := []*MfaProps{}`

			`if user.MfaPhoneEnabled {`
			`mfaProps = append(mfaProps, user.GetMfaProps(SmsType, masked))`
			`} else {`
			`mfaProps = append(mfaProps, &MfaProps{`
			`Enabled: false,`
			`MfaType: SmsType,`
			`})`
			`}`
			`if user.MfaEmailEnabled {`
			`mfaProps = append(mfaProps, user.GetMfaProps(EmailType, masked))`
			`} else {`
			`mfaProps = append(mfaProps, &MfaProps{`
			`Enabled: false,`
			`MfaType: EmailType,`
			`})`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`}`

feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`return mfaProps`
			`}`

			`func (user User) GetMfaProps(mfaType string, masked bool) MfaProps {`
			`mfaProps := &MfaProps{}`

			`if mfaType == SmsType {`
			`mfaProps = &MfaProps{`
			`Enabled: user.MfaPhoneEnabled,`
			`MfaType: mfaType,`
			`CountryCode: user.CountryCode,`
			`}`
			`if masked {`
			`mfaProps.Secret = util.GetMaskedPhone(user.Phone)`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`} else {`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00			`mfaProps.Secret = user.Phone`
			`}`
			`} else if mfaType == EmailType {`
			`mfaProps = &MfaProps{`
			`Enabled: user.MfaEmailEnabled,`
			`MfaType: mfaType,`
			`}`
			`if masked {`
			`mfaProps.Secret = util.GetMaskedEmail(user.Email)`
			`} else {`
			`mfaProps.Secret = user.Email`
			`}`
			`} else if mfaType == TotpType {`
			`mfaProps = &MfaProps{`
			`MfaType: mfaType,`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`}`
			`}`
feat: improve MFA by using user's own Email and Phone (#2002) * refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot 2023-06-21 18:56:37 +08:00
			`if user.PreferredMfaType == mfaType {`
			`mfaProps.IsPreferred = true`
			`}`
			`return mfaProps`
			`}`

			`func DisabledMultiFactorAuth(user *User) error {`
			`user.PreferredMfaType = ""`
			`user.RecoveryCodes = []string{}`
			`user.MfaPhoneEnabled = false`
			`user.MfaEmailEnabled = false`

			`_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled"}, user.IsAdminUser())`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`func SetPreferredMultiFactorAuth(user *User, mfaType string) error {`
			`user.PreferredMfaType = mfaType`

			`_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
feat: add multi-factor authentication (MFA) feature (#1800) * feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com> 2023-05-05 21:23:59 +08:00			`}`