feat: improve MFA by using user's own Email and Phone (#2002)

* refactor: mfa * fix: clean code * fix: clean code * fix: fix crash and improve robot
2025-07-03 20:50:19 +08:00 · 2023-06-21 18:56:37 +08:00
parent 6ebca6dbe7
commit c391af4552
28 changed files with 528 additions and 362 deletions
--- a/object/mfa.go
+++ b/object/mfa.go
@ -27,9 +27,9 @@ type MfaSessionData struct {
 }

 type MfaProps struct {
-	Id            string   `json:"id"`
+	Enabled       bool     `json:"enabled"`
 	IsPreferred   bool     `json:"isPreferred"`
-	AuthType      string   `json:"type" form:"type"`
+	MfaType       string   `json:"mfaType" form:"mfaType"`
 	Secret        string   `json:"secret,omitempty"`
 	CountryCode   string   `json:"countryCode,omitempty"`
 	URL           string   `json:"url,omitempty"`
@ -44,8 +44,9 @@ type MfaInterface interface {
 }

 const (
-	SmsType  = "sms"
-	TotpType = "app"
+	EmailType = "email"
+	SmsType   = "sms"
+	TotpType  = "app"
 )

 const (
@ -54,10 +55,12 @@ const (
 	RequiredMfa      = "RequiredMfa"
 )

-func GetMfaUtil(providerType string, config *MfaProps) MfaInterface {
-	switch providerType {
+func GetMfaUtil(mfaType string, config *MfaProps) MfaInterface {
+	switch mfaType {
 	case SmsType:
 		return NewSmsTwoFactor(config)
+	case EmailType:
+		return NewEmailTwoFactor(config)
 	case TotpType:
 		return nil
 	}
@ -65,17 +68,17 @@ func GetMfaUtil(providerType string, config *MfaProps) MfaInterface {
 	return nil
 }

-func RecoverTfs(user *User, recoveryCode string) error {
+func MfaRecover(user *User, recoveryCode string) error {
 	hit := false

-	twoFactor := user.GetPreferMfa(false)
-	if len(twoFactor.RecoveryCodes) == 0 {
+	if len(user.RecoveryCodes) == 0 {
 		return fmt.Errorf("do not have recovery codes")
 	}

-	for _, code := range twoFactor.RecoveryCodes {
+	for _, code := range user.RecoveryCodes {
 		if code == recoveryCode {
 			hit = true
+			user.RecoveryCodes = util.DeleteVal(user.RecoveryCodes, code)
 			break
 		}
 	}
@ -83,30 +86,92 @@ func RecoverTfs(user *User, recoveryCode string) error {
 		return fmt.Errorf("recovery code not found")
 	}

-	affected, err := UpdateUser(user.GetId(), user, []string{"two_factor_auth"}, user.IsAdminUser())
+	_, err := UpdateUser(user.GetId(), user, []string{"recovery_codes"}, user.IsAdminUser())
 	if err != nil {
 		return err
 	}

-	if !affected {
-		return fmt.Errorf("")
+	return nil
+}
+
+func GetAllMfaProps(user *User, masked bool) []*MfaProps {
+	mfaProps := []*MfaProps{}
+
+	if user.MfaPhoneEnabled {
+		mfaProps = append(mfaProps, user.GetMfaProps(SmsType, masked))
+	} else {
+		mfaProps = append(mfaProps, &MfaProps{
+			Enabled: false,
+			MfaType: SmsType,
+		})
+	}
+	if user.MfaEmailEnabled {
+		mfaProps = append(mfaProps, user.GetMfaProps(EmailType, masked))
+	} else {
+		mfaProps = append(mfaProps, &MfaProps{
+			Enabled: false,
+			MfaType: EmailType,
+		})
+	}
+
+	return mfaProps
+}
+
+func (user *User) GetMfaProps(mfaType string, masked bool) *MfaProps {
+	mfaProps := &MfaProps{}
+
+	if mfaType == SmsType {
+		mfaProps = &MfaProps{
+			Enabled:     user.MfaPhoneEnabled,
+			MfaType:     mfaType,
+			CountryCode: user.CountryCode,
+		}
+		if masked {
+			mfaProps.Secret = util.GetMaskedPhone(user.Phone)
+		} else {
+			mfaProps.Secret = user.Phone
+		}
+	} else if mfaType == EmailType {
+		mfaProps = &MfaProps{
+			Enabled: user.MfaEmailEnabled,
+			MfaType: mfaType,
+		}
+		if masked {
+			mfaProps.Secret = util.GetMaskedEmail(user.Email)
+		} else {
+			mfaProps.Secret = user.Email
+		}
+	} else if mfaType == TotpType {
+		mfaProps = &MfaProps{
+			MfaType: mfaType,
+		}
+	}
+
+	if user.PreferredMfaType == mfaType {
+		mfaProps.IsPreferred = true
+	}
+	return mfaProps
+}
+
+func DisabledMultiFactorAuth(user *User) error {
+	user.PreferredMfaType = ""
+	user.RecoveryCodes = []string{}
+	user.MfaPhoneEnabled = false
+	user.MfaEmailEnabled = false
+
+	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type", "recovery_codes", "mfa_phone_enabled", "mfa_email_enabled"}, user.IsAdminUser())
+	if err != nil {
+		return err
 	}
 	return nil
 }

-func GetMaskedProps(props *MfaProps) *MfaProps {
-	maskedProps := &MfaProps{
-		AuthType:    props.AuthType,
-		Id:          props.Id,
-		IsPreferred: props.IsPreferred,
-	}
+func SetPreferredMultiFactorAuth(user *User, mfaType string) error {
+	user.PreferredMfaType = mfaType

-	if props.AuthType == SmsType {
-		if !util.IsEmailValid(props.Secret) {
-			maskedProps.Secret = util.GetMaskedPhone(props.Secret)
-		} else {
-			maskedProps.Secret = util.GetMaskedEmail(props.Secret)
-		}
+	_, err := UpdateUser(user.GetId(), user, []string{"preferred_mfa_type"}, user.IsAdminUser())
+	if err != nil {
+		return err
 	}
-	return maskedProps
+	return nil
 }
--- a/object/mfa_sms.go
+++ b/object/mfa_sms.go
@ -34,6 +34,21 @@ type SmsMfa struct {
 	Config *MfaProps
 }

+func (mfa *SmsMfa) Initiate(ctx *context.Context, name string, secret string) (*MfaProps, error) {
+	recoveryCode := uuid.NewString()
+
+	err := ctx.Input.CruSession.Set(MfaSmsRecoveryCodesSession, []string{recoveryCode})
+	if err != nil {
+		return nil, err
+	}
+
+	mfaProps := MfaProps{
+		MfaType:       mfa.Config.MfaType,
+		RecoveryCodes: []string{recoveryCode},
+	}
+	return &mfaProps, nil
+}
+
 func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
 	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
 	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
@ -47,6 +62,45 @@ func (mfa *SmsMfa) SetupVerify(ctx *context.Context, passCode string) error {
 	return nil
 }

+func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
+	recoveryCodes := ctx.Input.CruSession.Get(MfaSmsRecoveryCodesSession).([]string)
+	if len(recoveryCodes) == 0 {
+		return fmt.Errorf("recovery codes is empty")
+	}
+
+	columns := []string{"recovery_codes", "preferred_mfa_type"}
+
+	user.RecoveryCodes = append(user.RecoveryCodes, recoveryCodes...)
+	if user.PreferredMfaType == "" {
+		user.PreferredMfaType = mfa.Config.MfaType
+	}
+
+	if mfa.Config.MfaType == SmsType {
+		user.MfaPhoneEnabled = true
+		columns = append(columns, "mfa_phone_enabled")
+
+		if user.Phone == "" {
+			user.Phone = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+			user.CountryCode = ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
+			columns = append(columns, "phone", "country_code")
+		}
+	} else if mfa.Config.MfaType == EmailType {
+		user.MfaEmailEnabled = true
+		columns = append(columns, "mfa_email_enabled")
+
+		if user.Email == "" {
+			user.Email = ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
+			columns = append(columns, "email")
+		}
+	}
+
+	_, err := UpdateUser(user.GetId(), user, columns, false)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (mfa *SmsMfa) Verify(passCode string) error {
 	if !util.IsEmailValid(mfa.Config.Secret) {
 		mfa.Config.Secret, _ = util.GetE164Number(mfa.Config.Secret, mfa.Config.CountryCode)
@ -57,65 +111,21 @@ func (mfa *SmsMfa) Verify(passCode string) error {
 	return nil
 }

-func (mfa *SmsMfa) Initiate(ctx *context.Context, name string, secret string) (*MfaProps, error) {
-	recoveryCode, err := uuid.NewRandom()
-	if err != nil {
-		return nil, err
-	}
-
-	err = ctx.Input.CruSession.Set(MfaSmsRecoveryCodesSession, []string{recoveryCode.String()})
-	if err != nil {
-		return nil, err
-	}
-
-	mfaProps := MfaProps{
-		AuthType:      SmsType,
-		RecoveryCodes: []string{recoveryCode.String()},
-	}
-	return &mfaProps, nil
-}
-
-func (mfa *SmsMfa) Enable(ctx *context.Context, user *User) error {
-	dest := ctx.Input.CruSession.Get(MfaSmsDestSession).(string)
-	recoveryCodes := ctx.Input.CruSession.Get(MfaSmsRecoveryCodesSession).([]string)
-	countryCode := ctx.Input.CruSession.Get(MfaSmsCountryCodeSession).(string)
-
-	if dest == "" || len(recoveryCodes) == 0 {
-		return fmt.Errorf("MFA dest or recovery codes is empty")
-	}
-
-	if !util.IsEmailValid(dest) {
-		mfa.Config.CountryCode = countryCode
-	}
-
-	mfa.Config.AuthType = SmsType
-	mfa.Config.Id = uuid.NewString()
-	mfa.Config.Secret = dest
-	mfa.Config.RecoveryCodes = recoveryCodes
-
-	for i, mfaProp := range user.MultiFactorAuths {
-		if mfaProp.Secret == mfa.Config.Secret {
-			user.MultiFactorAuths = append(user.MultiFactorAuths[:i], user.MultiFactorAuths[i+1:]...)
-		}
-	}
-	user.MultiFactorAuths = append(user.MultiFactorAuths, mfa.Config)
-
-	affected, err := UpdateUser(user.GetId(), user, []string{"multi_factor_auths"}, user.IsAdminUser())
-	if err != nil {
-		return err
-	}
-
-	if !affected {
-		return fmt.Errorf("failed to enable two factor authentication")
-	}
-
-	return nil
-}
-
 func NewSmsTwoFactor(config *MfaProps) *SmsMfa {
 	if config == nil {
 		config = &MfaProps{
-			AuthType: SmsType,
+			MfaType: SmsType,
+		}
+	}
+	return &SmsMfa{
+		Config: config,
+	}
+}
+
+func NewEmailTwoFactor(config *MfaProps) *SmsMfa {
+	if config == nil {
+		config = &MfaProps{
+			MfaType: EmailType,
 		}
 	}
 	return &SmsMfa{
--- a/object/user.go
+++ b/object/user.go
@ -159,7 +159,11 @@ type User struct {
 	Custom          string `xorm:"custom varchar(100)" json:"custom"`

 	WebauthnCredentials []webauthn.Credential `xorm:"webauthnCredentials blob" json:"webauthnCredentials"`
-	MultiFactorAuths    []*MfaProps           `json:"multiFactorAuths"`
+	PreferredMfaType    string                `xorm:"varchar(100)" json:"preferredMfaType"`
+	RecoveryCodes       []string              `xorm:"varchar(1000)" json:"recoveryCodes,omitempty"`
+	MfaPhoneEnabled     bool                  `json:"mfaPhoneEnabled"`
+	MfaEmailEnabled     bool                  `json:"mfaEmailEnabled"`
+	MultiFactorAuths    []*MfaProps           `xorm:"-" json:"multiFactorAuths,omitempty"`

 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
@ -425,6 +429,12 @@ func GetMaskedUser(user *User, errs ...error) (*User, error) {
 	if user.Password != "" {
 		user.Password = "***"
 	}
+	if user.AccessSecret != "" {
+		user.AccessSecret = "***"
+	}
+	if user.RecoveryCodes != nil {
+		user.RecoveryCodes = nil
+	}

 	if user.ManagedAccounts != nil {
 		for _, manageAccount := range user.ManagedAccounts {
@ -432,11 +442,6 @@ func GetMaskedUser(user *User, errs ...error) (*User, error) {
 		}
 	}

-	if user.MultiFactorAuths != nil {
-		for i, props := range user.MultiFactorAuths {
-			user.MultiFactorAuths[i] = GetMaskedProps(props)
-		}
-	}
 	return user, nil
 }

@ -823,35 +828,14 @@ func userChangeTrigger(oldName string, newName string) error {
 }

 func (user *User) IsMfaEnabled() bool {
-	return len(user.MultiFactorAuths) > 0
+	return user.PreferredMfaType != ""
 }

-func (user *User) GetPreferMfa(masked bool) *MfaProps {
-	if len(user.MultiFactorAuths) == 0 {
+func (user *User) GetPreferredMfaProps(masked bool) *MfaProps {
+	if user.PreferredMfaType == "" {
 		return nil
 	}
-
-	if masked {
-		if len(user.MultiFactorAuths) == 1 {
-			return GetMaskedProps(user.MultiFactorAuths[0])
-		}
-		for _, v := range user.MultiFactorAuths {
-			if v.IsPreferred {
-				return GetMaskedProps(v)
-			}
-		}
-		return GetMaskedProps(user.MultiFactorAuths[0])
-	} else {
-		if len(user.MultiFactorAuths) == 1 {
-			return user.MultiFactorAuths[0]
-		}
-		for _, v := range user.MultiFactorAuths {
-			if v.IsPreferred {
-				return v
-			}
-		}
-		return user.MultiFactorAuths[0]
-	}
+	return user.GetMfaProps(user.PreferredMfaType, masked)
 }

 func AddUserkeys(user *User, isAdmin bool) (bool, error) {
--- a/object/user_util.go
+++ b/object/user_util.go
@ -288,9 +288,7 @@ func CheckPermissionForUpdateUser(oldUser, newUser *User, isAdmin bool, lang str
 		itemsChanged = append(itemsChanged, item)
 	}

-	oldUserTwoFactorAuthJson, _ := json.Marshal(oldUser.MultiFactorAuths)
-	newUserTwoFactorAuthJson, _ := json.Marshal(newUser.MultiFactorAuths)
-	if string(oldUserTwoFactorAuthJson) != string(newUserTwoFactorAuthJson) {
+	if oldUser.PreferredMfaType != newUser.PreferredMfaType {
 		item := GetAccountItemByName("Multi-factor authentication", organization)
 		itemsChanged = append(itemsChanged, item)
 	}