feat: add multi-factor authentication (MFA) feature (#1800)

* feat: add two-factor authentication interface and api * merge * feat: add Two-factor authentication accountItem and two-factor api in frontend * feat: add basic 2fa setup UI * rebase * feat: finish the two-factor authentication * rebase * feat: support recover code * chore: fix eslint error * feat: support multiple sms account * fix: client application login * fix: lint * Update authz.go * Update mfa.go * fix: support phone * fix: i18n * fix: i18n * fix: support preferred mfa methods --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>
2025-07-03 12:30:19 +08:00 · 2023-05-05 21:23:59 +08:00
parent 5b27f939b8
commit eb39e9e044
51 changed files with 4215 additions and 2776 deletions
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -24,7 +24,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"

 	"github.com/casdoor/casdoor/captcha"
 	"github.com/casdoor/casdoor/conf"
@ -70,6 +69,12 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		return
 	}

+	if form.Password != "" && user.IsMfaEnabled() {
+		c.setMfaSessionData(&object.MfaSessionData{UserId: userId})
+		resp = &Response{Status: object.NextMfa, Data: user.GetPreferMfa(true)}
+		return
+	}
+
 	if form.Type == ResponseTypeLogin {
 		c.SetSessionUsername(userId)
 		util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
@ -133,11 +138,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob

 	// if user did not check auto signin
 	if resp.Status == "ok" && !form.AutoSignin {
-		timestamp := time.Now().Unix()
-		timestamp += 3600 * 24
-		c.SetSessionData(&SessionData{
-			ExpireTime: timestamp,
-		})
+		c.setExpireForSession()
 	}

 	if resp.Status == "ok" && user.Owner == object.CasdoorOrganization && application.Name == object.CasdoorApplication {
@ -298,7 +299,6 @@ func (c *ApiController) Login() {

 			password := authForm.Password
 			user, msg = object.CheckUserPassword(authForm.Organization, authForm.Username, password, c.GetAcceptLanguage(), enableCaptcha)
-
 		}

 		if msg != "" {
@ -522,6 +522,38 @@ func (c *ApiController) Login() {
 				resp = &Response{Status: "error", Msg: "Failed to link user account", Data: isLinked}
 			}
 		}
+	} else if c.getMfaSessionData() != nil {
+		mfaSession := c.getMfaSessionData()
+		user := object.GetUser(mfaSession.UserId)
+
+		if authForm.Passcode != "" {
+			MfaUtil := object.GetMfaUtil(authForm.MfaType, user.GetPreferMfa(false))
+			err = MfaUtil.Verify(authForm.Passcode)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+		if authForm.RecoveryCode != "" {
+			err = object.RecoverTfs(user, authForm.RecoveryCode)
+			if err != nil {
+				c.ResponseError(err.Error())
+				return
+			}
+		}
+
+		application := object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		if application == nil {
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), authForm.Application))
+			return
+		}
+
+		resp = c.HandleLoggedIn(application, user, &authForm)
+
+		record := object.NewRecord(c.Ctx)
+		record.Organization = application.Organization
+		record.User = user.Name
+		util.SafeGoroutine(func() { object.AddRecord(record) })
 	} else {
 		if c.GetSessionUsername() != "" {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
@ -539,7 +571,7 @@ func (c *ApiController) Login() {
 			record.User = user.Name
 			util.SafeGoroutine(func() { object.AddRecord(record) })
 		} else {
-			c.ResponseError(fmt.Sprintf(c.T("auth:Unknown authentication type (not password or provider), authForm = %s"), util.StructToJson(authForm)))
+			c.ResponseError(fmt.Sprintf(c.T("auth:Unknown authentication type (not password or provider), form = %s"), util.StructToJson(authForm)))
 			return
 		}
 	}
--- a/controllers/base.go
+++ b/controllers/base.go
@ -168,6 +168,30 @@ func (c *ApiController) SetSessionData(s *SessionData) {
 	c.SetSession("SessionData", util.StructToJson(s))
 }

+func (c *ApiController) setMfaSessionData(data *object.MfaSessionData) {
+	c.SetSession(object.MfaSessionUserId, data.UserId)
+}
+
+func (c *ApiController) getMfaSessionData() *object.MfaSessionData {
+	userId := c.GetSession(object.MfaSessionUserId)
+	if userId == nil {
+		return nil
+	}
+
+	data := &object.MfaSessionData{
+		UserId: userId.(string),
+	}
+	return data
+}
+
+func (c *ApiController) setExpireForSession() {
+	timestamp := time.Now().Unix()
+	timestamp += 3600 * 24
+	c.SetSessionData(&SessionData{
+		ExpireTime: timestamp,
+	})
+}
+
 func wrapActionResponse(affected bool) *Response {
 	if affected {
 		return &Response{Status: "ok", Msg: "", Data: "Affected"}
--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@ -0,0 +1,190 @@
+// Copyright 2023 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"net/http"
+
+	"github.com/beego/beego"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// MfaSetupInitiate
+// @Title MfaSetupInitiate
+// @Tag MFA API
+// @Description setup MFA
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param type	form	string	true	"MFA auth type"
+// @Success 200 {object}   The Response object
+// @router /mfa/setup/initiate [post]
+func (c *ApiController) MfaSetupInitiate() {
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	authType := c.Ctx.Request.Form.Get("type")
+	userId := util.GetId(owner, name)
+
+	if len(userId) == 0 {
+		c.ResponseError(http.StatusText(http.StatusBadRequest))
+		return
+	}
+
+	MfaUtil := object.GetMfaUtil(authType, nil)
+	if MfaUtil == nil {
+		c.ResponseError("Invalid auth type")
+	}
+	user := object.GetUser(userId)
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	issuer := beego.AppConfig.String("appname")
+	accountName := user.GetId()
+
+	mfaProps, err := MfaUtil.Initiate(c.Ctx, issuer, accountName)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	resp := mfaProps
+	c.ResponseOk(resp)
+}
+
+// MfaSetupVerify
+// @Title MfaSetupVerify
+// @Tag MFA API
+// @Description setup verify totp
+// @param	secret		form	string	true	"MFA secret"
+// @param	passcode	form 	string 	true	"MFA passcode"
+// @Success 200 {object}  Response object
+// @router /mfa/setup/verify [post]
+func (c *ApiController) MfaSetupVerify() {
+	authType := c.Ctx.Request.Form.Get("type")
+	passcode := c.Ctx.Request.Form.Get("passcode")
+
+	if authType == "" || passcode == "" {
+		c.ResponseError("missing auth type or passcode")
+		return
+	}
+	MfaUtil := object.GetMfaUtil(authType, nil)
+
+	err := MfaUtil.SetupVerify(c.Ctx, passcode)
+	if err != nil {
+		c.ResponseError(err.Error())
+	} else {
+		c.ResponseOk(http.StatusText(http.StatusOK))
+	}
+}
+
+// MfaSetupEnable
+// @Title MfaSetupEnable
+// @Tag MFA API
+// @Description enable totp
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param type	form	string	true	"MFA auth type"
+// @Success 200 {object}  Response object
+// @router /mfa/setup/enable [post]
+func (c *ApiController) MfaSetupEnable() {
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	authType := c.Ctx.Request.Form.Get("type")
+
+	user := object.GetUser(util.GetId(owner, name))
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	twoFactor := object.GetMfaUtil(authType, nil)
+	err := twoFactor.Enable(c.Ctx, user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(http.StatusText(http.StatusOK))
+}
+
+// DeleteMfa
+// @Title DeleteMfa
+// @Tag MFA API
+// @Description: Delete MFA
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param id	form	string	true	"id of user's MFA props"
+// @Success 200 {object}  Response object
+// @router /delete-mfa/ [post]
+func (c *ApiController) DeleteMfa() {
+	id := c.Ctx.Request.Form.Get("id")
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	userId := util.GetId(owner, name)
+
+	user := object.GetUser(userId)
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	mfaProps := user.MultiFactorAuths[:0]
+	i := 0
+	for _, mfaProp := range mfaProps {
+		if mfaProp.Id != id {
+			mfaProps[i] = mfaProp
+			i++
+		}
+	}
+	user.MultiFactorAuths = mfaProps
+	object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	c.ResponseOk(user.MultiFactorAuths)
+}
+
+// SetPreferredMfa
+// @Title SetPreferredMfa
+// @Tag MFA API
+// @Description: Set specific Mfa Preferred
+// @param owner	form	string	true	"owner of user"
+// @param name	form	string	true	"name of user"
+// @param id	form	string	true	"id of user's MFA props"
+// @Success 200 {object}  Response object
+// @router /set-preferred-mfa [post]
+func (c *ApiController) SetPreferredMfa() {
+	id := c.Ctx.Request.Form.Get("id")
+	owner := c.Ctx.Request.Form.Get("owner")
+	name := c.Ctx.Request.Form.Get("name")
+	userId := util.GetId(owner, name)
+
+	user := object.GetUser(userId)
+	if user == nil {
+		c.ResponseError("User doesn't exist")
+		return
+	}
+
+	mfaProps := user.MultiFactorAuths
+	for i, mfaProp := range user.MultiFactorAuths {
+		if mfaProp.Id == id {
+			mfaProps[i].IsPreferred = true
+		} else {
+			mfaProps[i].IsPreferred = false
+		}
+	}
+
+	object.UpdateUser(userId, user, []string{"multi_factor_auths"}, user.IsAdminUser())
+	c.ResponseOk(user.MultiFactorAuths)
+}
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -27,10 +27,12 @@ import (
 )

 const (
-	SignupVerification = "signup"
-	ResetVerification  = "reset"
-	LoginVerification  = "login"
-	ForgetVerification = "forget"
+	SignupVerification   = "signup"
+	ResetVerification    = "reset"
+	LoginVerification    = "login"
+	ForgetVerification   = "forget"
+	MfaSetupVerification = "mfaSetup"
+	MfaAuthVerification  = "mfaAuth"
 )

 // SendVerificationCode ...
@ -78,6 +80,11 @@ func (c *ApiController) SendVerificationCode() {
 		user = object.GetUser(util.GetId(owner, vform.CheckUser))
 	}

+	// mfaSessionData != nil, means method is MfaSetupVerification
+	if mfaSessionData := c.getMfaSessionData(); mfaSessionData != nil {
+		user = object.GetUser(mfaSessionData.UserId)
+	}
+
 	sendResp := errors.New("invalid dest type")

 	switch vform.Type {
@ -99,6 +106,11 @@ func (c *ApiController) SendVerificationCode() {
 			}
 		} else if vform.Method == ResetVerification {
 			user = c.getCurrentUser()
+		} else if vform.Method == MfaAuthVerification {
+			mfaProps := user.GetPreferMfa(false)
+			if user != nil && util.GetMaskedEmail(mfaProps.Secret) == vform.Dest {
+				vform.Dest = mfaProps.Secret
+			}
 		}

 		provider := application.GetEmailProvider()
@ -119,6 +131,13 @@ func (c *ApiController) SendVerificationCode() {
 			if user = c.getCurrentUser(); user != nil {
 				vform.CountryCode = user.GetCountryCode(vform.CountryCode)
 			}
+		} else if vform.Method == MfaAuthVerification {
+			mfaProps := user.GetPreferMfa(false)
+			if user != nil && util.GetMaskedPhone(mfaProps.Secret) == vform.Dest {
+				vform.Dest = mfaProps.Secret
+			}
+
+			vform.CountryCode = mfaProps.CountryCode
 		}

 		provider := application.GetSmsProvider()
@ -130,6 +149,11 @@ func (c *ApiController) SendVerificationCode() {
 		}
 	}

+	if vform.Method == MfaSetupVerification {
+		c.SetSession(object.MfaSmsCountryCodeSession, vform.CountryCode)
+		c.SetSession(object.MfaSmsDestSession, vform.Dest)
+	}
+
 	if sendResp != nil {
 		c.ResponseError(sendResp.Error())
 	} else {