misuzu/public-legacy/auth/twofactor.php

<?php
namespace Misuzu;

use RuntimeException;
use Misuzu\TOTPGenerator;
use Misuzu\Auth\AuthTokenCookie;

$urls = $msz->getURLs();
$authInfo = $msz->getAuthInfo();
if($authInfo->isLoggedIn()) {
    Tools::redirect($urls->format('index'));
    return;
}

$authCtx = $msz->getAuthContext();
$users = $msz->getUsersContext()->getUsers();
$sessions = $authCtx->getSessions();
$tfaSessions = $authCtx->getTwoFactorAuthSessions();
$loginAttempts = $authCtx->getLoginAttempts();

$ipAddress = $_SERVER['REMOTE_ADDR'];
$countryCode = $_SERVER['COUNTRY_CODE'] ?? 'XX';
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$twofactor = !empty($_POST['twofactor']) && is_array($_POST['twofactor']) ? $_POST['twofactor'] : [];
$notices = [];

$remainingAttempts = $loginAttempts->countRemainingAttempts($ipAddress);

$tokenString = !empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : (
    !empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : ''
);

$tokenUserId = $tfaSessions->getTokenUserId($tokenString);
if(empty($tokenUserId)) {
    Tools::redirect($urls->format('auth-login'));
    return;
}

$userInfo = $users->getUser($tokenUserId, 'id');

// checking user_totp_key specifically because there's a fringe chance that
//  there's a token present, but totp is actually disabled
if(!$userInfo->hasTOTPKey()) {
    Tools::redirect($urls->format('auth-login'));
    return;
}

while(!empty($twofactor)) {
    if(!CSRF::validateRequest()) {
        $notices[] = 'Was unable to verify the request, please try again!';
        break;
    }

    $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : '';

    if(empty($twofactor['code']) || !is_string($twofactor['code'])) {
        $notices[] = 'Code field was empty.';
        break;
    }

    if($remainingAttempts < 1) {
        $notices[] = 'There are too many failed login attempts from your IP address, please try again later.';
        break;
    }

    $clientInfo = ClientInfo::fromRequest();
    $totp = new TOTPGenerator($userInfo->getTOTPKey());

    if(!in_array($twofactor['code'], $totp->generateRange())) {
        $notices[] = sprintf(
            "Invalid two factor code, %d attempt%s remaining",
            $remainingAttempts - 1,
            $remainingAttempts === 2 ? '' : 's'
        );
        $loginAttempts->recordAttempt(false, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);
        break;
    }

    $loginAttempts->recordAttempt(true, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);
    $tfaSessions->deleteToken($tokenString);

    try {
        $sessionInfo = $sessions->createSession($userInfo, $ipAddress, $countryCode, $userAgent, $clientInfo);
    } catch(RuntimeException $ex) {
        $notices[] = "Something broke while creating a session for you, please tell an administrator or developer about this!";
        break;
    }

    $tokenBuilder = $authInfo->getTokenInfo()->toBuilder();
    $tokenBuilder->setUserId($userInfo);
    $tokenBuilder->setSessionToken($sessionInfo);
    $tokenBuilder->removeImpersonatedUserId();
    $tokenInfo = $tokenBuilder->toInfo();

    AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));

    if(!Tools::isLocalURL($redirect))
        $redirect = $urls->format('index');

    Tools::redirect($redirect);
    return;
}

Template::render('auth.twofactor', [
    'twofactor_notices' => $notices,
    'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : $urls->format('index'),
    'twofactor_attempts_remaining' => $remainingAttempts,
    'twofactor_token' => $tokenString,
]);
Imported into new repository. 2022-09-13 13:14:49 +00:00			`<?php`
			`namespace Misuzu;`

Normalised custom exception usage in user classes. Also updated the Index library to include the MediaType fix. 2023-07-22 15:02:41 +00:00			`use RuntimeException;`
Rewrote the user information class. This one took multiple days and it pretty invasive into the core of Misuzu so issue might (will) arise, there's also some features that have gone temporarily missing in the mean time and some inefficiencies introduced that will be fixed again at a later time. The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates. If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe. 2023-08-02 22:12:47 +00:00			`use Misuzu\TOTPGenerator;`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`use Misuzu\Auth\AuthTokenCookie;`
Imported into new repository. 2022-09-13 13:14:49 +00:00
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`$urls = $msz->getURLs();`
Moved authentication related macros out of MisuzuContext. 2023-09-06 20:06:07 +00:00			`$authInfo = $msz->getAuthInfo();`
			`if($authInfo->isLoggedIn()) {`
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`Tools::redirect($urls->format('index'));`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`return;`
			`}`

Split auth stuff off into own context. 2023-09-08 00:43:00 +00:00			`$authCtx = $msz->getAuthContext();`
Moved user related stuff into its own context object. 2023-09-06 13:50:19 +00:00			`$users = $msz->getUsersContext()->getUsers();`
Split auth stuff off into own context. 2023-09-08 00:43:00 +00:00			`$sessions = $authCtx->getSessions();`
			`$tfaSessions = $authCtx->getTwoFactorAuthSessions();`
			`$loginAttempts = $authCtx->getLoginAttempts();`
Rewrote the user information class. This one took multiple days and it pretty invasive into the core of Misuzu so issue might (will) arise, there's also some features that have gone temporarily missing in the mean time and some inefficiencies introduced that will be fixed again at a later time. The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates. If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe. 2023-08-02 22:12:47 +00:00
Remove IPAddress::remote and all implicit resolving of the request remote address. 2023-01-05 18:33:03 +00:00			`$ipAddress = $_SERVER['REMOTE_ADDR'];`
Rely on NGINX GeoIP2 module for country code lookup. 2023-07-11 00:25:43 +00:00			`$countryCode = $_SERVER['COUNTRY_CODE'] ?? 'XX';`
Rewrite login attempts log to use new database backend. 2023-07-22 16:37:57 +00:00			`$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`$twofactor = !empty($_POST['twofactor']) && is_array($_POST['twofactor']) ? $_POST['twofactor'] : [];`
			`$notices = [];`
Rewrite login attempts log to use new database backend. 2023-07-22 16:37:57 +00:00
			`$remainingAttempts = $loginAttempts->countRemainingAttempts($ipAddress);`
Imported into new repository. 2022-09-13 13:14:49 +00:00
Rewrote TFA session code. 2023-07-27 12:44:50 +00:00			`$tokenString = !empty($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : (`
			`!empty($twofactor['token']) && is_string($twofactor['token']) ? $twofactor['token'] : ''`
			`);`
Imported into new repository. 2022-09-13 13:14:49 +00:00
Rewrote TFA session code. 2023-07-27 12:44:50 +00:00			`$tokenUserId = $tfaSessions->getTokenUserId($tokenString);`
			`if(empty($tokenUserId)) {`
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`Tools::redirect($urls->format('auth-login'));`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`return;`
			`}`

Rewrote the user information class. This one took multiple days and it pretty invasive into the core of Misuzu so issue might (will) arise, there's also some features that have gone temporarily missing in the mean time and some inefficiencies introduced that will be fixed again at a later time. The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates. If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe. 2023-08-02 22:12:47 +00:00			`$userInfo = $users->getUser($tokenUserId, 'id');`
Imported into new repository. 2022-09-13 13:14:49 +00:00
			`// checking user_totp_key specifically because there's a fringe chance that`
			`// there's a token present, but totp is actually disabled`
Some TOTP touch-ups. 2023-07-29 20:18:41 +00:00			`if(!$userInfo->hasTOTPKey()) {`
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`Tools::redirect($urls->format('auth-login'));`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`return;`
			`}`

			`while(!empty($twofactor)) {`
			`if(!CSRF::validateRequest()) {`
			`$notices[] = 'Was unable to verify the request, please try again!';`
			`break;`
			`}`

			`$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';`
			`$redirect = !empty($twofactor['redirect']) && is_string($twofactor['redirect']) ? $twofactor['redirect'] : '';`

			`if(empty($twofactor['code']) \|\| !is_string($twofactor['code'])) {`
			`$notices[] = 'Code field was empty.';`
			`break;`
			`}`

			`if($remainingAttempts < 1) {`
			`$notices[] = 'There are too many failed login attempts from your IP address, please try again later.';`
			`break;`
			`}`

Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00			`$clientInfo = ClientInfo::fromRequest();`
Rewrote the user information class. This one took multiple days and it pretty invasive into the core of Misuzu so issue might (will) arise, there's also some features that have gone temporarily missing in the mean time and some inefficiencies introduced that will be fixed again at a later time. The old class isn't gone entirely because I still have to figure out what I'm gonna do about validation, but for the most part this knocks out one of the "layers of backwards compatibility", as I've been referring to it, and is moving us closer to a future where Flashii actually gets real updates. If you run into anything that's broken and you're inhibited from reporting it through the forum, do it through chat or mail me at flashii-issues@flash.moe. 2023-08-02 22:12:47 +00:00			`$totp = new TOTPGenerator($userInfo->getTOTPKey());`
Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00
Some TOTP touch-ups. 2023-07-29 20:18:41 +00:00			`if(!in_array($twofactor['code'], $totp->generateRange())) {`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`$notices[] = sprintf(`
			`"Invalid two factor code, %d attempt%s remaining",`
			`$remainingAttempts - 1,`
			`$remainingAttempts === 2 ? '' : 's'`
			`);`
Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00			`$loginAttempts->recordAttempt(false, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`break;`
			`}`

Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00			`$loginAttempts->recordAttempt(true, $ipAddress, $countryCode, $userAgent, $clientInfo, $userInfo);`
Rewrote TFA session code. 2023-07-27 12:44:50 +00:00			`$tfaSessions->deleteToken($tokenString);`
Imported into new repository. 2022-09-13 13:14:49 +00:00
			`try {`
Rewrote Sessions backend. 2023-07-28 20:06:12 +00:00			`$sessionInfo = $sessions->createSession($userInfo, $ipAddress, $countryCode, $userAgent, $clientInfo);`
Normalised custom exception usage in user classes. Also updated the Index library to include the MediaType fix. 2023-07-22 15:02:41 +00:00			`} catch(RuntimeException $ex) {`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`$notices[] = "Something broke while creating a session for you, please tell an administrator or developer about this!";`
			`break;`
			`}`

Moved authentication related macros out of MisuzuContext. 2023-09-06 20:06:07 +00:00			`$tokenBuilder = $authInfo->getTokenInfo()->toBuilder();`
Changed the way msz_auth is handled. Going forward msz_auth is always assumed to be present, even while the user is not logged in. If the cookie is not present a default, empty value will be used. The msz_uid and msz_sid cookies are also still upconverted for some reason but are no longer removed even though there's no active sessions that can possibly have those anymore. As with the previous change, shit may be broken so report any Anomalies you come across, through flashii-issues@flash.moe if necessary. 2023-08-03 01:35:08 +00:00			`$tokenBuilder->setUserId($userInfo);`
			`$tokenBuilder->setSessionToken($sessionInfo);`
			`$tokenBuilder->removeImpersonatedUserId();`
			`$tokenInfo = $tokenBuilder->toInfo();`

			`AuthTokenCookie::apply($tokenPacker->pack($tokenInfo));`
Imported into new repository. 2022-09-13 13:14:49 +00:00
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`if(!Tools::isLocalURL($redirect))`
			`$redirect = $urls->format('index');`
Imported into new repository. 2022-09-13 13:14:49 +00:00
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`Tools::redirect($redirect);`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`return;`
			`}`

			`Template::render('auth.twofactor', [`
			`'twofactor_notices' => $notices,`
Rewrote URL registry. 2023-09-08 20:40:48 +00:00			`'twofactor_redirect' => !empty($_GET['redirect']) && is_string($_GET['redirect']) ? $_GET['redirect'] : $urls->format('index'),`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`'twofactor_attempts_remaining' => $remainingAttempts,`
Rewrote TFA session code. 2023-07-27 12:44:50 +00:00			`'twofactor_token' => $tokenString,`
Imported into new repository. 2022-09-13 13:14:49 +00:00			`]);`