CoCalc -- ToggleTwoFactorService.php

GitHub Repository: pterodactyl/panel
Path: blob/1.0-develop/app/Services/Users/ToggleTwoFactorService.php
¹⁰²⁷⁷ views
1
<?php
2

3
namespace Pterodactyl\Services\Users;
4

5
use Carbon\Carbon;
6
use Illuminate\Support\Str;
7
use Pterodactyl\Models\User;
8
use PragmaRX\Google2FA\Google2FA;
9
use Illuminate\Database\ConnectionInterface;
10
use Illuminate\Contracts\Encryption\Encrypter;
11
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
12
use Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository;
13
use Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid;
14

15
class ToggleTwoFactorService
16
{
17
    /**
18
     * ToggleTwoFactorService constructor.
19
     */
20
    public function __construct(
21
        private ConnectionInterface $connection,
22
        private Encrypter $encrypter,
23
        private Google2FA $google2FA,
24
        private RecoveryTokenRepository $recoveryTokenRepository,
25
        private UserRepositoryInterface $repository,
26
    ) {
27
    }
28

29
    /**
30
     * Toggle 2FA on an account only if the token provided is valid.
31
     *
32
     * @throws \Throwable
33
     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
34
     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
35
     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
36
     * @throws TwoFactorAuthenticationTokenInvalid
37
     */
38
    public function handle(User $user, string $token, ?bool $toggleState = null): array
39
    {
40
        $secret = $this->encrypter->decrypt($user->totp_secret);
41

42
        $isValidToken = $this->google2FA->verifyKey($secret, $token, config()->get('pterodactyl.auth.2fa.window'));
43

44
        if (!$isValidToken) {
45
            throw new TwoFactorAuthenticationTokenInvalid();
46
        }
47

48
        return $this->connection->transaction(function () use ($user, $toggleState) {
49
            // Now that we're enabling 2FA on the account, generate 10 recovery tokens for the account
50
            // and store them hashed in the database. We'll return them to the caller so that the user
51
            // can see and save them.
52
            //
53
            // If a user is unable to login with a 2FA token they can provide one of these backup codes
54
            // which will then be marked as deleted from the database and will also bypass 2FA protections
55
            // on their account.
56
            $tokens = [];
57
            if ((!$toggleState && !$user->use_totp) || $toggleState) {
58
                $inserts = [];
59
                for ($i = 0; $i < 10; ++$i) {
60
                    $token = Str::random(10);
61

62
                    $inserts[] = [
63
                        'user_id' => $user->id,
64
                        'token' => password_hash($token, PASSWORD_DEFAULT),
65
                        // insert() won't actually set the time on the models, so make sure we do this
66
                        // manually here.
67
                        'created_at' => Carbon::now(),
68
                    ];
69

70
                    $tokens[] = $token;
71
                }
72

73
                // Before inserting any new records make sure all of the old ones are deleted to avoid
74
                // any issues or storing an unnecessary number of tokens in the database.
75
                $this->recoveryTokenRepository->deleteWhere(['user_id' => $user->id]);
76

77
                // Bulk insert the hashed tokens.
78
                $this->recoveryTokenRepository->insert($inserts);
79
            }
80

81
            $this->repository->withoutFreshModel()->update($user->id, [
82
                'totp_authenticated_at' => null,
83
                'use_totp' => (is_null($toggleState) ? !$user->use_totp : $toggleState),
84
            ]);
85

86
            return $tokens;
87
        });
88
    }
89
}
90

91
Product

Resources

Company
