TwoFactorHook::executeBefore() - Code Metrics - eduvpn/vpn-lib-common - Measure and Improve Code Quality continuously with Scrutinizer

TwoFactorHook::executeBefore() C
last analyzed 2017-08-17 16:32 UTC

↳ Parent: TwoFactorHook

Complexity

Conditions	9
Paths	7

Size

Total Lines	58
Code Lines	30

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	58
rs	6.9928
c	0
b	0
f	0
cc	9
eloc	30
nc	7
nop	2

How to fix Long Method

<?php

/**
 * eduVPN - End-user friendly VPN.
 *
 * Copyright: 2016-2017, The Commons Conservancy eduVPN Programme
 * SPDX-License-Identifier: AGPL-3.0+
 */

namespace SURFnet\VPN\Common\Http;

use fkooman\SeCookie\SessionInterface;
use SURFnet\VPN\Common\Http\Exception\HttpException;
use SURFnet\VPN\Common\HttpClient\ServerClient;
use SURFnet\VPN\Common\TplInterface;

class TwoFactorHook implements BeforeHookInterface
{
    /** @var \fkooman\SeCookie\SessionInterface; */
    private $session;

    /** @var \SURFnet\VPN\Common\TplInterface */
    private $tpl;

    /** @var \SURFnet\VPN\Common\HttpClient\ServerClient */
    private $serverClient;

    public function __construct(SessionInterface $session, TplInterface $tpl, ServerClient $serverClient)
    {
        $this->session = $session;
        $this->tpl = $tpl;
        $this->serverClient = $serverClient;
    }

    public function executeBefore(Request $request, array $hookData)
    {
        // some URIs are allowed as they are used for either logging in, or
        // verifying the OTP key
        $allowedUris = [
            '/_form/auth/verify',
            '/_form/auth/logout',
            '/_two_factor/auth/verify/totp',
            '/_two_factor/auth/verify/yubi',
            '/_oauth/token',
        ];

        if (in_array($request->getPathInfo(), $allowedUris) && 'POST' === $request->getRequestMethod()) {
            return false;
        }

        if (!array_key_exists('auth', $hookData)) {
            throw new HttpException('authentication hook did not run before', 500);
        }
        $userId = $hookData['auth'];

        if ($this->session->has('_two_factor_verified')) {
            if ($userId !== $this->session->get('_two_factor_verified')) {
                throw new HttpException('two-factor code not bound to authenticated user', 400);
            }

            return true;
        }

        $hasTotpSecret = $this->serverClient->get('has_totp_secret', ['user_id' => $userId]);
        $hasYubiId = $this->serverClient->get('has_yubi_key_id', ['user_id' => $userId]);

        // check if the user is enrolled for 2FA, if not we are fine, for this
        // session we assume we are verified!
        if (!$hasTotpSecret && !$hasYubiId) {
            $this->session->regenerate(true);
            $this->session->set('_two_factor_verified', $userId);

            return false;
        }

        // if not Yubi, then TOTP
        $templateName = $hasYubiId ? 'twoFactorYubiKeyOtp' : 'twoFactorTotp';

        // any other URL, enforce 2FA
        $response = new Response(200, 'text/html');
        $response->setBody(
            $this->tpl->render(
                $templateName,
                [
                    '_two_factor_auth_invalid' => false,
                    '_two_factor_auth_redirect_to' => $request->getUri(),
                ]
            )
        );

        return $response;
    }
}


1			<?php
2
3			/**
4			* eduVPN - End-user friendly VPN.
5			*
6			* Copyright: 2016-2017, The Commons Conservancy eduVPN Programme
7			* SPDX-License-Identifier: AGPL-3.0+
8			*/
9
10			namespace SURFnet\VPN\Common\Http;
11
12			use fkooman\SeCookie\SessionInterface;
13			use SURFnet\VPN\Common\Http\Exception\HttpException;
14			use SURFnet\VPN\Common\HttpClient\ServerClient;
15			use SURFnet\VPN\Common\TplInterface;
16
17			class TwoFactorHook implements BeforeHookInterface
18			{
19			/** @var \fkooman\SeCookie\SessionInterface; */
20			private $session;
21
22			/** @var \SURFnet\VPN\Common\TplInterface */
23			private $tpl;
24
25			/** @var \SURFnet\VPN\Common\HttpClient\ServerClient */
26			private $serverClient;
27
28			public function __construct(SessionInterface $session, TplInterface $tpl, ServerClient $serverClient)
29			{
30			$this->session = $session;
31			$this->tpl = $tpl;
32			$this->serverClient = $serverClient;
33			}
34
35			public function executeBefore(Request $request, array $hookData)
36			{
37			// some URIs are allowed as they are used for either logging in, or
38			// verifying the OTP key
39			$allowedUris = [
40			'/_form/auth/verify',
41			'/_form/auth/logout',
42			'/_two_factor/auth/verify/totp',
43			'/_two_factor/auth/verify/yubi',
44			'/_oauth/token',
45			];
46
47			if (in_array($request->getPathInfo(), $allowedUris) && 'POST' === $request->getRequestMethod()) {
48			return false;
49			}
50
51			if (!array_key_exists('auth', $hookData)) {
52			throw new HttpException('authentication hook did not run before', 500);
53			}
54			$userId = $hookData['auth'];
55
56			if ($this->session->has('_two_factor_verified')) {
57			if ($userId !== $this->session->get('_two_factor_verified')) {
58			throw new HttpException('two-factor code not bound to authenticated user', 400);
59			}
60
61			return true;
62			}
63
64			$hasTotpSecret = $this->serverClient->get('has_totp_secret', ['user_id' => $userId]);
65			$hasYubiId = $this->serverClient->get('has_yubi_key_id', ['user_id' => $userId]);
66
67			// check if the user is enrolled for 2FA, if not we are fine, for this
68			// session we assume we are verified!
69			if (!$hasTotpSecret && !$hasYubiId) {
70			$this->session->regenerate(true);
71			$this->session->set('_two_factor_verified', $userId);
72
73			return false;
74			}
75
76			// if not Yubi, then TOTP
77			$templateName = $hasYubiId ? 'twoFactorYubiKeyOtp' : 'twoFactorTotp';
78
79			// any other URL, enforce 2FA
80			$response = new Response(200, 'text/html');
81			$response->setBody(
82			$this->tpl->render(
83			$templateName,
84			[
85			'_two_factor_auth_invalid' => false,
86			'_two_factor_auth_redirect_to' => $request->getUri(),
87			]
88			)
89			);
90
91			return $response;
92			}
93			}
94

eduvpn / vpn-lib-common

GitHub Access Token became invalid

TwoFactorHook::executeBefore() C last analyzed 2017-08-17 16:32 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like

TwoFactorHook::executeBefore() C
last analyzed 2017-08-17 16:32 UTC