|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace SilverStripe\MFA\RequestHandler; |
|
4
|
|
|
|
|
5
|
|
|
use SilverStripe\Control\HTTPRequest; |
|
6
|
|
|
use SilverStripe\Control\HTTPResponse; |
|
7
|
|
|
use SilverStripe\Core\Config\Config; |
|
8
|
|
|
use SilverStripe\MFA\Exception\InvalidMethodException; |
|
9
|
|
|
use SilverStripe\MFA\Method\MethodInterface; |
|
10
|
|
|
use SilverStripe\MFA\Service\EnforcementManager; |
|
11
|
|
|
use SilverStripe\MFA\Service\MethodRegistry; |
|
12
|
|
|
use SilverStripe\MFA\Service\RegisteredMethodManager; |
|
13
|
|
|
use SilverStripe\MFA\State\Result; |
|
14
|
|
|
use SilverStripe\MFA\Store\StoreInterface; |
|
15
|
|
|
use SilverStripe\Security\SecurityToken; |
|
16
|
|
|
|
|
17
|
|
|
/** |
|
18
|
|
|
* This trait encapsulates logic that can be added to a `RequestHandler` to work with logging in using MFA front-end |
|
19
|
|
|
* app. It provides two main methods; @see createStartVerificationResponse - a response that can be easily consumed by |
|
20
|
|
|
* the MFA app to prompt a login, and @see completeVerificationRequest - used to verify a request sent by the MFA app |
|
21
|
|
|
* containing the login attempt. |
|
22
|
|
|
*/ |
|
23
|
|
|
trait VerificationHandlerTrait |
|
24
|
|
|
{ |
|
25
|
|
|
/** |
|
26
|
|
|
* Create an HTTPResponse that provides information to the client side React MFA app to prompt the user to login |
|
27
|
|
|
* with their configured MFA method |
|
28
|
|
|
* |
|
29
|
|
|
* @param StoreInterface $store |
|
30
|
|
|
* @param MethodInterface|null $requestedMethod |
|
31
|
|
|
* @return HTTPResponse |
|
32
|
|
|
*/ |
|
33
|
|
|
protected function createStartVerificationResponse( |
|
34
|
|
|
StoreInterface $store, |
|
35
|
|
|
?MethodInterface $requestedMethod = null |
|
36
|
|
|
): HTTPResponse { |
|
37
|
|
|
$registeredMethod = null; |
|
38
|
|
|
$member = $store->getMember(); |
|
39
|
|
|
|
|
40
|
|
|
// Use a requested method if provided |
|
41
|
|
|
if ($requestedMethod) { |
|
42
|
|
|
$registeredMethod = RegisteredMethodManager::singleton()->getFromMember($member, $requestedMethod); |
|
43
|
|
|
} |
|
44
|
|
|
|
|
45
|
|
|
// ...Or use the default (TODO: Should we have the default as a fallback? Maybe just if no method is specified?) |
|
46
|
|
|
if (!$registeredMethod) { |
|
47
|
|
|
$registeredMethod = $member->DefaultRegisteredMethod; |
|
48
|
|
|
} |
|
49
|
|
|
|
|
50
|
|
|
$response = HTTPResponse::create() |
|
51
|
|
|
->addHeader('Content-Type', 'application/json'); |
|
52
|
|
|
|
|
53
|
|
|
// We can't proceed with login if the Member doesn't have this method registered |
|
54
|
|
|
if (!$registeredMethod) { |
|
55
|
|
|
// We can display a specific message if there was no method specified |
|
56
|
|
|
if (!$requestedMethod) { |
|
57
|
|
|
$message = _t( |
|
58
|
|
|
__CLASS__ . '.METHOD_NOT_PROVIDED', |
|
59
|
|
|
'No method was provided to login with and the Member has no default' |
|
60
|
|
|
); |
|
61
|
|
|
} else { |
|
62
|
|
|
$message = _t(__CLASS__ . '.METHOD_NOT_REGISTERED', 'Member does not have this method registered'); |
|
63
|
|
|
} |
|
64
|
|
|
|
|
65
|
|
|
return $response->setBody(json_encode(['errors' => [$message]]))->setStatusCode(400); |
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
|
|
// Mark the given method as started within the store |
|
69
|
|
|
$store->setMethod($registeredMethod->getMethod()->getURLSegment()); |
|
70
|
|
|
// Allow the authenticator to begin the process and generate some data to pass through to the front end |
|
71
|
|
|
$data = $registeredMethod->getVerifyHandler()->start($store, $registeredMethod) ?: []; |
|
72
|
|
|
|
|
73
|
|
|
// Add a CSRF token |
|
74
|
|
|
$token = SecurityToken::inst(); |
|
75
|
|
|
$token->reset(); |
|
76
|
|
|
$data[$token->getName()] = $token->getValue(); |
|
77
|
|
|
|
|
78
|
|
|
// Respond with our method |
|
79
|
|
|
return $response->setBody(json_encode($data)); |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
/** |
|
83
|
|
|
* Attempt to verify a login attempt provided by the given request |
|
84
|
|
|
* |
|
85
|
|
|
* @param StoreInterface $store |
|
86
|
|
|
* @param HTTPRequest $request |
|
87
|
|
|
* @return Result |
|
88
|
|
|
* @throws InvalidMethodException |
|
89
|
|
|
*/ |
|
90
|
|
|
protected function completeVerificationRequest(StoreInterface $store, HTTPRequest $request): Result |
|
91
|
|
|
{ |
|
92
|
|
|
if (!SecurityToken::inst()->checkRequest($request)) { |
|
93
|
|
|
return Result::create(false, _t( |
|
94
|
|
|
__CLASS__ . '.CSRF_FAILURE', |
|
95
|
|
|
'Your request timed out. Please refresh and try again' |
|
96
|
|
|
), ['code' => 403]); |
|
97
|
|
|
} |
|
98
|
|
|
|
|
99
|
|
|
$method = $store->getMethod(); |
|
100
|
|
|
$methodInstance = $method ? MethodRegistry::singleton()->getMethodByURLSegment($method) : null; |
|
101
|
|
|
|
|
102
|
|
|
// The method must be tracked in session. If it's missing we can't continue |
|
103
|
|
|
if (!$methodInstance) { |
|
104
|
|
|
throw new InvalidMethodException('There is no method tracked in a store for this request'); |
|
105
|
|
|
} |
|
106
|
|
|
|
|
107
|
|
|
// Get the member and authenticator ready |
|
108
|
|
|
$member = $store->getMember(); |
|
109
|
|
|
$registeredMethod = RegisteredMethodManager::singleton()->getFromMember($member, $methodInstance); |
|
110
|
|
|
$authenticator = $registeredMethod->getVerifyHandler(); |
|
111
|
|
|
|
|
112
|
|
|
$result = $authenticator->verify($request, $store, $registeredMethod); |
|
113
|
|
|
if ($result->isSuccessful()) { |
|
114
|
|
|
$store->addVerifiedMethod($method); |
|
|
|
|
|
|
115
|
|
|
$store->save($request); |
|
116
|
|
|
$this->extend('onMethodVerificationSuccess', $member, $methodInstance); |
|
|
|
|
|
|
117
|
|
|
return $result; |
|
118
|
|
|
} |
|
119
|
|
|
|
|
120
|
|
|
$this->extend('onMethodVerificationFailure', $member, $methodInstance); |
|
121
|
|
|
return $result; |
|
122
|
|
|
} |
|
123
|
|
|
|
|
124
|
|
|
/** |
|
125
|
|
|
* Indicates the current member has verified with MFA methods enough to be considered "verified" |
|
126
|
|
|
* |
|
127
|
|
|
* @param StoreInterface $store |
|
128
|
|
|
* @return bool |
|
129
|
|
|
*/ |
|
130
|
|
|
protected function isVerificationComplete(StoreInterface $store): bool |
|
131
|
|
|
{ |
|
132
|
|
|
// Pull the successful methods from session |
|
133
|
|
|
$successfulMethods = $store->getVerifiedMethods(); |
|
134
|
|
|
|
|
135
|
|
|
// Zero is "not complete". There's different config for optional MFA |
|
136
|
|
|
if (!is_array($successfulMethods) || !count($successfulMethods)) { |
|
|
|
|
|
|
137
|
|
|
return false; |
|
138
|
|
|
} |
|
139
|
|
|
|
|
140
|
|
|
return count($successfulMethods) >= Config::inst()->get(EnforcementManager::class, 'required_mfa_methods'); |
|
141
|
|
|
} |
|
142
|
|
|
} |
|
143
|
|
|
|
silverstripe /
silverstripe-mfa
Loading history...