mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 212 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7680 Commits
17 Branches
Tree: 337d6915ff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '337d6915ff'
${ noResults }
gitea/routers/user/setting/security_twofa.go

security_twofa.go 5.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2018 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package setting

  7. 

  8. import (

  9. 	"bytes"

  10. 	"encoding/base64"

  11. 	"html/template"

  12. 	"image/png"

  13. 	"strings"

  14. 

  15. 	"code.gitea.io/gitea/models"

  16. 	"code.gitea.io/gitea/modules/auth"

  17. 	"code.gitea.io/gitea/modules/context"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 

  20. 	"github.com/pquerna/otp"

  21. 	"github.com/pquerna/otp/totp"

  22. )

  23. 

  24. // RegenerateScratchTwoFactor regenerates the user's 2FA scratch code.

  25. func RegenerateScratchTwoFactor(ctx *context.Context) {

  26. 	ctx.Data["Title"] = ctx.Tr("settings")

  27. 	ctx.Data["PageIsSettingsSecurity"] = true

  28. 

  29. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)

  30. 	if err != nil {

  31. 		ctx.ServerError("SettingsTwoFactor", err)

  32. 		return

  33. 	}

  34. 

  35. 	token, err := t.GenerateScratchToken()

  36. 	if err != nil {

  37. 		ctx.ServerError("SettingsTwoFactor", err)

  38. 		return

  39. 	}

  40. 

  41. 	if err = models.UpdateTwoFactor(t); err != nil {

  42. 		ctx.ServerError("SettingsTwoFactor", err)

  43. 		return

  44. 	}

  45. 

  46. 	ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", token))

  47. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  48. }

  49. 

  50. // DisableTwoFactor deletes the user's 2FA settings.

  51. func DisableTwoFactor(ctx *context.Context) {

  52. 	ctx.Data["Title"] = ctx.Tr("settings")

  53. 	ctx.Data["PageIsSettingsSecurity"] = true

  54. 

  55. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)

  56. 	if err != nil {

  57. 		ctx.ServerError("SettingsTwoFactor", err)

  58. 		return

  59. 	}

  60. 

  61. 	if err = models.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil {

  62. 		ctx.ServerError("SettingsTwoFactor", err)

  63. 		return

  64. 	}

  65. 

  66. 	ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))

  67. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  68. }

  69. 

  70. func twofaGenerateSecretAndQr(ctx *context.Context) bool {

  71. 	var otpKey *otp.Key

  72. 	var err error

  73. 	uri := ctx.Session.Get("twofaUri")

  74. 	if uri != nil {

  75. 		otpKey, err = otp.NewKeyFromURL(uri.(string))

  76. 		if err != nil {

  77. 			ctx.ServerError("SettingsTwoFactor: NewKeyFromURL: ", err)

  78. 			return false

  79. 		}

  80. 	}

  81. 	// Filter unsafe character ':' in issuer

  82. 	issuer := strings.Replace(setting.AppName+" ("+setting.Domain+")", ":", "", -1)

  83. 	if otpKey == nil {

  84. 		err = nil // clear the error, in case the URL was invalid

  85. 		otpKey, err = totp.Generate(totp.GenerateOpts{

  86. 			SecretSize:  40,

  87. 			Issuer:      issuer,

  88. 			AccountName: ctx.User.Name,

  89. 		})

  90. 		if err != nil {

  91. 			ctx.ServerError("SettingsTwoFactor", err)

  92. 			return false

  93. 		}

  94. 	}

  95. 

  96. 	ctx.Data["TwofaSecret"] = otpKey.Secret()

  97. 	img, err := otpKey.Image(320, 240)

  98. 	if err != nil {

  99. 		ctx.ServerError("SettingsTwoFactor", err)

  100. 		return false

  101. 	}

  102. 

  103. 	var imgBytes bytes.Buffer

  104. 	if err = png.Encode(&imgBytes, img); err != nil {

  105. 		ctx.ServerError("SettingsTwoFactor", err)

  106. 		return false

  107. 	}

  108. 

  109. 	ctx.Data["QrUri"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))

  110. 	err = ctx.Session.Set("twofaSecret", otpKey.Secret())

  111. 	if err != nil {

  112. 		ctx.ServerError("SettingsTwoFactor", err)

  113. 		return false

  114. 	}

  115. 	err = ctx.Session.Set("twofaUri", otpKey.String())

  116. 	if err != nil {

  117. 		ctx.ServerError("SettingsTwoFactor", err)

  118. 		return false

  119. 	}

  120. 	return true

  121. }

  122. 

  123. // EnrollTwoFactor shows the page where the user can enroll into 2FA.

  124. func EnrollTwoFactor(ctx *context.Context) {

  125. 	ctx.Data["Title"] = ctx.Tr("settings")

  126. 	ctx.Data["PageIsSettingsSecurity"] = true

  127. 

  128. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)

  129. 	if t != nil {

  130. 		// already enrolled

  131. 		ctx.ServerError("SettingsTwoFactor", err)

  132. 		return

  133. 	}

  134. 	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {

  135. 		ctx.ServerError("SettingsTwoFactor", err)

  136. 		return

  137. 	}

  138. 

  139. 	if !twofaGenerateSecretAndQr(ctx) {

  140. 		return

  141. 	}

  142. 

  143. 	ctx.HTML(200, tplSettingsTwofaEnroll)

  144. }

  145. 

  146. // EnrollTwoFactorPost handles enrolling the user into 2FA.

  147. func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {

  148. 	ctx.Data["Title"] = ctx.Tr("settings")

  149. 	ctx.Data["PageIsSettingsSecurity"] = true

  150. 

  151. 	t, err := models.GetTwoFactorByUID(ctx.User.ID)

  152. 	if t != nil {

  153. 		// already enrolled

  154. 		ctx.ServerError("SettingsTwoFactor", err)

  155. 		return

  156. 	}

  157. 	if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {

  158. 		ctx.ServerError("SettingsTwoFactor", err)

  159. 		return

  160. 	}

  161. 

  162. 	if ctx.HasError() {

  163. 		if !twofaGenerateSecretAndQr(ctx) {

  164. 			return

  165. 		}

  166. 		ctx.HTML(200, tplSettingsTwofaEnroll)

  167. 		return

  168. 	}

  169. 

  170. 	secret := ctx.Session.Get("twofaSecret").(string)

  171. 	if !totp.Validate(form.Passcode, secret) {

  172. 		if !twofaGenerateSecretAndQr(ctx) {

  173. 			return

  174. 		}

  175. 		ctx.Flash.Error(ctx.Tr("settings.passcode_invalid"))

  176. 		ctx.HTML(200, tplSettingsTwofaEnroll)

  177. 		return

  178. 	}

  179. 

  180. 	t = &models.TwoFactor{

  181. 		UID: ctx.User.ID,

  182. 	}

  183. 	err = t.SetSecret(secret)

  184. 	if err != nil {

  185. 		ctx.ServerError("SettingsTwoFactor", err)

  186. 		return

  187. 	}

  188. 	token, err := t.GenerateScratchToken()

  189. 	if err != nil {

  190. 		ctx.ServerError("SettingsTwoFactor", err)

  191. 		return

  192. 	}

  193. 

  194. 	if err = models.NewTwoFactor(t); err != nil {

  195. 		ctx.ServerError("SettingsTwoFactor", err)

  196. 		return

  197. 	}

  198. 

  199. 	err = ctx.Session.Delete("twofaSecret")

  200. 	if err != nil {

  201. 		ctx.ServerError("SettingsTwoFactor", err)

  202. 		return

  203. 	}

  204. 	err = ctx.Session.Delete("twofaUri")

  205. 	if err != nil {

  206. 		ctx.ServerError("SettingsTwoFactor", err)

  207. 		return

  208. 	}

  209. 	ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", token))

  210. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  211. }