feature Added mfa api endpoints to work with oauth2 access_token (#16)

* fast commit

* removed action code

* minor

* minor

Co-authored-by: Dmytro Naumenko <[email protected]>

* minor

* fixed auth bug, suggesting oauth2 package, updated mfa interfaces, minor

* Update src/base/ApiMfaIdentityInterface.php

Co-authored-by: Andrey Klochok <[email protected]>

* Update src/GrantType/UserCredentials.php

Co-authored-by: Andrey Klochok <[email protected]>

* Update src/controllers/TotpController.php

Co-authored-by: Andrey Klochok <[email protected]>

* Update src/behaviors/OauthLoginBehavior.php

Co-authored-by: Andrey Klochok <[email protected]>

* minor

Co-authored-by: Dmytro Naumenko <[email protected]>
Co-authored-by: Andrey Klochok <[email protected]>

Author: 3 people

README.md

@@ -100,6 +100,35 @@ which will return or set MFA properties. For example:
 IPs and TOTP functions are independent and you can provide just one of properties to have only
 corresponding functionality.
 
+## Usage with OAuth2
+
+Also there is a configuration to provide MFA for OAuth2.
+
+ - Require suggested `"bshaffer/oauth2-server-php": '~1.7'` package
+
+ - Use `hiqdev\yii2\mfa\GrantType\UserCredentials` for configuring `/oauth/token` command via totp code.
+For example:
+
+
+    'modules' => [
+        'oauth2' => [
+            'grantTypes' => [
+                'user_credentials' => [
+                    'class' => \hiqdev\yii2\mfa\GrantType\UserCredentials::class,
+                ],
+            ],
+        ],
+    ]
+
+ - Extend you `Identity` class from `ApiMfaIdentityInterface`.
+
+ - Use actions:
+
+
+    POST /mfa/totp/api-temporary-secret - Proviedes temporary secret to generate QR-code
+    POST /mfa/totp/api-enable - Enables totp
+    POST /mfa/totp/api-disable - Disables totp
+
 ## License
 
 This project is released under the terms of the BSD-3-Clause [license](LICENSE).

composer.json

@@ -52,6 +52,9 @@
         "hiqdev/hidev-php": "dev-master",
         "hiqdev/hidev-hiqdev": "dev-master"
     },
+    "suggest": {
+        "bshaffer/oauth2-server-php": "Require '~1.7' version to use TOTP with OAuth2 protocol"
+    },
     "autoload": {
         "psr-4": {
             "hiqdev\\yii2\\mfa\\": "src"

src/GrantType/UserCredentials.php

@@ -0,0 +1,56 @@
+<?php
+declare(strict_types=1);
+
+namespace hiqdev\yii2\mfa\GrantType;
+
+use OAuth2\RequestInterface;
+use OAuth2\ResponseInterface;
+use OAuth2\Storage\UserCredentialsInterface;
+use RobThree\Auth\TwoFactorAuth;
+
+class UserCredentials extends \OAuth2\GrantType\UserCredentials
+{
+    private TwoFactorAuth $totpService;
+
+    public function __construct(UserCredentialsInterface $storage)
+    {
+        parent::__construct($storage);
+
+        $this->totpService = \Yii::createObject(TwoFactorAuth::class);
+    }
+
+    public function validateRequest(RequestInterface $request, ResponseInterface $response): bool
+    {
+        $result = parent::validateRequest($request, $response);
+        if (!$result) {
+            return $result;
+        }
+
+        $prop = new \ReflectionProperty(parent::class, 'userInfo');
+        $prop->setAccessible(true);
+        $userInfo = $prop->getValue($this);
+
+        if (!$this->checkTotp($userInfo, $request)) {
+            $prop->setValue($this, null);
+            $response->setError(400, 'invalid_totp', 'Failed to validate TOTP');
+
+            return false;
+        }
+
+        return true;
+    }
+
+    private function checkTotp(array $userInfo, RequestInterface $request): bool
+    {
+        if (empty($userInfo['totp_secret'])) {
+            return true;
+        }
+
+        $code = $request->request('code');
+        if (empty($code)) {
+            return false;
+        }
+
+        return $this->totpService->verifyCode($userInfo['totp_secret'], $code);
+    }
+}

src/base/ApiMfaIdentityInterface.php

@@ -0,0 +1,23 @@
+<?php
+declare(strict_types=1);
+
+namespace hiqdev\yii2\mfa\base;
+
+use yii\web\IdentityInterface;
+
+/**
+ * Interface which describes Identity functionality to work with temporary TOTP secret via API.
+ *
+ * @see \hiqdev\yii2\mfa\controllers\TotpController::actionApiEnable()
+ *
+ * In general case temporary TOTP secret is stored in Session
+ *
+ * @see \hiqdev\yii2\mfa\base\Totp::getSecret()
+ * @see \hiqdev\yii2\mfa\controllers\TotpController::actionEnable()
+ */
+interface ApiMfaIdentityInterface extends TotpSecretStorageInterface, MfaSaveInterface
+{
+    public function getTemporarySecret(): ?string;
+
+    public function setTemporarySecret(?string $secret): void;
+}

src/base/MfaIdentityInterface.php

@@ -10,19 +10,19 @@
  * Interface MfaIdentityInterface
  * @package hiqdev\yii2\mfa\base
  */
-interface MfaIdentityInterface extends IdentityInterface
+interface MfaIdentityInterface extends IdentityInterface, TotpSecretStorageInterface, MfaSaveInterface
 {
     /**
      * @inheritDoc
      *
-     * @return MfaIdentityInterface
+     * @return MfaIdentityInterface|null
      */
     public static function findIdentity($id);
 
     /**
      * @inheritDoc
      *
-     * @return MfaIdentityInterface
+     * @return MfaIdentityInterface|null
      */
     public static function findIdentityByAccessToken($token, $type = null);
 
@@ -31,25 +31,13 @@ public static function findIdentityByAccessToken($token, $type = null);
      */
     public function getUsername(): string;
 
-    /**
-     * @return string
-     */
-    public function getTotpSecret(): string;
-
     /**
      * @return string[]
      */
     public function getAllowedIps(): array;
 
-    /**
-     * @param string $secret
-     * @return $this
-     */
-    public function setTotpSecret(string $secret): self;
-
     /**
      * @param string $allowedIp
-     * @return $this
      */
-    public function addAllowedIp(string $allowedIp): self;
+    public function addAllowedIp(string $allowedIp): void;
 }

src/base/MfaSaveInterface.php

@@ -0,0 +1,9 @@
+<?php
+declare(strict_types=1);
+
+namespace hiqdev\yii2\mfa\base;
+
+interface MfaSaveInterface
+{
+    public function save(): bool;
+}

src/base/TotpSecretStorageInterface.php

@@ -0,0 +1,17 @@
+<?php
+declare(strict_types=1);
+
+namespace hiqdev\yii2\mfa\base;
+
+interface TotpSecretStorageInterface
+{
+    /**
+     * @return string
+     */
+    public function getTotpSecret(): string;
+
+    /**
+     * @param string $secret
+     */
+    public function setTotpSecret(string $secret): void;
+}

src/behaviors/OauthLoginBehavior.php

@@ -0,0 +1,64 @@
+<?php
+declare(strict_types=1);
+
+namespace hiqdev\yii2\mfa\behaviors;
+
+use hiqdev\yii2\mfa\Module;
+use yii\base\ActionFilter;
+use yii\web\Request;
+use yii\web\Response;
+use yii\web\User;
+
+class OauthLoginBehavior extends ActionFilter
+{
+    private bool $isLogined = false;
+
+    private User $user;
+    private Request $request;
+    private Response $response;
+    private Module $module;
+
+    public function __construct(
+        User $user,
+        Request $request,
+        Response $response,
+        $config = []
+    ) {
+        parent::__construct($config);
+
+        $this->user = $user;
+        $this->request = $request;
+        $this->response = $response;
+        $this->module = \Yii::$app->getModule('mfa');;
+    }
+
+    public function beforeAction($action)
+    {
+        if (!empty($this->user->identity)) {
+            $this->isLogined = true;
+            return true;
+        }
+
+        $token = $this->request->post('access_token', '');
+        $identity = $this->user->identityClass::findIdentityByAccessToken($token);
+        if ($identity === null) {
+            $this->response->setStatusCode(400);
+            $this->response->data = ['_error' => 'invalid_token'];
+            return false;
+        }
+
+        $this->module->getTotp()->setIsVerified(true);
+        $this->user->login($identity);
+
+        return true;
+    }
+
+    public function afterAction($action, $result)
+    {
+        if (!$this->isLogined) {
+            $this->user->logout();
+        }
+
+        return parent::afterAction($action, $result);
+    }
+}

src/controllers/TotpController.php

@@ -10,20 +10,31 @@
 
 namespace hiqdev\yii2\mfa\controllers;
 
+use hiqdev\yii2\mfa\base\ApiMfaIdentityInterface;
 use hiqdev\yii2\mfa\base\MfaIdentityInterface;
+use hiqdev\yii2\mfa\behaviors\OauthLoginBehavior;
 use hiqdev\yii2\mfa\forms\InputForm;
 use Yii;
 use yii\filters\AccessControl;
+use yii\filters\ContentNegotiator;
+use yii\filters\VerbFilter;
+use yii\web\Response;
 
 /**
  * TOTP controller.
  * Time-based One Time Password.
  */
 class TotpController extends \yii\web\Controller
 {
+    public $enableCsrfValidation = false;
+
     public function behaviors()
     {
         return array_merge(parent::behaviors(), [
+            'filterApi' => [
+                'class' => OauthLoginBehavior::class,
+                'only' => ['api-temporary-secret', 'api-disable', 'api-enable'],
+            ],
             'access' => [
                 'class' => AccessControl::class,
                 'denyCallback' => [$this, 'denyCallback'],
@@ -36,12 +47,27 @@ public function behaviors()
                     ],
                     // @ - authenticated
                     [
-                        'actions' => ['enable', 'disable', 'toggle'],
+                        'actions' => ['enable', 'disable', 'toggle', 'api-temporary-secret', 'api-disable', 'api-enable'],
                         'roles' => ['@'],
                         'allow' => true,
                     ],
                 ],
             ],
+            'verbFilter' => [
+                'class' => VerbFilter::class,
+                'actions' => [
+                    'api-temporary-secret' => ['POST'],
+                    'api-enable' => ['POST'],
+                    'api-disable' => ['POST'],
+                ],
+            ],
+            'contentNegotiator' => [
+                'class' => ContentNegotiator::class,
+                'only' => ['api-temporary-secret', 'api-disable', 'api-enable'],
+                'formats' => [
+                    'application/json' => Response::FORMAT_JSON,
+                ],
+            ],
         ]);
     }
 
@@ -159,4 +185,54 @@ public function goBack($defaultUrl = null)
 
         return parent::goBack($defaultUrl);
     }
+
+    public function actionApiEnable()
+    {
+        /** @var ApiMfaIdentityInterface $identity */
+        $identity = \Yii::$app->user->identity;
+        $secret = $identity->getTotpSecret();
+        if (!empty($secret)) {
+            return ['_error' => 'mfa already enabled' . $secret];
+        }
+
+        if (!$this->module->getTotp()->verifyCode($identity->getTemporarySecret(), $this->request->post('code', ''))) {
+            return ['_error' => 'invalid totp code'];
+        }
+
+        $identity->setTotpSecret($identity->getTemporarySecret());
+        $identity->setTemporarySecret(null);
+        $identity->save();
+
+        return ['id' => $identity->getId()];
+    }
+
+    public function actionApiDisable()
+    {
+        /** @var ApiMfaIdentityInterface $identity */
+        $identity = \Yii::$app->user->identity;
+        $secret = $identity->getTotpSecret();
+        if (empty($secret)) {
+            return ['_error' => 'mfa disabled, enable first'];
+        }
+
+        if (!$this->module->getTotp()->verifyCode($secret, $this->request->post('code', ''))) {
+            return ['_error' => 'invalid totp code'];
+        }
+
+        $identity->setTotpSecret('');
+        $identity->save();
+
+        return ['id' => $identity->getId()];
+    }
+
+    public function actionApiTemporarySecret()
+    {
+        /** @var ApiMfaIdentityInterface $identity */
+        $identity = \Yii::$app->user->identity;
+        $secret = $this->module->getTotp()->getSecret();
+        $identity->setTemporarySecret($secret);
+        $identity->save();
+
+        return ['secret' => $secret];
+    }
 }