Implement changes to 2FA system (pterodactyl#761)

Author: DaneEveritt

CHANGELOG.md

@@ -17,6 +17,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 
 ### Changed
 * Moved Docker image setting to be on the startup management page for a server rather than the details page. This value changes based on the Nest and Egg that are selected.
+* Two-Factor authentication tokens are now 32 bytes in length, and are stored encrypted at rest in the database.
 
 ## v0.7.0-beta.1 (Derelict Dermodactylus)
 ### Added

app/Http/Controllers/Auth/LoginController.php

@@ -202,7 +202,7 @@ public function totpCheckpoint(Request $request)
             return $this->sendFailedLoginResponse($request);
         }
 
-        if (! $G2FA->verifyKey($user->totp_secret, $request->input('2fa_token'), 2)) {
+        if (! $G2FA->verifyKey(Crypt::decrypt($user->totp_secret), $request->input('2fa_token'), 2)) {
             event(new \Illuminate\Auth\Events\Failed($user, $credentials));
 
             return $this->sendFailedLoginResponse($request);

app/Http/Controllers/Base/SecurityController.php

@@ -27,7 +27,6 @@
 
 use Illuminate\Http\Request;
 use Prologue\Alerts\AlertsMessageBag;
-use Illuminate\Contracts\Session\Session;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Users\TwoFactorSetupService;
 use Pterodactyl\Services\Users\ToggleTwoFactorService;
@@ -52,11 +51,6 @@ class SecurityController extends Controller
      */
     protected $repository;
 
-    /**
-     * @var \Illuminate\Contracts\Session\Session
-     */
-    protected $session;
-
     /**
      * @var \Pterodactyl\Services\Users\ToggleTwoFactorService
      */
@@ -72,23 +66,20 @@ class SecurityController extends Controller
      *
      * @param \Prologue\Alerts\AlertsMessageBag                            $alert
      * @param \Illuminate\Contracts\Config\Repository                      $config
-     * @param \Illuminate\Contracts\Session\Session                        $session
      * @param \Pterodactyl\Contracts\Repository\SessionRepositoryInterface $repository
      * @param \Pterodactyl\Services\Users\ToggleTwoFactorService           $toggleTwoFactorService
      * @param \Pterodactyl\Services\Users\TwoFactorSetupService            $twoFactorSetupService
      */
     public function __construct(
         AlertsMessageBag $alert,
         ConfigRepository $config,
-        Session $session,
         SessionRepositoryInterface $repository,
         ToggleTwoFactorService $toggleTwoFactorService,
         TwoFactorSetupService $twoFactorSetupService
     ) {
         $this->alert = $alert;
         $this->config = $config;
         $this->repository = $repository;
-        $this->session = $session;
         $this->toggleTwoFactorService = $toggleTwoFactorService;
         $this->twoFactorSetupService = $twoFactorSetupService;
     }
@@ -122,7 +113,9 @@ public function index(Request $request)
      */
     public function generateTotp(Request $request)
     {
-        return response()->json($this->twoFactorSetupService->handle($request->user()));
+        return response()->json([
+            'qrImage' => $this->twoFactorSetupService->handle($request->user()),
+        ]);
     }
 
     /**

app/Models/User.php

@@ -63,6 +63,7 @@ class User extends Model implements
         'language',
         'use_totp',
         'totp_secret',
+        'totp_authenticated_at',
         'gravatar',
         'root_admin',
     ];
@@ -78,6 +79,11 @@ class User extends Model implements
         'gravatar' => 'boolean',
     ];
 
+    /**
+     * @var array
+     */
+    protected $dates = [self::CREATED_AT, self::UPDATED_AT, 'totp_authenticated_at'];
+
     /**
      * The attributes excluded from the model's JSON form.
      *

app/Services/Users/ToggleTwoFactorService.php

@@ -1,66 +1,82 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Services\Users;
 
+use Carbon\Carbon;
 use Pterodactyl\Models\User;
-use PragmaRX\Google2FA\Contracts\Google2FA;
+use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid;
 
 class ToggleTwoFactorService
 {
     /**
-     * @var \PragmaRX\Google2FA\Contracts\Google2FA
+     * @var \Illuminate\Contracts\Config\Repository
      */
-    protected $google2FA;
+    private $config;
+
+    /**
+     * @var \Illuminate\Contracts\Encryption\Encrypter
+     */
+    private $encrypter;
+
+    /**
+     * @var \PragmaRX\Google2FA\Google2FA
+     */
+    private $google2FA;
 
     /**
      * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
      */
-    protected $repository;
+    private $repository;
 
     /**
      * ToggleTwoFactorService constructor.
      *
-     * @param \PragmaRX\Google2FA\Contracts\Google2FA                   $google2FA
+     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
+     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
+     * @param \Illuminate\Contracts\Config\Repository                   $config
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
+        Encrypter $encrypter,
         Google2FA $google2FA,
+        Repository $config,
         UserRepositoryInterface $repository
     ) {
+        $this->config = $config;
+        $this->encrypter = $encrypter;
         $this->google2FA = $google2FA;
         $this->repository = $repository;
     }
 
     /**
-     * @param int|\Pterodactyl\Models\User $user
-     * @param string                       $token
-     * @param null|bool                    $toggleState
+     * Toggle 2FA on an account only if the token provided is valid.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @param string                   $token
+     * @param bool|null                $toggleState
      * @return bool
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      * @throws \Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid
      */
-    public function handle($user, $token, $toggleState = null)
+    public function handle(User $user, string $token, bool $toggleState = null): bool
     {
-        if (! $user instanceof User) {
-            $user = $this->repository->find($user);
-        }
+        $window = $this->config->get('pterodactyl.auth.2fa.window');
+        $secret = $this->encrypter->decrypt($user->totp_secret);
+
+        $isValidToken = $this->google2FA->verifyKey($secret, $token, $window);
 
-        if (! $this->google2FA->verifyKey($user->totp_secret, $token, 2)) {
+        if (! $isValidToken) {
             throw new TwoFactorAuthenticationTokenInvalid;
         }
 
         $this->repository->withoutFresh()->update($user->id, [
+            'totp_authenticated_at' => Carbon::now(),
             'use_totp' => (is_null($toggleState) ? ! $user->use_totp : $toggleState),
         ]);
 

app/Services/Users/TwoFactorSetupService.php

@@ -10,7 +10,8 @@
 namespace Pterodactyl\Services\Users;
 
 use Pterodactyl\Models\User;
-use PragmaRX\Google2FA\Contracts\Google2FA;
+use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Illuminate\Contracts\Config\Repository as ConfigRepository;
 
@@ -19,58 +20,62 @@ class TwoFactorSetupService
     /**
      * @var \Illuminate\Contracts\Config\Repository
      */
-    protected $config;
+    private $config;
 
     /**
-     * @var \PragmaRX\Google2FA\Contracts\Google2FA
+     * @var \Illuminate\Contracts\Encryption\Encrypter
      */
-    protected $google2FA;
+    private $encrypter;
+
+    /**
+     * @var \PragmaRX\Google2FA\Google2FA
+     */
+    private $google2FA;
 
     /**
      * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
      */
-    protected $repository;
+    private $repository;
 
     /**
      * TwoFactorSetupService constructor.
      *
      * @param \Illuminate\Contracts\Config\Repository                   $config
-     * @param \PragmaRX\Google2FA\Contracts\Google2FA                   $google2FA
+     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
+     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
         ConfigRepository $config,
+        Encrypter $encrypter,
         Google2FA $google2FA,
         UserRepositoryInterface $repository
     ) {
         $this->config = $config;
+        $this->encrypter = $encrypter;
         $this->google2FA = $google2FA;
         $this->repository = $repository;
     }
 
     /**
-     * Generate a 2FA token and store it in the database.
+     * Generate a 2FA token and store it in the database before returning the
+     * QR code image.
      *
-     * @param int|\Pterodactyl\Models\User $user
-     * @return array
+     * @param \Pterodactyl\Models\User $user
+     * @return string
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function handle($user)
+    public function handle(User $user): string
     {
-        if (! $user instanceof User) {
-            $user = $this->repository->find($user);
-        }
-
-        $secret = $this->google2FA->generateSecretKey();
+        $secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
         $image = $this->google2FA->getQRCodeGoogleUrl($this->config->get('app.name'), $user->email, $secret);
 
-        $this->repository->withoutFresh()->update($user->id, ['totp_secret' => $secret]);
+        $this->repository->withoutFresh()->update($user->id, [
+            'totp_secret' => $this->encrypter->encrypt($secret),
+        ]);
 
-        return [
-            'qrImage' => $image,
-            'secret' => $secret,
-        ];
+        return $image;
     }
 }

composer.json

@@ -31,7 +31,7 @@
         "mtdowling/cron-expression": "^1.2",
         "nesbot/carbon": "^1.22",
         "nicolaslopezj/searchable": "^1.9",
-        "pragmarx/google2fa": "^1.0",
+        "pragmarx/google2fa": "^2.0",
         "predis/predis": "^1.1",
         "prologue/alerts": "^0.4",
         "ramsey/uuid": "^3.7",
@@ -46,7 +46,7 @@
     "require-dev": {
         "barryvdh/laravel-debugbar": "^2.4",
         "barryvdh/laravel-ide-helper": "^2.4",
-        "friendsofphp/php-cs-fixer": "^2.4",
+        "friendsofphp/php-cs-fixer": "^2.8.0",
         "fzaninotto/faker": "^1.6",
         "mockery/mockery": "^0.9",
         "php-mock/php-mock-phpunit": "^1.1",