Backup codes for 2fa auth (#1237).

Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@19990 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-16 05:20:28 +01:00 · 2020-08-29 06:51:21 +00:00
parent be7f5e21fa
commit 8900eb6eb5
15 changed files with 230 additions and 19 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -265,6 +265,9 @@ class AccountController < ApplicationController
    # set locale for the twofa user
    set_localization(@user)

+    # set the requesting IP of the twofa user (e.g. for security notifications)
+    @user.remote_ip = request.remote_ip
+
    @twofa = Redmine::Twofa.for_user(@user)
  end

--- a/app/controllers/twofa_backup_codes_controller.rb
+++ b/app/controllers/twofa_backup_codes_controller.rb
@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006-2020  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+class TwofaBackupCodesController < ApplicationController
+  include TwofaHelper
+
+  self.main_menu = false
+
+  before_action :require_login, :require_active_twofa
+
+  before_action :twofa_setup
+
+  require_sudo_mode :init
+
+  def init
+    if @twofa.send_code(controller: 'twofa_backup_codes', action: 'create')
+      flash[:notice] = l('twofa_code_sent')
+    end
+    redirect_to action: 'confirm'
+  end
+
+  def confirm
+    @twofa_view = @twofa.otp_confirm_view_variables
+  end
+
+  def create
+    if @twofa.verify!(params[:twofa_code].to_s)
+      if time = @twofa.backup_codes.map(&:created_on).max
+        flash[:warning] = t('twofa_warning_backup_codes_generated_invalidated', time: format_time(time))
+      else
+        flash[:notice] = t('twofa_notice_backup_codes_generated')
+      end
+      tokens = @twofa.init_backup_codes!
+      flash[:twofa_backup_token_ids] = tokens.collect(&:id)
+      redirect_to action: 'show'
+    else
+      flash[:error] = l('twofa_invalid_code')
+      redirect_to action: 'confirm'
+    end
+  end
+
+  def show
+    # make sure we get only the codes that we should show
+    tokens = @twofa.backup_codes.where(id: flash[:twofa_backup_token_ids])
+    # Redmine will show all flash contents at the top of the rendered html
+    # page, so we need to explicitely delete this here
+    flash.delete(:twofa_backup_token_ids)
+
+    if tokens.present? && (@created_at = tokens.collect(&:created_on).max) > 5.minutes.ago
+      @backup_codes = tokens.collect(&:value)
+    else
+      flash[:warning] = l('twofa_backup_codes_already_shown', bc_path: my_twofa_backup_codes_init_path)
+      redirect_to controller: 'my', action: 'account'
+    end
+  end
+
+  private
+
+  def twofa_setup
+    @user = User.current
+    @twofa = Redmine::Twofa.for_user(@user)
+  end
+end
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -18,6 +18,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class TwofaController < ApplicationController
+  include TwofaHelper
+
  self.main_menu = false

  before_action :require_login
@@ -45,7 +47,7 @@ class TwofaController < ApplicationController

  def activate
    if @twofa.confirm_pairing!(params[:twofa_code].to_s)
-      flash[:notice] = l('twofa_activated')
+      flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
      redirect_to my_account_path
    else
      flash[:error] = l('twofa_invalid_code')
@@ -110,8 +112,4 @@ class TwofaController < ApplicationController
      redirect_to my_account_path
    end
  end
-
-  def require_active_twofa
-    Setting.twofa? ? true : deny_access
-  end
 end
--- a/app/helpers/twofa_helper.rb
+++ b/app/helpers/twofa_helper.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006-2020  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module TwofaHelper
+  def require_active_twofa
+    Setting.twofa? ? true : deny_access
+  end
+end
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -42,6 +42,7 @@ class Token < ActiveRecord::Base
  add_action :recovery,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
  add_action :register,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
  add_action :session,   max_instances: 10, validity_time: nil
+  add_action :twofa_backup_code, max_instances: 10, validity_time: nil

  def generate_new_token
    self.value = Token.generate_token_value
--- a/app/views/my/account.html.erb
+++ b/app/views/my/account.html.erb
@@ -34,6 +34,7 @@
    <% if @user.twofa_active? %>
      <%=l 'twofa_currently_active', twofa_scheme_name: l("twofa__#{@user.twofa_scheme}__name") -%><br/>
      <%= link_to l('button_disable'), { controller: 'twofa', action: 'deactivate_init', scheme: @user.twofa_scheme }, method: :post -%><br/>
+      <%= link_to l('twofa_generate_backup_codes'), { controller: 'twofa_backup_codes', action: 'init' }, method: :post, data: { confirm: Redmine::Twofa.for_user(User.current).backup_codes.any? ? t('twofa_text_generate_backup_codes_confirmation') : nil } -%>
    <% else %>
      <% Redmine::Twofa.available_schemes.each do |s| %>
        <%= link_to l("twofa__#{s}__label_activate"), { controller: 'twofa', action: 'activate_init', scheme: s }, method: :post -%><br/>
--- a/app/views/twofa/_twofa_code_form.html.erb
+++ b/app/views/twofa/_twofa_code_form.html.erb
@@ -0,0 +1,9 @@
+<div class="box">
+  <p><%=l 'twofa_label_enter_otp' %></p>
+  <div class="tabular">
+    <p>
+      <label for="twofa_code"><%=l 'twofa_label_code' -%></label>
+      <%= text_field_tag :twofa_code, nil, autocomplete: 'off' -%>
+    </p>
+  </div>
+</div>
--- a/app/views/twofa/deactivate_confirm.html.erb
+++ b/app/views/twofa/deactivate_confirm.html.erb
@@ -5,16 +5,7 @@
                 scheme: @twofa_view[:scheme_name] },
               { method: :post,
                 id: 'twofa_form' }) do -%>
-    <div class="box">
-
-      <p><%=l 'twofa_label_enter_otp' %></p>
-      <div class="tabular">
-        <p>
-          <label for="twofa_code"><%=l 'twofa_label_code' -%></label>
-          <%= text_field_tag :twofa_code, nil, autocomplete: 'off' -%>
-        </p>
-      </div>
-    </div>
+    <%= render partial: 'twofa_code_form' -%>
    <%= submit_tag l('button_disable'), name: :submit_otp -%>
    <%= link_to l('twofa_resend_code'), { action: 'deactivate_init', scheme: @twofa_view[:scheme_name] }, method: :post if @twofa_view[:resendable] -%>
  <% end %>
--- a/app/views/twofa_backup_codes/confirm.html.erb
+++ b/app/views/twofa_backup_codes/confirm.html.erb
@@ -0,0 +1,15 @@
+<h2><%=l 'twofa_generate_backup_codes' -%></h2>
+
+<div class="splitcontentleft">
+  <%= form_tag({ action: :create },
+               { method: :post,
+                 id: 'twofa_form' }) do -%>
+    <%= render partial: 'twofa/twofa_code_form' -%>
+    <%= submit_tag l('button_submit'), name: :submit_otp -%>
+    <%= link_to l('twofa_resend_code'), { action: 'init' }, method: :post if @twofa_view[:resendable] -%>
+  <% end %>
+</div>
+
+<% content_for :sidebar do %>
+<%= render :partial => 'my/sidebar' %>
+<% end %>
--- a/app/views/twofa_backup_codes/show.html.erb
+++ b/app/views/twofa_backup_codes/show.html.erb
@@ -0,0 +1,17 @@
+<h2><%=l 'twofa_label_backup_codes' -%></h2>
+
+<div class="splitcontentleft">
+  <div class="box">
+    <p><%=l 'twofa_text_backup_codes_hint' -%></p>
+    <ul class="twofa_backup_codes">
+    <% @backup_codes.each do |code| -%>
+      <li><code><%= code.scan(/.{4}/).join(' ') -%></code></li>
+    <% end -%>
+    </ul>
+    <p><em class="info"><%=l 'twofa_text_backup_codes_created_at', datetime: format_time(@created_at) -%></em></p>
+  </div>
+</div>
+
+<% content_for :sidebar do %>
+<%= render :partial => 'my/sidebar' %>
+<% end %>