authelia/internal/handlers/handler_sign_totp.go

package handlers

import (
	"fmt"

	"github.com/authelia/authelia/internal/authentication"
	"github.com/authelia/authelia/internal/middlewares"
)

// SecondFactorTOTPPost validate the TOTP passcode provided by the user.
func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {
	return func(ctx *middlewares.AutheliaCtx) {
		bodyJSON := signTOTPRequestBody{}
		err := ctx.ParseBody(&bodyJSON)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, err, mfaValidationFailedMessage)
			return
		}

		userSession := ctx.GetSession()

		secret, err := ctx.Providers.StorageProvider.LoadTOTPSecret(userSession.Username)
		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to load TOTP secret: %s", err), mfaValidationFailedMessage)
			return
		}

		isValid, err := totpVerifier.Verify(bodyJSON.Token, secret)
		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Error occurred during OTP validation for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)
			return
		}

		if !isValid {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Wrong passcode during TOTP validation for user %s", userSession.Username), mfaValidationFailedMessage)
			return
		}

		err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to regenerate session for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)
			return
		}

		userSession.AuthenticationLevel = authentication.TwoFactor
		err = ctx.SaveSession(userSession)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to update the authentication level with TOTP: %s", err), mfaValidationFailedMessage)
			return
		}

		Handle2FAResponse(ctx, bodyJSON.TargetURL)
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`package handlers`

			`import (`
			`"fmt"`

Rename org from clems4ever to authelia Also fix references from config.yml to configuration.yml 2019-12-24 09:14:52 +07:00			`"github.com/authelia/authelia/internal/authentication"`
			`"github.com/authelia/authelia/internal/middlewares"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`)`

			`// SecondFactorTOTPPost validate the TOTP passcode provided by the user.`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {`
			`return func(ctx *middlewares.AutheliaCtx) {`
			`bodyJSON := signTOTPRequestBody{}`
			`err := ctx.ParseBody(&bodyJSON)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, err, mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`userSession := ctx.GetSession()`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-06 02:35:32 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`secret, err := ctx.Providers.StorageProvider.LoadTOTPSecret(userSession.Username)`
			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to load TOTP secret: %s", err), mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`isValid, err := totpVerifier.Verify(bodyJSON.Token, secret)`
			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Error occurred during OTP validation for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if !isValid {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Wrong passcode during TOTP validation for user %s", userSession.Username), mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-03-01 06:13:33 +07:00			`err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)`

			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to regenerate session for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)`
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-03-01 06:13:33 +07:00			`return`
			`}`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`userSession.AuthenticationLevel = authentication.TwoFactor`
			`err = ctx.SaveSession(userSession)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to update the authentication level with TOTP: %s", err), mfaValidationFailedMessage)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`return`
			`}`

[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611) * Redirect to default URL after 1FA when default policy is one_factor. User is now redirected to the default redirection URL after 1FA if the default policy is set to one_factor and there is no target URL or if the target URL is unsafe. Also, if the default policy is set to one_factor and the user is already authenticated, if she visits the login portal, the 'already authenticated' view is displayed with a logout button. This fixes #581. * Update users.yml * Fix permissions issue causing suite test failure 2020-02-05 04:18:02 +07:00			`Handle2FAResponse(ctx, bodyJSON.TargetURL)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`}`
			`}`