authelia/internal/handlers/handler_sign_totp.go

package handlers

import (
	"fmt"

	"github.com/authelia/authelia/internal/authentication"
	"github.com/authelia/authelia/internal/middlewares"
)

// SecondFactorTOTPPost validate the TOTP passcode provided by the user.
func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {
	return func(ctx *middlewares.AutheliaCtx) {
		requestBody := signTOTPRequestBody{}
		err := ctx.ParseBody(&requestBody)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, err, mfaValidationFailedMessage)
			return
		}

		userSession := ctx.GetSession()

		secret, err := ctx.Providers.StorageProvider.LoadTOTPSecret(userSession.Username)
		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to load TOTP secret: %s", err), mfaValidationFailedMessage)
			return
		}

		isValid, err := totpVerifier.Verify(requestBody.Token, secret)
		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Error occurred during OTP validation for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)
			return
		}

		if !isValid {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Wrong passcode during TOTP validation for user %s", userSession.Username), mfaValidationFailedMessage)
			return
		}

		err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to regenerate session for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)
			return
		}

		userSession.AuthenticationLevel = authentication.TwoFactor
		err = ctx.SaveSession(userSession)

		if err != nil {
			handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to update the authentication level with TOTP: %s", err), mfaValidationFailedMessage)
			return
		}

		if userSession.OIDCWorkflowSession != nil {
			HandleOIDCWorkflowResponse(ctx)
		} else {
			Handle2FAResponse(ctx, requestBody.TargetURL)
		}
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`package handlers`

			`import (`
			`"fmt"`

Rename org from clems4ever to authelia Also fix references from config.yml to configuration.yml 2019-12-24 09:14:52 +07:00			`"github.com/authelia/authelia/internal/authentication"`
			`"github.com/authelia/authelia/internal/middlewares"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`)`

			`// SecondFactorTOTPPost validate the TOTP passcode provided by the user.`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {`
			`return func(ctx *middlewares.AutheliaCtx) {`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`requestBody := signTOTPRequestBody{}`
			`err := ctx.ParseBody(&requestBody)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, err, mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`userSession := ctx.GetSession()`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-06 02:35:32 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`secret, err := ctx.Providers.StorageProvider.LoadTOTPSecret(userSession.Username)`
			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to load TOTP secret: %s", err), mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`isValid, err := totpVerifier.Verify(requestBody.Token, secret)`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Error occurred during OTP validation for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if !isValid {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Wrong passcode during TOTP validation for user %s", userSession.Username), mfaValidationFailedMessage)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-03-01 06:13:33 +07:00			`err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx)`

			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to regenerate session for user %s: %s", userSession.Username, err), mfaValidationFailedMessage)`
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-03-01 06:13:33 +07:00			`return`
			`}`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`userSession.AuthenticationLevel = authentication.TwoFactor`
			`err = ctx.SaveSession(userSession)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
			`if err != nil {`
[SECURITY] Fix Authentication HTTP Status Codes (#959) * [FIX] Send correct HTTP status codes for 1FA * use harmonious func to handle all 1FA attempt errors * use same harmonious func to handle 2FA attempt errors * always send a 401 which is correct according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401 * fix tests * refactor isTargetURLAuthorized * fix padding and imports * harmonize remaining return messages * fixup docs and layout of verifySessionHasUpToDateProfile 2020-05-06 04:27:38 +07:00			`handleAuthenticationUnauthorized(ctx, fmt.Errorf("Unable to update the authentication level with TOTP: %s", err), mfaValidationFailedMessage)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`return`
			`}`

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`if userSession.OIDCWorkflowSession != nil {`
			`HandleOIDCWorkflowResponse(ctx)`
			`} else {`
			`Handle2FAResponse(ctx, requestBody.TargetURL)`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`}`
			`}`