authelia/internal/handlers/handler_sign_totp.go

package handlers

import (
	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/regulation"
)

// SecondFactorTOTPPost validate the TOTP passcode provided by the user.
func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {
	return func(ctx *middlewares.AutheliaCtx) {
		requestBody := signTOTPRequestBody{}

		if err := ctx.ParseBody(&requestBody); err != nil {
			ctx.Logger.Errorf(logFmtErrParseRequestBody, regulation.AuthTypeTOTP, err)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		userSession := ctx.GetSession()

		config, err := ctx.Providers.StorageProvider.LoadTOTPConfiguration(ctx, userSession.Username)
		if err != nil {
			ctx.Logger.Errorf("Failed to load TOTP configuration: %+v", err)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		isValid, err := totpVerifier.Verify(config, requestBody.Token)
		if err != nil {
			ctx.Logger.Errorf("Failed to perform TOTP verification: %+v", err)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		if !isValid {
			_ = markAuthenticationAttempt(ctx, false, nil, userSession.Username, regulation.AuthTypeTOTP, nil)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		if err = markAuthenticationAttempt(ctx, true, nil, userSession.Username, regulation.AuthTypeTOTP, nil); err != nil {
			respondUnauthorized(ctx, messageMFAValidationFailed)
			return
		}

		if err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx); err != nil {
			ctx.Logger.Errorf(logFmtErrSessionRegenerate, regulation.AuthTypeTOTP, userSession.Username, err)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		userSession.SetTwoFactor(ctx.Clock.Now())

		if err = ctx.SaveSession(userSession); err != nil {
			ctx.Logger.Errorf(logFmtErrSessionSave, "authentication time", regulation.AuthTypeTOTP, userSession.Username, err)

			respondUnauthorized(ctx, messageMFAValidationFailed)

			return
		}

		if userSession.OIDCWorkflowSession != nil {
			handleOIDCWorkflowResponse(ctx)
		} else {
			Handle2FAResponse(ctx, requestBody.TargetURL)
		}
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`package handlers`

			`import (`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 08:04:35 +07:00			`"github.com/authelia/authelia/v4/internal/middlewares"`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`"github.com/authelia/authelia/v4/internal/regulation"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`)`

			`// SecondFactorTOTPPost validate the TOTP passcode provided by the user.`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`func SecondFactorTOTPPost(totpVerifier TOTPVerifier) middlewares.RequestHandler {`
			`return func(ctx *middlewares.AutheliaCtx) {`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`requestBody := signTOTPRequestBody{}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`if err := ctx.ParseBody(&requestBody); err != nil {`
			`ctx.Logger.Errorf(logFmtErrParseRequestBody, regulation.AuthTypeTOTP, err)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`userSession := ctx.GetSession()`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-06 02:35:32 +07:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 16:45:38 +07:00			`config, err := ctx.Providers.StorageProvider.LoadTOTPConfiguration(ctx, userSession.Username)`
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if err != nil {`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`ctx.Logger.Errorf("Failed to load TOTP configuration: %+v", err)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 16:45:38 +07:00			`isValid, err := totpVerifier.Verify(config, requestBody.Token)`
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`if err != nil {`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`ctx.Logger.Errorf("Failed to perform TOTP verification: %+v", err)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`

[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773) * Add period TOPT config key to define the time in seconds each OTP is rotated * Add skew TOTP config to define how many keys either side of the current one should be considered valid * Add tests and set minimum values * Update config template * Use unix epoch for position calculation and Fix QR gen * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute * Generate QR based on period * Fix OTP timer graphic 2020-03-25 08:48:20 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`if !isValid {`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`_ = markAuthenticationAttempt(ctx, false, nil, userSession.Username, regulation.AuthTypeTOTP, nil)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`

[FIX] Fix default redirection URL not taken into account (#600) * Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2020-02-01 19:54:50 +07:00			`return`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`if err = markAuthenticationAttempt(ctx, true, nil, userSession.Username, regulation.AuthTypeTOTP, nil); err != nil {`
			`respondUnauthorized(ctx, messageMFAValidationFailed)`
			`return`
			`}`

			`if err = ctx.Providers.SessionProvider.RegenerateSession(ctx.RequestCtx); err != nil {`
			`ctx.Logger.Errorf(logFmtErrSessionRegenerate, regulation.AuthTypeTOTP, userSession.Username, err)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`
[FEATURE] Regenerate session IDs after 2FA authentication. (#670) Session fixation attacks were prevented because a session ID was regenerated at each first factor authentication but this commit generalize session regeneration from first to second factor too. Fixes #180 2020-03-01 06:13:33 +07:00
			`return`
			`}`

feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-04 06:44:30 +07:00			`userSession.SetTwoFactor(ctx.Clock.Now())`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 10:09:14 +07:00			`if err = ctx.SaveSession(userSession); err != nil {`
			`ctx.Logger.Errorf(logFmtErrSessionSave, "authentication time", regulation.AuthTypeTOTP, userSession.Username, err)`

			`respondUnauthorized(ctx, messageMFAValidationFailed)`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`return`
			`}`

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`if userSession.OIDCWorkflowSession != nil {`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-04 06:44:30 +07:00			`handleOIDCWorkflowResponse(ctx)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-05 05:06:05 +07:00			`} else {`
			`Handle2FAResponse(ctx, requestBody.TargetURL)`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-25 04:52:08 +07:00			`}`
			`}`