mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
ad8e844af6
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
179 lines
4.4 KiB
Go
179 lines
4.4 KiB
Go
package storage
|
|
|
|
const (
|
|
queryFmtSelectMigrations = `
|
|
SELECT id, applied, version_before, version_after, application_version
|
|
FROM %s;`
|
|
|
|
queryFmtSelectLatestMigration = `
|
|
SELECT id, applied, version_before, version_after, application_version
|
|
FROM %s
|
|
ORDER BY id DESC
|
|
LIMIT 1;`
|
|
|
|
queryFmtInsertMigration = `
|
|
INSERT INTO %s (applied, version_before, version_after, application_version)
|
|
VALUES (?, ?, ?, ?);`
|
|
)
|
|
|
|
const (
|
|
queryMySQLSelectExistingTables = `
|
|
SELECT table_name
|
|
FROM information_schema.tables
|
|
WHERE table_type = 'BASE TABLE' AND table_schema = database();`
|
|
|
|
queryPostgreSelectExistingTables = `
|
|
SELECT table_name
|
|
FROM information_schema.tables
|
|
WHERE table_type = 'BASE TABLE' AND table_schema = 'public';`
|
|
|
|
querySQLiteSelectExistingTables = `
|
|
SELECT name
|
|
FROM sqlite_master
|
|
WHERE type = 'table';`
|
|
)
|
|
|
|
const (
|
|
queryFmtSelectUserInfo = `
|
|
SELECT second_factor_method, (SELECT EXISTS (SELECT id FROM %s WHERE username = ?)) AS has_totp, (SELECT EXISTS (SELECT id FROM %s WHERE username = ?)) AS has_u2f, (SELECT EXISTS (SELECT id FROM %s WHERE username = ?)) AS has_duo
|
|
FROM %s
|
|
WHERE username = ?;`
|
|
|
|
queryFmtSelectPreferred2FAMethod = `
|
|
SELECT second_factor_method
|
|
FROM %s
|
|
WHERE username = ?;`
|
|
|
|
queryFmtUpsertPreferred2FAMethod = `
|
|
REPLACE INTO %s (username, second_factor_method)
|
|
VALUES (?, ?);`
|
|
|
|
queryFmtPostgresUpsertPreferred2FAMethod = `
|
|
INSERT INTO %s (username, second_factor_method)
|
|
VALUES ($1, $2)
|
|
ON CONFLICT (username)
|
|
DO UPDATE SET second_factor_method = $2;`
|
|
)
|
|
|
|
const (
|
|
queryFmtSelectExistsIdentityVerification = `
|
|
SELECT EXISTS (
|
|
SELECT id
|
|
FROM %s
|
|
WHERE jti = ? AND exp > CURRENT_TIMESTAMP AND used IS NULL
|
|
);`
|
|
|
|
queryFmtInsertIdentityVerification = `
|
|
INSERT INTO %s (jti, iat, exp, username, action)
|
|
VALUES (?, ?, ?, ?, ?);`
|
|
|
|
queryFmtDeleteIdentityVerification = `
|
|
UPDATE %s
|
|
SET used = CURRENT_TIMESTAMP
|
|
WHERE jti = ?;`
|
|
)
|
|
|
|
const (
|
|
queryFmtSelectTOTPConfiguration = `
|
|
SELECT id, username, issuer, algorithm, digits, totp_period, secret
|
|
FROM %s
|
|
WHERE username = ?;`
|
|
|
|
queryFmtSelectTOTPConfigurations = `
|
|
SELECT id, username, issuer, algorithm, digits, totp_period, secret
|
|
FROM %s
|
|
LIMIT ?
|
|
OFFSET ?;`
|
|
|
|
//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
|
|
queryFmtUpdateTOTPConfigurationSecret = `
|
|
UPDATE %s
|
|
SET secret = ?
|
|
WHERE id = ?;`
|
|
|
|
//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
|
|
queryFmtUpdateTOTPConfigurationSecretByUsername = `
|
|
UPDATE %s
|
|
SET secret = ?
|
|
WHERE username = ?;`
|
|
|
|
queryFmtUpsertTOTPConfiguration = `
|
|
REPLACE INTO %s (username, issuer, algorithm, digits, totp_period, secret)
|
|
VALUES (?, ?, ?, ?, ?, ?);`
|
|
|
|
queryFmtPostgresUpsertTOTPConfiguration = `
|
|
INSERT INTO %s (username, issuer, algorithm, digits, totp_period, secret)
|
|
VALUES ($1, $2, $3, $4, $5, $6)
|
|
ON CONFLICT (username)
|
|
DO UPDATE SET issuer = $2, algorithm = $3, digits = $4, totp_period = $5, secret = $6;`
|
|
|
|
queryFmtDeleteTOTPConfiguration = `
|
|
DELETE FROM %s
|
|
WHERE username = ?;`
|
|
)
|
|
|
|
const (
|
|
queryFmtSelectU2FDevice = `
|
|
SELECT key_handle, public_key
|
|
FROM %s
|
|
WHERE username = ?;`
|
|
|
|
queryFmtUpsertU2FDevice = `
|
|
REPLACE INTO %s (username, key_handle, public_key)
|
|
VALUES (?, ?, ?);`
|
|
|
|
queryFmtPostgresUpsertU2FDevice = `
|
|
INSERT INTO %s (username, key_handle, public_key)
|
|
VALUES ($1, $2, $3)
|
|
ON CONFLICT (username)
|
|
DO UPDATE SET key_handle=$2, public_key=$3;`
|
|
)
|
|
|
|
const (
|
|
queryFmtUpsertDuoDevice = `
|
|
REPLACE INTO %s (username, device, method)
|
|
VALUES (?, ?, ?);`
|
|
|
|
queryFmtDeleteDuoDevice = `
|
|
DELETE
|
|
FROM %s
|
|
WHERE username = ?;`
|
|
|
|
queryFmtSelectDuoDevice = `
|
|
SELECT id, username, device, method
|
|
FROM %s
|
|
WHERE username = ?
|
|
ORDER BY id;`
|
|
)
|
|
|
|
const (
|
|
queryFmtInsertAuthenticationLogEntry = `
|
|
INSERT INTO %s (time, successful, banned, username, auth_type, remote_ip, request_uri, request_method)
|
|
VALUES (?, ?, ?, ?, ?, ?, ?, ?);`
|
|
|
|
queryFmtSelect1FAAuthenticationLogEntryByUsername = `
|
|
SELECT time, successful, username
|
|
FROM %s
|
|
WHERE time > ? AND username = ? AND auth_type = '1FA' AND banned = 0
|
|
ORDER BY time DESC
|
|
LIMIT ?
|
|
OFFSET ?;`
|
|
)
|
|
|
|
const (
|
|
queryFmtSelectEncryptionValue = `
|
|
SELECT (value)
|
|
FROM %s
|
|
WHERE name = ?`
|
|
|
|
queryFmtUpsertEncryptionValue = `
|
|
REPLACE INTO %s (name, value)
|
|
VALUES (?, ?);`
|
|
|
|
queryFmtPostgresUpsertEncryptionValue = `
|
|
INSERT INTO %s (name, value)
|
|
VALUES ($1, $2)
|
|
ON CONFLICT (name)
|
|
DO UPDATE SET value=$2;`
|
|
)
|