mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
347bd1be77
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
65 lines
1.4 KiB
Go
65 lines
1.4 KiB
Go
package handlers
|
|
|
|
import (
|
|
"errors"
|
|
"time"
|
|
|
|
"github.com/pquerna/otp"
|
|
"github.com/pquerna/otp/totp"
|
|
|
|
"github.com/authelia/authelia/v4/internal/models"
|
|
)
|
|
|
|
// TOTPVerifier is the interface for verifying TOTPs.
|
|
type TOTPVerifier interface {
|
|
Verify(config *models.TOTPConfiguration, token string) (bool, error)
|
|
}
|
|
|
|
// TOTPVerifierImpl the production implementation for TOTP verification.
|
|
type TOTPVerifierImpl struct {
|
|
Period uint
|
|
Skew uint
|
|
}
|
|
|
|
// Verify verifies TOTPs.
|
|
func (tv *TOTPVerifierImpl) Verify(config *models.TOTPConfiguration, token string) (bool, error) {
|
|
if config == nil {
|
|
return false, errors.New("config not provided")
|
|
}
|
|
|
|
opts := totp.ValidateOpts{
|
|
Period: uint(config.Period),
|
|
Skew: tv.Skew,
|
|
Digits: otp.Digits(config.Digits),
|
|
Algorithm: otpStringToAlgo(config.Algorithm),
|
|
}
|
|
|
|
return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)
|
|
}
|
|
|
|
func otpAlgoToString(algorithm otp.Algorithm) (out string) {
|
|
switch algorithm {
|
|
case otp.AlgorithmSHA1:
|
|
return totpAlgoSHA1
|
|
case otp.AlgorithmSHA256:
|
|
return totpAlgoSHA256
|
|
case otp.AlgorithmSHA512:
|
|
return totpAlgoSHA512
|
|
default:
|
|
return ""
|
|
}
|
|
}
|
|
|
|
func otpStringToAlgo(in string) (algorithm otp.Algorithm) {
|
|
switch in {
|
|
case totpAlgoSHA1:
|
|
return otp.AlgorithmSHA1
|
|
case totpAlgoSHA256:
|
|
return otp.AlgorithmSHA256
|
|
case totpAlgoSHA512:
|
|
return otp.AlgorithmSHA512
|
|
default:
|
|
return otp.AlgorithmSHA1
|
|
}
|
|
}
|