3 * @copyright Copyright (C) 2020, Friendica
5 * @license GNU AGPL version 3 or any later version
7 * This program is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as
9 * published by the Free Software Foundation, either version 3 of the
10 * License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <https://www.gnu.org/licenses/>.
22 namespace Friendica\Model\TwoFactor;
24 use Friendica\Database\DBA;
25 use Friendica\Model\User;
26 use Friendica\Util\DateTimeFormat;
27 use Friendica\Util\Temporal;
28 use PragmaRX\Random\Random;
31 * Manages users' two-factor recovery hashed_passwords in the 2fa_app_specific_passwords table
33 class AppSpecificPassword
35 public static function countForUser($uid)
37 return DBA::count('2fa_app_specific_password', ['uid' => $uid]);
40 public static function checkDuplicateForUser($uid, $description)
42 return DBA::exists('2fa_app_specific_password', ['uid' => $uid, 'description' => $description]);
46 * Checks the provided hashed_password is available to use for login by the provided user
48 * @param int $uid User ID
49 * @param string $plaintextPassword
53 public static function authenticateUser($uid, $plaintextPassword)
55 $appSpecificPasswords = self::getListForUser($uid);
59 foreach ($appSpecificPasswords as $appSpecificPassword) {
60 if (password_verify($plaintextPassword, $appSpecificPassword['hashed_password'])) {
61 $fields = ['last_used' => DateTimeFormat::utcNow()];
62 if (password_needs_rehash($appSpecificPassword['hashed_password'], PASSWORD_DEFAULT)) {
63 $fields['hashed_password'] = User::hashPassword($plaintextPassword);
66 self::update($appSpecificPassword['id'], $fields);
76 * Returns a complete list of all recovery hashed_passwords for the provided user, including the used status
78 * @param int $uid User ID
82 public static function getListForUser($uid)
84 $appSpecificPasswordsStmt = DBA::select('2fa_app_specific_password', ['id', 'description', 'hashed_password', 'last_used'], ['uid' => $uid]);
86 $appSpecificPasswords = DBA::toArray($appSpecificPasswordsStmt);
88 array_walk($appSpecificPasswords, function (&$value) {
89 $value['ago'] = Temporal::getRelativeDate($value['last_used']);
92 return $appSpecificPasswords;
96 * Generates a new app specific password for the provided user and hashes it in the database.
98 * @param int $uid User ID
99 * @param string $description Password description
100 * @return array The new app-specific password data structure with the plaintext password added
103 public static function generateForUser(int $uid, $description)
105 $Random = (new Random())->size(40);
107 $plaintextPassword = $Random->get();
109 $generated = DateTimeFormat::utcNow();
113 'description' => $description,
114 'hashed_password' => User::hashPassword($plaintextPassword),
115 'generated' => $generated,
118 DBA::insert('2fa_app_specific_password', $fields);
120 $fields['id'] = DBA::lastInsertId();
121 $fields['plaintext_password'] = $plaintextPassword;
126 private static function update($appSpecificPasswordId, $fields)
128 return DBA::update('2fa_app_specific_password', $fields, ['id' => $appSpecificPasswordId]);
132 * Deletes all the recovery hashed_passwords for the provided user.
134 * @param int $uid User ID
138 public static function deleteAllForUser(int $uid)
140 return DBA::delete('2fa_app_specific_password', ['uid' => $uid]);
145 * @param int $app_specific_password_id
149 public static function deleteForUser(int $uid, int $app_specific_password_id)
151 return DBA::delete('2fa_app_specific_password', ['id' => $app_specific_password_id, 'uid' => $uid]);