use Friendica\Core\System;
use Friendica\DI;
use Friendica\Model\Profile;
+use Friendica\Security\TwoFactor;
/**
* Logout module
}
Hook::callAll("logging_out");
+
+ // Remove this trusted browser as it won't be able to be used ever again after the cookie is cleared
+ if (DI::cookie()->get('trusted')) {
+ $trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
+ $trustedBrowserRepository->removeForUser(local_user(), DI::cookie()->get('trusted'));
+ }
+
DI::cookie()->clear();
DI::session()->clear();
use Friendica\Core\Session;
use Friendica\DI;
use PragmaRX\Google2FA\Google2FA;
+use Friendica\Security\TwoFactor;
/**
* Page 1: Authenticator code verification
if ($valid && Session::get('2fa') !== $code) {
Session::set('2fa', $code);
+ // Trust this browser feature
+ if (!empty($_REQUEST['trust_browser'])) {
+ $trustedBrowserFactory = new TwoFactor\Factory\TrustedBrowser(DI::logger());
+ $trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger(), $trustedBrowserFactory);
+
+ $trustedBrowser = $trustedBrowserFactory->createForUserWithUserAgent(local_user(), $_SERVER['HTTP_USER_AGENT']);
+
+ $trustedBrowserRepository->save($trustedBrowser);
+
+ // The string is sent to the browser to be sent back with each request
+ DI::cookie()->set('trusted', $trustedBrowser->cookie_hash);
+ }
+
// Resume normal login workflow
DI::auth()->setForUser($a, $a->user, true, true);
} else {
'$errors' => self::$errors,
'$recovery_message' => DI::l10n()->t('Don’t have your phone? <a href="%s">Enter a two-factor recovery code</a>', '2fa/recovery'),
'$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
+ '$trust_browser' => ['trust_browser', DI::l10n()->t('This is my two-factor authenticator app device'), !empty($_REQUEST['trust_browser'])],
'$verify_label' => DI::l10n()->t('Verify code and complete login'),
]);
}
use Friendica\DI;
use Friendica\Model\User;
use Friendica\Network\HTTPException;
-use Friendica\Repository\TwoFactor\TrustedBrowser;
+use Friendica\Security\TwoFactor\Repository\TrustedBrowser;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Network;
use Friendica\Util\Strings;
return;
}
- // Case 1: 2FA session present and valid: return
+ // Case 1a: 2FA session already present: return
if ($this->session->get('2fa')) {
return;
}
+ // Case 1b: Check for trusted browser
+ if ($this->cookie->get('trusted')) {
+ // Retrieve a trusted_browser model based on cookie hash
+ $trustedBrowserRepository = new TrustedBrowser($this->dba, $this->logger);
+ try {
+ $trustedBrowser = $trustedBrowserRepository->selectOneByHash($this->cookie->get('trusted'));
+ // Verify record ownership
+ if ($trustedBrowser->uid === $uid) {
+ // Update last_used date
+ $trustedBrowser->recordUse();
+
+ // Save it to the database
+ $trustedBrowserRepository->save($trustedBrowser);
+
+ // Set 2fa session key and return
+ $this->session->set('2fa', true);
+
+ return;
+ } else {
+ // Invalid trusted cookie value, removing it
+ $this->cookie->unset('trusted');
+ }
+ } catch (\Throwable $e) {
+ // Local trusted browser record was probably removed by the user, we carry on with 2FA
+ }
+ }
+
// Case 2: No valid 2FA session: redirect to code verification page
if ($this->mode->isAjax()) {
throw new HTTPException\ForbiddenException();
{{include file="field_input.tpl" field=$verify_code}}
+ {{include file="field_checkbox.tpl" field=$trust_browser}}
+
<div class="form-group settings-submit-wrapper">
<button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="verify">{{$verify_label}}</button>
</div>
projects / friendica.git / commitdiff