A fork of Gitea (see branch `mj`) adding Majority Judgment Polls 𐄷 over Issues and Merge Requests. https://git.mieuxvoter.fr
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

125 lines
3.4 KiB

  1. // Copyright 2017 The Gitea Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "crypto/md5"
  7. "crypto/sha256"
  8. "crypto/subtle"
  9. "encoding/base64"
  10. "fmt"
  11. "code.gitea.io/gitea/modules/generate"
  12. "code.gitea.io/gitea/modules/secret"
  13. "code.gitea.io/gitea/modules/setting"
  14. "code.gitea.io/gitea/modules/timeutil"
  15. "github.com/pquerna/otp/totp"
  16. "golang.org/x/crypto/pbkdf2"
  17. )
  18. // TwoFactor represents a two-factor authentication token.
  19. type TwoFactor struct {
  20. ID int64 `xorm:"pk autoincr"`
  21. UID int64 `xorm:"UNIQUE"`
  22. Secret string
  23. ScratchSalt string
  24. ScratchHash string
  25. LastUsedPasscode string `xorm:"VARCHAR(10)"`
  26. CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
  27. UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
  28. }
  29. // GenerateScratchToken recreates the scratch token the user is using.
  30. func (t *TwoFactor) GenerateScratchToken() (string, error) {
  31. token, err := generate.GetRandomString(8)
  32. if err != nil {
  33. return "", err
  34. }
  35. t.ScratchSalt, _ = generate.GetRandomString(10)
  36. t.ScratchHash = hashToken(token, t.ScratchSalt)
  37. return token, nil
  38. }
  39. func hashToken(token, salt string) string {
  40. tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)
  41. return fmt.Sprintf("%x", tempHash)
  42. }
  43. // VerifyScratchToken verifies if the specified scratch token is valid.
  44. func (t *TwoFactor) VerifyScratchToken(token string) bool {
  45. if len(token) == 0 {
  46. return false
  47. }
  48. tempHash := hashToken(token, t.ScratchSalt)
  49. return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1
  50. }
  51. func (t *TwoFactor) getEncryptionKey() []byte {
  52. k := md5.Sum([]byte(setting.SecretKey))
  53. return k[:]
  54. }
  55. // SetSecret sets the 2FA secret.
  56. func (t *TwoFactor) SetSecret(secretString string) error {
  57. secretBytes, err := secret.AesEncrypt(t.getEncryptionKey(), []byte(secretString))
  58. if err != nil {
  59. return err
  60. }
  61. t.Secret = base64.StdEncoding.EncodeToString(secretBytes)
  62. return nil
  63. }
  64. // ValidateTOTP validates the provided passcode.
  65. func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
  66. decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
  67. if err != nil {
  68. return false, err
  69. }
  70. secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
  71. if err != nil {
  72. return false, err
  73. }
  74. secretStr := string(secretBytes)
  75. return totp.Validate(passcode, secretStr), nil
  76. }
  77. // NewTwoFactor creates a new two-factor authentication token.
  78. func NewTwoFactor(t *TwoFactor) error {
  79. _, err := x.Insert(t)
  80. return err
  81. }
  82. // UpdateTwoFactor updates a two-factor authentication token.
  83. func UpdateTwoFactor(t *TwoFactor) error {
  84. _, err := x.ID(t.ID).AllCols().Update(t)
  85. return err
  86. }
  87. // GetTwoFactorByUID returns the two-factor authentication token associated with
  88. // the user, if any.
  89. func GetTwoFactorByUID(uid int64) (*TwoFactor, error) {
  90. twofa := &TwoFactor{}
  91. has, err := x.Where("uid=?", uid).Get(twofa)
  92. if err != nil {
  93. return nil, err
  94. } else if !has {
  95. return nil, ErrTwoFactorNotEnrolled{uid}
  96. }
  97. return twofa, nil
  98. }
  99. // DeleteTwoFactorByID deletes two-factor authentication token by given ID.
  100. func DeleteTwoFactorByID(id, userID int64) error {
  101. cnt, err := x.ID(id).Delete(&TwoFactor{
  102. UID: userID,
  103. })
  104. if err != nil {
  105. return err
  106. } else if cnt != 1 {
  107. return ErrTwoFactorNotEnrolled{userID}
  108. }
  109. return nil
  110. }