go-urlsh/internal/web/multifactor-setup.go

package web

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"image/png"
	"log"
	"strconv"
	"time"

	"code.lila.network/adoralaura/go-urlsh/internal/constants"
	"code.lila.network/adoralaura/go-urlsh/internal/db"
	"code.lila.network/adoralaura/go-urlsh/internal/misc"
	"code.lila.network/adoralaura/go-urlsh/models"
	"github.com/gofiber/fiber/v2"
	"github.com/pquerna/otp/totp"
)

func HandleAdminAccountMFASetupGet(c *fiber.Ctx) error {
	if !db.IsCookieValid(c.Cookies(constants.LoginCookieName, "")) {
		c.Location("/admin/")
		c.Status(fiber.StatusSeeOther)
		return nil
	}

	var mfaobject models.MFATemplateObject
	var mfaconfig models.MFAConfig
	mfaconfig.Active = false
	mfaconfig.ExpiresAt = time.Now().Add(15 * time.Minute)

	user, err := db.GetUserFromCookie(c.Cookies(constants.LoginCookieName))
	if err != nil {
		log.Println(err)
		fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	scratchcodes := []models.MFAScratchCode{}
	scratchcodeFailed := 0

	// generate four unique(!) scratch codes for the user
	for len(scratchcodes) != 4 {
		if scratchcodeFailed > 15 {
			//TODO: structurized error logging
			fmt.Println("[HandleAdminAccountMFASetupPost] Failed to generate unique scratch code 15 times! Aborting")
			return misc.New500Error()
		}

		code := misc.RandomString(8)

		if db.ScratchCodeIsUnique(code) {
			scratchcodes = append(scratchcodes, models.MFAScratchCode{
				IsUsed: false, Code: code, UserName: user.UserName})
		} else {
			scratchcodeFailed++
		}
	}

	mfaconfig.UserName = user.UserName

	key, err := totp.Generate(totp.GenerateOpts{
		Issuer:      "go-urlsh",
		AccountName: user.UserName,
	})
	if err != nil {
		log.Println(err)
		fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	mfaconfig.TOTPSecret = key.Secret()
	mfaobject.Key = key.URL()

	var buf bytes.Buffer
	img, err := key.Image(200, 200)
	if err != nil {
		log.Println(err)
		fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	png.Encode(&buf, img)
	base64img := base64.StdEncoding.EncodeToString(buf.Bytes())

	mfaobject.Image = base64img

	_, err = models.DB.NewInsert().Model(&scratchcodes).Exec(context.Background())
	if err != nil {
		log.Printf("[HandleAdminAccountMFASetupGet] Error inserting scratch codes to DB: %q\n", err)
		fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	_, err = models.DB.NewInsert().Model(&mfaconfig).Exec(context.Background())
	if err != nil {
		log.Printf("[HandleAdminAccountMFASetupGet] Error inserting mfaconfig to DB: %q\n", err)
		fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	misc.SetMFASetupCookie(c, strconv.Itoa(int(mfaconfig.ID)))
	return c.Render("setup-multifactor", mfaobject)
}

func HandleAdminAccountMFASetupPost(c *fiber.Ctx) error {
	if !db.IsCookieValid(c.Cookies(constants.LoginCookieName, "")) {
		c.Location("/admin/")
		c.Status(fiber.StatusSeeOther)
		return nil
	}

	var response models.MFASetupResponse
	response.Error = true

	var token models.TokenRequest
	var config models.MFAConfig
	var scratchcodes []models.MFAScratchCode
	//var user models.User

	err := json.Unmarshal(c.Body(), &token)
	if err != nil {
		log.Println(err.Error())
		return fiber.NewError(fiber.StatusBadRequest, "400 Bad Request")
	}

	//if err := c.BodyParser(&token); err != nil {
	//	response.Message = "Token is invalid"
	//	c.Status(fiber.StatusBadRequest)
	//	c.JSON(response)
	//	return nil
	//}
	setupcookie := c.Cookies(constants.MFASetupCookieName, "")

	if setupcookie == "" {
		return fiber.NewError(fiber.StatusBadRequest, "400 Bad Request")
	}

	err = models.DB.NewSelect().Model(&config).Where("id = ?", setupcookie).Scan(context.Background())
	if err != nil {
		log.Printf("[HandleAdminAccountMFASetupPost] Error getting MFAConfig from DB: %q\n", err)
		return fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
	}

	totpvalid := totp.Validate(token.Token, config.TOTPSecret)
	if totpvalid {
		response.Error = false
		response.Message = "Multifactor authentication was successfully set up!"

		err = models.DB.NewSelect().Model(&scratchcodes).Where("username = ?", config.UserName).Scan(context.Background())
		if err != nil {
			log.Printf("[HandleAdminAccountMFASetupPost] Error getting MFA scratch codes from DB: %q\n", err)
			return fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")
		}

		var scratchcodeSlice []string
		for _, code := range scratchcodes {
			scratchcodeSlice = append(scratchcodeSlice, code.Code)
		}

		response.RecoveryTokens = scratchcodeSlice

		config.Active = true

		_, err := models.DB.NewUpdate().Model(&config).Column("active").WherePK().Exec(context.Background())
		if err != nil {
			log.Printf("[HandleAdminAccountMFASetupGet] Error getting MFAConfig from DB: %q\n", err)
			response.Message = "500: DB Error, see logs"
			c.Status(fiber.StatusInternalServerError)
			c.JSON(response)
			return nil
		}
		c.Status(fiber.StatusOK)
		c.JSON(response)
	} else {
		response.Error = true
		response.Message = "Token is invalid, please try again."
		c.Status(fiber.StatusBadRequest)
		c.JSON(response)
	}

	return nil
}
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`package web`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/base64"`
			`"encoding/json"`
Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00			`"fmt"`
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`"image/png"`
			`"log"`
			`"strconv"`
			`"time"`

			`"code.lila.network/adoralaura/go-urlsh/internal/constants"`
			`"code.lila.network/adoralaura/go-urlsh/internal/db"`
			`"code.lila.network/adoralaura/go-urlsh/internal/misc"`
			`"code.lila.network/adoralaura/go-urlsh/models"`
			`"github.com/gofiber/fiber/v2"`
			`"github.com/pquerna/otp/totp"`
			`)`

			`func HandleAdminAccountMFASetupGet(c *fiber.Ctx) error {`
			`if !db.IsCookieValid(c.Cookies(constants.LoginCookieName, "")) {`
			`c.Location("/admin/")`
			`c.Status(fiber.StatusSeeOther)`
			`return nil`
			`}`

			`var mfaobject models.MFATemplateObject`
			`var mfaconfig models.MFAConfig`
			`mfaconfig.Active = false`
			`mfaconfig.ExpiresAt = time.Now().Add(15 * time.Minute)`

			`user, err := db.GetUserFromCookie(c.Cookies(constants.LoginCookieName))`
			`if err != nil {`
			`log.Println(err)`
			`fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`
Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00
			`scratchcodes := []models.MFAScratchCode{}`
			`scratchcodeFailed := 0`

			`// generate four unique(!) scratch codes for the user`
			`for len(scratchcodes) != 4 {`
			`if scratchcodeFailed > 15 {`
			`//TODO: structurized error logging`
			`fmt.Println("[HandleAdminAccountMFASetupPost] Failed to generate unique scratch code 15 times! Aborting")`
			`return misc.New500Error()`
			`}`

			`code := misc.RandomString(8)`

			`if db.ScratchCodeIsUnique(code) {`
			`scratchcodes = append(scratchcodes, models.MFAScratchCode{`
			`IsUsed: false, Code: code, UserName: user.UserName})`
			`} else {`
			`scratchcodeFailed++`
			`}`
			`}`

Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`mfaconfig.UserName = user.UserName`

			`key, err := totp.Generate(totp.GenerateOpts{`
			`Issuer: "go-urlsh",`
			`AccountName: user.UserName,`
			`})`
			`if err != nil {`
			`log.Println(err)`
			`fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

			`mfaconfig.TOTPSecret = key.Secret()`
			`mfaobject.Key = key.URL()`

			`var buf bytes.Buffer`
			`img, err := key.Image(200, 200)`
			`if err != nil {`
			`log.Println(err)`
			`fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

			`png.Encode(&buf, img)`
			`base64img := base64.StdEncoding.EncodeToString(buf.Bytes())`

			`mfaobject.Image = base64img`

Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00			`_, err = models.DB.NewInsert().Model(&scratchcodes).Exec(context.Background())`
			`if err != nil {`
			`log.Printf("[HandleAdminAccountMFASetupGet] Error inserting scratch codes to DB: %q\n", err)`
			`fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`_, err = models.DB.NewInsert().Model(&mfaconfig).Exec(context.Background())`
			`if err != nil {`
			`log.Printf("[HandleAdminAccountMFASetupGet] Error inserting mfaconfig to DB: %q\n", err)`
			`fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

			`misc.SetMFASetupCookie(c, strconv.Itoa(int(mfaconfig.ID)))`
			`return c.Render("setup-multifactor", mfaobject)`
			`}`

			`func HandleAdminAccountMFASetupPost(c *fiber.Ctx) error {`
			`if !db.IsCookieValid(c.Cookies(constants.LoginCookieName, "")) {`
			`c.Location("/admin/")`
			`c.Status(fiber.StatusSeeOther)`
			`return nil`
			`}`

Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00			`var response models.MFASetupResponse`
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`response.Error = true`

			`var token models.TokenRequest`
			`var config models.MFAConfig`
Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00			`var scratchcodes []models.MFAScratchCode`
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`//var user models.User`

			`err := json.Unmarshal(c.Body(), &token)`
			`if err != nil {`
			`log.Println(err.Error())`
			`return fiber.NewError(fiber.StatusBadRequest, "400 Bad Request")`
			`}`

			`//if err := c.BodyParser(&token); err != nil {`
			`// response.Message = "Token is invalid"`
			`// c.Status(fiber.StatusBadRequest)`
			`// c.JSON(response)`
			`// return nil`
			`//}`
			`setupcookie := c.Cookies(constants.MFASetupCookieName, "")`

			`if setupcookie == "" {`
			`return fiber.NewError(fiber.StatusBadRequest, "400 Bad Request")`
			`}`

			`err = models.DB.NewSelect().Model(&config).Where("id = ?", setupcookie).Scan(context.Background())`
			`if err != nil {`
Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00			`log.Printf("[HandleAdminAccountMFASetupPost] Error getting MFAConfig from DB: %q\n", err)`
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00			`return fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

			`totpvalid := totp.Validate(token.Token, config.TOTPSecret)`
			`if totpvalid {`
			`response.Error = false`
			`response.Message = "Multifactor authentication was successfully set up!"`
Scratch codes can only be ussed once now (#6) 2024-05-06 15:32:53 +02:00
			`err = models.DB.NewSelect().Model(&scratchcodes).Where("username = ?", config.UserName).Scan(context.Background())`
			`if err != nil {`
			`log.Printf("[HandleAdminAccountMFASetupPost] Error getting MFA scratch codes from DB: %q\n", err)`
			`return fiber.NewError(fiber.StatusInternalServerError, "500 Internal Server Error")`
			`}`

			`var scratchcodeSlice []string`
			`for _, code := range scratchcodes {`
			`scratchcodeSlice = append(scratchcodeSlice, code.Code)`
			`}`

			`response.RecoveryTokens = scratchcodeSlice`
Add minimal working 2fa implementation 2024-05-04 17:06:01 +02:00
			`config.Active = true`

			`_, err := models.DB.NewUpdate().Model(&config).Column("active").WherePK().Exec(context.Background())`
			`if err != nil {`
			`log.Printf("[HandleAdminAccountMFASetupGet] Error getting MFAConfig from DB: %q\n", err)`
			`response.Message = "500: DB Error, see logs"`
			`c.Status(fiber.StatusInternalServerError)`
			`c.JSON(response)`
			`return nil`
			`}`
			`c.Status(fiber.StatusOK)`
			`c.JSON(response)`
			`} else {`
			`response.Error = true`
			`response.Message = "Token is invalid, please try again."`
			`c.Status(fiber.StatusBadRequest)`
			`c.JSON(response)`
			`}`

			`return nil`
			`}`