Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Building solution for 2FA signin , there a lot of work! #280

Open
orlovskyjavaprofi opened this issue Oct 18, 2023 · 9 comments
Open

Building solution for 2FA signin , there a lot of work! #280

orlovskyjavaprofi opened this issue Oct 18, 2023 · 9 comments

Comments

@orlovskyjavaprofi
Copy link

orlovskyjavaprofi commented Oct 18, 2023

Yes i am crazy about security and i am doing it:

First alteration in the main table Yourtableprefix is just placeholder use your prefix if you have one!

CREATE TABLE Yourtableprefix_admin2faconfig (
users2FAstateName VARCHAR(100) NOT NULL,
enabled2fa BOOLEAN DEFAULT FALSE NOT NULL,
PRIMARY KEY (users2FAstateName)
);

INSERT INTO Yourtableprefix_admin2faconfig (users2FAstateName, enabled2fa) VALUES ('Global2FAState', 0);

This trigger will not allow to insert rows, we dont need this , just do update.
DELIMITER //
CREATE TRIGGER InsertionToAdmin2FAConfigDisallow
BEFORE INSERT ON Yourtableprefix_admin2faconfig
FOR EACH ROW
BEGIN
SIGNAL SQLSTATE '45000'
SET MESSAGE_TEXT = 'You cannot insert rows to admin2faconfig table.';
END;
//
DELIMITER ;

ALTER TABLE Yourtableprefix_users
ADD COLUMN user2FAstate BOOLEAN DEFAULT FALSE NOT NULL;

With that you have one table which acts like indicator if 2FA should be "worldwide" enabled or not.
Then there alteration for all users, because each user must be allowed to enable and use 2fa

I will write 2FA activation and authentication for sign in only parts , because i think deactivating 2fA is trivial stuff, and let be honest clipbucket code base not in the best shape or condition , to make fast commits, you need be chatgpt version 10 ;)

Here i post code which allow you to have via admin config panel to enable or disable global 2fa state

[ https://pastebin.com/wVuXmDKW ](main.php from the admin panel)
https://pastebin.com/qWAJUUaJ ** my_queries.class.php oh now , i think when i work with that i lost my mind ;)**
https://pastebin.com/t4KEerZD i got lazy and written special method for only 3 parameters for the update, i like explicit stuff and dislike verbosity and obscure and unclean function calls .
https://pastebin.com/6W9C7Cmt Now i am not a fronted developer, but i am fullstack developer, still this part of code wasn't so hard, but understanding binding without chatgpt would be even for me very hard.

Overall , if somebody love php and try to work on the clipbucket , i think they start to want to program something better pascal or python i dont know.

My motivation to work on this project is really limited on what my client expects from final product.
I even manage to integrate via simple web widget owncast server , its html code which load the broadcasting live , which actually missing in clipbucket.
Don't close this issue i will post further details about developing 2FA

@orlovskyjavaprofi
Copy link
Author

ALTER TABLE YourFavorPrefix_users
ADD COLUMN user2FAconfigstate BOOLEAN DEFAULT FALSE NOT NULL;

ALTER TABLE YourFavorPrefix_users
ADD COLUMN user2FAprivatecode VARCHAR(40) DEFAULT '' NOT NULL;

user2FAconfigstate will be use to decide where to display or not to display config for 2FA
user2FAprivatecode this will be used for encrypted key, AES algo which would use user password , only encrypted code will be stored in the database.

@orlovskyjavaprofi
Copy link
Author

Work on 2FA continues, the difficulty which i currently experience is that template engine very strange to me binding in the template of clipbucket and data submission between fronted and back-end is complex , i think after i have full integration of 2FA i will probably stop submit any new code (yes that stuff happen), this project is really complex and who ever will maintain it in future, they have my full respect and honor.

https://pastebin.com/qp71bwDG here is userMenuLeft.html trough which i added new menu item.
https://pastebin.com/WccCKwxq edit_account.php here is big question i need to figure out how to back and forth with database, because some data like state of the checkbox is decide via database
https://pastebin.com/YFCwDfKm is utter mess, i don't know how i manage to parse it , i was lucky , chatgtp did not help me at all here, so in template stuff like
<input value="1" id="example" {if $variablewhichbinded.NameOfCheckbox=='1'}checked{/if} name="NameOfCheckbox" type="checkbox" class="ace ace-switch ace-switch-5 bootstrap-switch-on"/>
The tricky part about to do in php the right binding so that if each time template loaded it get populated with right value from database, and thats sometimes can be very challenging, because defined methods or even variable not always make sense, sometime i just search in code for very low level function and do rewrite them to suite my current requirements, i know this not perfect , but it works!
I wil explain later how i will generate secure codes for the Google Authenticator that would be fun.....

@orlovskyjavaprofi
Copy link
Author

Fighting templating of smarty was not fun, neither i will do it second time. so here another major milestone!
Chatgpt assisted, but many times it just push to write own better code, which is really good.

https://pastebin.com/Z4Webn83 I have issues, with the way how smarty doing stuff, it just annoying, to fight it , conditional stuff is obvious but understanding how binding works was really , really important .

https://pastebin.com/876dqHxF same issues binding its way to complicating, you store state in database get it constantly back and catch the right post , at the moment user can set up 2FA only once, i think its good because if user constantly enabled and disable 2FA this potential can produce performance decrease, sure nobody in mind would make big big youtube clone , but stil consider this user who have security concerns must make sure that his authenticator device is operation if suddenly he loose his device he would not able to login. Somebody else write this future, my major concern usage of 2FA with clipbucket.
https://pastebin.com/wkK0mE6t user.class.php responsible for all user activity and getting data from db class, not much to say, sure one big refactor for this class make live of all developers better.
**https://pastebin.com/NTzpkqQW ** db.class.php this one too way big , i added some functions for my 2FA logic and it works.

Summary: binding, binding its one of things which i hate in this project , sure without good template you have obviously not so beautiful website, but i say why limit yourself with somebody understanding of content representation, webcomponents nowadays are way more efficient, hell even VueJS or Angular is better in comparison to smarty. I just saying , if somebody have plans to develop this platform , i think good overall change in design and software architecture should be considered.
Me? As soon as i get 2FA working , i will not bother with commits, its project , but code quality not at my best expectations.

@orlovskyjavaprofi
Copy link
Author

orlovskyjavaprofi commented Oct 20, 2023

ALTER TABLE voiceOfIRS_users MODIFY user2FAprivatecode VARCHAR(300) NOT NULL;

This alteration is needed because i store encrypted 2FA secret code.

@orlovskyjavaprofi
Copy link
Author

my current composer.json

{
"name": "opensourcecommunity/clipbucket",
"require": {
"filp/whoops": "2.15.3",
"predis/predis": "^v1.1.10",
"psr/log": "1.1.4",
"phpmailer/phpmailer": "^6.8.0",
"spomky-labs/otphp": "11.2.0",
"bacon/bacon-qr-code": "2.0.7",
"smarty/smarty": "3.1.48"
},
"prefer-stable": true,
"config": {
"preferred-install": {
"smarty/smarty": "3.1.48"
}
}
}

@orlovskyjavaprofi
Copy link
Author

https://pastebin.com/BaUURMwf Well edit_account.html was a mess ,now i finally added the part for 2FA it do what it does , meaning showing all important parts for 2FA activation

https://pastebin.com/c9BpNtPh edit_account.php now it have everything what you for 2FA setup ( i plan to move the decryption method near login and it make sense because here i only encrypt the code

https://pastebin.com/dRV6DzYD user.class.php just forward data to db class nothing special , merely a design from "legacy"

https://pastebin.com/hu6uQRs9 db.class.php i written another db methods to do my data persistence too nothing special about.

Now everything in place (except admin management for each of users 2fa ) , i do finally the job for activating 2FA on all login forms admin and user and thats it!

The dependency on bacon and otphp hopefully is in terms of the project licensing and the opensource community.
I should repeat major hurdle is old template engine smarty i "fought" it really and really hard,

Eventually i know how it binds, it make me not feel happier , but 2FA is almost ready now i proceed to work on logins.

@orlovskyjavaprofi
Copy link
Author

Finally it works!
The admin 2FA will be on the next week, i proceed with cleanup of stuff, a lot thing did moved for me.

https://pastebin.com/dPud6EAX edit_account.html nothing here changed so far
https://pastebin.com/X4WFsj61 edit_account.php moved the method for decryption to signup.php , it works!
https://pastebin.com/9NgBAh6m ok some explanation 2FA acts like additional layer of protection, some cleaning probably at order , currently i dont care because it work so dont touch it ;)
https://pastebin.com/UkGtR7Zk here nothing special hide and unhide could be done better, but as said early i dont care about smarty way of handling content and i dont like working with smarty.
https://pastebin.com/Djbxm9kz this class must be refactored i dont know how it must be to many responsibilities its acts currently as proxy for persistance to db.

https://pastebin.com/6j3fkcdu db.class.php i have done my best all SQL which executes it acts like measure , if condition not applied no SQL update or insert executed , it is better to be safe then sorry.

So this it next last chapter will be 2FA for admin panel and then it will be upto other to write code or fix bugs.

@orlovskyjavaprofi
Copy link
Author

orlovskyjavaprofi commented Oct 21, 2023

Finally the completion!

https://pastebin.com/QixiG2bW login.php , yes code repeat quick and diry this works, you can refactor of course all to class 2FAAuth or something like that , but for me i just care that it works!
**And think about, what if you need to use different encryption and decryption method for your admin (Security matters), **
Tight coupling must be avoided at all times!
https://pastebin.com/c2vrRGj3 admin.login yes code repeat too, but it works!

Feel free to improve my code make new php class or classes for repeated code, but this project a huge one, some classes have 1000+ lines try to refactor it without breaking something and its really hard!!!

Smarty template engine, what a joke, one of the obscures template engine i ever saw!

Chapgpt helped me a lot, i can say , the code was not always on point but with 4 or 5 iterations i always got what i expected, it was like a TDD actually really cool you should try it.

Whats left?

One stuff which i didn't implemented on the admin side to have feature to enable and disable 2FA for any given user, i think its easy fix trough database, real reason, i dont like writing new forms in smarty , i provided enough example code to do it without major pains, but its up to someone else who will work further on this project.

2FA as you read works on both user groups admin and users and its really secure.

One last feature which i would like to see in future is hCaptcha on Login (Both admin and user) , but its a plugin, we don't need tight coupling with any external services like hCaptcha.

Overall i must say using php is way way easy , then program in Java or God forbids Kotlin or even Scala, real competitor to PHP probably Python, but as JAVA in Enterprise PHP "owns" CMS for small and middle Enterprises systems.

@orlovskyjavaprofi
Copy link
Author

ALTER TABLE clipbucket.yourpreifx_users
MODIFY COLUMN user2FAprivatecode varchar(300) NOT NULL DEFAULT '';
Yes this will fix problems with registration of users!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant