Add TOTP MFA (#342)

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/hashicorp/go-memdb v1.3.4
 	github.com/labstack/echo/v4 v4.12.0
 	github.com/markbates/goth v1.80.0
+	github.com/pquerna/otp v1.4.0
 	github.com/rs/zerolog v1.33.0
 	github.com/stretchr/testify v1.9.0
 	github.com/urfave/cli/v2 v2.27.2
@@ -51,6 +52,7 @@ require (
 	github.com/blevesearch/zapx/v14 v14.3.10 // indirect
 	github.com/blevesearch/zapx/v15 v15.3.13 // indirect
 	github.com/blevesearch/zapx/v16 v16.1.0 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.11.0 // indirect

go.sum

@@ -49,6 +49,9 @@ github.com/blevesearch/zapx/v15 v15.3.13 h1:6EkfaZiPlAxqXz0neniq35my6S48QI94W/wy
 github.com/blevesearch/zapx/v15 v15.3.13/go.mod h1:Turk/TNRKj9es7ZpKK95PS7f6D44Y7fAFy8F4LXQtGg=
 github.com/blevesearch/zapx/v16 v16.1.0 h1:bHsyowFqU0QA+uVDJCjifv9OvPGb8htkV52Yc/wT6xs=
 github.com/blevesearch/zapx/v16 v16.1.0/go.mod h1:P0h9lKRyl4EKksAWfxwCQ5I5pLB9jH2XD8bhYHuIYuc=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
+github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/chromedp/cdproto v0.0.0-20230220211738-2b1ec77315c9 h1:wMSvdj3BswqfQOXp2R1bJOAE7xIQLt2dlMQDMf836VY=
 github.com/chromedp/cdproto v0.0.0-20230220211738-2b1ec77315c9/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.1 h1:CC7cC5p1BeLiiS2gfNNPwp3OaUxtRMBjfiw3E3k6dFA=
@@ -189,6 +192,8 @@ github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJm
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=

internal/auth/totp/totp.go

@@ -0,0 +1,61 @@
+package totp
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/base64"
+	"github.com/pquerna/otp/totp"
+	"html/template"
+	"image/png"
+	"strings"
+)
+
+const secretSize = 16
+
+func GenerateQRCode(username, siteUrl string, secret []byte) (string, template.URL, error, []byte) {
+	var err error
+	if secret == nil {
+		secret, err = generateSecret()
+		if err != nil {
+			return "", "", err, nil
+		}
+	}
+
+	otpKey, err := totp.Generate(totp.GenerateOpts{
+		SecretSize:  secretSize,
+		Issuer:      "Opengist (" + strings.ReplaceAll(siteUrl, ":", "") + ")",
+		AccountName: username,
+		Secret:      secret,
+	})
+	if err != nil {
+		return "", "", err, nil
+	}
+
+	qrcode, err := otpKey.Image(320, 240)
+	if err != nil {
+		return "", "", err, nil
+	}
+
+	var imgBytes bytes.Buffer
+	if err = png.Encode(&imgBytes, qrcode); err != nil {
+		return "", "", err, nil
+	}
+
+	qrcodeImage := template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))
+
+	return otpKey.Secret(), qrcodeImage, nil, secret
+}
+
+func Validate(passcode, secret string) bool {
+	return totp.Validate(passcode, secret)
+}
+
+func generateSecret() ([]byte, error) {
+	secret := make([]byte, secretSize)
+	_, err := rand.Reader.Read(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	return secret, nil
+}

internal/config/config.go

@@ -22,6 +22,8 @@ var OpengistVersion = ""
 
 var C *config
 
+var SecretKey []byte
+
 // Not using nested structs because the library
 // doesn't support dot notation in this case sadly
 type config struct {
@@ -136,6 +138,8 @@ func InitConfig(configPath string, out io.Writer) error {
 
 	C = c
 
+	// SecretKey = utils.GenerateSecretKey(filepath.Join(GetHomeDir(), "opengist-secret.key"))
+
 	if err = os.Setenv("OG_OPENGIST_HOME_INTERNAL", GetHomeDir()); err != nil {
 		return err
 	}

internal/db/db.go

@@ -137,7 +137,7 @@ func Setup(dbUri string, sharedCache bool) error {
 		return err
 	}
 
-	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}); err != nil {
+	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{}); err != nil {
 		return err
 	}
 
@@ -241,5 +241,5 @@ func DeprecationDBFilename() {
 }
 
 func TruncateDatabase() error {
-	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{})
+	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{})
 }

internal/db/totp.go

@@ -0,0 +1,121 @@
+package db
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	ogtotp "github.com/thomiceli/opengist/internal/auth/totp"
+	"github.com/thomiceli/opengist/internal/utils"
+	"slices"
+)
+
+type TOTP struct {
+	ID            uint `gorm:"primaryKey"`
+	UserID        uint `gorm:"uniqueIndex"`
+	User          User
+	Secret        string
+	RecoveryCodes jsonData `gorm:"type:json"`
+	CreatedAt     int64
+	LastUsedAt    int64
+}
+
+func GetTOTPByUserID(userID uint) (*TOTP, error) {
+	var totp TOTP
+	err := db.Where("user_id = ?", userID).First(&totp).Error
+	return &totp, err
+}
+
+func (totp *TOTP) StoreSecret(secret string) error {
+	secretBytes := []byte(secret)
+	encrypted, err := utils.AESEncrypt([]byte("tmp"), secretBytes)
+	if err != nil {
+		return err
+	}
+
+	totp.Secret = base64.URLEncoding.EncodeToString(encrypted)
+	return nil
+}
+
+func (totp *TOTP) ValidateCode(code string) (bool, error) {
+	ciphertext, err := base64.URLEncoding.DecodeString(totp.Secret)
+	if err != nil {
+		return false, err
+	}
+
+	secretBytes, err := utils.AESDecrypt([]byte("tmp"), ciphertext)
+	if err != nil {
+		return false, err
+	}
+
+	return ogtotp.Validate(code, string(secretBytes)), nil
+}
+
+func (totp *TOTP) ValidateRecoveryCode(code string) (bool, error) {
+	var hashedCodes []string
+	if err := json.Unmarshal(totp.RecoveryCodes, &hashedCodes); err != nil {
+		return false, err
+	}
+
+	for i, hashedCode := range hashedCodes {
+		ok, err := utils.Argon2id.Verify(code, hashedCode)
+		if err != nil {
+			return false, err
+		}
+		if ok {
+			codesJson, _ := json.Marshal(slices.Delete(hashedCodes, i, i+1))
+			totp.RecoveryCodes = codesJson
+			return true, db.Model(&totp).Updates(TOTP{RecoveryCodes: codesJson}).Error
+		}
+	}
+	return false, nil
+}
+
+func (totp *TOTP) GenerateRecoveryCodes() ([]string, error) {
+	codes, plainCodes, err := generateRandomCodes()
+	if err != nil {
+		return nil, err
+	}
+
+	codesJson, _ := json.Marshal(codes)
+	totp.RecoveryCodes = codesJson
+
+	return plainCodes, db.Model(&totp).Updates(TOTP{RecoveryCodes: codesJson}).Error
+}
+
+func (totp *TOTP) Create() error {
+	return db.Create(&totp).Error
+}
+
+func (totp *TOTP) Delete() error {
+	return db.Delete(&totp).Error
+}
+
+func generateRandomCodes() ([]string, []string, error) {
+	const count = 5
+	const length = 10
+	codes := make([]string, count)
+	plainCodes := make([]string, count)
+	for i := 0; i < count; i++ {
+		bytes := make([]byte, (length+1)/2)
+		if _, err := rand.Read(bytes); err != nil {
+			return nil, nil, err
+		}
+		hexCode := hex.EncodeToString(bytes)
+		code := fmt.Sprintf("%s-%s", hexCode[:length/2], hexCode[length/2:])
+		plainCodes[i] = code
+		hashed, err := utils.Argon2id.Hash(code)
+		if err != nil {
+			return nil, nil, err
+		}
+		codes[i] = hashed
+	}
+	return codes, plainCodes, nil
+}
+
+// -- DTO -- //
+
+type TOTPDTO struct {
+	Code string `form:"code" validate:"max=50"`
+}

internal/db/types.go

@@ -2,6 +2,8 @@ package db
 
 import (
 	"database/sql/driver"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"gorm.io/gorm"
 	"gorm.io/gorm/schema"
@@ -38,3 +40,38 @@ func (*binaryData) GormDBDataType(db *gorm.DB, _ *schema.Field) string {
 		return "BLOB"
 	}
 }
+
+type jsonData json.RawMessage
+
+func (j *jsonData) Scan(value interface{}) error {
+	bytes, ok := value.([]byte)
+	if !ok {
+		return errors.New(fmt.Sprint("Failed to unmarshal JSONB value:", value))
+	}
+
+	result := json.RawMessage{}
+	err := json.Unmarshal(bytes, &result)
+	*j = jsonData(result)
+	return err
+}
+
+func (j *jsonData) Value() (driver.Value, error) {
+	if len(*j) == 0 {
+		return nil, nil
+	}
+	return json.RawMessage(*j).MarshalJSON()
+}
+
+func (*jsonData) GormDataType() string {
+	return "json"
+}
+
+func (*jsonData) GormDBDataType(db *gorm.DB, _ *schema.Field) string {
+	switch db.Dialector.Name() {
+	case "mysql", "sqlite":
+		return "JSON"
+	case "postgres":
+		return "JSONB"
+	}
+	return ""
+}

internal/db/user.go

@@ -206,11 +206,17 @@ func (user *User) DeleteProviderID(provider string) error {
 	return nil
 }
 
-func (user *User) HasMFA() (bool, error) {
-	var exists bool
-	err := db.Model(&WebAuthnCredential{}).Select("count(*) > 0").Where("user_id = ?", user.ID).Find(&exists).Error
+func (user *User) HasMFA() (bool, bool, error) {
+	var webauthn bool
+	var totp bool
+	err := db.Model(&WebAuthnCredential{}).Select("count(*) > 0").Where("user_id = ?", user.ID).Find(&webauthn).Error
+	if err != nil {
+		return false, false, err
+	}
+
+	err = db.Model(&TOTP{}).Select("count(*) > 0").Where("user_id = ?", user.ID).Find(&totp).Error
 
-	return exists, err
+	return webauthn, totp, err
 }
 
 // -- DTO -- //

internal/i18n/locales/en-US.yml

@@ -158,6 +158,23 @@ auth.mfa.passkey-added-at: Added
 auth.mfa.passkey-never-used: Never used
 auth.mfa.passkey-last-used: Last used
 auth.mfa.delete-passkey-confirm: Confirm deletion of passkey
+auth.totp: Time based one-time password (TOTP)
+auth.totp.help: TOTP is a two-factor authentication method that uses a shared secret to generate a one-time password.
+auth.totp.use: Use TOTP
+auth.totp.regenerate-recovery-codes: Regenerate recovery codes
+auth.totp.already-enabled: TOTP is already enabled
+auth.totp.invalid-secret: Invalid TOTP secret
+auth.totp.invalid-code: Invalid TOTP code
+auth.totp.code-used: The recovery code %s was used, it is now invalid. You may want to disable MFA for now or regenerate your codes.
+auth.totp.disabled: TOTP successfully disabled
+auth.totp.disable: Disable TOTP
+auth.totp.enter-code: Enter the code from the Authenticator app
+auth.totp.enter-recovery-key: or a recovery key if you lost your device
+auth.totp.code: Code
+auth.totp.submit: Submit
+auth.totp.proceed: Proceed
+auth.totp.save-recovery-codes: Save your recovery codes in a safe place. You can use these codes to recover access to your account if you lose access to your authenticator app.
+auth.totp.scan-qr-code: Scan the QR code below with your authenticator app to enable two-factor authentication or enter the following string, then confirm with the generated code.
 
 
 error: Error

internal/utils/aes.go

@@ -0,0 +1,46 @@
+package utils
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"fmt"
+	"io"
+)
+
+func AESEncrypt(key, text []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext := make([]byte, aes.BlockSize+len(text))
+	iv := ciphertext[:aes.BlockSize]
+	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[aes.BlockSize:], text)
+
+	return ciphertext, nil
+}
+
+func AESDecrypt(key, ciphertext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ciphertext) < aes.BlockSize {
+		return nil, fmt.Errorf("ciphertext too short")
+	}
+
+	iv := ciphertext[:aes.BlockSize]
+	ciphertext = ciphertext[aes.BlockSize:]
+
+	stream := cipher.NewCFBDecrypter(block, iv)
+	stream.XORKeyStream(ciphertext, ciphertext)
+
+	return ciphertext, nil
+}