Diffstat (limited to 'app/Controller/Twofactor.php')
-rw-r--r--app/Controller/Twofactor.php113
1 files changed, 74 insertions, 39 deletions
diff --git a/app/Controller/Twofactor.php b/app/Controller/Twofactor.php
index 179241f8..10292261 100644
--- a/app/Controller/Twofactor.php
+++ b/app/Controller/Twofactor.php
@@ -2,10 +2,6 @@
namespace Kanboard\Controller;
-use Otp\Otp;
-use Otp\GoogleAuthenticator;
-use Base32\Base32;
-
/**
* Two Factor Auth controller
*
@@ -27,7 +23,7 @@ class Twofactor extends User
}
/**
- * Index
+ * Show form to disable/enable 2FA
*
* @access public
*/
@@ -35,68 +31,98 @@ class Twofactor extends User
{
$user = $this->getUser();
$this->checkCurrentUser($user);
+ unset($this->sessionStorage->twoFactorSecret);
+
+ $this->response->html($this->helper->layout->user('twofactor/index', array(
+ 'user' => $user,
+ 'provider' => $this->authenticationManager->getPostAuthenticationProvider()->getName(),
+ )));
+ }
+
+ /**
+ * Show page with secret and test form
+ *
+ * @access public
+ */
+ public function show()
+ {
+ $user = $this->getUser();
+ $this->checkCurrentUser($user);
$label = $user['email'] ?: $user['username'];
+ $provider = $this->authenticationManager->getPostAuthenticationProvider();
- $this->response->html($this->layout('twofactor/index', array(
+ if (! isset($this->sessionStorage->twoFactorSecret)) {
+ $provider->generateSecret();
+ $provider->beforeCode();
+ $this->sessionStorage->twoFactorSecret = $provider->getSecret();
+ } else {
+ $provider->setSecret($this->sessionStorage->twoFactorSecret);
+ }
+
+ $this->response->html($this->helper->layout->user('twofactor/show', array(
'user' => $user,
- 'qrcode_url' => $user['twofactor_activated'] == 1 ? GoogleAuthenticator::getQrCodeUrl('totp', $label, $user['twofactor_secret']) : '',
- 'key_url' => $user['twofactor_activated'] == 1 ? GoogleAuthenticator::getKeyUri('totp', $label, $user['twofactor_secret']) : '',
+ 'secret' => $this->sessionStorage->twoFactorSecret,
+ 'qrcode_url' => $provider->getQrCodeUrl($label),
+ 'key_url' => $provider->getKeyUrl($label),
)));
}
/**
- * Enable/disable 2FA
+ * Test code and save secret
*
* @access public
*/
- public function save()
+ public function test()
{
$user = $this->getUser();
$this->checkCurrentUser($user);
$values = $this->request->getValues();
- if (isset($values['twofactor_activated']) && $values['twofactor_activated'] == 1) {
+ $provider = $this->authenticationManager->getPostAuthenticationProvider();
+ $provider->setCode(empty($values['code']) ? '' : $values['code']);
+ $provider->setSecret($this->sessionStorage->twoFactorSecret);
+
+ if ($provider->authenticate()) {
+ $this->flash->success(t('The two factor authentication code is valid.'));
+
$this->user->update(array(
'id' => $user['id'],
'twofactor_activated' => 1,
- 'twofactor_secret' => GoogleAuthenticator::generateRandom(),
+ 'twofactor_secret' => $this->authenticationManager->getPostAuthenticationProvider()->getSecret(),
));
- } else {
- $this->user->update(array(
- 'id' => $user['id'],
- 'twofactor_activated' => 0,
- 'twofactor_secret' => '',
- ));
- }
- // Allow the user to test or disable the feature
- $_SESSION['user']['twofactor_activated'] = false;
+ unset($this->sessionStorage->twoFactorSecret);
+ $this->userSession->disablePostAuthentication();
- $this->session->flash(t('User updated successfully.'));
- $this->response->redirect($this->helper->url->to('twofactor', 'index', array('user_id' => $user['id'])));
+ $this->response->redirect($this->helper->url->to('twofactor', 'index', array('user_id' => $user['id'])));
+ } else {
+ $this->flash->failure(t('The two factor authentication code is not valid.'));
+ $this->response->redirect($this->helper->url->to('twofactor', 'show', array('user_id' => $user['id'])));
+ }
}
/**
- * Test 2FA
+ * Disable 2FA for the current user
*
* @access public
*/
- public function test()
+ public function deactivate()
{
$user = $this->getUser();
$this->checkCurrentUser($user);
- $otp = new Otp;
- $values = $this->request->getValues();
+ $this->user->update(array(
+ 'id' => $user['id'],
+ 'twofactor_activated' => 0,
+ 'twofactor_secret' => '',
+ ));
- if (! empty($values['code']) && $otp->checkTotp(Base32::decode($user['twofactor_secret']), $values['code'])) {
- $this->session->flash(t('The two factor authentication code is valid.'));
- } else {
- $this->session->flashError(t('The two factor authentication code is not valid.'));
- }
+ // Allow the user to test or disable the feature
+ $this->userSession->disablePostAuthentication();
+ $this->flash->success(t('User updated successfully.'));
$this->response->redirect($this->helper->url->to('twofactor', 'index', array('user_id' => $user['id'])));
}
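Review bot: test() reads `$this->sessionStorage->twoFactorSecret` unconditionally at the `setSecret` call, but that value only exists after show() has been visited in the same session; a direct POST to test without it hands the provider an unset value, and whether `authenticate()` then fails closed depends on the provider, which is not visible here. A guard before the provider setup would make the enrolment path explicit: `if (! isset($this->sessionStorage->twoFactorSecret)) {` / `    $this->response->redirect($this->helper->url->to('twofactor', 'show', array('user_id' => $user['id'])));` / `}`. In the success branch the secret persisted to the user row is fetched via a second `getPostAuthenticationProvider()` call rather than the `$provider` already configured a few lines above; using `$provider->getSecret()` keeps the stored secret tied to the instance that was just verified. The comment `// Allow the user to test or disable the feature` kept in deactivate() describes the old `$_SESSION` write and no longer matches the `disablePostAuthentication()` call it now sits above.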
@@ -110,15 +136,18 @@ class Twofactor extends User
$user = $this->getUser();
$this->checkCurrentUser($user);
- $otp = new Otp;
$values = $this->request->getValues();
- if (! empty($values['code']) && $otp->checkTotp(Base32::decode($user['twofactor_secret']), $values['code'])) {
- $this->session['2fa_validated'] = true;
- $this->session->flash(t('The two factor authentication code is valid.'));
+ $provider = $this->authenticationManager->getPostAuthenticationProvider();
+ $provider->setCode(empty($values['code']) ? '' : $values['code']);
+ $provider->setSecret($user['twofactor_secret']);
+
+ if ($provider->authenticate()) {
+ $this->userSession->validatePostAuthentication();
+ $this->flash->success(t('The two factor authentication code is valid.'));
$this->response->redirect($this->helper->url->to('app', 'index'));
} else {
- $this->session->flashError(t('The two factor authentication code is not valid.'));
+ $this->flash->failure(t('The two factor authentication code is not valid.'));
$this->response->redirect($this->helper->url->to('twofactor', 'code'));
}
}
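Review bot: The post-login code check accepts unlimited attempts: the failure branch only flashes a message and redirects back to the `code` action, and nothing in this hunk counts or records failed attempts, so a short numeric code can be guessed across repeated POSTs unless `authenticate()` or the user session throttles elsewhere, which is not visible here. Consider tracking the failure count in `sessionStorage` next to the existing two-factor keys and refusing the check (or forcing a re-login) once a bounded number of failures is reached, and at minimum add a comment on the else branch stating where attempt limiting is expected to live. The enclosing method's signature and docblock start outside the hunk.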
@@ -130,7 +159,13 @@ class Twofactor extends User
*/
public function code()
{
- $this->response->html($this->template->layout('twofactor/check', array(
+ if (! isset($this->sessionStorage->twoFactorBeforeCodeCalled)) {
+ $provider = $this->authenticationManager->getPostAuthenticationProvider();
+ $provider->beforeCode();
+ $this->sessionStorage->twoFactorBeforeCodeCalled = true;
+ }
+
+ $this->response->html($this->helper->layout->app('twofactor/check', array(
'title' => t('Check two factor authentication code'),
)));
}
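Review bot: `twoFactorBeforeCodeCalled` is set in the session here but no visible hunk ever clears it, so once a user has passed the code page the flag persists for the rest of the session and `beforeCode()` is skipped on any later 2FA prompt in that session unless `validatePostAuthentication()` or `disablePostAuthentication()` resets it, which cannot be confirmed from this page. Clearing it in the success branch of check(), `unset($this->sessionStorage->twoFactorBeforeCodeCalled);` right after `validatePostAuthentication()`, and likewise in deactivate(), keeps the provider's pre-code step bound to a single challenge. A short comment above the isset, `// beforeCode() must run once per challenge, not on every reload of this page`, would record why the flag exists.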
@@ -156,7 +191,7 @@ class Twofactor extends User
$this->response->redirect($this->helper->url->to('user', 'show', array('user_id' => $user['id'])));
}
- $this->response->html($this->layout('twofactor/disable', array(
+ $this->response->html($this->helper->layout->user('twofactor/disable', array(
'user' => $user,
)));
}