summaryrefslogtreecommitdiffstats
path: root/Bugzilla/MFA/TOTP.pm
blob: 05e4e4e3b4fde90d8008cc7cec50c0ca0b278783 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

package Bugzilla::MFA::TOTP;
use strict;
use parent 'Bugzilla::MFA';

use Auth::GoogleAuth;
use Bugzilla::Error;
use Bugzilla::Token qw( issue_session_token );
use Bugzilla::Util qw( template_var generate_random_password );
use GD::Barcode::QRcode;
use MIME::Base64 qw( encode_base64 );

sub _auth {
    my ($self) = @_;
    return Auth::GoogleAuth->new({
        secret => $self->property_get('secret') // $self->property_get('secret.temp'),
        issuer => template_var('terms')->{BugzillaTitle},
        key_id => $self->{user}->login,
    });
}

sub enroll {
    my ($self) = @_;

    # create a new secret for the user
    # store it in secret.temp to avoid overwriting a valid secret
    $self->property_set('secret.temp', generate_random_password(16));

    # build the qr code
    my $auth = $self->_auth();
    my $otpauth = $auth->qr_code(undef, undef, undef, 1);
    my $png = GD::Barcode::QRcode->new($otpauth, { Version => 10, ModuleSize => 3 })->plot()->png();
    return { png => encode_base64($png), secret32 => $auth->secret32 };
}

sub enrolled {
    my ($self) = @_;

    # make the temporary secret permanent
    $self->property_set('secret', $self->property_get('secret.temp'));
    $self->property_delete('secret.temp');
}

sub prompt {
    my ($self, $params) = @_;
    my $template = Bugzilla->template;

    my $vars = {
        user  => $params->{user},
        token => scalar issue_session_token('mfa', $params->{user}),
        type  => $params->{type},
    };

    print Bugzilla->cgi->header();
    $template->process('mfa/totp/verify.html.tmpl', $vars)
        || ThrowTemplateError($template->error());
}

sub check {
    my ($self, $code) = @_;
    $self->_auth()->verify($code, 1)
        || ThrowUserError('mfa_totp_bad_code');
}

sub check_login {
    my ($self, $user) = @_;
    my $cgi = Bugzilla->cgi;

    $self->check($cgi->param('code') // '');
    $user->authorizer->mfa_verified($user, $cgi->param('type'));
}

1;