Add TOTP functionality

Signed-off-by: Tim Goudriaan <tim@codedmonkey.com>

Author: codedmonkey

config/packages/scheb_2fa.yaml

@@ -5,3 +5,4 @@ scheb_two_factor:
         - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken
     totp:
         enabled: true
+        template: dashboard/security/mfa.html.twig

migrations/Version20250922225651.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20250922225651 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add TOTP secret';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ADD totp_secret VARCHAR(255) DEFAULT NULL
+        SQL);
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" DROP totp_secret
+        SQL);
+    }
+}

src/Controller/Dashboard/DashboardAccountController.php

@@ -6,11 +6,12 @@
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
 use CodedMonkey\Dirigent\Form\AccountFormType;
 use CodedMonkey\Dirigent\Form\ChangePasswordFormType;
+use CodedMonkey\Dirigent\Form\MfaClearFormType;
+use CodedMonkey\Dirigent\Form\MfaSetupFormType;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
-use Symfony\Component\Form\FormError;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Attribute\Route;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
@@ -19,7 +20,7 @@ class DashboardAccountController extends AbstractController
 {
     public function __construct(
         private readonly UserRepository $userRepository,
-        private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly TotpAuthenticatorInterface $totpAuthenticator,
     ) {
     }
 
@@ -28,8 +29,6 @@ public function __construct(
     public function account(Request $request, #[CurrentUser] User $user): Response
     {
         $accountForm = $this->createForm(AccountFormType::class, $user);
-        $passwordForm = $this->createForm(ChangePasswordFormType::class);
-
         $accountForm->handleRequest($request);
 
         if ($accountForm->isSubmitted() && $accountForm->isValid()) {
@@ -40,29 +39,84 @@ public function account(Request $request, #[CurrentUser] User $user): Response
             return $this->redirectToRoute('dashboard_account');
         }
 
+        $passwordForm = $this->createForm(ChangePasswordFormType::class);
         $passwordForm->handleRequest($request);
 
-        if ($passwordForm->isSubmitted()) {
-            $currentPassword = $passwordForm->get('currentPassword')->getData();
+        if ($passwordForm->isSubmitted() && $passwordForm->isValid()) {
+            $user->setPlainPassword($passwordForm->get('newPassword')->getData());
 
-            if (!$this->passwordHasher->isPasswordValid($user, $currentPassword)) {
-                $passwordForm->get('currentPassword')->addError(new FormError('Your current password is incorrect.'));
-            }
-
-            if ($passwordForm->isValid()) {
-                $user->setPlainPassword($passwordForm->get('newPassword')->getData());
-
-                $this->userRepository->save($user, true);
+            $this->userRepository->save($user, true);
 
-                $this->addFlash('success', 'Your password was successfully updated.');
+            $this->addFlash('success', 'Your password was successfully updated.');
 
-                return $this->redirectToRoute('dashboard_account');
-            }
+            return $this->redirectToRoute('dashboard_account');
         }
 
-        return $this->render('dashboard/account.html.twig', [
+        return $this->render('dashboard/account/account.html.twig', [
             'accountForm' => $accountForm,
             'passwordForm' => $passwordForm,
         ]);
     }
+
+    #[Route('/account/mfa', name: 'dashboard_account_mfa')]
+    #[IsGranted('ROLE_USER')]
+    public function mfa(Request $request, #[CurrentUser] User $user): Response
+    {
+        if ($user->isTotpAuthenticationEnabled()) {
+            return $this->clearMfa($request, $user);
+        }
+
+        return $this->setupMfa($request, $user);
+    }
+
+    private function setupMfa(Request $request, User $user): Response
+    {
+        $session = $request->getSession();
+
+        if (null === $totpSecret = $session->get('totp_secret')) {
+            $totpSecret = $this->totpAuthenticator->generateSecret();
+
+            $session->set('totp_secret', $totpSecret);
+        }
+
+        $user->setTotpSecret($totpSecret);
+
+        $form = $this->createForm(MfaSetupFormType::class);
+        $form->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            $this->userRepository->save($user, true);
+
+            $this->addFlash('success', 'Multi-factor authentication was successfully enabled.');
+
+            $session->remove('totp_secret');
+
+            return $this->redirectToRoute('dashboard_account');
+        }
+
+        return $this->render('dashboard/account/mfa_setup.html.twig', [
+            'form' => $form,
+            'totpContent' => $this->totpAuthenticator->getQRContent($user),
+        ]);
+    }
+
+    public function clearMfa(Request $request, User $user): Response
+    {
+        $form = $this->createForm(MfaClearFormType::class);
+        $form->handleRequest($request);
+
+        if ($form->isSubmitted() && $form->isValid()) {
+            $user->setTotpSecret(null);
+
+            $this->userRepository->save($user, true);
+
+            $this->addFlash('warning', 'Multi-factor authentication was successfully disabled.');
+
+            return $this->redirectToRoute('dashboard_account');
+        }
+
+        return $this->render('dashboard/account/mfa_clear.html.twig', [
+            'form' => $form,
+        ]);
+    }
 }

src/Doctrine/Entity/User.php

@@ -8,14 +8,17 @@
 use Doctrine\ORM\Mapping\GeneratedValue;
 use Doctrine\ORM\Mapping\Id;
 use Doctrine\ORM\Mapping\Table;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfiguration;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfigurationInterface;
+use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
 use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 #[Entity(repositoryClass: UserRepository::class)]
 #[Table(name: '`user`')]
 #[UniqueEntity('username', message: 'This username is already taken')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFactorInterface
 {
     #[Column]
     #[GeneratedValue]
@@ -39,6 +42,9 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
     private ?string $plainPassword = null;
 
+    #[Column(nullable: true)]
+    private ?string $totpSecret = null;
+
     public function getId(): ?int
     {
         return $this->id;
@@ -110,6 +116,16 @@ public function setPlainPassword(string $password): self
         return $this;
     }
 
+    public function getTotpSecret(): ?string
+    {
+        return $this->totpSecret;
+    }
+
+    public function setTotpSecret(?string $totpSecret): void
+    {
+        $this->totpSecret = $totpSecret;
+    }
+
     public function getUserIdentifier(): string
     {
         return (string) $this->username;
@@ -160,4 +176,19 @@ public function setSuperAdmin(bool $admin): void
             }
         }
     }
+
+    public function isTotpAuthenticationEnabled(): bool
+    {
+        return null !== $this->totpSecret;
+    }
+
+    public function getTotpAuthenticationUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function getTotpAuthenticationConfiguration(): ?TotpConfigurationInterface
+    {
+        return $this->totpSecret ? new TotpConfiguration($this->totpSecret, TotpConfiguration::ALGORITHM_SHA1, 30, 6) : null;
+    }
 }

src/EventListener/DashboardRoutingListener.php

@@ -16,8 +16,9 @@
     public function dashboardContext(RequestEvent $event): void
     {
         $request = $event->getRequest();
+        $routeName = $request->attributes->get('_route');
 
-        if (str_starts_with($request->attributes->get('_route'), 'dashboard_')) {
+        if (str_starts_with($routeName, 'dashboard_') || 'mfa_login' === $routeName) {
             $request->attributes->set(EA::DASHBOARD_CONTROLLER_FQCN, DashboardRootController::class);
         }
     }

src/Form/ChangePasswordFormType.php

@@ -2,6 +2,7 @@
 
 namespace CodedMonkey\Dirigent\Form;
 
+use CodedMonkey\Dirigent\Validator\UserPassword;
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\FormBuilderInterface;
@@ -13,6 +14,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
         $builder
             ->add('currentPassword', PasswordType::class, [
                 'required' => true,
+                'constraints' => [new UserPassword()],
             ])
             ->add('newPassword', NewPasswordType::class, [
                 'new_password' => true,

src/Form/MfaClearFormType.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Form;
+
+use CodedMonkey\Dirigent\Validator\UserPassword;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\FormBuilderInterface;
+
+class MfaClearFormType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('currentPassword', PasswordType::class, [
+                'required' => true,
+                'constraints' => [new UserPassword()],
+            ]);
+    }
+}

src/Form/MfaSetupFormType.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Form;
+
+use CodedMonkey\Dirigent\Validator\UserMfaCode;
+use CodedMonkey\Dirigent\Validator\UserPassword;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\FormBuilderInterface;
+
+class MfaSetupFormType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('currentPassword', PasswordType::class, [
+                'required' => true,
+                'constraints' => [new UserPassword()],
+            ])
+            ->add('totpCode', TotpCodeType::class, [
+                'label' => 'auth_code',
+                'translation_domain' => 'SchebTwoFactorBundle',
+                'constraints' => [new UserMfaCode()],
+            ]);
+    }
+}

src/Form/NewPasswordType.php

@@ -51,7 +51,7 @@ public static function constraints(bool $nullable = true): array
         $constraints = [
             new Length([
                 'min' => 8,
-                'minMessage' => 'Your password should be at least {{ limit }} characters',
+                'minMessage' => 'Your password must be at least {{ limit }} characters',
                 'max' => 4096, // max length allowed by Symfony for security reasons
             ]),
             new PasswordStrength(minScore: PasswordStrength::STRENGTH_WEAK),
@@ -60,7 +60,7 @@ public static function constraints(bool $nullable = true): array
 
         if (!$nullable) {
             $constraints[] = new NotBlank([
-                'message' => 'Please enter a password',
+                'message' => 'Enter a password',
             ]);
         }
 

src/Form/TotpCodeType.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Form;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\Form\FormInterface;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+class TotpCodeType extends AbstractType
+{
+    public function buildView(FormView $view, FormInterface $form, array $options): void
+    {
+        $view->vars['value'] = '';
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            'attr' => [
+                'autocomplete' => 'one-time-code',
+                'inputmode' => 'numeric',
+                'pattern' => '[0-9]*',
+            ],
+        ]);
+    }
+
+    public function getParent(): string
+    {
+        return TextType::class;
+    }
+}