Prevent bypassing 2fa by changing username case

When using postgres db as authentication backend it was possible
to bypass 2fa by using e.g. `ADMIN` instead of `admin` as username.

This is now prevented by:
1. Ensuring there is only one secret per user no matter the case
2. Lowering all usernames for filtering in the database

Author: jrauh01

library/Icinga/Authentication/TwoFactorTotp.php

@@ -8,11 +8,10 @@
 use Endroid\QrCode\Builder\Builder;
 use Icinga\Common\Database;
 use Icinga\Exception\ConfigurationError;
-use Icinga\Model\TwoFactorModel;
 use ipl\Sql\Connection;
 use ipl\Sql\Delete;
 use ipl\Sql\Insert;
-use ipl\Stdlib\Filter;
+use ipl\Sql\Select;
 use OTPHP\TOTP;
 use PDOException;
 use Throwable;
@@ -75,10 +74,14 @@ public static function createFromSecret(string $secret, string $user): static
      */
     public static function loadFromDb(Connection $db, string $user): ?static
     {
-        $dbTwoFactor = TwoFactorModel::on($db)->filter(Filter::equal('username', $user))->first();
+        $select = (new Select())
+            ->from('icingaweb_2fa')
+            ->columns('secret')
+            ->where(['LOWER(username) = ?' => strtolower($user)]);
 
-        /** @var TwoFactorModel|null $dbTwoFactor */
-        if ($dbTwoFactor === null) {
+        $dbTwoFactor = $db->select($select)->fetch();
+
+        if (! $dbTwoFactor) {
             return null;
         }
 
@@ -96,7 +99,12 @@ public static function loadFromDb(Connection $db, string $user): ?static
     public static function hasDbSecret(Connection $db, string $user): bool
     {
         try {
-            return TwoFactorModel::on($db)->filter(Filter::equal('username', $user))->first() !== null;
+            $select = (new Select())
+                ->from('icingaweb_2fa')
+                ->columns('username')
+                ->where(['LOWER(username) = ?' => strtolower($user)]);
+
+            return ! empty($db->select($select)->fetchAll());
         } catch (PDOException) {
             return false;
         }
@@ -196,7 +204,7 @@ public function removeFromDb(): void
             $db->prepexec(
                 (new Delete())
                     ->from('icingaweb_2fa')
-                    ->where(['username = ?' => $this->user])
+                    ->where(['LOWER(username) = ?' => strtolower($this->user)])
             );
             $db->commitTransaction();
         } catch (Throwable $e) {

library/Icinga/Model/TwoFactorModel.php

@@ -4,3 +4,9 @@ CREATE TABLE "icingaweb_2fa" (
   "ctime"    bigint,
   CONSTRAINT pk_icingaweb_2fa PRIMARY KEY ("username")
 );
+
+CREATE UNIQUE INDEX idx_icingaweb_2fa
+  ON "icingaweb_2fa"
+  USING btree (
+    lower((username)::text)
+);

schema/pgsql-upgrades/2.13.0.sql

@@ -138,5 +138,11 @@ CREATE TABLE "icingaweb_2fa" (
   CONSTRAINT pk_icingaweb_2fa PRIMARY KEY ("username")
 );
 
+CREATE UNIQUE INDEX idx_icingaweb_2fa
+  ON "icingaweb_2fa"
+  USING btree (
+    lower((username)::text)
+);
+
 INSERT INTO icingaweb_schema (version, timestamp, success)
   VALUES ('2.12.0', extract(epoch from now()) * 1000, 'y');