Add TOTP functionality

Signed-off-by: Tim Goudriaan <tim@codedmonkey.com>

Author: codedmonkey

migrations/Version20250409225651.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20250409225651 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add TOTP secret';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" ADD totp_secret VARCHAR(255) DEFAULT NULL
+        SQL);
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            ALTER TABLE "user" DROP totp_secret
+        SQL);
+    }
+}

src/Controller/Dashboard/DashboardAccountController.php

@@ -5,8 +5,10 @@
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
 use CodedMonkey\Dirigent\Form\AccountFormType;
+use CodedMonkey\Dirigent\Form\AccountMfaFormType;
 use CodedMonkey\Dirigent\Form\ChangePasswordFormType;
 use EasyCorp\Bundle\EasyAdminBundle\Router\AdminUrlGenerator;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\Form\FormError;
 use Symfony\Component\HttpFoundation\Request;
@@ -28,6 +30,7 @@ public static function getSubscribedServices(): array
     public function __construct(
         private readonly UserRepository $userRepository,
         private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly TotpAuthenticatorInterface $totpAuthenticator,
     ) {
     }
 
@@ -36,8 +39,6 @@ public function __construct(
     public function account(Request $request, #[CurrentUser] User $user): Response
     {
         $accountForm = $this->createForm(AccountFormType::class, $user);
-        $passwordForm = $this->createForm(ChangePasswordFormType::class);
-
         $accountForm->handleRequest($request);
 
         if ($accountForm->isSubmitted() && $accountForm->isValid()) {
@@ -50,6 +51,7 @@ public function account(Request $request, #[CurrentUser] User $user): Response
             return $this->redirect($url);
         }
 
+        $passwordForm = $this->createForm(ChangePasswordFormType::class);
         $passwordForm->handleRequest($request);
 
         if ($passwordForm->isSubmitted()) {
@@ -77,4 +79,57 @@ public function account(Request $request, #[CurrentUser] User $user): Response
             'passwordForm' => $passwordForm,
         ]);
     }
+
+    #[Route('/dashboard/account/mfa', name: 'dashboard_account_mfa')]
+    #[IsGranted('ROLE_USER')]
+    public function mfa(Request $request, #[CurrentUser] User $user): Response
+    {
+        if (!$user->isTotpAuthenticationEnabled()) {
+            $session = $request->getSession();
+
+            if (null === $totpSecret = $session->get('totp_secret')) {
+                $totpSecret = $this->totpAuthenticator->generateSecret();
+
+                $session->set('totp_secret', $totpSecret);
+            }
+
+            $form = $this->createForm(AccountMfaFormType::class);
+            $form->handleRequest($request);
+
+            if ($form->isSubmitted()) {
+                $currentPassword = $form->get('currentPassword')->getData();
+
+                if (!$this->passwordHasher->isPasswordValid($user, $currentPassword)) {
+                    $form->get('currentPassword')->addError(new FormError('Your current password is incorrect.'));
+                }
+
+                $user->setTotpSecret($totpSecret);
+
+                $totpCode = $form->get('totpCode')->getData();
+
+                if (!$this->totpAuthenticator->checkCode($user, $totpCode)) {
+                    $user->setTotpSecret(null);
+
+                    $form->get('totpCode')->addError(new FormError('The verification code is incorrect.'));
+                }
+
+                if ($form->isValid()) {
+                    $this->userRepository->save($user, true);
+
+                    $this->addFlash('success', 'Multi-factor authentication was successfully enabled.');
+
+                    $session->remove('totp_secret');
+
+                    $url = $this->container->get(AdminUrlGenerator::class)->setRoute('dashboard_account')->generateUrl();
+
+                    return $this->redirect($url);
+                }
+            }
+
+            return $this->render('dashboard/account/mfa.html.twig', [
+                'form' => $form,
+                'totpSecret' => $totpSecret,
+            ]);
+        }
+    }
 }

src/Doctrine/Entity/User.php

@@ -8,12 +8,15 @@
 use Doctrine\ORM\Mapping\GeneratedValue;
 use Doctrine\ORM\Mapping\Id;
 use Doctrine\ORM\Mapping\Table;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfiguration;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfigurationInterface;
+use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 #[Entity(repositoryClass: UserRepository::class)]
 #[Table(name: '`user`')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFactorInterface
 {
     #[Column]
     #[GeneratedValue]
@@ -37,6 +40,9 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
     private ?string $plainPassword = null;
 
+    #[Column(nullable: true)]
+    private ?string $totpSecret = null;
+
     public function getId(): ?int
     {
         return $this->id;
@@ -108,6 +114,16 @@ public function setPlainPassword(string $password): self
         return $this;
     }
 
+    public function getTotpSecret(): ?string
+    {
+        return $this->totpSecret;
+    }
+
+    public function setTotpSecret(?string $totpSecret): void
+    {
+        $this->totpSecret = $totpSecret;
+    }
+
     public function getUserIdentifier(): string
     {
         return (string) $this->username;
@@ -158,4 +174,19 @@ public function setSuperAdmin(bool $admin): void
             }
         }
     }
+
+    public function isTotpAuthenticationEnabled(): bool
+    {
+        return null !== $this->totpSecret;
+    }
+
+    public function getTotpAuthenticationUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function getTotpAuthenticationConfiguration(): ?TotpConfigurationInterface
+    {
+        return new TotpConfiguration($this->totpSecret, TotpConfiguration::ALGORITHM_SHA1, 20, 8);
+    }
 }

src/Form/AccountMfaFormType.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Form;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\FormBuilderInterface;
+
+class AccountMfaFormType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('currentPassword', PasswordType::class, [
+                'required' => true,
+            ])
+            ->add('totpCode', TotpCodeType::class, [
+                'label' => 'Verification code',
+            ]);
+    }
+}

src/Form/TotpCodeType.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Form;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\Form\FormInterface;
+use Symfony\Component\Form\FormView;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+class TotpCodeType extends AbstractType
+{
+    public function buildView(FormView $view, FormInterface $form, array $options): void
+    {
+        $view->vars['value'] = '';
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            'attr' => [
+                'autocomplete' => 'one-time-code',
+                'inputmode' => 'numeric',
+                'pattern' => '[0-9]*',
+            ],
+        ]);
+    }
+
+    public function getParent(): string
+    {
+        return TextType::class;
+    }
+}

templates/dashboard/account.html.twig

@@ -41,18 +41,17 @@
   <div class="form-fieldset field-form_fieldset">
     <div class="form-fieldset-header with-help">
       <div class="form-fieldset-title">
-        <span class="not-collapsible form-fieldset-title-content">Multi-Factor Authentication</span>
-        <div class="form-fieldset-help">Add an extra layer of security</div>
+        <span class="not-collapsible form-fieldset-title-content">{{ 'Multi-Factor Authentication'|trans }}</span>
+        <div class="form-fieldset-help">{{ 'account.mfa.help'|trans }}</div>
       </div>
     </div>
 
     <div class="form-fieldset-body show">
       <div class="row">
         <div class="col-md-6 col-xxl-5">
-          todo
+          <a href="{{ path('dashboard_account_mfa') }}" class="btn btn-primary">{{ 'account.mfa.enable'|trans }}</a>
         </div>
       </div>
     </div>
   </div>
-
 {% endblock %}

templates/dashboard/account/mfa.html.twig

@@ -0,0 +1,22 @@
+{% extends '@EasyAdmin/page/content.html.twig' %}
+
+{% block page_title %}{{ 'Multi-Factor Authentication'|trans }}{% endblock %}
+
+{% block page_content %}
+  <div class="row">
+    <div class="col-md-6 col-xxl-5">
+      <div class="mb-3">
+        <label for="totp_secret" class="form-label required">{{ 'MFA secret' }}</label>
+        <input id="totp_secret" type="text" value="{{ totpSecret }}" class="form-control">
+      </div>
+
+      {{ form_start(form) }}
+        {{ form_rest(form) }}
+
+        <div class="form-group">
+          <button class="btn btn-primary">{{ 'account.mfa.enable'|trans }}</button>
+        </div>
+      {{ form_end(form) }}
+    </div>
+  </div>
+{% endblock %}

translations/messages.en.yaml

@@ -25,6 +25,7 @@ Description: Description
 Dynamic Update Delay: Dynamic Update Delay
 Email: Email
 Expires At: Expires at
+Multi-Factor Authentication: Multi-Factor Authentication
 New password: New password
 Name: Name
 Package Mirroring: Package Mirroring
@@ -69,3 +70,8 @@ registry:
     none: Package mirroring disabled
     manual: Only mirror specified packages
     auto: Automatically mirror packages on request
+
+account:
+  mfa:
+    enable: Enable MFA authentication
+    help: Secure your account with a time-based code from an authenticator app.