mirror of
https://github.com/elyby/accounts.git
synced 2025-01-16 16:52:59 +05:30
148 lines
4.8 KiB
PHP
148 lines
4.8 KiB
PHP
<?php
|
||
namespace api\models\profile;
|
||
|
||
use api\models\base\ApiForm;
|
||
use api\validators\TotpValidator;
|
||
use api\validators\PasswordRequiredValidator;
|
||
use BaconQrCode\Common\ErrorCorrectionLevel;
|
||
use BaconQrCode\Encoder\Encoder;
|
||
use BaconQrCode\Renderer\Color\Rgb;
|
||
use BaconQrCode\Renderer\Image\Svg;
|
||
use BaconQrCode\Writer;
|
||
use Base32\Base32;
|
||
use common\components\Qr\ElyDecorator;
|
||
use common\helpers\Error as E;
|
||
use common\models\Account;
|
||
use OTPHP\TOTP;
|
||
use yii\base\ErrorException;
|
||
|
||
class TwoFactorAuthForm extends ApiForm {
|
||
|
||
const SCENARIO_ACTIVATE = 'enable';
|
||
const SCENARIO_DISABLE = 'disable';
|
||
|
||
public $token;
|
||
|
||
public $password;
|
||
|
||
/**
|
||
* @var Account
|
||
*/
|
||
private $account;
|
||
|
||
public function __construct(Account $account, array $config = []) {
|
||
$this->account = $account;
|
||
parent::__construct($config);
|
||
}
|
||
|
||
public function rules() {
|
||
$bothScenarios = [self::SCENARIO_ACTIVATE, self::SCENARIO_DISABLE];
|
||
return [
|
||
['account', 'validateOtpDisabled', 'on' => self::SCENARIO_ACTIVATE],
|
||
['account', 'validateOtpEnabled', 'on' => self::SCENARIO_DISABLE],
|
||
['token', 'required', 'message' => E::OTP_TOKEN_REQUIRED, 'on' => $bothScenarios],
|
||
['token', TotpValidator::class, 'account' => $this->account, 'window' => 30, 'on' => $bothScenarios],
|
||
['password', PasswordRequiredValidator::class, 'account' => $this->account, 'on' => $bothScenarios],
|
||
];
|
||
}
|
||
|
||
public function getCredentials(): array {
|
||
if (empty($this->account->otp_secret)) {
|
||
$this->setOtpSecret();
|
||
}
|
||
|
||
$provisioningUri = $this->getTotp()->getProvisioningUri();
|
||
|
||
return [
|
||
'qr' => base64_encode($this->drawQrCode($provisioningUri)),
|
||
'uri' => $provisioningUri,
|
||
'secret' => $this->account->otp_secret,
|
||
];
|
||
}
|
||
|
||
public function activate(): bool {
|
||
if ($this->scenario !== self::SCENARIO_ACTIVATE || !$this->validate()) {
|
||
return false;
|
||
}
|
||
|
||
$account = $this->account;
|
||
$account->is_otp_enabled = true;
|
||
if (!$account->save()) {
|
||
throw new ErrorException('Cannot enable otp for account');
|
||
}
|
||
|
||
return true;
|
||
}
|
||
|
||
public function disable(): bool {
|
||
if ($this->scenario !== self::SCENARIO_DISABLE || !$this->validate()) {
|
||
return false;
|
||
}
|
||
|
||
$account = $this->account;
|
||
$account->is_otp_enabled = false;
|
||
$account->otp_secret = null;
|
||
if (!$account->save()) {
|
||
throw new ErrorException('Cannot disable otp for account');
|
||
}
|
||
|
||
return true;
|
||
}
|
||
|
||
public function validateOtpDisabled($attribute) {
|
||
if ($this->account->is_otp_enabled) {
|
||
$this->addError($attribute, E::OTP_ALREADY_ENABLED);
|
||
}
|
||
}
|
||
|
||
public function validateOtpEnabled($attribute) {
|
||
if (!$this->account->is_otp_enabled) {
|
||
$this->addError($attribute, E::OTP_NOT_ENABLED);
|
||
}
|
||
}
|
||
|
||
public function getAccount(): Account {
|
||
return $this->account;
|
||
}
|
||
|
||
/**
|
||
* @return TOTP
|
||
*/
|
||
public function getTotp(): TOTP {
|
||
$totp = new TOTP($this->account->email, $this->account->otp_secret);
|
||
$totp->setIssuer('Ely.by');
|
||
|
||
return $totp;
|
||
}
|
||
|
||
public function drawQrCode(string $content): string {
|
||
$renderer = new Svg();
|
||
$renderer->setHeight(256);
|
||
$renderer->setWidth(256);
|
||
$renderer->setForegroundColor(new Rgb(32, 126, 92));
|
||
$renderer->setMargin(0);
|
||
$renderer->addDecorator(new ElyDecorator());
|
||
|
||
$writer = new Writer($renderer);
|
||
|
||
return $writer->writeString($content, Encoder::DEFAULT_BYTE_MODE_ECODING, ErrorCorrectionLevel::H);
|
||
}
|
||
|
||
/**
|
||
* otp_secret кодируется в Base32, т.к. после кодирования в результурющей строке нет символов,
|
||
* которые можно перепутать (1 и l, O и 0, и т.д.). Отрицательной стороной является то, что итоговая
|
||
* строка составляет 160% от исходной. Поэтому, генерируя исходный приватный ключ, мы должны обеспечить
|
||
* ему такую длину, чтобы 160% его длины было равно запрошенному значению
|
||
*
|
||
* @throws ErrorException
|
||
*/
|
||
protected function setOtpSecret(int $length = 24): void {
|
||
$randomBytesLength = ceil($length / 1.6);
|
||
$this->account->otp_secret = substr(trim(Base32::encode(random_bytes($randomBytesLength)), '='), 0, $length);
|
||
if (!$this->account->save()) {
|
||
throw new ErrorException('Cannot set account otp_secret');
|
||
}
|
||
}
|
||
|
||
}
|