2 fa

.github/workflows/publish.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - GaelO2
       - GaelO2-dev
-      - imap-lib
+      - 2FA
     tags:
       - '*'
 

GaelO2/app/GaelO/Entities/UserEntity.php

@@ -26,6 +26,8 @@ class UserEntity
 
     public ?array $roles;
 
+    public ?string $twoFactorConfirmedAt;
+
     public static function fillFromDBReponseArray(array $array): UserEntity
     {
         $userEntity  = new UserEntity();
@@ -44,6 +46,7 @@ public static function fillFromDBReponseArray(array $array): UserEntity
         $userEntity->emailVerifiedAt = $array['email_verified_at'];
         $userEntity->lastConnection = $array['last_connection'];
         $userEntity->onboardingVersion = $array['onboarding_version'];
+        $userEntity->twoFactorConfirmedAt = $array['two_factor_confirmed_at'] ?? null;
         return $userEntity;
     }
 

GaelO2/app/GaelO/Repositories/UserRepository.php

@@ -35,7 +35,9 @@ public function __construct(User $user, Role $roles, CenterUser $centerUser, Stu
 
     public function find($id): array
     {
-        return $this->userModel->findOrFail($id)->toArray();
+        return $this->userModel->findOrFail($id)->makeVisible([
+            'two_factor_confirmed_at'
+        ])->toArray();
     }
 
     public function delete($id): void
@@ -143,7 +145,11 @@ public function getUserByEmail(String $email, bool $withTrashed = false): array
             $user = $this->userModel->where('email', strtolower($email))->sole();
         }
 
-        return $user->toArray();
+        return $user->makeVisible([
+            'two_factor_secret',
+            'two_factor_recovery_codes',
+            'two_factor_confirmed_at'
+        ])->toArray();
     }
 
     public function isExistingEmail(String $email): bool

GaelO2/app/GaelO/UseCases/Login/Login.php

@@ -51,11 +51,17 @@ public function execute(LoginRequest $loginRequest, LoginResponse $loginResponse
 
             //if everything OK => Login
             if ($user['email_verified_at'] !== null && $attempts < 3) {
+
+                // Detect if 2FA is enable and is validate for this user 
+                $twoFactorEnabled = !empty($user['two_factor_secret']) && !empty($user['two_factor_confirmed_at']);
+
                 $this->updateDbOnSuccess($user, $loginRequest->ip);
+
                 $loginResponse->onboarded = !(Util::isVersionHigher(FrameworkAdapter::getConfig('onboarding_version'), $user['onboarding_version']));
+                $loginResponse->use2FA = $twoFactorEnabled;
                 $loginResponse->status = 200;
                 $loginResponse->statusText = "OK";
-                //should not happen
+                $loginResponse->userId = $user['id'];
             } else {
                 throw new GaelOUnauthorizedException("Unknown email/password");
             }

GaelO2/app/GaelO/UseCases/Login/LoginResponse.php

@@ -8,4 +8,6 @@ class LoginResponse
     public ?bool $onboarded = null;
     public int $status;
     public string $statusText;
+    public ?bool $use2FA = null;
+    public ?int $userId = null;
 }

GaelO2/app/Http/Controllers/AuthController.php

@@ -12,10 +12,14 @@
 use App\GaelO\UseCases\Login\LoginRequest;
 use App\GaelO\UseCases\Login\LoginResponse;
 use App\GaelO\Util;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Str;
 use App\Models\User;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Routing\UrlGenerator;
+use Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider;
 
 class AuthController extends Controller
 {
@@ -29,16 +33,44 @@ public function login(Request $request, Login $login, LoginRequest $loginRequest
         $login->execute($loginRequest, $loginResponse);
 
         if ($loginResponse->status === 200) {
+            $userId = $loginResponse->userId;
+            $use2FA = $loginResponse->use2FA;
 
+            if ($use2FA) {
+                // Temporary Opaque Token. available for 5 minutes
+                $challengeToken = Str::uuid()->toString();
+                Cache::put('2fa_challenge_' . $challengeToken, $userId, now()->addMinutes(5));
+
+                return response()->json([
+                    'onboarded' => $loginResponse->onboarded,
+                    'needs2FA' => true,
+                    'challenge_token' => $challengeToken
+                ], 200);
+            }
+
+
+            // Regular Login
             $user = User::where('email', strtolower($request->email))->sole();
+            $isAdmin = $user->administrator;
+
+            if ($isAdmin && !$use2FA) {
+                return response()->json([
+                    'id' => $user->id,
+                    //'onboarded' => $loginResponse->onboarded,
+                    'needs2FA' => true
+
+                ]);
+            }
 
             $tokenResult = $user->createToken('GaelO');
+
             return response()->json([
                 'id' => $user->id,
                 'onboarded' => $loginResponse->onboarded,
                 'access_token' => $tokenResult->plainTextToken,
                 'token_type' => 'Bearer'
             ], 200);
+
         } else {
             return $this->getJsonResponse($loginResponse->body, $loginResponse->status, $loginResponse->statusText);
         }
@@ -50,6 +82,145 @@ public function logout(Request $request)
         return response()->json();
     }
 
+    public function twoFactorChallenge(
+        Request $request,
+        TwoFactorAuthenticationProvider $provider
+    ): JsonResponse {
+
+        $challengeToken = $request->input('challenge_token');
+
+        if (!$challengeToken) {
+            return response()->json(['message' => 'Session expired.'], 422);
+        }
+
+        // pull = get + delete in one operaion (single use)
+        $userId = Cache::pull('2fa_challenge_' . $challengeToken);
+
+        if (!$userId) {
+            return response()->json(['message' => 'Session expired or already use.'], 422);
+        }
+
+        $user = User::findOrFail($userId);
+
+        $code = $request->input('code');
+        $recoveryCode = $request->input('recovery_code');
+
+        $valid = false;
+
+        if ($recoveryCode) {
+            $codes = json_decode(decrypt($user->two_factor_recovery_codes), true);
+            $index = array_search($recoveryCode, $codes);
+
+            if ($index !== false) {
+                array_splice($codes, $index, 1);
+                $user->forceFill([
+                    'two_factor_recovery_codes' => encrypt(json_encode($codes))
+                ])->save();
+                $valid = true;
+            }
+
+        } elseif ($code) {
+            $valid = $provider->verify(
+                decrypt($user->two_factor_secret),
+                $code
+            );
+        }
+
+        if (!$valid) {
+            return response()->json([
+                'errors' => ['code' => ['invalid code']]
+            ], 422);
+        }
+
+        $tokenResult = $user->createToken('GaelO');
+
+        return response()->json([
+            'id' => $user->id,
+            'access_token' => $tokenResult->plainTextToken,
+            'token_type' => 'Bearer'
+        ], 200);
+    }
+
+    /**
+     * Generate 2FA secret + QR code SVG for the authenticated user.
+     * Route protected by auth:sanctum — the Bearer token from login
+     * is sent explicitly by the front before being stored in Redux.
+     * Must be in the auth:sanctum group but NOT in the onboarded group
+     * (admin may not be onboarded yet when setting up 2FA).
+     */
+    public function setup2FA(Request $request, TwoFactorAuthenticationProvider $provider): JsonResponse
+    {
+        $user = $request->user();
+
+        // Generate secret if not already set
+        if (empty($user->two_factor_secret)) {
+            $user->forceFill([
+                'two_factor_secret' => encrypt($provider->generateSecretKey()),
+                'two_factor_recovery_codes' => encrypt(json_encode(
+                    collect(range(1, 8))->map(fn() => Str::random(10) . '-' . Str::random(10))->all()
+                ))
+            ])->save();
+        }
+
+        $appName = urlencode(config('app.name'));
+        $email = urlencode($user->email);
+        $secret = decrypt($user->two_factor_secret);
+        $otpauthUrl = "otpauth://totp/{$appName}:{$email}?secret={$secret}&issuer={$appName}";
+
+        $renderer = new \BaconQrCode\Renderer\ImageRenderer(
+            new \BaconQrCode\Renderer\RendererStyle\RendererStyle(192),
+            new \BaconQrCode\Renderer\Image\SvgImageBackEnd()
+        );
+        $svg = (new \BaconQrCode\Writer($renderer))->writeString($otpauthUrl);
+
+        return response()->json(['svg' => $svg]);
+    }
+
+    /**
+     * Confirm 2FA setup by verifying the TOTP code for the authenticated user.
+     */
+    public function confirmSetup2FA(Request $request, TwoFactorAuthenticationProvider $provider): JsonResponse
+    {
+        $user = $request->user();
+
+        if (empty($user->two_factor_secret)) {
+            return response()->json(['message' => '2FA not initialized'], 422);
+        }
+
+        $valid = $provider->verify(decrypt($user->two_factor_secret), $request->input('code'));
+
+        if (!$valid) {
+            return response()->json(['errors' => ['code' => ['invalid code']]], 422);
+        }
+
+        $user->forceFill(['two_factor_confirmed_at' => now()])->save();
+
+        return response()->json(['message' => '2FA activated']);
+    }
+
+
+    public function generateRecoveryCodes2FA(Request $request): JsonResponse
+    {
+        $user = $request->user();
+
+        if (!$user) {
+            return response()->json(['message' => 'Unauthenticated'], 401);
+        }
+
+        if (empty($user->two_factor_secret) || empty($user->two_factor_confirmed_at)) {
+            return response()->json(['message' => '2FA Not activated'], 422);
+        }
+
+        // Decrypt to return the code on the front side
+        $codes = $user->recoveryCodes();
+        foreach ($codes as $code) {
+            $user->replaceRecoveryCode($code);
+        }
+
+        $updatedCodes = $user->recoveryCodes();
+        return response()->json(['recoveryCodes' => $updatedCodes]);
+    }
+
     public function getMagicLink(Request $request, UrlGenerator $urlGenerator)
     {
 
@@ -89,4 +260,6 @@ public function getSystem(Request $request, GetSystem $getSystem, GetSystemReque
         $getSystem->execute($getSystemRequest, $getSystemResponse);
         return $this->getJsonResponse($getSystemResponse->body, $getSystemResponse->status, $getSystemResponse->statusText);
     }
+
+
 }

GaelO2/app/Models/User.php

@@ -13,10 +13,11 @@
 use Illuminate\Notifications\Notifiable;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Laravel\Sanctum\HasApiTokens;
+use Laravel\Fortify\TwoFactorAuthenticatable;
 
 class User extends Authenticatable implements CanResetPassword, MustVerifyEmail
 {
-    use Notifiable, SoftDeletes, HasApiTokens, HasFactory, PasswordsCanResetPassword;
+    use Notifiable, SoftDeletes, HasApiTokens, HasFactory, PasswordsCanResetPassword, TwoFactorAuthenticatable;
 
     /**
      * The attributes that are mass assignable.
@@ -33,7 +34,10 @@ class User extends Authenticatable implements CanResetPassword, MustVerifyEmail
      * @var array
      */
     protected $hidden = [
-        'remember_token'
+        'remember_token',
+        'two_factor_secret',
+        'two_factor_recovery_codes',
+        'two_factor_confirmed_at',
     ];
 
     /**
@@ -60,7 +64,8 @@ protected function casts(): array
             'orthanc_password' => 'string',
             'api_token' => 'string',
             'email_verified_at' => 'datetime',
-            'onboarding_version' => 'string'
+            'onboarding_version' => 'string',
+            'two_factor_confirmed_at' => 'datetime'
         ];
     }
 

GaelO2/app/Providers/FortifyServiceProvider.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Providers;
+
+use Illuminate\Support\ServiceProvider;
+use Laravel\Fortify\Fortify;
+
+class FortifyServiceProvider extends ServiceProvider
+{
+    public function register(): void
+    {
+        // Forcer toutes les routes Fortify sous le middleware API avec auth Sanctum
+        config(['fortify.middleware' => ['api', 'auth:sanctum']]);
+    }
+
+    public function boot(): void
+    {
+        Fortify::ignoreRoutes();
+        // No view for 2FA challenge
+        Fortify::twoFactorChallengeView(function () {
+            return response()->json(['message' => 'Unauthorized'], 401);
+        });
+    }
+}

GaelO2/composer.json

@@ -16,6 +16,7 @@
         "directorytree/imapengine-laravel": "^1.1",
         "giggsey/libphonenumber-for-php": "^9.0",
         "guzzlehttp/guzzle": "^7.9",
+        "laravel/fortify": "^1.36",
         "laravel/framework": "^12.0",
         "laravel/sanctum": "^4.0",
         "laravel/tinker": "^2.10",