lavender/auth/providers/otp.go

96 lines
2.2 KiB
Go
Raw Permalink Normal View History

package providers
2024-10-06 21:30:39 +01:00
import (
"context"
"errors"
2024-12-09 18:40:18 +00:00
"fmt"
"github.com/1f349/lavender/auth"
2025-01-19 12:04:25 +00:00
"github.com/1f349/lavender/auth/authContext"
2024-10-06 21:30:39 +01:00
"github.com/1f349/lavender/database"
"github.com/xlzd/gotp"
"net/http"
"time"
)
func isDigitsSupported(digits int64) bool {
return digits >= 6 && digits <= 8
}
type otpLoginDB interface {
GetOtp(ctx context.Context, subject string) (database.GetOtpRow, error)
2024-10-06 21:30:39 +01:00
}
var _ auth.Provider = (*OtpLogin)(nil)
2024-10-06 21:30:39 +01:00
type OtpLogin struct {
DB otpLoginDB
2024-10-06 21:30:39 +01:00
}
2024-12-09 18:40:18 +00:00
func (o *OtpLogin) AccessState() auth.State { return auth.StateBasic }
2024-10-06 21:30:39 +01:00
func (o *OtpLogin) Name() string { return "basic" }
2024-10-06 21:30:39 +01:00
2025-01-19 12:04:25 +00:00
func (o *OtpLogin) RenderTemplate(ctx authContext.TemplateContext) error {
user := ctx.User()
if user == nil || user.Subject == "" {
2025-01-19 12:04:25 +00:00
return fmt.Errorf("requires previous factor")
2024-10-06 21:30:39 +01:00
}
if user.OtpSecret == "" || !isDigitsSupported(user.OtpDigits) {
2025-01-19 12:04:25 +00:00
return fmt.Errorf("user does not support factor")
2024-10-06 21:30:39 +01:00
}
2025-01-19 12:04:25 +00:00
// TODO: is this right?
ctx.Render(map[string]any{
"Redirect": "/",
})
2024-10-06 21:30:39 +01:00
// no need to provide render data
2025-01-19 12:04:25 +00:00
return nil
2024-10-06 21:30:39 +01:00
}
2025-01-19 12:04:25 +00:00
func (o *OtpLogin) AttemptLogin(ctx authContext.TemplateContext) error {
user := ctx.User()
2024-10-06 21:30:39 +01:00
if user == nil || user.Subject == "" {
2024-12-09 18:40:18 +00:00
return fmt.Errorf("requires previous factor")
2024-10-06 21:30:39 +01:00
}
if user.OtpSecret == "" || !isDigitsSupported(user.OtpDigits) {
2024-12-09 18:40:18 +00:00
return fmt.Errorf("user does not support factor")
2024-10-06 21:30:39 +01:00
}
2025-01-19 12:04:25 +00:00
code := ctx.Request().FormValue("code")
2024-10-06 21:30:39 +01:00
if !validateTotp(user.OtpSecret, int(user.OtpDigits), code) {
return auth.BasicUserSafeError(http.StatusBadRequest, "invalid OTP code")
2024-10-06 21:30:39 +01:00
}
return nil
}
var ErrInvalidOtpCode = errors.New("invalid OTP code")
func (o *OtpLogin) VerifyOtpCode(ctx context.Context, subject, code string) error {
otp, err := o.DB.GetOtp(ctx, subject)
if err != nil {
return err
}
if !validateTotp(otp.OtpSecret, int(otp.OtpDigits), code) {
return ErrInvalidOtpCode
}
return nil
}
func validateTotp(secret string, digits int, code string) bool {
totp := gotp.NewTOTP(secret, int(digits), 30, nil)
return verifyTotp(totp, code)
}
2024-10-06 21:30:39 +01:00
func verifyTotp(totp *gotp.TOTP, code string) bool {
t := time.Now()
if totp.VerifyTime(code, t) {
return true
}
if totp.VerifyTime(code, t.Add(-30*time.Second)) {
return true
}
return totp.VerifyTime(code, t.Add(30*time.Second))
}