init

kirby/src/Cms/Auth/Challenge.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace Kirby\Cms\Auth;
+
+use Kirby\Cms\User;
+use SensitiveParameter;
+
+/**
+ * Template class for authentication challenges
+ * that create and verify one-time auth codes
+ *
+ * @package   Kirby Cms
+ * @author    Lukas Bestle <lukas@getkirby.com>
+ * @link      https://getkirby.com
+ * @copyright Bastian Allgeier
+ * @license   https://getkirby.com/license
+ */
+abstract class Challenge
+{
+	/**
+	 * Checks whether the challenge is available
+	 * for the passed user and purpose
+	 *
+	 * @param \Kirby\Cms\User $user User the code will be generated for
+	 * @param 'login'|'password-reset'|'2fa' $mode Purpose of the code
+	 */
+	abstract public static function isAvailable(User $user, string $mode): bool;
+
+	/**
+	 * Generates a random one-time auth code and returns that code
+	 * for later verification
+	 *
+	 * @param \Kirby\Cms\User $user User to generate the code for
+	 * @param array $options Details of the challenge request:
+	 *                       - 'mode': Purpose of the code ('login', 'password-reset' or '2fa')
+	 *                       - 'timeout': Number of seconds the code will be valid for
+	 * @return string|null The generated and sent code or `null` in case
+	 *                     there was no code to generate by this algorithm
+	 */
+	abstract public static function create(User $user, array $options): string|null;
+
+	/**
+	 * Verifies the provided code against the created one;
+	 * default implementation that checks the code that was
+	 * returned from the `create()` method
+	 *
+	 * @param \Kirby\Cms\User $user User to check the code for
+	 * @param string $code Code to verify
+	 */
+	public static function verify(
+		User $user,
+		#[SensitiveParameter]
+		string $code
+	): bool {
+		$hash = $user->kirby()->session()->get('kirby.challenge.code');
+		if (is_string($hash) !== true) {
+			return false;
+		}
+
+		// normalize the formatting in the user-provided code
+		$code = str_replace(' ', '', $code);
+
+		return password_verify($code, $hash);
+	}
+}

kirby/src/Cms/Auth/EmailChallenge.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace Kirby\Cms\Auth;
+
+use Kirby\Cms\User;
+use Kirby\Toolkit\I18n;
+use Kirby\Toolkit\Str;
+
+/**
+ * Creates and verifies one-time auth codes
+ * that are sent via email
+ *
+ * @package   Kirby Cms
+ * @author    Lukas Bestle <lukas@getkirby.com>
+ * @link      https://getkirby.com
+ * @copyright Bastian Allgeier
+ * @license   https://getkirby.com/license
+ */
+class EmailChallenge extends Challenge
+{
+	/**
+	 * Checks whether the challenge is available
+	 * for the passed user and purpose
+	 *
+	 * @param \Kirby\Cms\User $user User the code will be generated for
+	 * @param 'login'|'password-reset'|'2fa' $mode Purpose of the code
+	 */
+	public static function isAvailable(User $user, string $mode): bool
+	{
+		return true;
+	}
+
+	/**
+	 * Generates a random one-time auth code and returns that code
+	 * for later verification
+	 *
+	 * @param \Kirby\Cms\User $user User to generate the code for
+	 * @param array $options Details of the challenge request:
+	 *                       - 'mode': Purpose of the code ('login', 'password-reset' or '2fa')
+	 *                       - 'timeout': Number of seconds the code will be valid for
+	 * @return string The generated and sent code
+	 */
+	public static function create(User $user, array $options): string
+	{
+		$code = Str::random(6, 'num');
+
+		// insert a space in the middle for easier readability
+		$formatted = substr($code, 0, 3) . ' ' . substr($code, 3, 3);
+
+		// use the login templates for 2FA
+		$mode = $options['mode'];
+		if ($mode === '2fa') {
+			$mode = 'login';
+		}
+
+		$kirby = $user->kirby();
+		$kirby->email([
+			'from' => $kirby->option('auth.challenge.email.from', 'noreply@' . $kirby->url('index', true)->host()),
+			'fromName' => $kirby->option('auth.challenge.email.fromName', $kirby->site()->title()),
+			'to' => $user,
+			'subject' => $kirby->option(
+				'auth.challenge.email.subject',
+				I18n::translate('login.email.' . $mode . '.subject', null, $user->language())
+			),
+			'template' => 'auth/' . $mode,
+			'data' => [
+				'user'    => $user,
+				'site'    => $kirby->system()->title(),
+				'code'    => $formatted,
+				'timeout' => round($options['timeout'] / 60)
+			]
+		]);
+
+		return $code;
+	}
+}

kirby/src/Cms/Auth/Status.php

@@ -0,0 +1,160 @@
+<?php
+
+namespace Kirby\Cms\Auth;
+
+use Kirby\Cms\App;
+use Kirby\Cms\User;
+use Kirby\Exception\InvalidArgumentException;
+use Kirby\Toolkit\Properties;
+
+/**
+ * Information container for the
+ * authentication status
+ * @since 3.5.1
+ *
+ * @package   Kirby Cms
+ * @author    Lukas Bestle <lukas@getkirby.com>
+ * @link      https://getkirby.com
+ * @copyright Bastian Allgeier
+ * @license   https://getkirby.com/license
+ */
+class Status
+{
+	/**
+	 * Type of the active challenge
+	 */
+	protected string|null $challenge = null;
+
+	/**
+	 * Challenge type to use as a fallback
+	 * when $challenge is `null`
+	 */
+	protected string|null $challengeFallback = null;
+
+	/**
+	 * Email address of the current/pending user
+	 */
+	protected string|null $email;
+
+	/**
+	 * Kirby instance for user lookup
+	 */
+	protected App $kirby;
+
+	/**
+	 * Authentication status:
+	 * `active|impersonated|pending|inactive`
+	 */
+	protected string $status;
+
+	/**
+	 * Class constructor
+	 *
+	 * @param array $props
+	 */
+	public function __construct(array $props)
+	{
+		if (in_array($props['status'], ['active', 'impersonated', 'pending', 'inactive']) !== true) {
+			throw new InvalidArgumentException([
+				'data' => [
+					'argument' => '$props[\'status\']',
+					'method'   => 'Status::__construct'
+				]
+			]);
+		}
+
+		$this->kirby 		 	 = $props['kirby'];
+		$this->challenge 		 = $props['challenge'] ?? null;
+		$this->challengeFallback = $props['challengeFallback'] ?? null;
+		$this->email 		 	 = $props['email'] ?? null;
+		$this->status 			 = $props['status'];
+	}
+
+	/**
+	 * Returns the authentication status
+	 */
+	public function __toString(): string
+	{
+		return $this->status();
+	}
+
+	/**
+	 * Returns the type of the active challenge
+	 *
+	 * @param bool $automaticFallback If set to `false`, no faked challenge is returned;
+	 *                                WARNING: never send the resulting `null` value to the
+	 *                                user to avoid leaking whether the pending user exists
+	 */
+	public function challenge(bool $automaticFallback = true): string|null
+	{
+		// never return a challenge type if the status doesn't match
+		if ($this->status() !== 'pending') {
+			return null;
+		}
+
+		if ($automaticFallback === false) {
+			return $this->challenge;
+		}
+
+		return $this->challenge ?? $this->challengeFallback;
+	}
+
+	/**
+	 * Creates a new instance while
+	 * merging initial and new properties
+	 */
+	public function clone(array $props = []): static
+	{
+		return new static(array_replace_recursive([
+			'kirby' 			=> $this->kirby,
+			'challenge' 		=> $this->challenge,
+			'challengeFallback' => $this->challengeFallback,
+			'email' 			=> $this->email,
+			'status' 			=> $this->status,
+		], $props));
+	}
+
+	/**
+	 * Returns the email address of the current/pending user
+	 */
+	public function email(): string|null
+	{
+		return $this->email;
+	}
+
+	/**
+	 * Returns the authentication status
+	 *
+	 * @return string `active|impersonated|pending|inactive`
+	 */
+	public function status(): string
+	{
+		return $this->status;
+	}
+
+	/**
+	 * Returns an array with all public status data
+	 */
+	public function toArray(): array
+	{
+		return [
+			'challenge' => $this->challenge(),
+			'email'     => $this->email(),
+			'status'    => $this->status()
+		];
+	}
+
+	/**
+	 * Returns the currently logged in user
+	 */
+	public function user(): User|null
+	{
+		// for security, only return the user if they are
+		// already logged in
+		if (in_array($this->status(), ['active', 'impersonated']) !== true) {
+			return null;
+		}
+
+		return $this->kirby->user($this->email());
+	}
+}

kirby/src/Cms/Auth/TotpChallenge.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace Kirby\Cms\Auth;
+
+use Kirby\Cms\User;
+use Kirby\Toolkit\Totp;
+
+/**
+ * Verifies one-time time-based auth codes
+ * that are generated with an authenticator app.
+ * Users first have to set up time-based codes
+ * (storing the TOTP secret in their user account).
+ * @since 4.0.0
+ *
+ * @package   Kirby Cms
+ * @author    Nico Hoffmann <nico@getkirby.com>
+ * @link      https://getkirby.com
+ * @copyright Bastian Allgeier
+ * @license   https://getkirby.com/license
+ */
+class TotpChallenge extends Challenge
+{
+	/**
+	 * Checks whether the challenge is available
+	 * for the passed user and purpose
+	 *
+	 * @param \Kirby\Cms\User $user User the code will be generated for
+	 * @param 'login'|'password-reset'|'2fa' $mode Purpose of the code
+	 */
+	public static function isAvailable(User $user, string $mode): bool
+	{
+		// user needs to have a TOTP secret set up
+		return $user->secret('totp') !== null;
+	}
+
+	/**
+	 * Generates a random one-time auth code and returns that code
+	 * for later verification
+	 *
+	 * @param \Kirby\Cms\User $user User to generate the code for
+	 * @param array $options Details of the challenge request:
+	 *                       - 'mode': Purpose of the code ('login', 'password-reset' or '2fa')
+	 *                       - 'timeout': Number of seconds the code will be valid for
+	 * @todo set return type to `null` once support for PHP 8.1 is dropped
+	 */
+	public static function create(User $user, array $options): string|null
+	{
+		// the user's app will generate the code, we only verify it
+		return null;
+	}
+
+	/**
+	 * Verifies the provided code against the created one
+	 *
+	 * @param \Kirby\Cms\User $user User to check the code for
+	 * @param string $code Code to verify
+	 */
+	public static function verify(User $user, string $code): bool
+	{
+		// verify if code is current, previous or next TOTP code
+		$secret = $user->secret('totp');
+		$totp   = new Totp($secret);
+		return $totp->verify($code);
+	}
+}