Bug 30843: Add mfa_range configuration option for TOTP

This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"

Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works

14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works

20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 6a0955946e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This commit is contained in:
David Cook 2023-09-06 05:12:50 +00:00 committed by Fridolin Somers
parent 70df53df4b
commit 5cef65a87f
5 changed files with 27 additions and 2 deletions


@ -883,7 +883,7 @@ sub checkauth {
{
my $patron = Koha::Patrons->find( { userid => $userid } );
my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $patron } );
my $verified = $auth->verify($otp_token, 1);
my $verified = $auth->verify($otp_token);
$auth->clear;
if ( $verified ) {
# The token is correct, the user is fully logged in!


@ -19,6 +19,7 @@ use Modern::Perl;
use GD::Barcode;
use MIME::Base64 qw( encode_base64 );
use C4::Context;
use C4::Letters;
use Koha::Exceptions;
use Koha::Exceptions::Patron;
@ -106,4 +107,24 @@ sub qr_code {
return "data:image/png;base64,". encode_base64( $data, q{} ); # does not contain newlines
}
=head3 verify
my $verified = $auth->verify($otp_token);
Replacement for Auth::GoogleAuth::verify.
This uses a system wide default for range.
=cut
sub verify {
my ( $self, $code, $range, $secret32, $timestamp, $interval ) = @_;
if ( !defined $range ) {
my $mfa_range = C4::Context->config('mfa_range') ? int( C4::Context->config('mfa_range') ) : 1;
if ($mfa_range) {
$range = $mfa_range;
}
}
return $self->SUPER::verify( $code, $range, $secret32, $timestamp, $interval );
}
1;
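Review bot: The range defaulting in verify accepts whatever int() can coerce, so a non-numeric `mfa_range` becomes 0 (with an "isn't numeric" warning) and silently falls through to the superclass default, while a negative value such as `-5` is passed on unchanged, and `C4::Context->config('mfa_range')` is read twice for one decision. I would read the setting once and accept only a positive integer, keeping 1 in every other case, as sketched below; the `use C4::Context;` line added in the hunk above is what this method relies on. The =head3 POD should also say what `range` measures — per the koha-conf.xml comment in this commit, the number of 30-second steps tolerated when a code is checked — and that raising it lengthens the period during which a code that has already been observed remains usable (the test plan's value of 10 is about five minutes, on each side of now if Auth::GoogleAuth applies the range symmetrically, which I believe it does but have not confirmed here).
```perl
sub verify {
    my ( $self, $code, $range, $secret32, $timestamp, $interval ) = @_;
    if ( !defined $range ) {
        my $configured = C4::Context->config('mfa_range');
        # Accept only a positive integer number of 30-second steps; anything
        # else (unset, empty, non-numeric, zero, negative) keeps the default of 1.
        $range = ( defined $configured && $configured =~ m/\A\d+\z/ && $configured > 0 )
            ? $configured
            : 1;
    }
    return $self->SUPER::verify( $code, $range, $secret32, $timestamp, $interval );
}
```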


@ -139,7 +139,7 @@ sub verification {
my $verified = $auth->verify(
$pin_code,
1, # range
undef, # range (default to 1 or mfa_range in koha-conf.xml)
$secret32,
undef, # timestamp (defaults to now)
30, # interval (default 30)


@ -483,5 +483,7 @@ __END_SRU_PUBLICSERVER__
<!-- Like: <domain><name>hotmail.com</name><belongs_to>outlook.com</belongs_to></domain> -->
</message_domain_limits>
<mfa_range>1</mfa_range><!-- Number of 30 second iterations to allow for MFA code checking -->
</config>
</yazgfs>
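Review bot: The comment on the new `<mfa_range>` element gives the unit but not the consequence of changing it, which is what an administrator editing this file needs, and the same applies to the identical element in the second koha-conf.xml section below. I would extend it to `<!-- Number of 30 second steps tolerated when checking an MFA code (default 1); each extra step lengthens the period during which a code that has already been observed still works -->`. If the verify override accepts only positive integers, the comment should also say that other values fall back to 1.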


@ -294,5 +294,7 @@
<!-- Like: <domain><name>hotmail.com</name><belongs_to>outlook.com</belongs_to></domain> -->
</message_domain_limits>
<mfa_range>1</mfa_range><!-- Number of 30 second iterations to allow for MFA code checking -->
</config>
</yazgfs>