From 6a0955946e06354ecd05f714057a878794314155 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Wed, 6 Sep 2023 05:12:50 +0000
Subject: [PATCH] Bug 30843: Add mfa_range configuration option for TOTP
This change adds a mfa_range configuration option for TOTP to koha-conf.xml, and overrides the "verify" method from Auth::GoogleAuth in order to provide a new default for "range"
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works
14. Add 10 to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works
20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two factor authentication
22. Note that the code works
Signed-off-by: Marcel de Rooy
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
---
C4/Auth.pm | 2 +-
Koha/Auth/TwoFactorAuth.pm | 21 +++++++++++++++++++++
Koha/REST/V1/TwoFactorAuth.pm | 2 +-
debian/templates/koha-conf-site.xml.in | 2 ++
etc/koha-conf.xml | 2 ++
5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 9b298eed87..c25cf61876 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -883,7 +883,7 @@ sub checkauth {
 {
 my $patron = Koha::Patrons->find( { userid => $userid } );
 my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $patron } );
-my $verified = $auth->verify($otp_token, 1);
+my $verified = $auth->verify($otp_token);
 $auth->clear;
 if ( $verified ) {
 # The token is correct, the user is fully logged in!
diff --git a/Koha/Auth/TwoFactorAuth.pm b/Koha/Auth/TwoFactorAuth.pm
index 6113493b67..5a00d4af10 100644
--- a/Koha/Auth/TwoFactorAuth.pm
+++ b/Koha/Auth/TwoFactorAuth.pm
@@ -19,6 +19,7 @@ use Modern::Perl;
 use GD::Barcode;
 use MIME::Base64 qw( encode_base64 );
+use C4::Context;
 use C4::Letters;
 use Koha::Exceptions;
 use Koha::Exceptions::Patron;
@@ -106,4 +107,24 @@ sub qr_code {
 return "data:image/png;base64,". encode_base64( $data, q{} ); # does not contain newlines
 }
 
+=head3 verify
+
+    my $verified = $auth->verify($otp_token);
+
+    Replacement for Auth::GoogleAuth::verify.
+    This uses a system wide default for range.
+
+=cut
+
+sub verify {
+    my ( $self, $code, $range, $secret32, $timestamp, $interval ) = @_;
+    if ( !defined $range ) {
+        my $mfa_range = C4::Context->config('mfa_range') ? int( C4::Context->config('mfa_range') ) : 1;
+        if ($mfa_range) {
+            $range = $mfa_range;
+        }
+    }
+    return $self->SUPER::verify( $code, $range, $secret32, $timestamp, $interval );
+}
+
 1;
diff --git a/Koha/REST/V1/TwoFactorAuth.pm b/Koha/REST/V1/TwoFactorAuth.pm
index b999371e10..96dc59e9c6 100644
--- a/Koha/REST/V1/TwoFactorAuth.pm
+++ b/Koha/REST/V1/TwoFactorAuth.pm
@@ -139,7 +139,7 @@ sub verification {
 my $verified = $auth->verify(
 $pin_code,
-1, # range
+undef, # range (default to 1 or mfa_range in koha-conf.xml)
 $secret32,
 undef, # timestamp (defaults to now)
 30, # interval (default 30)
diff --git a/debian/templates/koha-conf-site.xml.in b/debian/templates/koha-conf-site.xml.in
index 6d0e0f10db..8733dc6690 100644
--- a/debian/templates/koha-conf-site.xml.in
+++ b/debian/templates/koha-conf-site.xml.in
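Review bot: The `mfa_range` value read in the new `sub verify` (second hunk of Koha/Auth/TwoFactorAuth.pm) reaches `SUPER::verify` without validation or an upper bound: `int(...)` turns a non-numeric string into 0 with a warning, a negative or very large value goes straight through, and since each unit of range appears to keep an observed code accepted for one more interval (30 s per the REST hunk) on each side, the `10` used in the test plan already keeps a code usable for about five minutes after it was shown. A configured `0` is also silently dropped by `if ($mfa_range)`, so a current-window-only setting cannot be expressed, and the config value is fetched twice. I would accept only a positive integer and leave `$range` undef for anything else, which is what the current fallback already does for unset or zero values, as below. The POD should state the unit (number of intervals on each side of now) and that larger values widen the period in which a captured code can be reused; the same wording belongs beside the new `mfa_range` entries in etc/koha-conf.xml and debian/templates/koha-conf-site.xml.in, whose comment text is not visible in this view. That Auth::GoogleAuth treats an undef range as 1 is only implied by the comment in the REST hunk, so it is worth confirming before relying on the fallback.
```perl
sub verify {
    my ( $self, $code, $range, $secret32, $timestamp, $interval ) = @_;
    if ( !defined $range ) {
        my $configured = C4::Context->config('mfa_range');
        # Honour only a positive integer number of intervals; anything else
        # (unset, 0, negative, non-integer) leaves $range undef as before.
        if ( defined $configured && $configured =~ /\A[1-9][0-9]*\z/ ) {
            $range = $configured;
        }
    }
    return $self->SUPER::verify( $code, $range, $secret32, $timestamp, $interval );
}
```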
@@ -480,5 +480,7 @@ __END_SRU_PUBLICSERVER__
+ 1
+
diff --git a/etc/koha-conf.xml b/etc/koha-conf.xml
index 67105b30c0..829ffd3e7d 100644
--- a/etc/koha-conf.xml
+++ b/etc/koha-conf.xml
@@ -291,5 +291,7 @@
+ 1
+
-- 
2.39.5