1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-12-21 05:11:17 +00:00
nginx-sso/plugins/mfa/totp/mfa.go

101 lines
2.6 KiB
Go
Raw Normal View History

package totp
import (
"net/http"
"strings"
"time"
"github.com/pkg/errors"
"github.com/pquerna/otp"
"github.com/pquerna/otp/totp"
"github.com/Luzifer/nginx-sso/plugins"
)
type MFATOTP struct{}
// ProviderID needs to return an unique string to identify
// this special MFA provider
func (m MFATOTP) ProviderID() (id string) {
return "totp"
}
func New() *MFATOTP {
return &MFATOTP{}
}
// Configure loads the configuration for the Authenticator from the
// global config.yaml file which is passed as a byte-slice.
// If no configuration for the Authenticator is supplied the function
// needs to return the plugins.ErrProviderUnconfigured
func (m MFATOTP) Configure(yamlSource []byte) (err error) { return nil }
// ValidateMFA takes the user from the login cookie and performs a
// validation against the provided MFA configuration for this user
func (m MFATOTP) ValidateMFA(res http.ResponseWriter, r *http.Request, user string, mfaCfgs []plugins.MFAConfig) error {
// Look for mfaConfigs with own provider name
for _, c := range mfaCfgs {
// Provider has been renamed, keep "google" for backwards compatibility
if c.Provider != m.ProviderID() && c.Provider != "google" {
continue
}
token, err := m.exec(c)
if err != nil {
return errors.Wrap(err, "Generating the MFA token failed")
}
for key, values := range r.Form {
if strings.HasSuffix(key, plugins.MFALoginFieldName) && values[0] == token {
return nil
}
}
}
// Report this provider was not able to verify the MFA request
return plugins.ErrNoValidUserFound
}
func (m MFATOTP) exec(c plugins.MFAConfig) (string, error) {
secret := c.AttributeString("secret")
// By default use Google Authenticator compatible settings
generatorOpts := totp.ValidateOpts{
Period: 30,
Skew: 1,
Digits: otp.DigitsSix,
Algorithm: otp.AlgorithmSHA1,
}
if period := c.AttributeInt("period"); period > 0 {
generatorOpts.Period = uint(period)
}
if skew := c.AttributeInt("skew"); skew > 0 {
generatorOpts.Skew = uint(skew)
}
if digits := c.AttributeInt("digits"); digits > 0 {
generatorOpts.Digits = otp.Digits(digits)
}
if algorithm := c.AttributeString("algorithm"); algorithm != "" {
switch algorithm {
case "sha1":
generatorOpts.Algorithm = otp.AlgorithmSHA1
case "sha256":
generatorOpts.Algorithm = otp.AlgorithmSHA256
case "sha512":
generatorOpts.Algorithm = otp.AlgorithmSHA512
default:
return "", errors.Errorf("Unsupported algorithm %q", algorithm)
}
}
if n := len(secret) % 8; n != 0 {
secret += strings.Repeat("=", 8-n)
}
return totp.GenerateCodeCustom(strings.ToUpper(secret), time.Now(), generatorOpts)
}