From 83d10aceb3356e0bfcdddaa896fdba1dfe6503a5 Mon Sep 17 00:00:00 2001
From: REJack
Date: Sun, 10 Feb 2019 19:23:29 +0100
Subject: [PATCH] added totp ability & updated tests

---
 app/Libraries/Aauth.php | 121 +++++++++++----------
 tests/Aauth/Libraries/Aauth/AccessTest.php | 12 ++
 2 files changed, 75 insertions(+), 58 deletions(-)

diff --git a/app/Libraries/Aauth.php b/app/Libraries/Aauth.php
index f0c9e4a..98d2c97 100644
--- a/app/Libraries/Aauth.php
+++ b/app/Libraries/Aauth.php
@@ -285,60 +285,62 @@ class Aauth
 return false;
 }
- // if ($this->config->totpEnabled && ! $this->config->totpOnIpChange && $this->config->totpLogin)
- // {
- // if ($this->config->totpLogin == true)
- // {
- // $this->session->set('totp_required', true);
- // }
-
- // $totp_secret = $userVariableModel->find($user['id'], 'totp_secret', true);
- // if ( ! empty($totp_secret) && ! $totp_code) {
- // $this->error(lang('Aauth.requiredTOTPCode'));
- // return false;
- // } else {
- // if( ! empty($totp_secret)){
- // $this->CI->load->helper('googleauthenticator');
- // $ga = new PHPGangsta_GoogleAuthenticator();
- // $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
- // if ( ! $checkResult) {
- // $this->error(lang('Aauth.invalidTOTPCode'));
- // return false;
- // }
- // }
- // }
- // }
- // else if ($this->config->totpEnabled && $this->config->totpOnIpChange)
- // {
- // $query = null;
- // $query = $this->aauth_db->where($db_identifier, $identifier);
- // $query = $this->aauth_db->get($this->config->users);
- // $totp_secret = $query->row()->totp_secret;
- // $ip_address = $query->row()->ip_address;
- // $current_ip_address = $this->CI->input->ip_address();
- // if ($query->num_rows() > 0 AND !$totp_code) {
- // if($ip_address != $current_ip_address ){
- // if($this->config->totpLogin == false){
- // $this->error(lang('Aauth.aauth_error_totp_code_required'));
- // return false;
- // } else if($this->config->totpLogin == true){
- // $this->session->set('totp_required', true);
- // }
- // }
- // }else {
- // if(!empty($totp_secret)){
- // if($ip_address != $current_ip_address ){
- // $this->CI->load->helper('googleauthenticator');
- // $ga = new PHPGangsta_GoogleAuthenticator();
- // $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
- // if (!$checkResult) {
- // $this->error(lang('Aauth.aauth_error_totp_code_invalid'));
- // return false;
- // }
- // }
- // }
- // }
- // }
+ if ($this->config->totpEnabled)
+ {
+ $totpSecret = 
$userVariableModel->find($user['id'], 'totp_secret', true);
+ $request = \Config\Services::request();
+
+ if ($this->config->totpLogin)
+ {
+ if (! $this->config->totpOnIpChange)
+ {
+ if (! empty($totpSecret) && ! $totpCode)
+ {
+ $this->error(lang('Aauth.requiredTOTPCode'));
+
+ return false;
+ }
+ else if (! $this->verifyUserTotpCode($totpCode, $user['id']))
+ {
+ $this->error(lang('Aauth.invalidTOTPCode'));
+
+ return false;
+ }
+ }
+ else if ($this->config->totpOnIpChange)
+ {
+ if ($request->getIPAddress() !== $lastIpAddress)
+ {
+ if (! empty($totpSecret) && ! $totpCode)
+ {
+ $this->error(lang('Aauth.requiredTOTPCode'));
+
+ return false;
+ }
+ else if (! $this->verifyUserTotpCode($totpCode, $user['id']))
+ {
+ $this->error(lang('Aauth.invalidTOTPCode'));
+
+ return false;
+ }
+ }
+ }
+ }
+ else if (! $this->config->totpLogin)
+ {
+ if (! $this->config->totpOnIpChange)
+ {
+ $this->session->set('totp_required', true);
+ }
+ else if ($this->config->totpOnIpChange)
+ {
+ if ($request->getIPAddress() !== $lastIpAddress)
+ {
+ $this->session->set('totp_required', true);
+ }
+ }
+ }
+ }
 if (password_verify($password, $user['password']))
 {
@@ -592,10 +594,13 @@ class Aauth
 */
 public function isAllowed($permPar, int $userId = null)
 {
- // if($this->CI->session->userdata('totp_required')){
- // $this->error($this->CI->lang->line('aauth_error_totp_verification_required'));
- // redirect($this->config_vars['totp_two_step_login_redirect']);
- // }
+ if ($this->config->totpEnabled && ! $this->config->totpLogin)
+ {
+ if ($this->isTotpRequired())
+ {
+ return redirect()->to($this->config->totpLink);
+ }
+ }
 $userModel = new UserModel();
diff --git a/tests/Aauth/Libraries/Aauth/AccessTest.php b/tests/Aauth/Libraries/Aauth/AccessTest.php
index 53efad0..229fd54 100644
--- a/tests/Aauth/Libraries/Aauth/AccessTest.php
+++ b/tests/Aauth/Libraries/Aauth/AccessTest.php
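Review bot: The new `totpEnabled` block runs before `password_verify($password, $user['password'])`, so `Aauth.requiredTOTPCode` / `Aauth.invalidTOTPCode` are returned for an identifier whose password has not been checked; that reveals whether the account has TOTP enrolled, lets a code be evaluated independently of the password, and skips whatever failed-login accounting lives in the password branch (which continues past the end of the hunk). Move the whole TOTP block inside the `password_verify` success branch, including the `$this->session->set('totp_required', true)` arms, and make sure a rejected code is treated as a failed login attempt. The required/invalid check is duplicated in the two `totpLogin` arms and can be one private helper, and `else if (! $this->config->totpLogin)` / `else if ($this->config->totpOnIpChange)` are plain `else` since the opposite condition was tested just above. The enclosing method starts before the hunk and `$lastIpAddress`, `$userVariableModel` and `$totpCode` come from there; what `verifyUserTotpCode()` returns for a user with no secret is not visible here — if it returns false for an empty secret, users without TOTP cannot log in whenever `totpLogin` is on.
```php
// … unchanged: user lookup, $lastIpAddress, $totpSecret via $userVariableModel …
if (password_verify($password, $user['password']))
{
    // The second factor is only evaluated once the password is known to be correct.
    if ($this->config->totpEnabled && $this->config->totpLogin)
    {
        $ipChanged = \Config\Services::request()->getIPAddress() !== $lastIpAddress;

        if ((! $this->config->totpOnIpChange || $ipChanged)
            && ! $this->passesTotpCheck($totpSecret, $totpCode, $user['id']))
        {
            return false;
        }
    }
    // … unchanged: success-path session setup …
}

/**
 * Shared TOTP gate for the "always" and "on IP change" modes.
 * Sets the Aauth error and returns false when a code is required but
 * missing, or when the supplied code does not verify.
 */
private function passesTotpCheck($totpSecret, $totpCode, int $userId): bool
{
    if (! empty($totpSecret) && ! $totpCode)
    {
        $this->error(lang('Aauth.requiredTOTPCode'));

        return false;
    }

    if (! $this->verifyUserTotpCode($totpCode, $userId))
    {
        $this->error(lang('Aauth.invalidTOTPCode'));

        return false;
    }

    return true;
}
```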
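Review bot: `return redirect()->to($this->config->totpLink);` makes `isAllowed()` return a truthy `RedirectResponse` from an authorization check, so any caller written as `if ($aauth->isAllowed('perm'))` grants access precisely when the second factor is still outstanding; the assertion added to `AccessTest.php` in this commit pins that truthy return in place. Authorization should fail closed: `return false;` here (after `$this->error(...)` if a message is wanted) and leave the redirect to the controller or a filter that is producing an HTTP response, which also keeps the method's return type a single `bool`. The docblock above the signature is outside the hunk and presumably still documents a bool return; `int $userId = null` is an implicit nullable and should read `?int $userId = null`.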
@@ -159,6 +159,18 @@ class AccessTest extends CIDatabaseTestCase
 $this->assertTrue($this->library->isAllowed('testPerm1'));
 $session->remove('user');
+ $config->totpEnabled = true;
+
+ $session = $this->getInstance();
+ $this->library = new Aauth($config, $session);
+ $session->set('user', [
+ 'id' => 1,
+ 'loggedIn' => true,
+ 'totp_required' => true,
+ ]);
+ $this->assertTrue($this->library->isAllowed('testPerm1') instanceof \CodeIgniter\HTTP\RedirectResponse);
+ $session->remove('user');
+
 $this->assertFalse($this->library->isAllowed('testPerm99', 2));
 $this->assertFalse($this->library->isAllowed('testPerm1', 99));
 }
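Review bot: `$this->assertTrue($this->library->isAllowed('testPerm1') instanceof \CodeIgniter\HTTP\RedirectResponse);` should be `self::assertInstanceOf(\CodeIgniter\HTTP\RedirectResponse::class, $this->library->isAllowed('testPerm1'));` so a failure reports the actual type rather than a bare false. What the test asserts is that an authorization call with `totp_required` set yields a truthy value; the case worth protecting is that the permission is denied in that state, which becomes `self::assertFalse(...)` once `isAllowed()` fails closed. `$config->totpEnabled = true;` is also never reset, so the two `assertFalse` calls that follow now run with TOTP enabled and no session user, which changes what they exercised before this commit — reset the flag after the block or move the block into its own test method.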