Skip to content

Tarea 4041 - Mejora la autentificación en dos pasos #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
daniel89fg wants to merge 3 commits into from
Closed

Tarea 4041 - Mejora la autentificación en dos pasos #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ed92eaf
Actualiza versiones de Bootstrap y FontAwesome en MenuTemplate.html.twig
Jun 27, 2025
f84bb1c
Actualiza versiones de Bootstrap y FontAwesome en MicroTemplate.html.…
Jun 27, 2025
8d00885
Añade soporte para autenticación de dos factores y mejora la gestión …
Jun 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
147 changes: 92 additions & 55 deletions Core/Controller/EditUser.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<?php
/**
* This file is part of FacturaScripts
* Copyright (C) 2017-2024 Carlos Garcia Gomez <carlos@facturascripts.com>
* Copyright (C) 2017-2025 Carlos Garcia Gomez <carlos@facturascripts.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
Expand Down Expand Up @@ -76,6 +76,48 @@ private function allowUpdate(): bool
return $user->nick === $this->user->nick;
}

protected function authentication2factorAction(): bool
{
$user = $this->getModel();
if (false === $this->validateFormToken()) {
return false;
} elseif (false === $this->allowUpdate()) {
Tools::log()->error('not-allowed-modify');
return false;
} elseif (false === $user->loadFromCode($this->request->get('code'))) {
Tools::log()->error('record-not-found');
return false;
} elseif ($user->two_factor_enabled) {
Tools::log()->error('two-factor-authentication-already-enabled', ['%nick%' => $user->nick]);
return false;
}

// Obtener el código TOTP enviado en la solicitud
$totpCode = $this->request->request->get('code_totp');
if (empty($totpCode)) {
Tools::log()->error('totp-code-not-received');
return false;
}

// Validar el código TOTP
if (false === TwoFactorManager::verifyCode($user->two_factor_secret_key, $totpCode)) {
Tools::log()->error('incorrect-totp-code.');
return false;
}

// Activar la autenticación de dos factores y guardar el estado
$user->two_factor_enabled = true;
if (false === $user->save()) {
Tools::log()->error("error-saving two-factor-status-for-user", ['%nick%' => $user->nick]);
return false;
}

Tools::log()->info("totp-code-correct-two-step-authentication-has-been-activated-for-the-user", [
'%nick%' => $user->nick
]);
return true;
}

/**
* Load views
*/
Expand Down Expand Up @@ -146,13 +188,51 @@ protected function createViewsRole(string $viewName = 'EditRoleUser'): void
->disableColumn('user', true);
}

protected function deauthentication2factorAction(): bool
{
$user = $this->getModel();
if (false === $this->validateFormToken()) {
return false;
} elseif (false === $this->allowUpdate()) {
Tools::log()->error('not-allowed-modify');
return false;
} elseif (false === $user->loadFromCode($this->request->get('code'))) {
Tools::log()->error('record-not-found');
return false;
} elseif (false === $user->two_factor_enabled) {
Tools::log()->error('two-factor-authentication-already-enabled', ['%nick%' => $user->nick]);
Copy link

Copilot AI Jun 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the deauthentication2factorAction, the error message is misleading when two_factor_enabled is false. Consider changing it to reflect that two-factor authentication is not enabled, e.g. 'two-factor-authentication-not-enabled'.

Suggested change
Tools::log()->error('two-factor-authentication-already-enabled', ['%nick%' => $user->nick]);
Tools::log()->error('two-factor-authentication-not-enabled', ['%nick%' => $user->nick]);

Copilot uses AI. Check for mistakes.
return false;
}

// Disable two-factor authentication
$user->two_factor_enabled = false;
if (false === $user->save()) {
Tools::log()->error("error-saving two-factor-status-for-user", ['%nick%' => $user->nick]);
return false;
}

Tools::log()->info("two-step-authentication-has-been-deactivated-for-the-user", ['%nick%' => $user->nick]);
return true;
}

protected function deleteAction(): bool
{
// only admin can delete users
$this->permissions->allowDelete = $this->user->admin;
return parent::deleteAction();
}

protected function execPreviousAction($action)
{
if ($action === 'authentication2factor') {
return $this->authentication2factorAction();
} elseif ($action === 'deauthentication2factor') {
return $this->deauthentication2factorAction();
}

return parent::execPreviousAction($action);
}

protected function editAction(): bool
{
$this->permissions->allowUpdate = $this->allowUpdate();
Expand Down Expand Up @@ -180,13 +260,6 @@ protected function editAction(): bool
return $result;
}

protected function insertAction(): bool
{
// only admin can create users
$this->permissions->allowUpdate = $this->user->admin;
return parent::insertAction();
}

/**
* Return a list of pages where user has access.
*
Expand Down Expand Up @@ -225,53 +298,11 @@ protected function getUserPages(User $user): array
return $pageList;
}

protected function execAfterAction($action)
{
if ($action === 'modal2fa') {
// Obtener el código TOTP enviado en la solicitud
$totpCode = $this->request->request->get('codetime');

// Validar que el código no esté vacío
if (empty($totpCode)) {
Tools::log()->error('totp-code-not-received');
return parent::execAfterAction($action);
}

// Obtener el modelo de usuario para validar el TOTP
$userModel = $this->views['EditUser']->model;

// Validar el código TOTP
if ($this->validateTotpCode($userModel, $totpCode)) {
// Activar la autenticación de dos factores y guardar el estado
$userModel->two_factor_enabled = true;
if ($userModel->save()) {
Tools::log()->info("totp-code-correct-two-step-authentication-has-been-activated-for-the-user", ['%nick%' => $userModel->nick]);
} else {
Tools::log()->error("error-saving two-factor-status-for-user", ['%nick%' => $userModel->nick]);
}
} else {
Tools::log()->error('incorrect-totp-code.');
}
}

return parent::execAfterAction($action);
}

/**
* Valida el código TOTP proporcionado por el usuario.
*
* @param User $userModel El modelo del usuario.
* @param string $totpCode El código TOTP introducido.
* @return bool Verdadero si el código es válido, falso en caso contrario.
*/
private function validateTotpCode(User $userModel, string $totpCode): bool
protected function insertAction(): bool
{
if (empty($userModel->two_factor_secret_key)) {
Tools::log()->error("El usuario con nick {$userModel->nick} no tiene una clave secreta de TOTP configurada.");
return false;
}

return TwoFactorManager::verifyCode($userModel->two_factor_secret_key, $totpCode);
// only admin can create users
$this->permissions->allowUpdate = $this->user->admin;
return parent::insertAction();
}

/**
Expand All @@ -298,7 +329,7 @@ protected function loadData($viewName, $view)
$this->loadLanguageValues();

// guarda el usuario si no tiene clave secreta de dos factores
if (empty($view->model->two_factor_secret_key)) {
if ($view->model->exists() && empty($view->model->two_factor_secret_key)) {
$view->model->save();
}

Expand Down Expand Up @@ -327,6 +358,12 @@ protected function loadData($viewName, $view)
];
$view->loadData('', $where);
break;

case 'UserTwoFactor':
if (empty($this->getViewModelValue($mvn, 'two_factor_secret_key'))) {
$this->tab($viewName)->setSettings('active', false);
}
break;
}
}

Expand Down
71 changes: 37 additions & 34 deletions Core/Lib/TwoFactorManager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<?php
/**
* This file is part of FacturaScripts
* Copyright (C) 2024 Carlos Garcia Gomez <carlos@facturascripts.com>
* Copyright (C) 2024-2025 Carlos Garcia Gomez <carlos@facturascripts.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
Expand All @@ -28,11 +28,9 @@

class TwoFactorManager
{
// Constantes configurables
private const QR_CODE_SIZE = 400;
private const VERIFICATION_WINDOW = 8;

// Instancia de Google2FA reutilizable
private static $google2fa;

/**
Expand All @@ -48,69 +46,74 @@ private static function getGoogle2FA(): Google2FA

/**
* Genera una nueva clave secreta para la autenticación de dos factores.
*
* @return string La clave secreta generada.
*/
public static function getSecretKey(): string
{
return self::getGoogle2FA()->generateSecretKey();
try {
return self::getGoogle2FA()->generateSecretKey();
} catch (Exception $e) {
Tools::log()->error('error-generating-secret-key', [
'%message%' => $e->getMessage(),
]);
return '';
}
}

/**
* Genera la URL para el código QR que puede ser escaneado por una aplicación TOTP.
*
* @param string $companyName Nombre de la compañía.
* @param string $email Correo electrónico del usuario.
* @param string $secretKey La clave secreta generada.
* @return string La URL del código QR.
*/
public static function getQRCodeUrl(string $companyName, string $email, string $secretKey): string
{
return self::getGoogle2FA()->getQRCodeUrl($companyName, $email, $secretKey);
try {
return self::getGoogle2FA()->getQRCodeUrl($companyName, $email, $secretKey);
} catch (Exception $e) {
Tools::log()->error('error-generating-qr-code-url', [
'%message%' => $e->getMessage(),
'%companyName%' => $companyName,
'%email%' => $email,
'%secretKey%' => $secretKey,
]);
return '';
}
}

/**
* Genera una imagen de código QR en formato base64 a partir de una URL.
*
* @param string $url La URL del código QR.
* @return string La imagen del código QR codificada en base64.
* @throws Exception Si ocurre un error al generar la imagen.
*/
public static function getQRCodeImage(string $url): string
{
try {
$QRcode = QrCode::create($url)
$qrCode = QrCode::create($url)
->setSize(self::QR_CODE_SIZE)
->setForegroundColor(new Color(0, 0, 0))
->setBackgroundColor(new Color(255, 255, 255));

$writer = new PngWriter();
$result = $writer->write($QRcode);
$result = $writer->write($qrCode);
return $result->getDataUri();
/*$writer = new Writer(
new ImageRenderer(
new RendererStyle(self::QR_CODE_SIZE),
new ImagickImageBackEnd()
)
);

return base64_encode($writer->writeString($url));*/
} catch (Exception $e) {
// Loguea el error si ocurre
Tools::log()->error("Error generating QR code: " . $e->getMessage());
throw new Exception("Failed to generate QR code image.");
Tools::log()->error('error-generating-qr-code', [
'%message%' => $e->getMessage(),
'%url%' => $url,
]);
return '';
}
}

/**
* Verifica si un código TOTP es válido.
*
* @param string $secretKey La clave secreta asociada con el usuario.
* @param string $code El código TOTP introducido por el usuario.
* @return bool Verdadero si el código es válido, falso si no lo es.
*/
public static function verifyCode(string $secretKey, string $code): bool
{
return self::getGoogle2FA()->verifyKey($secretKey, $code, self::VERIFICATION_WINDOW);
try {
return self::getGoogle2FA()->verifyKey($secretKey, $code, self::VERIFICATION_WINDOW);
} catch (Exception $e) {
Tools::log()->error('error-verifying-code', [
'%message%' => $e->getMessage(),
'%secretKey%' => $secretKey,
'%code%' => $code,
]);
return false;
}
}
}
4 changes: 0 additions & 4 deletions Core/Model/User.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -199,10 +199,6 @@ public function getRoles(): array

public function getTwoFactorUrl(): string
{
if (empty($this->two_factor_secret_key)) {
$this->two_factor_secret_key = TwoFactorManager::getSecretKey();
}

return TwoFactorManager::getQRCodeUrl('FacturaScripts', $this->email, $this->two_factor_secret_key);
}

Expand Down
10 changes: 5 additions & 5 deletions Core/View/Master/MenuTemplate.html.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{#
/**
* This file is part of FacturaScripts
* Copyright (C) 2017-2024 Carlos Garcia Gomez <carlos@facturascripts.com>
* Copyright (C) 2017-2025 Carlos Garcia Gomez <carlos@facturascripts.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as
Expand Down Expand Up @@ -43,8 +43,8 @@
{% include includeView['path'] %}
{% endfor %}
{% block css %}
<link rel="stylesheet" href="{{ asset('node_modules/bootstrap/dist/css/bootstrap.min.css') }}"/>
<link rel="stylesheet" href="{{ asset('node_modules/@fortawesome/fontawesome-free/css/all.min.css') }}"/>
<link rel="stylesheet" href="{{ asset('node_modules/bootstrap/dist/css/bootstrap.min.css') }}?v=5"/>
<link rel="stylesheet" href="{{ asset('node_modules/@fortawesome/fontawesome-free/css/all.min.css') }}?v=6"/>
<link rel="stylesheet" href="{{ asset('Dinamic/Assets/CSS/custom.css') }}?v=6"/>
{% endblock %}
{# Adds custom CSS assets #}
Expand All @@ -59,11 +59,11 @@
{% endfor %}
{% block javascripts %}
<script src="{{ asset('node_modules/jquery/dist/jquery.min.js') }}"></script>
<script src="{{ asset('node_modules/bootstrap/dist/js/bootstrap.bundle.min.js') }}"></script>
<script src="{{ asset('node_modules/bootstrap/dist/js/bootstrap.bundle.min.js') }}?v=5"></script>
<script src="{{ asset('node_modules/bootbox/dist/bootbox.min.js') }}"></script>
<script src="{{ asset('node_modules/bootbox/dist/bootbox.locales.min.js') }}"></script>
<script src="{{ asset('node_modules/pace-js/pace.min.js') }}"></script>
<script src="{{ asset('node_modules/@fortawesome/fontawesome-free/js/all.min.js') }}"></script>
<script src="{{ asset('node_modules/@fortawesome/fontawesome-free/js/all.min.js') }}?v=6"></script>
<script src="{{ asset('Dinamic/Assets/JS/Custom.js') }}?v=6"></script>
{% endblock %}
{# Adds custom JS assets #}
Expand Down
Loading
Loading