Merge pull request #65 from DarkGhostHunter/master

Version 4.0

.gitattributes

@@ -9,3 +9,4 @@
 /.scrutinizer.yml   export-ignore
 /tests              export-ignore
 /.editorconfig      export-ignore
+/laraguardlogo.png  export-ignore

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: composer
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "09:00"
+  open-pull-requests-limit: 10

.github/workflows/php.yml

@@ -11,12 +11,12 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: [8.0, 7.4]
-        laravel: [8.*]
+        php: [8.0]
+        laravel: [^8.39]
         dependency-version: [prefer-lowest, prefer-stable]
         include:
-          - laravel: 8.*
-            testbench: 6.*
+          - laravel: ^8.39
+            testbench: ^6.20.1
 
     name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }} - ${{ matrix.dependency-version }}
 

.gitignore

@@ -2,4 +2,7 @@ build
 composer.lock
 docs
 vendor
-coverage
+coverage
+.idea
+/.phpunit.result.cache
+/phpunit.xml.dist.bak

UPGRADE.md

@@ -0,0 +1,18 @@
+# Upgrading
+
+## Upgrade from 3.0
+
+If you're upgrading from Laraguard 3.0, you will need to migrate.
+
+Laraguard 4.0 encrypts the Shared Secret and Recovery Codes. This adds an extra layer of protection in case the database records are leaked to the wild, as recommended by the [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238).
+
+To upgrade, ensure you have installed `doctrine/dbal` so the migration can run, as it needs to change a column type.
+
+    composer require doctrine/dbal
+
+Then, publish the upgrading migration and run it:
+
+    php artisan vendor:publish --provider="DarkGhostHunter\Laraguard\LaraguardServiceProvider" --tag="upgrade"
+    php artisan migrate
+
+The migration will automatically encrypt all shared secrets, while also reverting the decryption on rolling back migrations.

composer.json

@@ -21,19 +21,22 @@
         }
     ],
     "require": {
-        "php": "^7.4||^8.0",
+        "php": "^8.0",
         "ext-json": "*",
         "bacon/bacon-qr-code": "^2.0",
         "paragonie/constant_time_encoding": "^2.4",
-        "illuminate/support": "^8.0",
-        "illuminate/http": "^8.20",
-        "illuminate/auth": "^8.0"
+        "illuminate/config": "^8.39",
+        "illuminate/validation": "^8.39",
+        "illuminate/database": "^8.39",
+        "illuminate/support": "^8.39",
+        "illuminate/http": "^8.39",
+        "illuminate/auth": "^8.39"
     },
     "require-dev": {
-        "orchestra/testbench": "^6.0",
-        "orchestra/canvas": "^6.0",
-        "mockery/mockery":"^1.4",
-        "phpunit/phpunit": "^9.3"
+        "doctrine/dbal": "^3.1",
+        "mockery/mockery": "^1.4",
+        "orchestra/testbench": "6.*",
+        "phpunit/phpunit": "^9.5.9"
     },
     "autoload": {
         "psr-4": {

config/laraguard.php

@@ -1,20 +1,6 @@
 <?php
 
 return [
-
-    /*
-    |--------------------------------------------------------------------------
-    | Listener hook
-    |--------------------------------------------------------------------------
-    |
-    | If a Listener class is present, Laraguard will hook into the Attempting
-    | and Validated events and check if it needs Two Factor Authentication.
-    | Set this to false or null to use your own 2FA logic without events.
-    |
-    */
-
-    'listener' => \DarkGhostHunter\Laraguard\Listeners\EnforceTwoFactorAuth::class,
-
     /*
     |--------------------------------------------------------------------------
     | TwoFactorAuthentication Model
@@ -28,19 +14,6 @@
 
     'model' => \DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthentication::class,
 
-    /*
-    |--------------------------------------------------------------------------
-    | Input name
-    |--------------------------------------------------------------------------
-    |
-    | When using the Listener, it will automatically check the Request for the
-    | input name containing the Two Factor Code. A safe default is set here,
-    | but you can override the value if it collides with other form input.
-    |
-    */
-
-    'input' => '2fa_code',
-
     /*
     |--------------------------------------------------------------------------
     | Cache Store
@@ -86,6 +59,7 @@
     */
 
     'safe_devices' => [
+        'cookie'          => '2fa_remember',
         'enabled'         => false,
         'max_devices'     => 3,
         'expiration_days' => 14,

database/factories/TwoFactorAuthenticationFactory.php

@@ -2,12 +2,12 @@
 
 namespace Database\Factories\DarkGhostHunter\Laraguard\Eloquent;
 
-use Faker\Generator as Faker;
+use DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthentication;
 use Illuminate\Database\Eloquent\Factories\Factory;
 use Illuminate\Support\Collection;
-use DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthentication;
 
-class TwoFactorAuthenticationFactory extends Factory {
+class TwoFactorAuthenticationFactory extends Factory
+{
     /**
      * The name of the factory's corresponding model.
      *
@@ -20,7 +20,7 @@ class TwoFactorAuthenticationFactory extends Factory {
      *
      * @return array
      */
-    public function definition()
+    public function definition(): array
     {
         $config = config('laraguard');
 
@@ -34,7 +34,7 @@ public function definition()
 
         if ($enabled) {
             $array['recovery_codes'] = TwoFactorAuthentication::generateRecoveryCodes($amount, $length);
-            $array['recovery_codes_generated_at'] = $this->faker->dateTimeBetween('-1 years');
+            $array['recovery_codes_generated_at'] = $this->faker->dateTimeBetween('-1 year');
         }
 
         return $array;
@@ -43,60 +43,54 @@ public function definition()
     /**
      * Returns a model with unused recovery codes.
      *
-     * @return TwoFactorAuthenticationFactory
+     * @return \Database\Factories\DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthenticationFactory
      */
-    public function withRecovery()
+    public function withRecovery(): static
     {
-        return $this->state(function(array $attributes) {
-            [$enabled, $amount, $length] = array_values(config('laraguard.recovery'));
+        [$enabled, $amount, $length] = array_values(config('laraguard.recovery'));
 
-            return [
-                'recovery_codes'              => TwoFactorAuthentication::generateRecoveryCodes($amount, $length),
-                'recovery_codes_generated_at' => $this->faker->dateTimeBetween('-1 years'),
-            ];
-        });
+        return $this->state([
+            'recovery_codes'              => TwoFactorAuthentication::generateRecoveryCodes($amount, $length),
+            'recovery_codes_generated_at' => $this->faker->dateTimeBetween('-1 years'),
+        ]);
     }
 
     /**
      * Returns an authentication with a list of safe devices.
      *
-     * @return TwoFactorAuthenticationFactory
+     * @return \Database\Factories\DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthenticationFactory
      */
-    public function withSafeDevices()
+    public function withSafeDevices(): static
     {
-        return $this->state(function (array $attributes) {
-            $max = config('laraguard.safe_devices.max_devices');
-
-            return [
-                'safe_devices' => Collection::times($max, function ($step) use ($max) {
-
-                    $expiration_days = config('laraguard.safe_devices.expiration_days');
-
-                    $added_at = $max !== $step
-                        ? now()
-                        : $this->faker->dateTimeBetween(now()->subDays($expiration_days * 2), now()->subDays($expiration_days));
-
-                    return [
-                        '2fa_remember' => TwoFactorAuthentication::generateDefaultTwoFactorRemember(),
-                        'ip'           => $this->faker->ipv4,
-                        'added_at'     => $added_at,
-                    ];
-                }),
-            ];
-        });
+        $max = config('laraguard.safe_devices.max_devices');
+
+        return $this->state([
+            'safe_devices' => Collection::times($max, function ($step) use ($max) {
+                $expiration_days = config('laraguard.safe_devices.expiration_days');
+
+                $added_at = $max !== $step
+                    ? now()
+                    : $this->faker->dateTimeBetween(now()->subDays($expiration_days * 2),
+                        now()->subDays($expiration_days));
+
+                return [
+                    '2fa_remember' => TwoFactorAuthentication::generateDefaultTwoFactorRemember(),
+                    'ip'           => $this->faker->ipv4,
+                    'added_at'     => $added_at,
+                ];
+            }),
+        ]);
     }
 
     /**
      * Returns an enabled authentication.
      *
-     * @return TwoFactorAuthenticationFactory
+     * @return \Database\Factories\DarkGhostHunter\Laraguard\Eloquent\TwoFactorAuthenticationFactory
      */
-    public function enabled()
+    public function enabled(): static
     {
-        return $this->state(function (array $attributes) {
-            return [
-                'enabled_at' => null
-            ];
-        });
+        return $this->state([
+            'enabled_at' => null,
+        ]);
     }
 }

database/migrations/2020_04_02_000000_create_two_factor_authentications_table.php

@@ -11,19 +11,19 @@ class CreateTwoFactorAuthenticationsTable extends Migration
      *
      * @return void
      */
-    public function up()
+    public function up(): void
     {
         Schema::create('two_factor_authentications', function (Blueprint $table) {
-            $table->bigIncrements('id');
+            $table->id();
             $table->morphs('authenticatable', '2fa_auth_type_auth_id_index');
-            $table->string('shared_secret');
+            $table->text('shared_secret');
             $table->timestampTz('enabled_at')->nullable();
             $table->string('label');
             $table->unsignedTinyInteger('digits')->default(6);
             $table->unsignedTinyInteger('seconds')->default(30);
             $table->unsignedTinyInteger('window')->default(0);
             $table->string('algorithm', 16)->default('sha1');
-            $table->json('recovery_codes')->nullable();
+            $table->text('recovery_codes')->nullable();
             $table->timestampTz('recovery_codes_generated_at')->nullable();
             $table->json('safe_devices')->nullable();
             $table->timestampsTz();
@@ -35,7 +35,7 @@ public function up()
      *
      * @return void
      */
-    public function down()
+    public function down(): void
     {
         Schema::dropIfExists('two_factor_authentications');
     }

database/migrations/2020_04_02_000000_upgrade_two_factor_authentications_table.php

@@ -0,0 +1,85 @@
+<?php
+
+use Composer\InstalledVersions;
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+class UpgradeTwoFactorAuthenticationsTable extends Migration
+{
+    /**
+     * Creates a new Migration instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        if (! InstalledVersions::isInstalled('doctrine/dbal')) {
+            throw new OutOfBoundsException("Install the doctrine/dbal package to upgrade or downgrade.");
+        }
+    }
+
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up(): void
+    {
+        Schema::table('two_factor_authentications', static function (Blueprint $table): void {
+            $table->text('shared_secret')->change();
+            $table->text('recovery_codes')->nullable()->change();
+        });
+
+        // We need to encrypt all shared secrets so these can be used with Laraguard v4.0.
+        $this->chunkRows(true);
+    }
+
+    /**
+     * Returns a chunk of authentications to encrypt/decrypt them.
+     *
+     * @param  bool  $encrypt
+     *
+     * @return void
+     */
+    protected function chunkRows(bool $encrypt): void
+    {
+        $call = $encrypt ? 'encryptString' : 'decryptString';
+        $encrypter = Crypt::getFacadeRoot();
+        $query = DB::table('two_factor_authentications');
+
+        $query->clone()->select('id', 'shared_secret', 'recovery_codes')
+            ->chunkById(
+                1000,
+                static function (Collection $chunk) use ($encrypter, $query, $call): void {
+                    DB::beginTransaction();
+                    foreach ($chunk as $item) {
+                        $query->clone()->where('id', $item->id)->update([
+                            'shared_secret'  => $encrypter->$call($item->shared_secret),
+                            'recovery_codes' => $item->recovery_codes ? $encrypter->$call($item->recovery_codes) : null,
+                        ]);
+                    }
+                    DB::commit();
+                }
+            );
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down(): void
+    {
+        // Before changing the shared secret column, we will need to decrypt the shared secret.
+        $this->chunkRows(false);
+
+        Schema::table('two_factor_authentications', static function (Blueprint $table): void {
+            $table->string('shared_secret')->change();
+            $table->json('recovery_codes')->nullable()->change();
+        });
+    }
+}