Nodarx/authentication_provider_totp
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2025-12-21 10:00:51 -05:00
committed by Sebastian Krupinski
commit b3d456d453
17 changed files with 3693 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
lib/Controllers/EnrollmentController.php Normal file
View File

@@ -0,0 +1,204 @@
<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderTotp\Controllers;
use KTXC\Http\Response\JsonResponse;
use KTXC\SessionIdentity;
use KTXF\Controller\ControllerAbstract;
use KTXF\Routing\Attributes\AuthenticatedRoute;
use KTXM\AuthenticationProviderTotp\Services\EnrollmentService;
/**
* TOTP Enrollment Controller
*
* Handles TOTP device enrollment for users:
* - Get enrollment status
* - Begin enrollment (generate QR code)
* - Complete enrollment (verify code)
* - Remove enrollment
* - Regenerate recovery codes
*/
class EnrollmentController extends ControllerAbstract
{
public function __construct(
private readonly SessionIdentity $userIdentity,
private readonly EnrollmentService $enrollmentService,
) {}
/**
* Get TOTP enrollment status for the current user
*/
#[AuthenticatedRoute('/totp/status', name: 'totp.status', methods: ['GET'])]
public function status(): JsonResponse
{
$userId = $this->userIdentity->identifier();
if (!$userId) {
return new JsonResponse(
['error' => 'User not authenticated', 'error_code' => 'unauthorized'],
JsonResponse::HTTP_UNAUTHORIZED
);
}
$isEnrolled = $this->enrollmentService->isEnrolled($userId);
return new JsonResponse([
'enrolled' => $isEnrolled,
'provider' => 'totp',
'label' => 'TOTP Code',
]);
}
/**
* Begin TOTP enrollment - generates secret and QR code
*/
#[AuthenticatedRoute('/totp/enroll', name: 'totp.enroll.begin', methods: ['POST'])]
public function beginEnrollment(string $accountName = ''): JsonResponse
{
$userId = $this->userIdentity->identifier();
if (!$userId) {
return new JsonResponse(
['error' => 'User not authenticated', 'error_code' => 'unauthorized'],
JsonResponse::HTTP_UNAUTHORIZED
);
}
$config = [];
if (!empty($accountName)) {
$config['account_name'] = $accountName;
}
$result = $this->enrollmentService->beginEnrollment($userId, $config);
if (!$result['success']) {
return new JsonResponse(
['error' => $result['error'], 'error_code' => $result['error_code']],
JsonResponse::HTTP_BAD_REQUEST
);
}
$enrollment = $result['enrollment'] ?? [];
return new JsonResponse([
'status' => 'pending',
'secret' => $enrollment['secret'] ?? '',
'provisioning_uri' => $enrollment['provisioning_uri'] ?? '',
'qr_code' => $enrollment['qr_code'] ?? '',
'recovery_codes' => $enrollment['recovery_codes'] ?? [],
]);
}
/**
* Complete TOTP enrollment - verify the initial code
*/
#[AuthenticatedRoute('/totp/enroll/verify', name: 'totp.enroll.verify', methods: ['POST'])]
public function completeEnrollment(string $code): JsonResponse
{
$userId = $this->userIdentity->identifier();
if (!$userId) {
return new JsonResponse(
['error' => 'User not authenticated', 'error_code' => 'unauthorized'],
JsonResponse::HTTP_UNAUTHORIZED
);
}
if (empty($code)) {
return new JsonResponse(
['error' => 'Verification code is required', 'error_code' => 'invalid_request'],
JsonResponse::HTTP_BAD_REQUEST
);
}
$result = $this->enrollmentService->completeEnrollment($userId, $code);
if (!$result['success']) {
return new JsonResponse(
['error' => $result['error'], 'error_code' => $result['error_code']],
JsonResponse::HTTP_BAD_REQUEST
);
}
return new JsonResponse([
'status' => 'enrolled',
'message' => 'TOTP successfully enabled for your account',
]);
}
/**
* Remove TOTP enrollment (disable 2FA)
*/
#[AuthenticatedRoute('/totp/enroll', name: 'totp.enroll.remove', methods: ['DELETE'])]
public function removeEnrollment(string $code): JsonResponse
{
$userId = $this->userIdentity->identifier();
if (!$userId) {
return new JsonResponse(
['error' => 'User not authenticated', 'error_code' => 'unauthorized'],
JsonResponse::HTTP_UNAUTHORIZED
);
}
// Verify current code before removing
$verifyResult = $this->enrollmentService->verifyCode($userId, $code);
if (!$verifyResult['success']) {
return new JsonResponse(
['error' => 'Invalid verification code', 'error_code' => 'invalid_code'],
JsonResponse::HTTP_BAD_REQUEST
);
}
$result = $this->enrollmentService->removeEnrollment($userId);
if (!$result['success']) {
return new JsonResponse(
['error' => $result['error'], 'error_code' => $result['error_code']],
JsonResponse::HTTP_BAD_REQUEST
);
}
return new JsonResponse([
'status' => 'removed',
'message' => 'TOTP has been disabled for your account',
]);
}
/**
* Admin endpoint: Get TOTP enrollment status for any user
*/
#[AuthenticatedRoute('/admin/status/{uid}', name: 'totp.admin.status', methods: ['GET'])]
public function adminStatus(string $uid): JsonResponse
{
// TODO: Add permission check for admin operations
$isEnrolled = $this->enrollmentService->isEnrolled($uid);
return new JsonResponse([
'enrolled' => $isEnrolled,
'provider' => 'totp',
]);
}
/**
* Admin endpoint: Remove TOTP enrollment for any user (no code verification required)
*/
#[AuthenticatedRoute('/admin/enrollment/{uid}', name: 'totp.admin.remove', methods: ['DELETE'])]
public function adminRemoveEnrollment(string $uid): JsonResponse
{
// TODO: Add permission check for admin operations
$result = $this->enrollmentService->removeEnrollment($uid);
if (!$result['success']) {
return new JsonResponse(
['error' => $result['error'], 'error_code' => $result['error_code']],
JsonResponse::HTTP_BAD_REQUEST
);
}
return new JsonResponse([
'status' => 'removed',
'message' => 'TOTP enrollment removed successfully',
]);
}
}