Nodarx/authentication_provider_totp
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
renovate/configure
authentication_provider_totp/lib/Services/EnrollmentService.php
root b3d456d453 Initial commit
2026-02-10 20:06:34 -05:00

410 lines
12 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderTotp\Services;
use KTXC\SessionTenant;
use KTXM\AuthenticationProviderTotp\Stores\EnrollmentStore;
/**
* TOTP Enrollment Service
*
* Handles TOTP enrollment lifecycle:
* - Checking enrollment status
* - Beginning enrollment (generating secrets and QR codes)
* - Completing enrollment (verifying initial code)
* - Removing enrollment
* - Managing recovery codes
*/
class EnrollmentService
{
// TOTP Configuration defaults
private const DEFAULT_DIGITS = 6;
private const DEFAULT_PERIOD = 30;
private const DEFAULT_ALGORITHM = 'sha1';
private const SECRET_LENGTH = 20; // 160 bits as recommended by RFC 4226
public function __construct(
private readonly SessionTenant $tenant,
private readonly EnrollmentStore $enrollmentStore,
) {}
/**
* Check if user has a verified TOTP enrollment
*/
public function isEnrolled(string $userId): bool
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return false;
}
$enrollment = $this->enrollmentStore->getEnrollment($tenantId, $userId);
return $enrollment !== null && ($enrollment['verified'] ?? false) === true;
}
/**
* Begin TOTP enrollment - generates secret, provisioning URI, and recovery codes
*
* @param string $userId User identifier
* @param array $config Configuration options (issuer, account_name)
* @return array{success: bool, error?: string, error_code?: string, enrollment?: array}
*/
public function beginEnrollment(string $userId, array $config = []): array
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return [
'success' => false,
'error' => 'Invalid tenant context',
'error_code' => 'internal_error',
];
}
// Check if already enrolled
if ($this->isEnrolled($userId)) {
return [
'success' => false,
'error' => 'TOTP is already enrolled for this user',
'error_code' => 'already_enrolled',
];
}
// Generate new secret
$secret = $this->generateSecret();
// Generate recovery codes
$recoveryCodes = $this->generateRecoveryCodes();
// Store pending enrollment (not yet verified)
$this->enrollmentStore->storePendingEnrollment($tenantId, $userId, $secret, $recoveryCodes);
// Generate provisioning URI for QR code
$issuer = $config['issuer'] ?? 'Ktrix';
$accountName = $config['account_name'] ?? $userId;
$provisioningUri = $this->generateProvisioningUri($secret, $issuer, $accountName);
// Generate QR code data URL (empty for client-side generation)
$qrCodeDataUrl = $this->generateQrCodeDataUrl($provisioningUri);
return [
'success' => true,
'enrollment' => [
'secret' => $secret,
'provisioning_uri' => $provisioningUri,
'qr_code' => $qrCodeDataUrl,
'recovery_codes' => $recoveryCodes,
],
];
}
/**
* Complete TOTP enrollment by verifying the initial code
*
* @param string $userId User identifier
* @param string $code Verification code from authenticator app
* @return array{success: bool, error?: string, error_code?: string}
*/
public function completeEnrollment(string $userId, string $code): array
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return [
'success' => false,
'error' => 'Invalid tenant context',
'error_code' => 'internal_error',
];
}
// Get pending enrollment
$enrollment = $this->enrollmentStore->getPendingEnrollment($tenantId, $userId);
if (!$enrollment) {
return [
'success' => false,
'error' => 'No pending TOTP enrollment found',
'error_code' => 'no_pending_enrollment',
];
}
// Verify the code
if (!$this->verifyCode($enrollment['secret'], $code)) {
return [
'success' => false,
'error' => 'Invalid verification code',
'error_code' => 'invalid_code',
];
}
// Mark enrollment as verified
$this->enrollmentStore->confirmEnrollment($tenantId, $userId);
return ['success' => true];
}
/**
* Remove TOTP enrollment for a user
*
* @param string $userId User identifier
* @return array{success: bool, error?: string, error_code?: string}
*/
public function removeEnrollment(string $userId): array
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return [
'success' => false,
'error' => 'Invalid tenant context',
'error_code' => 'internal_error',
];
}
if (!$this->isEnrolled($userId)) {
return [
'success' => false,
'error' => 'TOTP is not enrolled for this user',
'error_code' => 'not_enrolled',
];
}
$this->enrollmentStore->removeEnrollment($tenantId, $userId);
return ['success' => true];
}
/**
* Verify a TOTP code for an enrolled user
*
* @param string $userId User identifier
* @param string $code Verification code
* @return array{success: bool, error?: string, error_code?: string, used_recovery_code?: bool}
*/
public function verifyCode(string $userId, string $code): array
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return [
'success' => false,
'error' => 'Invalid tenant context',
'error_code' => 'internal_error',
];
}
// Get enrollment
$enrollment = $this->enrollmentStore->getEnrollment($tenantId, $userId);
if (!$enrollment) {
return [
'success' => false,
'error' => 'TOTP is not enrolled for this user',
'error_code' => 'not_enrolled',
];
}
// Check if it's a recovery code
if ($this->verifyRecoveryCode($tenantId, $userId, $code)) {
return [
'success' => true,
'used_recovery_code' => true,
];
}
// Verify TOTP code
if (!$this->verifyTotpCode($enrollment['secret'], $code)) {
return [
'success' => false,
'error' => 'Invalid verification code',
'error_code' => 'invalid_code',
];
}
return ['success' => true];
}
/**
* Get the user's enrollment secret (for provider verification)
*/
public function getEnrollmentSecret(string $userId): ?string
{
$tenantId = $this->tenant->identifier();
if (!$tenantId) {
return null;
}
$enrollment = $this->enrollmentStore->getEnrollment($tenantId, $userId);
return $enrollment['secret'] ?? null;
}
/**
* Verify a TOTP code against a secret (for provider use)
*/
public function verifyTotpCode(string $secret, string $code, int $window = 1): bool
{
$code = preg_replace('/\s+/', '', $code);
if (strlen($code) !== self::DEFAULT_DIGITS) {
return false;
}
$timestamp = time();
$counter = (int) floor($timestamp / self::DEFAULT_PERIOD);
for ($i = -$window; $i <= $window; $i++) {
$expectedCode = $this->generateTotp($secret, $counter + $i);
if (hash_equals($expectedCode, $code)) {
return true;
}
}
return false;
}
/**
* Verify a recovery code
*/
public function verifyRecoveryCode(string $tenantId, string $userId, string $code): bool
{
$code = strtoupper(preg_replace('/\s+/', '', $code));
$validCodes = $this->enrollmentStore->getRecoveryCodes($tenantId, $userId);
foreach ($validCodes as $index => $storedCode) {
if (hash_equals($storedCode, $code)) {
$this->enrollmentStore->markRecoveryCodeUsed($tenantId, $userId, $index);
return true;
}
}
return false;
}
// =========================================================================
// Private Helper Methods
// =========================================================================
/**
* Generate a cryptographically secure secret
*/
private function generateSecret(): string
{
$bytes = random_bytes(self::SECRET_LENGTH);
return $this->base32Encode($bytes);
}
/**
* Generate a provisioning URI for QR codes (otpauth:// format)
*/
private function generateProvisioningUri(string $secret, string $issuer, string $accountName): string
{
$params = http_build_query([
'secret' => $secret,
'issuer' => $issuer,
'algorithm' => strtoupper(self::DEFAULT_ALGORITHM),
'digits' => self::DEFAULT_DIGITS,
'period' => self::DEFAULT_PERIOD,
]);
$label = rawurlencode($issuer) . ':' . rawurlencode($accountName);
return "otpauth://totp/{$label}?{$params}";
}
/**
* Generate QR code as data URL
*/
private function generateQrCodeDataUrl(string $uri): string
{
// Return empty for client-side QR generation
return '';
}
/**
* Generate recovery codes
*/
private function generateRecoveryCodes(int $count = 10): array
{
$codes = [];
for ($i = 0; $i < $count; $i++) {
$part1 = strtoupper(bin2hex(random_bytes(2)));
$part2 = strtoupper(bin2hex(random_bytes(2)));
$codes[] = "{$part1}-{$part2}";
}
return $codes;
}
/**
* Generate TOTP code for a given counter
*/
private function generateTotp(string $secret, int $counter): string
{
$secretBytes = $this->base32Decode($secret);
$counterBytes = pack('J', $counter);
$hash = hash_hmac(self::DEFAULT_ALGORITHM, $counterBytes, $secretBytes, true);
$offset = ord($hash[strlen($hash) - 1]) & 0x0F;
$binary = (ord($hash[$offset]) & 0x7F) << 24
| ord($hash[$offset + 1]) << 16
| ord($hash[$offset + 2]) << 8
| ord($hash[$offset + 3]);
$otp = $binary % (10 ** self::DEFAULT_DIGITS);
return str_pad((string) $otp, self::DEFAULT_DIGITS, '0', STR_PAD_LEFT);
}
/**
* Base32 encode (RFC 4648)
*/
private function base32Encode(string $data): string
{
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
$encoded = '';
$bitLen = 0;
$val = 0;
$len = strlen($data);
for ($i = 0; $i < $len; $i++) {
$val = ($val << 8) | ord($data[$i]);
$bitLen += 8;
while ($bitLen >= 5) {
$bitLen -= 5;
$encoded .= $alphabet[($val >> $bitLen) & 0x1F];
}
}
if ($bitLen > 0) {
$encoded .= $alphabet[($val << (5 - $bitLen)) & 0x1F];
}
return $encoded;
}
/**
* Base32 decode (RFC 4648)
*/
private function base32Decode(string $data): string
{
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
$data = strtoupper(str_replace('=', '', $data));
$decoded = '';
$val = 0;
$bitLen = 0;
$len = strlen($data);
for ($i = 0; $i < $len; $i++) {
$pos = strpos($alphabet, $data[$i]);
if ($pos === false) continue;
$val = ($val << 5) | $pos;
$bitLen += 5;
if ($bitLen >= 8) {
$bitLen -= 8;
$decoded .= chr(($val >> $bitLen) & 0xFF);
}
}
return $decoded;
}
}
Reference in New Issue View Git Blame Copy Permalink