Merge pull request #313 from uzulla/issue292/mfa-email

メールによる多要素認証（MFA）の実装

Author: fc2dev

app/config.sample.php

@@ -21,11 +21,16 @@
 // Please edit the path when change `app` and `public` relative path condition.
 define('WWW_DIR', __DIR__ . '/../public/'); // this path need finish with slash.
 
+// パスワード再発行機能などで送信されるメールのFROMとするメールアドレス
 define("ADMIN_MAIL_ADDRESS", "[email protected]");
+
 // メールが送信出来ない環境で、パスワードリセットする場合にのみ1を設定してください。
 // パスワードリセットが成功した後は必ず "1" 以外の "0" 等の値に変更してください。
 define("EMERGENCY_PASSWORD_RESET_ENABLE", "0");
 
+// ログイン時にメール認証を有効化するか
+define("MFA_EMAIL", "0");
+
 // If you want get error log on display.
 // define('ERROR_ON_DISPLAY', "1");
 // ini_set('display_errors', '1');

app/config_read_from_env.php

@@ -51,6 +51,7 @@
 }
 define("SENDMAIL_PATH", (string)getenv("FC2_SENDMAIL_PATH"));
 define("EMERGENCY_PASSWORD_RESET_ENABLE", (string)getenv("FC2_EMERGENCY_PASSWORD_RESET_ENABLE"));
+define("MFA_EMAIL", (string)getenv("FC2_MFA_EMAIL"));
 
 if (strlen((string)getenv("FC2_GITHUB_REPO")) > 0) {
     define("GITHUB_REPO", (string)getenv("FC2_GITHUB_REPO"));

app/db/0_initialize.sql

@@ -184,6 +184,28 @@ CREATE TABLE `comments`
   DEFAULT CHARSET = utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `email_login_token`
+--
+
+DROP TABLE IF EXISTS `email_login_token`;
+/*!40101 SET @saved_cs_client = @@character_set_client */;
+/*!40101 SET character_set_client = utf8mb4 */;
+CREATE TABLE `email_login_token`
+(
+    `id`         bigint(20)                              NOT NULL AUTO_INCREMENT,
+    `user_id`    int(11)                                 NOT NULL,
+    `token`      varchar(128) COLLATE utf8mb4_unicode_ci NOT NULL,
+    `expire_at`  datetime                                NOT NULL,
+    `updated_at` datetime                                NOT NULL,
+    `created_at` datetime                                NOT NULL,
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `email_login_token_token_uindex` (`token`)
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4
+  COLLATE = utf8mb4_unicode_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `entries`
 --

app/locale/en_US.UTF-8/LC_MESSAGES/messages.mo

@@ -2591,3 +2591,23 @@ msgstr ""
 msgid "You can change your login password at the following URL."
 msgstr ""
 
+msgid "Sent login mail."
+msgstr "ログインURLをメールしました"
+
+msgid "Sent one time login url to your mail address. Please check your mailbox."
+msgstr "一度だけ利用可能なログインURLが記載されたメールを送信しました、メールを確認してください。"
+
+msgid "[Fc2blog OSS] Your login url"
+msgstr "[Fc2blog OSS] ログインURLのおしらせ"
+
+msgid "You can login by the following URL."
+msgstr "以下のURLにアクセスし、ログインしてください。"
+
+msgid "You requested site login."
+msgstr "ログイン要求を受け付けました。"
+
+msgid "Login request expired."
+msgstr "ログインURLは無効です"
+
+msgid "Login request was expired. Please try again login form."
+msgstr "このログインURLは無効です、再度ログインフォームから要求してください。"

app/locale/en_US.UTF-8/LC_MESSAGES/messages.po

@@ -2638,3 +2638,23 @@ msgstr "※ もしこのメールに心当たりがない場合には、無視
 msgid "You can change your login password at the following URL."
 msgstr "以下のURLにアクセスして、パスワードを再設定してください。"
 
+msgid "Sent login mail."
+msgstr "ログインURLをメールしました"
+
+msgid "Sent one time login url to your mail address. Please check your mailbox."
+msgstr "一度だけ利用可能なログインURLが記載されたメールを送信しました、メールを確認してください。"
+
+msgid "[Fc2blog OSS] Your login url"
+msgstr "[Fc2blog OSS] ログインURLのおしらせ"
+
+msgid "You can login by the following URL."
+msgstr "以下のURLにアクセスし、ログインしてください。"
+
+msgid "You requested site login."
+msgstr "ログイン要求を受け付けました。"
+
+msgid "Login request expired."
+msgstr "ログインURLは無効です"
+
+msgid "Login request was expired. Please try again login form."
+msgstr "このログインURLは無効です、再度ログインフォームから要求してください。"

app/locale/ja_JP.UTF-8/LC_MESSAGES/messages.mo

@@ -0,0 +1,57 @@
+<?php
+declare(strict_types=1);
+
+namespace Fc2blog\Model;
+
+use Fc2blog\App;
+use Fc2blog\Web\Html;
+use Fc2blog\Web\Request;
+
+class EmailLoginToken
+{
+    public $id;
+    public $user_id;
+    public $token;
+    public $expire_at;
+    public $updated_at;
+    public $created_at;
+
+    public static function factoryWithUser(User $user): self
+    {
+        $self = new static();
+        $self->user_id = $user->id;
+        $self->token = App::genRandomString();
+        $self->expire_at = date("Y-m-d H:i:s", time() + 60 * 60 * 24);
+        $self->updated_at = date("Y-m-d H:i:s");
+        $self->created_at = date("Y-m-d H:i:s");
+        return $self;
+    }
+
+    public static function factoryFromArray(array $list): self
+    {
+        $self = new static();
+        $self->id = $list['id'];
+        $self->user_id = $list['user_id'];
+        $self->token = $list['token'];
+        $self->expire_at = $list['expire_at'];
+        $self->updated_at = $list['updated_at'];
+        $self->created_at = $list['created_at'];
+        return $self;
+    }
+
+    public function isExpired(): bool
+    {
+        return strtotime($this->expire_at) < time();
+    }
+
+    public function getLoginUrl(Request $request): string
+    {
+        return Html::adminUrl(
+            $request,
+            'Session',
+            'mailLogin',
+            ['token' => $this->token],
+            true
+        );
+    }
+}

app/locale/ja_JP.UTF-8/LC_MESSAGES/messages.po

@@ -0,0 +1,45 @@
+<?php
+declare(strict_types=1);
+
+namespace Fc2blog\Model;
+
+class EmailLoginTokenModel extends Model
+{
+    public function getTableName(): string
+    {
+        return 'email_login_token';
+    }
+
+    /**
+     * バリデート処理
+     * @param array $data
+     * @param array|null $valid_data
+     * @param array $white_list
+     * @return array
+     */
+    public function validate(array $data, ?array &$valid_data = [], array $white_list = []): array
+    {
+        // バリデートを定義
+        $this->validates = array(
+            'login_id' => array(
+                'required' => true,
+                'maxlength' => array('max' => 512),
+            ),
+        );
+
+        return parent::validate($data, $valid_data, $white_list);
+    }
+
+    /**
+     * @param array $values
+     * @param array $options
+     * @return int|null last insert id or null
+     */
+    public function insert(array $values, array $options = []): ?int
+    {
+        unset($values['id']); // insertのため、pkを削除
+        $values['updated_at'] = $values['created_at'] = date('Y-m-d H:i:s');
+        $last_insert_id = parent::insert($values, $options);
+        return $last_insert_id === false ? null : (int)$last_insert_id;
+    }
+}

app/src/Model/EmailLoginToken.php

@@ -0,0 +1,65 @@
+<?php
+declare(strict_types=1);
+
+namespace Fc2blog\Model;
+
+use Fc2blog\Config;
+use Fc2blog\Service\MailService;
+use Fc2blog\Service\TwigService;
+use Fc2blog\Web\Request;
+use RuntimeException;
+
+class EmailLoginTokenService
+{
+    public static function create(EmailLoginToken $token): ?int
+    {
+        $pr_model = new EmailLoginTokenModel();
+        return $pr_model->insert((array)$token);
+    }
+
+    public static function getByToken(string $token): ?EmailLoginToken
+    {
+        $pr_model = new EmailLoginTokenModel();
+        $result = $pr_model->find('row', [
+            'where' => 'token = :token',
+            'params' => ['token' => $token]
+        ]);
+
+        if ($result === false) return null;
+
+        return EmailLoginToken::factoryFromArray($result);
+    }
+
+    public static function revokeToken(EmailLoginToken $token): void
+    {
+        $pr_model = new EmailLoginTokenModel();
+        $pr_model->deleteById($token->id);
+    }
+
+    public static function createAndSendToken(Request $request, User $user): bool
+    {
+        // create token
+        $token = EmailLoginToken::factoryWithUser($user);
+        if (is_null(static::create($token))) {
+            throw new RuntimeException("create password reset token failed.");
+        }
+
+        // mail sending.
+        $login_url = $token->getLoginUrl($request);
+
+        $email = new Email();
+        $email->setFrom(
+            Config::get("ADMIN_MAIL_ADDRESS"),
+            "Fc2blog OSS"
+        );
+        $email->setTo($user->login_id);
+        $email->setSubjectAndBodyByTwig(
+            TwigService::getTwigInstance(),
+            'mail/email_login.twig',
+            ['url' => $login_url]
+        );
+        return MailService::send($email);
+    }
+
+    // TODO clean up token.
+}

app/src/Model/EmailLoginTokenModel.php

@@ -38,6 +38,7 @@ public function getListAndPaging(array $condition)
             $url .= '&device=' . $condition['device'];
         }
 
+        // TODO offline mode
         $json = file_get_contents($url);
         $json = json_decode($json, true);
 
@@ -74,6 +75,7 @@ public function findByIdAndDevice(string $id, string $device)
     {
         $url = 'https://admin.blog.fc2.com/oss_api.php?action=template_view&id=' . $id . '&device=' . $device;
 
+        // TODO Offline mode
         $json = file_get_contents($url);
         $json = json_decode($json, true);
         $json['id'] = $id;

app/src/Model/EmailLoginTokenService.php

@@ -3,7 +3,15 @@
 
 namespace Fc2blog\Model;
 
-class User
+use ArrayAccess;
+use ArrayIterator;
+use Countable;
+use Iterator;
+use IteratorAggregate;
+use ReflectionClass;
+use ReflectionException;
+
+class User implements ArrayAccess, IteratorAggregate, Countable
 {
     public $id;
     public $login_id;
@@ -44,4 +52,42 @@ public function verifyPassword(string $input_password): bool
         return password_verify($input_password, $this->password);
     }
 
+    // ==== for array access ====
+    public function offsetExists($offset): bool
+    {
+        return isset($this->{$offset});
+    }
+
+    public function offsetGet($offset)
+    {
+        return $this->offsetExists($offset) ? $this->{$offset} : null;
+    }
+
+    public function offsetSet($offset, $value)
+    {
+        $r = new ReflectionClass(static::class);
+        try {
+            $prop = $r->getProperty($offset);
+            if ($prop->isPublic()) {
+                $this->{$prop->getName()} = $value;
+            }
+        } catch (ReflectionException $e) {
+        }
+    }
+
+    public function offsetUnset($offset)
+    {
+        // don't un-settable
+    }
+
+    public function getIterator(): Iterator
+    {
+        return new ArrayIterator((array)$this);
+    }
+
+    public function count(): int
+    {
+        $r = new ReflectionClass(static::class);
+        return count($r->getProperties());
+    }
 }

app/src/Model/Fc2TemplatesModel.php

@@ -14,6 +14,13 @@ public static function getByLoginId(string $login_id): ?User
         return User::factory($repo->findByLoginId($login_id));
     }
 
+    public static function getByLoginIdAndPassword(string $login_id, string $password): ?User
+    {
+        $repo = new UsersModel();
+        $user = User::factory($repo->findByLoginId($login_id));
+        return !is_null($user) && $user->verifyPassword($password) ? $user : null;
+    }
+
     public static function updatePassword(User $user, string $password): bool
     {
         $user->setPassword($password);