Add MFA protection to several pages of the PAUSE

cpanfile

@@ -1,4 +1,5 @@
 requires 'Apache::Session::Counted';
+requires 'Auth::GoogleAuth', '1.05';
 requires 'BSD::Resource';
 requires 'CPAN::Checksums', '1.050';
 requires 'CPAN::DistnameInfo';
@@ -22,6 +23,7 @@ requires 'HTML::Entities';
 requires 'HTTP::Date';
 requires 'HTTP::Status';
 requires 'HTTP::Tiny', '0.059';
+requires 'Imager::QRCode';
 requires 'IO::Socket::SSL', '1.56';
 requires 'IPC::Run3';
 requires 'JSON';

doc/authen_pause.schema.txt

@@ -56,6 +56,8 @@ CREATE TABLE usertable (
   `changed` int(11) DEFAULT NULL,
   changedby char(10) DEFAULT NULL,
   lastvisit datetime DEFAULT NULL,
+  mfa_secret32 varchar(16) DEFAULT NULL,
+  mfa_recovery_codes text DEFAULT NULL,
   PRIMARY KEY (`user`),
   KEY usertable_password (`password`)
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1 PACK_KEYS=1;

doc/schemas/authen_pause.schema.sqlite

@@ -36,6 +36,8 @@ CREATE TABLE usertable (
   changed int(11) DEFAULT NULL,
   changedby char(10) DEFAULT NULL,
   lastvisit datetime DEFAULT NULL,
+  mfa_secret32 varchar(16) DEFAULT NULL,
+  mfa_recovery_codes text DEFAULT NULL,
   PRIMARY KEY (user)
 );
 

lib/PAUSE.pm

@@ -92,6 +92,7 @@ $PAUSE::Config ||=
      HTTP_ERRORLOG => '/var/log/nginx/error.log', # harmless use in cron-daily
      INCOMING => 'file://data/pause/incoming/',
      INCOMING_LOC => '/data/pause/incoming',
+     INCOMING_TMP => '/data/pause/tmp/',
      MAIL_MAILER => ["sendmail"],
      MAXRETRIES => 16,
      MIRRORCONFIG => '/usr/local/mirror/mymirror.config',

lib/pause_2017/PAUSE/Web.pm

@@ -33,6 +33,7 @@ sub startup {
 
   # Load plugins to modify path/set stash values/provide helper methods
   $app->plugin("WithCSRFProtection");
+  $app->plugin("PAUSE::Web::Plugin::WithMFAProtection");
   $app->plugin("PAUSE::Web::Plugin::ConfigPerRequest");
   $app->plugin("PAUSE::Web::Plugin::IsPauseClosed");
   $app->plugin("PAUSE::Web::Plugin::GetActiveUserRecord");
@@ -80,7 +81,9 @@ sub startup {
       my $action = $app->pause->config->action($name);
       for my $method (qw/get post/) {
         my $route = $private->$method("/$name");
-        $route->with_csrf_protection if $method eq "post" and $action->{x_csrf_protection};
+        $route->with_csrf_protection         if $method eq "post" and $action->{x_csrf_protection};
+        $route->with_mfa_protection          if $method eq "post" and $action->{x_mfa_protection};
+        $route->with_csrf_and_mfa_protection if $method eq "post" and $action->{x_csrf_and_mfa_protection};
         $route->to($action->{x_mojo_to});
       }
     }

lib/pause_2017/PAUSE/Web/Config.pm

@@ -111,6 +111,7 @@ our %Actions = (
     cat => "User/01Files/01up",
     desc => "This is the heart of the <b>Upload Server</b>, the page most heavily used on PAUSE.",
     method => 'POST',
+    x_mfa_protection => 1,
     x_form => {
       HIDDENNAME => {form_type => "hidden_field"},
       CAN_MULTIPART => {form_type => "hidden_field"},
@@ -427,7 +428,7 @@ our %Actions = (
     cat => "User/06Account/02",
     desc => "Change your password any time you want.",
     method => 'POST',
-    x_csrf_protection => 1,
+    x_csrf_and_mfa_protection => 1,
     x_form => {
       HIDDENNAME => {form_type => "hidden_field"},
       ABRA => {form_type => "hidden_field"},
@@ -443,7 +444,7 @@ our %Actions = (
     cat => "User/06Account/01",
     desc => "Edit your user name, your email addresses (both public and secret one), change the URL of your homepage.",
     method => 'POST',
-    x_csrf_protection => 1,
+    x_csrf_and_mfa_protection => 1,
     x_form => {
       HIDDENNAME => {form_type => "hidden_field"},
       pause99_edit_cred_fullname => {form_type => "text_field"},
@@ -456,6 +457,21 @@ our %Actions = (
       pause99_edit_cred_sub => {form_type => "submit_button"},
     },
   },
+  mfa => {
+    x_mojo_to => "user-mfa#edit",
+    verb => "Multifactor Auth",
+    priv => "user",
+    cat => "User/06Account/03",
+    desc => "Multifactor Authentication.",
+    method => 'POST',
+    x_csrf_protection => 1,
+    x_form => {
+      HIDDENNAME => {form_type => "hidden_field"},
+      pause99_mfa_code => {form_type => "text_field"},
+      pause99_mfa_reset => {form_type => "hidden_field"},
+      pause99_mfa_sub => {form_type => "submit_button"},
+    },
+  },
   pause_logout => {
     x_mojo_to => "user#pause_logout",
     verb => "About Logging Out",
@@ -493,6 +509,7 @@ our %Actions = (
     cat => "01usr/01add",
     desc => "Admins can add users or mailinglists.",
     method => 'POST',
+    x_mfa_protection => 1,
     x_form => {
       SUBMIT_pause99_add_user_Soundex => {form_type => "submit_button"},
       SUBMIT_pause99_add_user_Metaphone => {form_type => "submit_button"},
@@ -520,6 +537,7 @@ our %Actions = (
     cat => "01usr/02",
     desc => "Admins and mailing list representatives can change the name, address and description of a mailing list.",
     method => 'POST',
+    x_mfa_protection => 1,
     x_form => {
       HIDDENNAME => {form_type => "hidden_field"},
       pause99_edit_ml_3 => {form_type => "select_field"}, # mailing lists
@@ -544,6 +562,7 @@ our %Actions = (
     cat => "01usr/03",
     desc => "Admins can access PAUSE as-if they were somebody else. Here they select a user/action pair.",
     method => 'POST',
+    x_mfa_protection => 1,
     x_form => {
       HIDDENNAME => {form_type => "select_field"},
       ACTIONREQ => {form_type => "select_field"},

lib/pause_2017/PAUSE/Web/Context.pm

@@ -10,6 +10,7 @@ use Email::MIME;
 use Data::Dumper;
 use PAUSE::Web::Config;
 use PAUSE::Web::Exception;
+use Auth::GoogleAuth;
 
 our $VERSION = "1072";
 
@@ -40,6 +41,17 @@ sub version {
   $version;
 }
 
+sub authenticator_for {
+  my ($self, $user) = @_;
+  my $userid   = lc($user->{userid});
+  my $secret32 = $user->{mfa_secret32};
+  return Auth::GoogleAuth->new({
+    secret32 => $secret32,
+    issuer   => $PAUSE::Config->{MFA_ISSUER} || 'PAUSE',
+    key_id   => $userid,
+  });
+}
+
 sub hostname {
   my $self = shift;
   $PAUSE::Config->{SERVER_NAME} || Sys::Hostname::hostname();

lib/pause_2017/PAUSE/Web/Controller/User/Mfa.pm

@@ -0,0 +1,95 @@
+package PAUSE::Web::Controller::User::Mfa;
+
+use Mojo::Base "Mojolicious::Controller";
+use Auth::GoogleAuth;
+use PAUSE::Crypt;
+use Crypt::URandom qw(urandom);
+use Convert::Base32 qw(encode_base32);
+use Imager::QRCode qw(plot_qrcode);
+use URI;
+
+sub edit {
+  my $c = shift;
+  my $pause = $c->stash(".pause");
+  my $mgr = $c->app->pause;
+  my $req = $c->req;
+  my $u = $c->active_user_record;
+
+  my $auth = $c->app->pause->authenticator_for($u);
+  $pause->{mfa_qrcode} = _generate_qrcode($auth);
+  if (!$u->{mfa_secret32}) {
+    my $dbh = $mgr->authen_connect;
+    my $tbl = $PAUSE::Config->{AUTHEN_USER_TABLE};
+    my $sql = "UPDATE $tbl SET mfa_secret32 = ?, changed = ?, changedby = ? WHERE user = ?";
+    $dbh->do($sql, undef, $auth->secret32, time, $pause->{User}{userid}, $u->{userid})
+      or push @{$pause->{ERROR}}, sprintf(qq{Could not enter the data into the database: <i>%s</i>.},$dbh->errstr);
+  }
+
+  if (uc $req->method eq 'POST' and $req->param("pause99_mfa_sub")) {
+    my $code = $req->param("pause99_mfa_code");
+    $req->param("pause99_mfa_code", undef);
+    my $verified;
+    if ($code =~ /\A[0-9]{6}\z/ && $auth->verify($code)) {
+        $verified = 1;
+    } elsif ($code =~ /\A[a-z0-9]{5}\-[a-z0-9]{5}\z/ && $u->{mfa_recovery_codes} && $req->param("pause99_mfa_reset")) {
+        my @recovery_codes = split / /, $u->{mfa_recovery_codes} // '';
+        if (grep { PAUSE::Crypt::password_verify($code, $_) } @recovery_codes) {
+            $verified = 1;
+        }
+    }
+    unless ($verified) {
+        $pause->{error}{invalid_code} = 1;
+        return;
+    }
+    my ($secret32, $recovery_codes);
+    if ($req->param("pause99_mfa_reset")) {
+        $secret32 = undef;
+        $recovery_codes = undef;
+        $c->flash(mfa_disabled => 1);
+    } else {
+        $secret32 = $auth->secret32;
+        $c->flash(mfa_enabled => 1);
+        my @codes = _generate_recovery_codes();
+        $c->flash(recovery_codes => \@codes);
+        $recovery_codes = join " ", map { PAUSE::Crypt::hash_password($_) } @codes;
+    }
+    my $dbh = $mgr->authen_connect;
+    my $tbl = $PAUSE::Config->{AUTHEN_USER_TABLE};
+    my $sql = "UPDATE $tbl SET mfa_secret32 = ?, mfa_recovery_codes = ?, changed = ?, changedby = ? WHERE user = ?";
+    if ($dbh->do($sql, undef, $secret32, $recovery_codes, time, $pause->{User}{userid}, $u->{userid})) {
+      my $mailblurb = $c->render_to_string("email/user/mfa/edit", format => "email");
+      my $header = {Subject => "User update for $u->{userid}"};
+      my @to = $u->{secretemail};
+      $mgr->send_mail_multi(\@to, $header, $mailblurb);
+    } else {
+      push @{$pause->{ERROR}}, sprintf(qq{Could not enter the data
+        into the database: <i>%s</i>.},$dbh->errstr);
+    }
+    $c->redirect_to('/authenquery?ACTION=mfa');
+  }
+}
+
+sub _generate_recovery_codes {
+    my @codes;
+    for (1 .. 8) {
+        my $code = encode_base32(urandom(6));
+        $code =~ tr/lo/89/;
+        $code =~ s/^(.{5})/$1-/;
+        push @codes, $code;
+    }
+    @codes;
+}
+
+# using $auth->qr_code directly is handy but insecure
+sub _generate_qrcode {
+    my $auth = shift;
+    my $otpauth = $auth->qr_code(undef, undef, undef, 1);
+    my $img = plot_qrcode($otpauth, { casesensitive => 1, size => 4, margin => 4, version => 1, level => 'M' });
+    $img->write(data => \my $qr_png, type => 'png') or die "Failed to write image: " . $img->errstr;
+    my $data = URI->new("data:");
+    $data->data($qr_png);
+    $data->media_type('image/png');
+    $data;
+}
+
+1;

lib/pause_2017/PAUSE/Web/Controller/User/Uri.pm

@@ -12,6 +12,7 @@ sub add {
   my $req = $c->req;
 
   $PAUSE::Config->{INCOMING_LOC} =~ s|/$||;
+  $PAUSE::Config->{INCOMING_TMP} =~ s|/$||;
 
   my $u = $c->active_user_record;
   die PAUSE::Web::Exception
@@ -26,11 +27,20 @@ sub add {
 
   if ($req->param("SUBMIT_pause99_add_uri_HTTPUPLOAD")
       || $req->param("SUBMIT_pause99_add_uri_httpupload")) {
-    my $upl = $req->upload('pause99_add_uri_httpupload');
-    unless ($upl->size) {
-      warn "Warning: maybe they hit RETURN, no upload size, not doing HTTPUPLOAD";
-      $req->param("SUBMIT_pause99_add_uri_HTTPUPLOAD","");
-      $req->param("SUBMIT_pause99_add_uri_httpupload","");
+    if (my $stashed = $req->param("pause99_add_uri_httpupload_stashed")) {
+      my $stashed_file = "$PAUSE::Config->{INCOMING_TMP}/$stashed";
+      if (!-e $stashed_file) {
+        warn "Warning: maybe their files are already gone, not doing HTTPUPLOAD";
+        $req->param("SUBMIT_pause99_add_uri_HTTPUPLOAD","");
+        $req->param("SUBMIT_pause99_add_uri_httpupload","");
+      }
+    } else {
+      my $upl = $req->upload('pause99_add_uri_httpupload');
+      unless ($upl->size) {
+        warn "Warning: maybe they hit RETURN, no upload size, not doing HTTPUPLOAD";
+        $req->param("SUBMIT_pause99_add_uri_HTTPUPLOAD","");
+        $req->param("SUBMIT_pause99_add_uri_httpupload","");
+      }
     }
   }
   if (!   $req->param("SUBMIT_pause99_add_uri_HTTPUPLOAD")
@@ -54,7 +64,25 @@ sub add {
      ) {
     { # $pause->{UseModuleSet} eq "ApReq"
       my $upl;
-      if (
+      if (my $filename = $req->param("pause99_add_uri_httpupload_stashed")) {
+          my $stashed_file = "$PAUSE::Config->{INCOMING_TMP}/$filename";
+          my $to = "$PAUSE::Config->{INCOMING_LOC}/$filename";
+          rename $stashed_file => $to or die PAUSE::Web::Exception
+                ->new(ERROR => "Couldn't copy file '$filename' to '$to': $!");
+          $pause->{successfully_copied_to} = $to;
+          warn "h1[File successfully copied to '$to']filename[$filename]";
+          if ($req->param("pause99_add_uri_httpupload_renamed_from")) {
+            require Dumpvalue;
+            my $dv = Dumpvalue->new;
+            $req->param("pause99_add_uri_httpupload",$filename);
+            $pause->{upload_is_renamed} = {
+              from => $dv->stringify($req->param("pause99_add_uri_httpupload_renamed_from")),
+              to => $dv->stringify($filename),
+            };
+          }
+          $uri = $filename;
+      }
+      elsif (
           $upl = $req->upload("pause99_add_uri_httpupload") or # from 990806
           $upl = $req->upload("HTTPUPLOAD")
          ) {