Add trusted browsers user setting module

- Add trusted browsers help section
This commit is contained in:
Hypolite Petovan 2021-01-19 23:44:19 -05:00
parent 54fa2e8f12
commit 5a949911ba
6 changed files with 174 additions and 1 deletions

View File

@ -72,3 +72,10 @@ We recommend generating a single app-specific password for each separate third-p
You can also revoke any and all app-specific password you generated this way.
This may log you out of the third-party application(s) you used the revoked app-specific password to log in with.
## Trusted browsers
As a convenience, during two-factor authentication it is possible to identify a browser as trusted.
This will skip all further two-factor authentication prompt on this browser.
You can remove any or all of these trusted browsers in the two-factor authentication settings.

View File

@ -78,6 +78,11 @@ class Index extends BaseSettings
DI::baseUrl()->redirect('settings/2fa/app_specific?t=' . self::getFormSecurityToken('settings_2fa_password'));
}
break;
case 'trusted':
if ($has_secret) {
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
}
break;
case 'configure':
if (!$verified) {
DI::baseUrl()->redirect('settings/2fa/verify?t=' . self::getFormSecurityToken('settings_2fa_password'));
@ -130,6 +135,7 @@ class Index extends BaseSettings
'$disable_label' => DI::l10n()->t('Disable two-factor authentication'),
'$recovery_codes_label' => DI::l10n()->t('Show recovery codes'),
'$app_specific_passwords_label' => DI::l10n()->t('Manage app-specific passwords'),
'$trusted_browsers_label' => DI::l10n()->t('Manage trusted browsers'),
'$configure_label' => DI::l10n()->t('Finish app configuration'),
]);
}

View File

@ -0,0 +1,110 @@
<?php
namespace Friendica\Module\Settings\TwoFactor;
use Friendica\Core\Renderer;
use Friendica\DI;
use Friendica\Module\BaseSettings;
use Friendica\Security\TwoFactor;
use Friendica\Util\Temporal;
use UAParser\Parser;
/**
* Manages users' two-factor trusted browsers in the 2fa_trusted_browsers table
*/
class Trusted extends BaseSettings
{
public static function init(array $parameters = [])
{
if (!local_user()) {
return;
}
$verified = DI::pConfig()->get(local_user(), '2fa', 'verified');
if (!$verified) {
DI::baseUrl()->redirect('settings/2fa');
}
if (!self::checkFormSecurityToken('settings_2fa_password', 't')) {
notice(DI::l10n()->t('Please enter your password to access this page.'));
DI::baseUrl()->redirect('settings/2fa');
}
}
public static function post(array $parameters = [])
{
if (!local_user()) {
return;
}
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
if (!empty($_POST['action'])) {
self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
switch ($_POST['action']) {
case 'remove_all' :
$trustedBrowserRepository->removeAllForUser(local_user());
info(DI::l10n()->t('Trusted browsers successfully removed.'));
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
break;
}
}
if (!empty($_POST['remove_id'])) {
self::checkFormSecurityTokenRedirectOnError('settings/2fa/trusted', 'settings_2fa_trusted');
if ($trustedBrowserRepository->removeForUser(local_user(), $_POST['remove_id'])) {
info(DI::l10n()->t('Trusted browser successfully removed.'));
}
DI::baseUrl()->redirect('settings/2fa/trusted?t=' . self::getFormSecurityToken('settings_2fa_password'));
}
}
public static function content(array $parameters = []): string
{
parent::content($parameters);
$trustedBrowserRepository = new TwoFactor\Repository\TrustedBrowser(DI::dba(), DI::logger());
$trustedBrowsers = $trustedBrowserRepository->selectAllByUid(local_user());
$parser = Parser::create();
$trustedBrowserDisplay = array_map(function (TwoFactor\Model\TrustedBrowser $trustedBrowser) use ($parser) {
$dates = [
'created_ago' => Temporal::getRelativeDate($trustedBrowser->created),
'last_used_ago' => Temporal::getRelativeDate($trustedBrowser->last_used),
];
$result = $parser->parse($trustedBrowser->user_agent);
$uaData = [
'os' => $result->os->family,
'device' => $result->device->family,
'browser' => $result->ua->family,
];
return $trustedBrowser->toArray() + $dates + $uaData;
}, $trustedBrowsers->getArrayCopy());
return Renderer::replaceMacros(Renderer::getMarkupTemplate('settings/twofactor/trusted_browsers.tpl'), [
'$form_security_token' => self::getFormSecurityToken('settings_2fa_trusted'),
'$password_security_token' => self::getFormSecurityToken('settings_2fa_password'),
'$title' => DI::l10n()->t('Two-factor Trusted Browsers'),
'$message' => DI::l10n()->t('Trusted browsers are individual browsers you chose to skip two-factor authentication to access Friendica. Please use this feature sparingly, as it can negate the benefit of two-factor authentication.'),
'$device_label' => DI::l10n()->t('Device'),
'$os_label' => DI::l10n()->t('OS'),
'$browser_label' => DI::l10n()->t('Browser'),
'$created_label' => DI::l10n()->t('Trusted'),
'$last_used_label' => DI::l10n()->t('Last Use'),
'$remove_label' => DI::l10n()->t('Remove'),
'$remove_all_label' => DI::l10n()->t('Remove All'),
'$trusted_browsers' => $trustedBrowserDisplay,
]);
}
}

View File

@ -385,6 +385,7 @@ return [
'/recovery' => [Module\Settings\TwoFactor\Recovery::class, [R::GET, R::POST]],
'/app_specific' => [Module\Settings\TwoFactor\AppSpecific::class, [R::GET, R::POST]],
'/verify' => [Module\Settings\TwoFactor\Verify::class, [R::GET, R::POST]],
'/trusted' => [Module\Settings\TwoFactor\Trusted::class, [R::GET, R::POST]],
],
'/delegation[/{action}/{user_id}]' => [Module\Settings\Delegation::class, [R::GET, R::POST]],
'/display' => [Module\Settings\Display::class, [R::GET, R::POST]],

View File

@ -30,6 +30,7 @@
{{if $has_secret && $verified}}
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="recovery">{{$recovery_codes_label}}</button></p>
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="app_specific">{{$app_specific_passwords_label}}</button></p>
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="trusted">{{$trusted_browsers_label}}</button></p>
{{/if}}
{{if $has_secret && !$verified}}
<p><button type="submit" name="action" id="confirm-submit-button" class="btn btn-primary confirm-button" value="configure">{{$configure_label}}</button></p>

View File

@ -0,0 +1,48 @@
<div class="generic-page-wrapper">
<h1>{{$title}} <a href="help/Two-Factor-Authentication" title="{{$help_label}}" class="btn btn-default btn-sm"><i aria-hidden="true" class="fa fa-question fa-2x"></i></a></h1>
<div>{{$message nofilter}}</div>
<form action="settings/2fa/trusted?t={{$password_security_token}}" method="post">
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
<table class="trusted-passwords table table-hover table-condensed table-striped">
<thead>
<tr>
<th>{{$device_label}}</th>
<th>{{$os_label}}</th>
<th>{{$browser_label}}</th>
<th>{{$created_label}}</th>
<th>{{$last_used_label}}</th>
<th><button type="submit" name="action" class="btn btn-primary btn-small" value="remove_all">{{$remove_all_label}}</button></th>
</tr>
</thead>
<tbody>
{{foreach $trusted_browsers as $trusted_browser}}
<tr{{if $generated_trusted_browser && $trusted_browser.id == $generated_trusted_browser.id}} class="success"{{/if}}>
<td>
{{$trusted_browser.device}}
</td>
<td>
{{$trusted_browser.os}}
</td>
<td>
{{$trusted_browser.browser}}
</td>
<td>
<span class="time" title="{{$trusted_browser.created}}" data-toggle="tooltip">
<time datetime="{{$trusted_browser.created}}">{{$trusted_browser.created_ago}}</time>
</span>
</td>
<td>
<span class="time" title="{{$trusted_browser.last_used}}" data-toggle="tooltip">
<time datetime="{{$trusted_browser.last_used}}">{{$trusted_browser.last_used_ago}}</time>
</span>
</td>
<td>
<button type="submit" name="remove_id" class="btn btn-default btn-small" value="{{$trusted_browser.cookie_hash}}">{{$remove_label}}</button>
</td>
</tr>
{{/foreach}}
</tbody>
</table>
</form>
</div>