2FA for server login (#16094)

* AA2FA

* Its always dbconfig

* Extra security

* oops
This commit is contained in:
AffectedArc07
2021-05-30 16:19:56 +00:00
committed by GitHub
parent f68220879d
commit 8e6787a791
17 changed files with 257 additions and 10 deletions
+131
View File
@@ -0,0 +1,131 @@
// This is in its own file as it has so much stuff to contend with
/client/proc/edit_2fa()
if(!config._2fa_auth_host)
alert(usr, "This server does not have 2FA enabled.")
return
// Client does not have 2FA enabled. Set it up.
if(prefs._2fa_status == _2FA_DISABLED)
// Get us an auth token
var/datum/http_response/qrcr = wrap_http_get("[config._2fa_auth_host]/generateQR?ckey=[ckey]")
// If this fails, shits gone bad
if(qrcr.errored)
alert(usr, "Something has gone VERY wrong ingame. Please inform the server host.\nError details: [qrcr.error]")
return
if(qrcr.status_code != 200)
alert(usr, "2FA QR code generation returned a non-200 code. Please inform the server host.\nError code: [qrcr.status_code]\nError details: [qrcr.body]")
return
var/list/data = json_decode(qrcr.body)
var/qr_img_src = data["qr_image"]
var/datum/browser/B = new(usr, "2fa_qrc", "2FA QR Code", 600, 400)
var/title_text = "<p>Below is a QR code to scan inside your authenticator app to generate 2FA codes. Please verify it before closing this window. (Behind this window is a text box)</p>"
var/img_data = "<div style=\"text-align:center;\"><img src=\"[qr_img_src]\"></div>"
B.set_content("[title_text][img_data]")
B.open(FALSE)
var/entered_code = input(usr, "Please enter a code from your auth app. Failure to enter the code correctly will abort 2FA setup.", "2FA Validation")
if(!entered_code)
// Cleanup so they can start again
var/datum/db_query/dbq = SSdbcore.NewQuery("DELETE FROM [format_table_name("2fa_secrets")] WHERE ckey=:ckey", list("ckey" = ckey))
dbq.warn_execute()
alert(usr, "2FA Setup aborted!")
B.close()
return
var/datum/http_response/vr = wrap_http_get("[config._2fa_auth_host]/validateCode?ckey=[ckey]&code=[entered_code]")
// If this fails, shits gone bad
if(vr.errored)
alert(usr, "Something has gone VERY wrong ingame. Please inform the server host.\nError details: [vr.error]")
B.close()
return
if(vr.status_code != 200)
// Cleanup so they can start again
var/datum/db_query/dbq = SSdbcore.NewQuery("DELETE FROM [format_table_name("2fa_secrets")] WHERE ckey=:ckey", list("ckey" = ckey))
dbq.warn_execute()
// See if its unauthorised. I used 400 for that dont at me
if(vr.status_code == 400)
alert(usr, "Invalid code entered. 2FA Setup aborted!")
B.close()
else
alert(usr, "2FA validation returned a non-200 code. Please inform the server host.\nError code: [vr.status_code]\nError details: [vr.body]")
B.close()
return
// If we are here, they authed successfully
alert(usr, "Congratulations. 2FA is now setup properly for your account. In preferences, you can change whether you want it to ask for a code on every connection or only when your IP changes")
B.close()
// Default to IP change only
prefs._2fa_status = _2FA_ENABLED_IP
prefs.save_preferences(src)
prefs.ShowChoices(usr)
return
// If we are here, they just want to change the mode
var/option = alert(usr, "Would you like to change 2FA mode or disable it entirely?", "2FA Mode", "Enable (Always)", "Enable (On IP Change)", "Deactivate")
switch(option)
if("Enable (Always)")
prefs._2fa_status = _2FA_ENABLED_ALWAYS
prefs.save_preferences(src)
prefs.ShowChoices(usr)
if("Enable (On IP Change)")
prefs._2fa_status = _2FA_ENABLED_IP
prefs.save_preferences(src)
prefs.ShowChoices(usr)
if("Deactivate")
var/confirm = alert(usr, "Are you SURE you want to deactivate 2FA?", "WARNING", "Yes", "No")
if(confirm != "Yes")
return
// Prompt them for a code to make sure they know what they are doing
var/entered_code = input(usr, "Please enter a code from your auth app", "2FA Validation")
if(!entered_code)
alert(usr, "2FA deactivation aborted!")
return
var/datum/http_response/vr = wrap_http_get("[config._2fa_auth_host]/validateCode?ckey=[ckey]&code=[entered_code]")
// If this fails, shits gone bad
if(vr.errored)
alert(usr, "Something has gone VERY wrong ingame. Please inform the server host.\nError details: [vr.error]")
return
if(vr.status_code != 200)
// See if its unauthorised. I used 400 for that dont at me
if(vr.status_code == 400)
alert(usr, "Invalid code entered. 2FA deactivation aborted!")
else
alert(usr, "2FA validation returned non-200 code. Please inform the server host.\nError code: [vr.status_code]\nError details: [vr.body]")
return
// If we are here, they authed properly
var/datum/db_query/dbq = SSdbcore.NewQuery("DELETE FROM [format_table_name("2fa_secrets")] WHERE ckey=:ckey", list("ckey" = ckey))
dbq.warn_execute()
prefs._2fa_status = _2FA_DISABLED
prefs.save_preferences(src)
prefs.ShowChoices(usr)
alert(usr, "2FA disabled successfully")
/datum/preferences/proc/_2fastatus_to_text()
switch(_2fa_status)
if(_2FA_DISABLED)
return "Disabled"
if(_2FA_ENABLED_IP)
return "Enabled (Will prompt on IP changes)"
if(_2FA_ENABLED_ALWAYS)
return "Enabled (Will prompt every time)"
// Proc to wrap HTTP requests properly, without needing SShttp firing
/proc/wrap_http_get(url)
var/datum/http_request/req = new()
req.prepare(RUSTG_HTTP_METHOD_GET, url)
req.begin_async()
// Check if we are complete
UNTIL(req.is_complete())
var/datum/http_response/res = req.into_response()
return res
@@ -205,6 +205,8 @@ GLOBAL_LIST_INIT(special_role_times, list( //minimum age (in days) for accounts
var/gear_tab = "General"
// Parallax
var/parallax = PARALLAX_HIGH
/// 2FA status
var/_2fa_status = _2FA_DISABLED
/// Do we want to force our runechat colour to be white?
var/force_white_runechat = FALSE
@@ -448,6 +450,7 @@ GLOBAL_LIST_INIT(special_role_times, list( //minimum age (in days) for accounts
// LEFT SIDE OF THE PAGE
dat += "<table><tr><td width='340px' height='300px' valign='top'>"
dat += "<h2>General Settings</h2>"
dat += "<b>2FA Setup:</b> <a href='?_src_=prefs;preference=edit_2fa'>[_2fastatus_to_text()]</a><br>"
if(user.client.holder)
dat += "<b>Adminhelp sound:</b> <a href='?_src_=prefs;preference=hear_adminhelps'><b>[(sound & SOUND_ADMINHELP)?"On":"Off"]</b></a><br>"
dat += "<b>AFK Cryoing:</b> <a href='?_src_=prefs;preference=afk_watch'>[(toggles2 & PREFTOGGLE_2_AFKWATCH) ? "Yes" : "No"]</a><br>"
@@ -2144,6 +2147,11 @@ GLOBAL_LIST_INIT(special_role_times, list( //minimum age (in days) for accounts
if(parent && parent.mob && parent.mob.hud_used)
parent.mob.hud_used.update_parallax_pref()
if("edit_2fa")
// Do this async so we arent holding up a topic() call
INVOKE_ASYNC(user.client, /client.proc/edit_2fa)
return // We return here to avoid focus being lost
ShowChoices(user)
return 1
@@ -16,7 +16,8 @@
clientfps,
atklog,
fuid,
parallax
parallax,
2fa_status
FROM [format_table_name("player")]
WHERE ckey=:ckey"}, list(
"ckey" = C.ckey
@@ -45,6 +46,7 @@
atklog = text2num(query.item[14])
fuid = text2num(query.item[15])
parallax = text2num(query.item[16])
_2fa_status = query.item[17]
qdel(query)
@@ -93,7 +95,8 @@
volume_mixer=:volume_mixer,
lastchangelog=:lastchangelog,
clientfps=:clientfps,
parallax=:parallax
parallax=:parallax,
2fa_status=:_2fa_status
WHERE ckey=:ckey"}, list(
// OH GOD THE PARAMETERS
"ooccolour" = ooccolor,
@@ -111,7 +114,8 @@
"lastchangelog" = lastchangelog,
"clientfps" = clientfps,
"parallax" = parallax,
"ckey" = C.ckey
"_2fa_status" = _2fa_status,
"ckey" = C.ckey,
)
)