StaffCP Two Factor Auth (#3448)

* Add two factor auth to StaffCP login * Add toggle for StaffCP two factor auth
NamelessMC · Nov 20, 2023 · fc0fd48 · fc0fd48
1 parent de5177d
commit fc0fd48
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 13 deletions.
diff --git a/custom/languages/en_UK.json b/custom/languages/en_UK.json
@@ -575,6 +575,7 @@
     "admin/render_profile_post_hook_info": "Render profile post",
     "admin/report_hook_info": "Report creation",
     "admin/require_integration": "Require users to link and verify integration",
+    "admin/require_two_factor_for_staffcp": "Require two factor authentication for StaffCP login (if enabled for the user)",
     "admin/required": "Required",
     "admin/resend_activation_email": "Resend Activation Email",
     "admin/reset_background": "Reset Background",
@@ -1292,6 +1293,7 @@
     "user/to": "To",
     "user/topic_updates": "Get emails for topics you follow",
     "user/two_factor_auth": "Two Factor Authentication",
+    "user/two_factor_auth_code": "Two Factor Authentication Code",
     "user/unable_to_connect_to_authme_db": "Unable to connect to the AuthMe database. If this error persists, please contact an administrator.",
     "user/unable_to_send_forgot_password_email": "Unable to send forgot password email. Please contact an administrator.",
     "user/unblock_user": "Unblock User",

diff --git a/custom/panel_templates/Default/auth.tpl b/custom/panel_templates/Default/auth.tpl
@@ -21,6 +21,12 @@
                                     <input type="password" name="password" id="password"
                                         class="form-control form-control-user" placeholder="{$PASSWORD}">
                                 </div>
+                                {if isset($TWO_FACTOR_AUTH)}
+                                    <div class="form-group has-feedback">
+                                        <input type="text" name="tfa_code" id="tfa"
+                                            class="form-control form-control-user" placeholder="{$TFA_ENTER_CODE}">
+                                    </div>
+                                {/if}
                                 <div class="row">
                                     <div class="col-6">
                                         <input type="hidden" name="token" value="{$TOKEN}">

diff --git a/custom/panel_templates/Default/core/general_settings.tpl b/custom/panel_templates/Default/core/general_settings.tpl
@@ -217,6 +217,17 @@
                                                 </option>
                                             </select>
                                         </div>
+                                        <div class="col-md-6">
+                                            <label for="inputRequirePanelTFA">{$REQUIRE_STAFFCP_TFA}</label>
+                                            <select name="require_staffcp_tfa" class="form-control" id="inputRequirePanelTFA">
+                                                <option value="true" {if $REQUIRE_STAFFCP_TFA_VALUE} selected{/if}>
+                                                    {$ENABLED}
+                                                </option>
+                                                <option value="false" {if !$REQUIRE_STAFFCP_TFA_VALUE} selected{/if}>
+                                                    {$DISABLED}
+                                                </option>
+                                            </select>
+                                        </div>
                                     </div>
                                 </div>
                                 <div class="form-group">

diff --git a/modules/Core/pages/panel/auth.php b/modules/Core/pages/panel/auth.php
@@ -41,24 +41,44 @@
 
         if ($validation->passed()) {
             $user = new User();
-            $login = $user->adminLogin($user->data()->email, Input::get('password'), 'email');
 
-            if ($login) {
-                // Get IP
-                $ip = HttpUtils::getRemoteAddress();
+            if ($user->checkCredentials($user->data()->email, Input::get('password'))) {
+                $success = true;
 
-                // Create log
-                Log::getInstance()->log(Log::Action('admin/login'));
+                if (
+                    Settings::get('require_staffcp_tfa') &&
+                    $user->data()->tfa_type === 1 &&
+                    $user->data()->tfa_complete == 1
+                ) {
+                    $success = false;
+                    $tfa = new \RobThree\Auth\TwoFactorAuth('NamelessMC');
 
-                // Redirect to a certain page?
-                if (isset($_SESSION['last_page']) && substr($_SESSION['last_page'], -1) != '=') {
-                    Redirect::back();
-                } else {
-                    Redirect::to(URL::build('/panel'));
+                    if ($tfa->verifyCode($user->data()->tfa_secret, str_replace(' ', '', $_POST['tfa_code'])) !== true) {
+                        Session::flash('adm_auth_error', $language->get('user', 'invalid_tfa'));
+                    } else {
+                        $success = true;
+                    }
                 }
-            }
 
-            Session::flash('adm_auth_error', $language->get('user', 'incorrect_details'));
+                if ($success) {
+                    // Get IP
+                    $ip = HttpUtils::getRemoteAddress();
+
+                    // Create log
+                    Log::getInstance()->log(Log::Action('admin/login'));
+
+                    $user->adminLogin($user->data()->email, Input::get('password'));
+
+                    // Redirect to a certain page?
+                    if (isset($_SESSION['last_page']) && substr($_SESSION['last_page'], -1) != '=') {
+                        Redirect::back();
+                    } else {
+                        Redirect::to(URL::build('/panel'));
+                    }
+                }
+            } else {
+                Session::flash('adm_auth_error', $language->get('user', 'incorrect_details'));
+            }
         } else {
             Session::flash('adm_auth_error', $language->get('user', 'incorrect_details'));
         }
@@ -76,6 +96,17 @@
     'CANCEL' => $language->get('general', 'cancel')
 ]);
 
+if (
+    Settings::get('require_staffcp_tfa') &&
+    $user->data()->tfa_type === 1 &&
+    $user->data()->tfa_complete == 1
+) {
+    $smarty->assign([
+        'TWO_FACTOR_AUTH' => $language->get('user', 'two_factor_auth'),
+        'TFA_ENTER_CODE' => $language->get('user', 'two_factor_auth_code'),
+    ]);
+}
+
 if (Session::exists('adm_auth_error')) {
     $smarty->assign('ERROR', Session::flash('adm_auth_error'));
 }

diff --git a/modules/Core/pages/panel/general_settings.php b/modules/Core/pages/panel/general_settings.php
@@ -165,6 +165,9 @@
             // Auto language
             Settings::set('auto_language_detection', $_POST['auto_language'] === 'true' ? 1 : 0);
 
+            // StaffCP two-factor auth
+            Settings::set('require_staffcp_tfa', $_POST['require_staffcp_tfa'] === 'true' ? 1 : 0);
+
             Log::getInstance()->log(Log::Action('admin/core/general'));
 
             Session::flash('general_language', $language->get('admin', 'settings_updated_successfully'));
@@ -294,6 +297,8 @@
     'AUTO_LANGUAGE_VALUE' => Settings::get('auto_language_detection'),
     'ENABLE_AUTO_LANGUAGE' => $language->get('admin', 'enable_auto_language'),
     'AUTO_LANGUAGE_HELP' => $language->get('admin', 'auto_language_help'),
+    'REQUIRE_STAFFCP_TFA' => $language->get('admin', 'require_two_factor_for_staffcp'),
+    'REQUIRE_STAFFCP_TFA_VALUE' => Settings::get('require_staffcp_tfa'),
 ]);
 
 $template->onPageLoad();