1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.MFA do
12 alias Pleroma.MFA.BackupCodes
13 alias Pleroma.MFA.Changeset
14 alias Pleroma.MFA.Settings
15 alias Pleroma.MFA.TOTP
18 Returns MFA methods the user has enabled.
22 iex> Pleroma.MFA.supported_method(User)
25 @spec supported_methods(User.t()) :: String.t()
26 def supported_methods(user) do
27 settings = fetch_settings(user)
29 Settings.mfa_methods()
30 |> Enum.reduce([], fn m, acc ->
31 if method_enabled?(m, settings) do
40 @doc "Checks that user enabled MFA"
42 fetch_settings(user).enabled
46 Display MFA settings of user
48 def mfa_settings(user) do
49 settings = fetch_settings(user)
51 Settings.mfa_methods()
52 |> Enum.map(fn m -> [m, method_enabled?(m, settings)] end)
53 |> Enum.into(%{enabled: settings.enabled}, fn [a, b] -> {a, b} end)
57 def fetch_settings(%User{} = user) do
58 user.multi_factor_authentication_settings || %Settings{}
61 @doc "clears backup codes"
62 def invalidate_backup_code(%User{} = user, hash_code) do
63 %{backup_codes: codes} = fetch_settings(user)
66 |> Changeset.cast_backup_codes(codes -- [hash_code])
67 |> User.update_and_set_cache()
70 @doc "generates backup codes"
71 @spec generate_backup_codes(User.t()) :: {:ok, list(binary)} | {:error, String.t()}
72 def generate_backup_codes(%User{} = user) do
73 with codes <- BackupCodes.generate(),
74 hashed_codes <- Enum.map(codes, &Pbkdf2.hash_pwd_salt/1),
75 changeset <- Changeset.cast_backup_codes(user, hashed_codes),
76 {:ok, _} <- User.update_and_set_cache(changeset) do
85 Generates secret key and set delivery_type to 'app' for TOTP method.
87 @spec setup_totp(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
88 def setup_totp(user) do
90 |> Changeset.setup_totp(%{secret: TOTP.generate_secret(), delivery_type: "app"})
91 |> User.update_and_set_cache()
95 Confirms the TOTP method for user.
98 `password` - current user password
101 @spec confirm_totp(User.t(), map()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t() | atom()}
102 def confirm_totp(%User{} = user, attrs) do
103 with settings <- user.multi_factor_authentication_settings.totp,
104 {:ok, :pass} <- TOTP.validate_token(settings.secret, attrs["code"]) do
106 |> Changeset.confirm_totp()
107 |> User.update_and_set_cache()
112 Disables the TOTP method for user.
115 `password` - current user password
117 @spec disable_totp(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
118 def disable_totp(%User{} = user) do
120 |> Changeset.disable_totp()
121 |> Changeset.disable()
122 |> User.update_and_set_cache()
126 Force disables all MFA methods for user.
128 @spec disable(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
129 def disable(%User{} = user) do
131 |> Changeset.disable_totp()
132 |> Changeset.disable(true)
133 |> User.update_and_set_cache()
137 Checks if the user has MFA method enabled.
139 def method_enabled?(method, settings) do
140 with {:ok, %{confirmed: true} = _} <- Map.fetch(settings, method) do
148 Checks if the user has enabled at least one MFA method.
150 def enabled?(settings) do
151 Settings.mfa_methods()
152 |> Enum.map(fn m -> method_enabled?(m, settings) end)