1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.MFA do
13 alias Pleroma.MFA.BackupCodes
14 alias Pleroma.MFA.Changeset
15 alias Pleroma.MFA.Settings
16 alias Pleroma.MFA.TOTP
19 Returns MFA methods the user has enabled.
23 iex> Pleroma.MFA.supported_method(User)
26 @spec supported_methods(User.t()) :: String.t()
27 def supported_methods(user) do
28 settings = fetch_settings(user)
30 Settings.mfa_methods()
31 |> Enum.reduce([], fn m, acc ->
32 if method_enabled?(m, settings) do
41 @doc "Checks that user enabled MFA"
43 fetch_settings(user).enabled
47 Display MFA settings of user
49 def mfa_settings(user) do
50 settings = fetch_settings(user)
52 Settings.mfa_methods()
53 |> Enum.map(fn m -> [m, method_enabled?(m, settings)] end)
54 |> Enum.into(%{enabled: settings.enabled}, fn [a, b] -> {a, b} end)
58 def fetch_settings(%User{} = user) do
59 user.multi_factor_authentication_settings || %Settings{}
62 @doc "clears backup codes"
63 def invalidate_backup_code(%User{} = user, hash_code) do
64 %{backup_codes: codes} = fetch_settings(user)
67 |> Changeset.cast_backup_codes(codes -- [hash_code])
68 |> User.update_and_set_cache()
71 @doc "generates backup codes"
72 @spec generate_backup_codes(User.t()) :: {:ok, list(binary)} | {:error, String.t()}
73 def generate_backup_codes(%User{} = user) do
74 with codes <- BackupCodes.generate(),
75 hashed_codes <- Enum.map(codes, &Pbkdf2.hashpwsalt/1),
76 changeset <- Changeset.cast_backup_codes(user, hashed_codes),
77 {:ok, _} <- User.update_and_set_cache(changeset) do
86 Generates secret key and set delivery_type to 'app' for TOTP method.
88 @spec setup_totp(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
89 def setup_totp(user) do
91 |> Changeset.setup_totp(%{secret: TOTP.generate_secret(), delivery_type: "app"})
92 |> User.update_and_set_cache()
96 Confirms the TOTP method for user.
99 `password` - current user password
102 @spec confirm_totp(User.t(), map()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t() | atom()}
103 def confirm_totp(%User{} = user, attrs) do
104 with settings <- user.multi_factor_authentication_settings.totp,
105 {:ok, :pass} <- TOTP.validate_token(settings.secret, attrs["code"]) do
107 |> Changeset.confirm_totp()
108 |> User.update_and_set_cache()
113 Disables the TOTP method for user.
116 `password` - current user password
118 @spec disable_totp(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
119 def disable_totp(%User{} = user) do
121 |> Changeset.disable_totp()
122 |> Changeset.disable()
123 |> User.update_and_set_cache()
127 Force disables all MFA methods for user.
129 @spec disable(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()}
130 def disable(%User{} = user) do
132 |> Changeset.disable_totp()
133 |> Changeset.disable(true)
134 |> User.update_and_set_cache()
138 Checks if the user has MFA method enabled.
140 def method_enabled?(method, settings) do
141 with {:ok, %{confirmed: true} = _} <- Map.fetch(settings, method) do
149 Checks if the user has enabled at least one MFA method.
151 def enabled?(settings) do
152 Settings.mfa_methods()
153 |> Enum.map(fn m -> method_enabled?(m, settings) end)