Added an service for generating Backup codes and added some tests.

2025-07-24 21:05:03 +02:00 · 2019-12-27 15:20:06 +01:00 · 2019-12-27 15:20:06 +01:00 · fba5f9794f
commit fba5f9794f
parent 452fc3e78a
16 changed files with 245 additions and 7 deletions
--- a/src/Entity/UserSystem/User.php
+++ b/src/Entity/UserSystem/User.php
@ -191,7 +191,7 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
     * @var string[]|null A list of backup codes that can be used, if the user has no access to its Google Authenticator device
     * @ORM\Column(type="json")
     */
-    protected $backupCodes;
+    protected $backupCodes = [];

    /** @var \DateTime The time when the backup codes were generated
     * @ORM\Column(type="datetime", nullable=true)
@ -201,7 +201,7 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
    /** @var int The version of the trusted device cookie. Used to invalidate all trusted device cookies at once.
     *  @ORM\Column(type="integer")
     */
-    protected $trustedDeviceCookieVersion;
+    protected $trustedDeviceCookieVersion = 0;

    /** @var Collection<TwoFactorKeyInterface>
      * @ORM\OneToMany(targetEntity="App\Entity\UserSystem\U2FKey", mappedBy="user")
@ -775,15 +775,19 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
    public function setBackupCodes(array $codes) : self
    {
        $this->backupCodes = $codes;
-        $this->backupCodesGenerationDate = new \DateTime();
+        if(empty($codes)) {
+            $this->backupCodesGenerationDate = null;
+        } else {
+            $this->backupCodesGenerationDate = new \DateTime();
+        }
        return $this;
    }

    /**
     * Return the date when the backup codes were generated.
-     * @return \DateTime
+     * @return \DateTime|null
     */
-    public function getBackupCodesGenerationDate() : \DateTime
+    public function getBackupCodesGenerationDate() : ?\DateTime
    {
        return $this->backupCodesGenerationDate;
    }
@ -806,24 +810,39 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
        $this->trustedDeviceCookieVersion++;
    }

+    /**
+     * Check if U2F is enabled
+     * @return bool
+     */
    public function isU2FAuthEnabled(): bool
    {
        return count($this->u2fKeys) > 0;
    }

-    /** @return Collection<TwoFactorKeyInterface> */
+    /**
+     * Get all U2F Keys that are associated with this user
+     * @return Collection<TwoFactorKeyInterface>
+     */
    public function getU2FKeys(): Collection
    {
        return $this->u2fKeys;
    }

+    /**
+     * Add a U2F key to this user.
+     * @param  TwoFactorKeyInterface  $key
+     */
    public function addU2FKey(TwoFactorKeyInterface $key): void
    {
        $this->u2fKeys->add($key);
    }

+    /**
+     * Remove a U2F key from this user.
+     * @param  TwoFactorKeyInterface  $key
+     */
    public function removeU2FKey(TwoFactorKeyInterface $key): void
    {
-        $this->u2fKeys->remove($key);
+        $this->u2fKeys->removeElement($key);
    }
 }
--- a/src/Services/TFA/BackupCodeGenerator.php
+++ b/src/Services/TFA/BackupCodeGenerator.php
@ -0,0 +1,60 @@
+<?php
+
+
+namespace App\Services\TFA;
+
+/**
+ * This class generates random backup codes for two factor authentication
+ * @package App\Services\TFA
+ */
+class BackupCodeGenerator
+{
+    protected $code_length;
+    protected $code_count;
+
+    /**
+     * BackupCodeGenerator constructor.
+     * @param  int  $code_length How many characters a single code should have.
+     * @param  int  $code_count How many codes are generated for a whole backup set.
+     */
+    public function __construct(int $code_length, int $code_count)
+    {
+        if ($code_length > 32) {
+            throw new \RuntimeException('Backup code can have maximum 32 digits!');
+        }
+        if ($code_length < 6) {
+            throw new \RuntimeException('Code must have at least 6 digits to ensure security!');
+        }
+
+        $this->code_count = $code_count;
+        $this->code_length = $code_length;
+    }
+
+    /**
+     * Generates a single backup code.
+     * It is a random hexadecimal value with the digit count configured in constructor
+     * @return string The generated backup code (e.g. 1f3870be2)
+     * @throws \Exception If no entropy source is available.
+     */
+    public function generateSingleCode() : string
+    {
+        $bytes = random_bytes(32);
+        return substr(md5($bytes), 0, $this->code_length);
+    }
+
+
+    /**
+     * Returns a full backup code set. The code count can be configured in the constructor
+     * @return string[] An array containing different backup codes.
+     * @throws \Exception If no entropy source is available
+     */
+    public function generateCodeSet() : array
+    {
+        $array = [];
+        for($n=0; $n<$this->code_count; $n++) {
+            $array[] = $this->generateSingleCode();
+        }
+
+        return $array;
+    }
+}