defmodule GitGudWeb.UserAuth do
use GitGudWeb, :verified_routes
import Plug.Conn
import Phoenix.Controller
alias GitGud.Accounts
alias GitGud.Accounts.Scope
# Make the remember me cookie valid for 14 days. This should match
# the session validity setting in UserToken.
@max_cookie_age_in_days 14
@remember_me_cookie "_git_gud_web_user_remember_me"
@remember_me_options [
sign: true,
max_age: @max_cookie_age_in_days * 24 * 60 * 60,
same_site: "Lax"
]
# How old the session token should be before a new one is issued. When a request is made
# with a session token older than this value, then a new session token will be created
# and the session and remember-me cookies (if set) will be updated with the new token.
# Lowering this value will result in more tokens being created by active users. Increasing
# it will result in less time before a session token expires for a user to get issued a new
# token. This can be set to a value greater than `@max_cookie_age_in_days` to disable
# the reissuing of tokens completely.
@session_reissue_age_in_days 7
@doc """
Logs the user in.
Redirects to the session's `:user_return_to` path
or falls back to the `signed_in_path/1`.
"""
def log_in_user(conn, user, params \\ %{}) do
user_return_to = get_session(conn, :user_return_to)
cond do
mfa_enabled?(user) ->
# Stash the user id + intended destination, then bounce to the
# second-factor challenge. Primary auth succeeded; the session
# is not yet logged in.
conn
|> renew_session(nil)
|> put_session(:two_factor_user_id, user.id)
|> put_session(:two_factor_remember_me, params["remember_me"] == "true")
|> put_session(:two_factor_return_to, user_return_to)
|> redirect(to: ~p"/users/log-in/two-factor")
true ->
conn
|> create_or_extend_session(user, params)
|> redirect(to: user_return_to || signed_in_path(conn))
end
end
# A user is in "MFA on" state if they have a TOTP secret OR at least
# one WebAuthn credential. Either alone is sufficient; recovery codes
# work as a fallback for both.
defp mfa_enabled?(user) do
GitGud.Accounts.TwoFactor.enabled?(user) or
GitGud.Accounts.Webauthn.has_credentials?(user)
end
@doc """
Complete login after a successful second-factor challenge. Consumes
the pending-2FA session keys set by `log_in_user/3`.
"""
def complete_two_factor(conn, user) do
return_to = get_session(conn, :two_factor_return_to)
remember = get_session(conn, :two_factor_remember_me) || false
conn
|> delete_session(:two_factor_user_id)
|> delete_session(:two_factor_remember_me)
|> delete_session(:two_factor_return_to)
|> create_or_extend_session(user, %{"remember_me" => to_string(remember)})
|> redirect(to: return_to || signed_in_path(conn))
end
@doc """
Logs the user out.
It clears all session data for safety. See renew_session.
"""
def log_out_user(conn) do
user_token = get_session(conn, :user_token)
user_token && Accounts.delete_user_session_token(user_token)
if live_socket_id = get_session(conn, :live_socket_id) do
GitGudWeb.Endpoint.broadcast(live_socket_id, "disconnect", %{})
end
conn
|> renew_session(nil)
|> delete_resp_cookie(@remember_me_cookie, @remember_me_options)
|> redirect(to: ~p"/")
end
@doc """
Authenticates the user by looking into the session and remember me token.
Will reissue the session token if it is older than the configured age.
"""
def fetch_current_scope_for_user(conn, _opts) do
with {token, conn} <- ensure_user_token(conn),
{user, token_inserted_at} <- Accounts.get_user_by_session_token(token) do
conn
|> assign(:current_scope, Scope.for_user(user))
|> maybe_reissue_user_session_token(user, token_inserted_at)
else
nil -> assign(conn, :current_scope, Scope.for_user(nil))
end
end
defp ensure_user_token(conn) do
if token = get_session(conn, :user_token) do
{token, conn}
else
conn = fetch_cookies(conn, signed: [@remember_me_cookie])
if token = conn.cookies[@remember_me_cookie] do
{token, conn |> put_token_in_session(token) |> put_session(:user_remember_me, true)}
else
nil
end
end
end
# Reissue the session token if it is older than the configured reissue age.
defp maybe_reissue_user_session_token(conn, user, token_inserted_at) do
token_age = DateTime.diff(DateTime.utc_now(:second), token_inserted_at, :day)
if token_age >= @session_reissue_age_in_days do
create_or_extend_session(conn, user, %{})
else
conn
end
end
# This function is the one responsible for creating session tokens
# and storing them safely in the session and cookies. It may be called
# either when logging in, during sudo mode, or to renew a session which
# will soon expire.
#
# When the session is created, rather than extended, the renew_session
# function will clear the session to avoid fixation attacks. See the
# renew_session function to customize this behaviour.
defp create_or_extend_session(conn, user, params) do
token = Accounts.generate_user_session_token(user)
remember_me = get_session(conn, :user_remember_me)
conn
|> renew_session(user)
|> put_token_in_session(token)
|> maybe_write_remember_me_cookie(token, params, remember_me)
end
# Do not renew session if the user is already logged in
# to prevent CSRF errors or data being lost in tabs that are still open
defp renew_session(conn, user) when conn.assigns.current_scope.user.id == user.id do
conn
end
# This function renews the session ID and erases the whole
# session to avoid fixation attacks. If there is any data
# in the session you may want to preserve after log in/log out,
# you must explicitly fetch the session data before clearing
# and then immediately set it after clearing, for example:
#
# defp renew_session(conn, _user) do
# delete_csrf_token()
# preferred_locale = get_session(conn, :preferred_locale)
#
# conn
# |> configure_session(renew: true)
# |> clear_session()
# |> put_session(:preferred_locale, preferred_locale)
# end
#
defp renew_session(conn, _user) do
delete_csrf_token()
conn
|> configure_session(renew: true)
|> clear_session()
end
defp maybe_write_remember_me_cookie(conn, token, %{"remember_me" => "true"}, _),
do: write_remember_me_cookie(conn, token)
defp maybe_write_remember_me_cookie(conn, token, _params, true),
do: write_remember_me_cookie(conn, token)
defp maybe_write_remember_me_cookie(conn, _token, _params, _), do: conn
defp write_remember_me_cookie(conn, token) do
conn
|> put_session(:user_remember_me, true)
|> put_resp_cookie(@remember_me_cookie, token, @remember_me_options)
end
defp put_token_in_session(conn, token) do
conn
|> put_session(:user_token, token)
|> put_session(:live_socket_id, user_session_topic(token))
end
@doc """
Disconnects existing sockets for the given tokens.
"""
def disconnect_sessions(tokens) do
Enum.each(tokens, fn %{token: token} ->
GitGudWeb.Endpoint.broadcast(user_session_topic(token), "disconnect", %{})
end)
end
defp user_session_topic(token), do: "users_sessions:#{Base.url_encode64(token)}"
@doc """
Handles mounting and authenticating the current_scope in LiveViews.
## `on_mount` arguments
* `:mount_current_scope` - Assigns current_scope
to socket assigns based on user_token, or nil if
there's no user_token or no matching user.
* `:require_authenticated` - Authenticates the user from the session,
and assigns the current_scope to socket assigns based
on user_token.
Redirects to login page if there's no logged user.
## Examples
Use the `on_mount` lifecycle macro in LiveViews to mount or authenticate
the `current_scope`:
defmodule GitGudWeb.PageLive do
use GitGudWeb, :live_view
on_mount {GitGudWeb.UserAuth, :mount_current_scope}
...
end
Or use the `live_session` of your router to invoke the on_mount callback:
live_session :authenticated, on_mount: [{GitGudWeb.UserAuth, :require_authenticated}] do
live "/profile", ProfileLive, :index
end
"""
def on_mount(:mount_current_scope, _params, session, socket) do
{:cont, socket |> mount_current_scope(session) |> assign_editor_theme()}
end
def on_mount(:require_authenticated, params, session, socket) do
socket = socket |> mount_current_scope(session) |> assign_editor_theme()
if socket.assigns.current_scope && socket.assigns.current_scope.user do
enforce_two_factor(socket, params)
else
socket =
socket
|> Phoenix.LiveView.put_flash(:error, "You must log in to access this page.")
|> Phoenix.LiveView.redirect(to: ~p"/users/log-in")
{:halt, socket}
end
end
def on_mount(:require_admin, _params, session, socket) do
socket = socket |> mount_current_scope(session) |> assign_editor_theme()
case socket.assigns.current_scope && socket.assigns.current_scope.user do
%_{is_admin: true} ->
{:cont, socket}
_ ->
socket =
socket
|> Phoenix.LiveView.put_flash(:error, "Admin only.")
|> Phoenix.LiveView.redirect(to: ~p"/")
{:halt, socket}
end
end
def on_mount(:require_sudo_mode, _params, session, socket) do
socket = mount_current_scope(socket, session)
if Accounts.sudo_mode?(socket.assigns.current_scope.user, -10) do
{:cont, socket}
else
socket =
socket
|> Phoenix.LiveView.put_flash(:error, "You must re-authenticate to access this page.")
|> Phoenix.LiveView.redirect(to: ~p"/users/log-in")
{:halt, socket}
end
end
defp mount_current_scope(socket, session) do
Phoenix.Component.assign_new(socket, :current_scope, fn ->
{user, _} =
if user_token = session["user_token"] do
Accounts.get_user_by_session_token(user_token)
end || {nil, nil}
Scope.for_user(user)
end)
end
# When instance policy requires TOTP and the user's grace window has
# expired, redirect any LiveView mount to the enrollment page. The
# enrollment LiveView itself is excluded so the user can actually
# complete the flow.
defp enforce_two_factor(socket, _params) do
user = socket.assigns.current_scope.user
case GitGud.Accounts.TwoFactor.enforcement_status(user) do
:enforced ->
if on_enrollment_page?(socket) do
{:cont, socket}
else
socket =
socket
|> Phoenix.LiveView.put_flash(
:error,
"This instance requires two-factor authentication. Enroll to continue."
)
|> Phoenix.LiveView.redirect(to: ~p"/users/settings/two-factor")
{:halt, socket}
end
_ ->
{:cont, socket}
end
end
defp on_enrollment_page?(socket) do
case socket do
%{view: GitGudWeb.UserLive.TwoFactorSetup} -> true
_ -> false
end
end
# Resolves the editor / syntax-highlight theme from current_scope so
# every LiveView mounted through these hooks can pass it into
# markdown + source rendering without re-deriving it.
defp assign_editor_theme(socket) do
Phoenix.Component.assign_new(socket, :editor_theme, fn ->
GitGud.Themes.Editor.for_scope(socket.assigns[:current_scope])
end)
end
@doc "Returns the path to redirect to after log in."
# the user was already logged in, redirect to settings
def signed_in_path(%Plug.Conn{assigns: %{current_scope: %Scope{user: %Accounts.User{}}}}) do
~p"/users/settings"
end
def signed_in_path(_), do: ~p"/"
@doc """
Plug for routes that require the user to be authenticated.
"""
def require_authenticated_user(conn, _opts) do
if conn.assigns.current_scope && conn.assigns.current_scope.user do
conn
else
conn
|> put_flash(:error, "You must log in to access this page.")
|> maybe_store_return_to()
|> redirect(to: ~p"/users/log-in")
|> halt()
end
end
defp maybe_store_return_to(%{method: "GET"} = conn) do
put_session(conn, :user_return_to, current_path(conn))
end
defp maybe_store_return_to(conn), do: conn
end
12.3 KiB · text
5af55d9