From 3296318dccfcc83cc99d6da58affe5ee8a46fedb Mon Sep 17 00:00:00 2001
From: e-macgregor <122734173+e-macgregor@users.noreply.github.com>
Date: Sun, 29 Oct 2023 17:20:36 -0600
Subject: totp

---
 .../api/security/CodeRequiredException.java | 22 +++++++++++++++++
 .../org/traccar/api/security/LoginService.java | 28 +++++++++++++++-------
 .../api/security/SecurityRequestFilter.java | 2 +-
 3 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100644 src/main/java/org/traccar/api/security/CodeRequiredException.java

(limited to 'src/main/java/org/traccar/api/security')

diff --git a/src/main/java/org/traccar/api/security/CodeRequiredException.java b/src/main/java/org/traccar/api/security/CodeRequiredException.java
new file mode 100644
index 000000000..d522c6540
--- /dev/null
+++ b/src/main/java/org/traccar/api/security/CodeRequiredException.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2023 Anton Tananaev (anton@traccar.org)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.traccar.api.security;
+
+public class CodeRequiredException extends SecurityException {
+    public CodeRequiredException() {
+        super("Code not provided");
+    }
+}
diff --git a/src/main/java/org/traccar/api/security/LoginService.java b/src/main/java/org/traccar/api/security/LoginService.java
index 91e964ee9..8eb5537fa 100644
--- a/src/main/java/org/traccar/api/security/LoginService.java
+++ b/src/main/java/org/traccar/api/security/LoginService.java
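Review bot: `CodeRequiredException` has no Javadoc, and its reason for existing as a separate subclass — signalling that the password was accepted but a second factor is still missing, so a client can prompt for a code instead of reporting a failed login — is nowhere stated; add a class comment saying that and that it is only raised for users who have a TOTP secret configured. Because the class sits in `org.traccar.api.security`, the unqualified `SecurityException` resolves to a class of that name in the same package if one exists, not `java.lang.SecurityException`; since the two differ in checked/unchecked semantics, the comment should spell out which one is meant.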
@@ -15,6 +15,7 @@
  */
 package org.traccar.api.security;
 
+import com.warrenstrange.googleauth.GoogleAuthenticator;
 import org.traccar.api.signature.TokenManager;
 import org.traccar.config.Config;
 import org.traccar.config.Keys;
@@ -70,7 +71,7 @@ public class LoginService {
         return user;
     }
 
-    public User login(String email, String password) throws StorageException {
+    public User login(String email, String password, Integer code) throws StorageException {
         if (forceOpenId) {
             return null;
         }
@@ -84,6 +85,7 @@ public class LoginService {
         if (user != null) {
             if (ldapProvider != null && user.getLogin() != null && ldapProvider.login(user.getLogin(), password)
                     || !forceLdap && user.isPasswordValid(password)) {
+                checkUserCode(user, code);
                 checkUserEnabled(user);
                 return user;
             }
@@ -98,15 +100,12 @@ public class LoginService {
         return null;
     }
 
-    public User login(String email, String name, Boolean administrator) throws StorageException {
+    public User login(String email, String name, boolean administrator) throws StorageException {
         User user = storage.getObject(User.class, new Request(
                 new Columns.All(),
                 new Condition.Equals("email", email)));
 
-        if (user != null) {
-            checkUserEnabled(user);
-            return user;
-        } else {
+        if (user == null) {
             user = new User();
             UserUtil.setUserDefaults(user, config);
             user.setName(name);
@@ -114,9 +113,9 @@ public class LoginService {
             user.setFixedEmail(true);
             user.setAdministrator(administrator);
             user.setId(storage.addObject(user, new Request(new Columns.Exclude("id"))));
-            checkUserEnabled(user);
-            return user;
         }
+        checkUserEnabled(user);
+        return user;
     }
 
     private void checkUserEnabled(User user) throws SecurityException {
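Review bot: The new `Integer code` parameter on `login` in `@@ -70,7 +71,7 @@` is undocumented, and `null` carries meaning here (no code supplied) rather than being an accident of the boxed type, so that contract belongs in Javadoc: `@param code current TOTP value, or {@code null} when the client supplied none; mandatory once the user has a TOTP secret`. The method's body continues past this hunk.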
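Review bot: In `@@ -84,6 +85,7 @@`, `checkUserCode(user, code)` is enforced only on the password branch; the token path (`login(authHeader.substring(7))` in SecurityRequestFilter) and the OpenID variant `login(email, name, administrator)` below never consult the second factor. That is defensible for bearer tokens and for an identity provider that performs its own MFA, but nothing states it, so add `// second factor is enforced only for password logins; token and OpenID sessions are trusted as already authenticated` above the call. Note also that `CodeRequiredException` is raised only after the password has been verified, so a "Code not provided" reply tells a client that sent no code that the password was correct — inherent in a two-step prompt, but worth recording in the same comment. The enclosing `login` method begins and ends outside this hunk.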
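Review bot: Changing `Boolean administrator` to `boolean` in `@@ -98,15 +100,12 @@` is a silent behaviour change for any caller that previously passed a `Boolean` that could be `null`: the call now throws `NullPointerException` on unboxing, and the callers are not visible in this diff, so confirm the OpenID caller always has a concrete value or keep the boxed type. The restructuring to a single `if (user == null)` branch with one `checkUserEnabled`/`return` pair at the end is an improvement; the same change continues in `@@ -114,9 +113,9 @@`.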
@@ -126,4 +125,17 @@ public class LoginService {
         user.checkDisabled();
     }
 
+    private void checkUserCode(User user, Integer code) throws SecurityException {
+        String key = user.getTotpKey();
+        if (key != null) {
+            if (code == null) {
+                throw new CodeRequiredException();
+            }
+            GoogleAuthenticator authenticator = new GoogleAuthenticator();
+            if (!authenticator.authorize(key, code)) {
+                throw new SecurityException("User authorization failed");
+            }
+        }
+    }
+
 }
diff --git a/src/main/java/org/traccar/api/security/SecurityRequestFilter.java b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
index ee964c9e4..cb523177e 100644
--- a/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
+++ b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
@@ -87,7 +87,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
             user = loginService.login(authHeader.substring(7));
         } else {
             String[] auth = decodeBasicAuth(authHeader);
-            user = loginService.login(auth[0], auth[1]);
+            user = loginService.login(auth[0], auth[1], null);
         }
         if (user != null) {
             statisticsManager.registerRequest(user.getId());
-- cgit v1.2.3
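Review bot: `authenticator.authorize(key, code)` accepts any code inside the library's configured validity window and nothing records the time step of the last accepted code, so the same one-time value can be replayed for every login until that window passes; RFC 6238 expects a verifier to refuse a code that has already been used, which means persisting the last accepted time step per user and comparing against it before accepting. No attempt limit is visible around this check either, and a six-digit code with no throttling is guessable within its window — if the password path is not already rate-limited outside this hunk, that is where it belongs. `if (key != null)` treats an empty string as an enrolled secret, which presumably surfaces as an exception from key construction rather than a clean rejection; if the stored column can be blank, `if (key != null && !key.isEmpty())` is safer. A Javadoc summary on `checkUserCode` should state that it is a no-op for users without a TOTP secret, throws `CodeRequiredException` when a secret exists but no code was sent, and `SecurityException` on mismatch.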
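Review bot: Passing `null` as the code on the Basic-auth branch means a user who has a TOTP secret can never authenticate with Basic credentials: `login` will throw `CodeRequiredException` on every such request, which this filter presumably maps to the same rejection as a bad password. If that is intended (Basic auth cannot carry a second factor, so such users must use a bearer token), record it on the line: `// Basic auth carries no second factor; TOTP-enrolled users are rejected here and must use a token`. If it is not intended, accepting the code would need another transport, which is a design decision outside this hunk. The enclosing `filter` method starts and ends outside the hunk.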