feat: introducing configurable options

README.md

@@ -32,6 +32,65 @@ The app is available through the [app store](https://apps.nextcloud.com/apps/two
 ![](screenshots/enter_challenge.png)
 ![](screenshots/settings.png)
 
+## Setting options for security hardening
+
+The secret generated by this application is 32 characters long and includes only the characters A-Z and the numbers 2, 3, 4, 5, 6, and 7 ([RFC 4648 Base32 alphabet](https://datatracker.ietf.org/doc/html/rfc4648#section-6)), meeting the recommended 160-bit depth by [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226#section-4).
+
+Every 30 seconds, a 6-character numeric one-time password (OTP) is generated using the SHA-1 hash algorithm on both - the server and the TOTP authenticator app on your smartphone /-device. So whoever has the secret can get access to the second factor. That's why TOTP apps are (should be) usually very well secured. 
+
+### Configurable options by admin
+
+1. **Secret Length:**
+    ||characters|bits|
+    |-|-|-|
+    |Default:|32|160
+    |Minimum:|26|130
+    |Maximum:|128|640
+
+    Adjust the default secret length using the number of characters as value:
+
+    ```sh
+    occ config:app:set --value=64 -- twofactor_totp secret_length
+    ```
+
+2. **Hash Algorithm:**
+    ||algorithm|key|
+    |-|-|-|
+    |Default:|SHA1|1
+    |Optional:|SHA256|2
+    |Optional:|SHA512|3
+
+    Adjust the default algorithm using the key as value:
+
+    ```sh
+    occ config:app:set --value=3 -- twofactor_totp hash_algorithm
+    ```
+
+3. **Token Length:**
+
+    ||digits|
+    |-|-|
+    |Default:|6
+    |Maximum:|8
+
+    Adjust the default token length of the OTP using the number of digits as value:
+
+    ```sh
+    occ config:app:set --value=8 -- twofactor_totp token_length
+    ```
+
+### Configurable options by user
+
+During activation and setup by the user, a QR code is generated with the secret based on the default values as described here. By scanning that QR code with any TOTP app, the secret can be immediately activated with the first matching OTP. An "Advanced Settings" button gives the user access to further setting options that go beyond the default values:
+
+* Own secret
+* Token length in a range from 4 to 10
+* Validity period of the OTP from 15 to 60 seconds
+
+Not all apps can use all of these setting options or not to this extent, so these values cannot be set by the admin by default, otherwise only a small number of TOTP apps would be compatible.
+
+If an app does not support a setting, then either the generated QR code is not accepted by the app, there may be an error message, or the first OTP is incorrect and the secret cannot be activated. It can be varied until a QR code works.
+
 ## Login with external apps
 Once you enable OTP with Two Factor Totp, your aplications (for example your Android app or your GNOME app) will need to login using device passwords. To manage it, [know more here](https://docs.nextcloud.com/server/stable/user_manual/en/session_management.html#managing-devices)
 
@@ -40,3 +99,4 @@ Once you enable OTP with Two Factor Totp, your aplications (for example your And
 * `composer i`
 * `npm ci`
 * `npm run build` or `npm run dev` [more info](https://docs.nextcloud.com/server/latest/developer_manual/digging_deeper/npm.html)
+

appinfo/routes.php

@@ -4,6 +4,7 @@
 
 /**
  * @author Christoph Wurst <[email protected]>
+ * @author 2024 [ernolf] Raphael Gradenwitz <[email protected]>
  *
  * Two-factor TOTP
  *
@@ -32,5 +33,15 @@
 			'url' => '/settings/enable',
 			'verb' => 'POST'
 		],
+		[
+			'name' => 'settings#updateSettings',
+			'url' => '/settings/update',
+			'verb' => 'POST'
+		],
+		[
+			'name' => 'settings#getDefaults',
+			'url' => '/settings/defaults',
+			'verb' => 'GET'
+		],
 	]
 ];

js/twofactor_totp-main-login-setup.js.LICENSE.txt

@@ -21,14 +21,42 @@
  * Date: 2020-01-18T06:04:33.222Z
  */
 
+/*!
+ * vuex v3.6.2
+ * (c) 2021 Evan You
+ * @license MIT
+ */
+
 /*! ieee754. BSD-3-Clause License. Feross Aboukhadijeh <https://feross.org/opensource> */
 
 /**
  * @copyright 2019 Christoph Wurst <[email protected]>
  *
  * @author 2019 Christoph Wurst <[email protected]>
  *
- * @license GNU AGPL version 3 or any later version
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * @copyright 2019 Christoph Wurst <[email protected]>
+ *
+ * @author 2019 Christoph Wurst <[email protected]>
+ * @author 2024 [ernolf] Raphael Gradenwitz <[email protected]>
+ *
+ * @license AGPL-3.0-or-later
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as

js/twofactor_totp-main-settings.js.LICENSE.txt

@@ -54,7 +54,7 @@
  *
  * @author 2018 Christoph Wurst <[email protected]>
  *
- * @license GNU AGPL version 3 or any later version
+ * @license AGPL-3.0-or-later
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -75,7 +75,29 @@
  *
  * @author 2019 Christoph Wurst <[email protected]>
  *
- * @license GNU AGPL version 3 or any later version
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * @copyright 2019 Christoph Wurst <[email protected]>
+ *
+ * @author 2019 Christoph Wurst <[email protected]>
+ * @author 2024 [ernolf] Raphael Gradenwitz <[email protected]>
+ *
+ * @license AGPL-3.0-or-later
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as

lib/Controller/SettingsController.php

@@ -4,6 +4,7 @@
 
 /**
  * @author Christoph Wurst <[email protected]>
+ * @author 2024 [ernolf] Raphael Gradenwitz <[email protected]>
  *
  * Two-factor TOTP
  *
@@ -25,11 +26,14 @@
 
 use InvalidArgumentException;
 use OCA\TwoFactorTOTP\Service\ITotp;
+use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\Authentication\TwoFactorAuth\ALoginSetupController;
 use OCP\Defaults;
 use OCP\IRequest;
+use OCP\IURLGenerator;
 use OCP\IUserSession;
+use Psr\Log\LoggerInterface;
 use RuntimeException;
 use function is_null;
 
@@ -44,11 +48,27 @@ class SettingsController extends ALoginSetupController {
 	/** @var Defaults */
 	private $defaults;
 
-	public function __construct(string $appName, IRequest $request, IUserSession $userSession, ITotp $totp, Defaults $defaults) {
+	/** @var IURLGenerator */
+	private $urlGenerator;
+
+	/** @var LoggerInterface */
+	private $logger;
+
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		IUserSession $userSession,
+		ITotp $totp,
+		Defaults $defaults,
+		IURLGenerator $urlGenerator,
+		LoggerInterface $logger
+	) {
 		parent::__construct($appName, $request);
 		$this->userSession = $userSession;
 		$this->totp = $totp;
 		$this->defaults = $defaults;
+		$this->urlGenerator = $urlGenerator;
+		$this->logger = $logger;
 	}
 
 	/**
@@ -62,6 +82,9 @@ public function state(): JSONResponse {
 		}
 		return new JSONResponse([
 			'state' => $this->totp->hasSecret($user) ? ITotp::STATE_ENABLED : ITotp::STATE_DISABLED,
+			'algorithm' => $this->totp->getAlgorithmId($user),
+			'digits' => $this->totp->getDigits($user),
+			'period' => $this->totp->getPeriod($user)
 		]);
 	}
 
@@ -71,28 +94,54 @@ public function state(): JSONResponse {
 	 *
 	 * @param int $state
 	 * @param string|null $code for verification
+	 * @param string|null $secret
+	 * @param int $algorithm
+	 * @param int $digits
+	 * @param int $period
 	 */
-	public function enable(int $state, string $code = null): JSONResponse {
+	public function enable(int $state, string $code = null, string $secret = null, int $algorithm = null, int $digits = null, int $period = ITotp::DEFAULT_PERIOD) {
+		$this->logger->debug('Enable called', [
+			'state' => $state,
+			'code' => $code,
+			/* sensitive parameter
+			'secret' => $secret,
+			*/
+			'algorithm' => $algorithm,
+			'digits' => $digits,
+			'period' => $period
+		]);
+
+		// Use defaults as set by admin if null
+		$algorithm = $algorithm ?? $this->totp->getDefaultAlgorithm();
+		$digits = $digits ?? $this->totp->getDefaultDigits();
+
+		$this->logger->debug('Enable after default values', [
+			'algorithm' => $algorithm,
+			'digits' => $digits,
+		]);
+
 		$user = $this->userSession->getUser();
 		if (is_null($user)) {
 			throw new \Exception('user not available');
 		}
+
 		switch ($state) {
 			case ITotp::STATE_DISABLED:
 				$this->totp->deleteSecret($user);
 				return new JSONResponse([
 					'state' => ITotp::STATE_DISABLED,
 				]);
 			case ITotp::STATE_CREATED:
-				$secret = $this->totp->createSecret($user);
-
+				$secret = $secret ?? $this->totp->createSecret($user, null, $algorithm, $digits, $period);
 				$secretName = $this->getSecretName();
 				$issuer = $this->getSecretIssuer();
-				$qrUrl = "otpauth://totp/$secretName?secret=$secret&issuer=$issuer";
+				$algorithmName = strtoupper($this->totp->getAlgorithmById($algorithm));
+				$faviconUrl = $this->getFaviconUrl();
+				$qrUrl = "otpauth://totp/$secretName?secret=$secret&issuer=$issuer&algorithm=$algorithmName&digits=$digits&period=$period&image=$faviconUrl";
 				return new JSONResponse([
 					'state' => ITotp::STATE_CREATED,
 					'secret' => $secret,
-					'qrUrl' => $qrUrl,
+					'qrUrl' => $qrUrl
 				]);
 			case ITotp::STATE_ENABLED:
 				if ($code === null) {
@@ -107,6 +156,55 @@ public function enable(int $state, string $code = null): JSONResponse {
 		}
 	}
 
+	/**
+	 * Update TOTP settings after TOTP has been enabled.
+	 *
+	 * @NoAdminRequired
+	 * @PasswordConfirmationRequired
+	 *
+	 * @param string|null $secret
+	 * @param int $algorithm
+	 * @param int $digits
+	 * @param int $period
+	 * @return JSONResponse
+	 */
+	public function updateSettings(string $secret = null, int $algorithm, int $digits, int $period): JSONResponse {
+		$user = $this->userSession->getUser();
+		if (is_null($user)) {
+			throw new \Exception('user not available');
+		}
+
+		$this->totp->updateSettings($user, $secret, $algorithm, $digits, $period);
+		return new JSONResponse([
+			'secret' => $secret,
+			'algorithm' => $algorithm,
+			'digits' => $digits,
+			'period' => $period
+		]);
+	}
+
+	/**
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
+	public function getDefaults(): DataResponse {
+		return new DataResponse([
+			'defaultAlgorithm' => $this->totp->getDefaultAlgorithm(),
+			'defaultDigits' => $this->totp->getDefaultDigits(),
+			'defaultPeriod' => ITotp::DEFAULT_PERIOD
+		]);
+	}
+
+	public function getSettings(): JSONResponse {
+		$user = $this->userSession->getUser();
+		if (is_null($user)) {
+			throw new \Exception('user not available');
+		}
+
+		$settings = $this->totp->getSettings($user);
+		return new JSONResponse($settings);
+	}
+
 	/**
 	 * The user's cloud id, e.g. "[email protected]/owncloud"
 	 *
@@ -131,4 +229,15 @@ private function getSecretIssuer(): string {
 		$productName = $this->defaults->getName();
 		return rawurlencode($productName);
 	}
+
+	/**
+	 * FaviconUrl for FreeOTP
+	 *
+	 * @return string
+	 */
+	private function getFaviconUrl(): string {
+		$baseUrl = $this->urlGenerator->getBaseUrl();
+		$subPath = $this->urlGenerator->linkToRoute('theming.Icon.getFavicon', ['app' => 'core']);
+		return $baseUrl . $subPath;
+	}
 }