# frozen-string-literal: true
module Rodauth
Feature.define(:recovery_codes, :RecoveryCodes) do
depends :two_factor_base
additional_form_tags 'recovery_auth'
additional_form_tags 'recovery_codes'
before 'add_recovery_codes'
before 'view_recovery_codes'
before 'recovery_auth'
after 'add_recovery_codes'
button 'Add Authentication Recovery Codes', 'add_recovery_codes'
button 'Authenticate via Recovery Code', 'recovery_auth'
button 'View Authentication Recovery Codes', 'view_recovery_codes'
error_flash "Error authenticating via recovery code", 'invalid_recovery_code'
error_flash "Unable to add recovery codes", 'add_recovery_codes'
error_flash "Unable to view recovery codes", 'view_recovery_codes'
notice_flash "Additional authentication recovery codes have been added", 'recovery_codes_added'
redirect(:recovery_auth){recovery_auth_path}
redirect(:add_recovery_codes){recovery_codes_path}
loaded_templates %w'add-recovery-codes recovery-auth recovery-codes password-field'
view 'add-recovery-codes', 'Authentication Recovery Codes', 'add_recovery_codes'
view 'recovery-auth', 'Enter Authentication Recovery Code', 'recovery_auth'
view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
auth_value_method :add_recovery_codes_param, 'add'
translatable_method :add_recovery_codes_heading, '
Add Additional Recovery Codes
'
auth_value_method :auto_add_recovery_codes?, false
auth_value_method :auto_remove_recovery_codes?, false
translatable_method :invalid_recovery_code_message, "Invalid recovery code"
auth_value_method :recovery_codes_limit, 16
auth_value_method :recovery_codes_column, :code
auth_value_method :recovery_codes_id_column, :id
translatable_method :recovery_codes_label, 'Recovery Code'
auth_value_method :recovery_codes_param, 'recovery-code'
auth_value_method :recovery_codes_table, :account_recovery_codes
translatable_method :recovery_auth_link_text, "Authenticate Using Recovery Code"
translatable_method :recovery_codes_link_text, "View Authentication Recovery Codes"
auth_cached_method :recovery_codes
auth_value_methods(
:recovery_codes_primary?
)
auth_methods(
:add_recovery_code,
:can_add_recovery_codes?,
:new_recovery_code,
:recovery_code_match?,
:recovery_codes_available?,
)
internal_request_method :recovery_codes
internal_request_method :recovery_auth
internal_request_method :valid_recovery_auth?
route(:recovery_auth) do |r|
require_login
require_account_session
require_two_factor_setup
require_two_factor_not_authenticated('recovery_code')
before_recovery_auth_route
r.get do
recovery_auth_view
end
r.post do
if recovery_code_match?(param(recovery_codes_param))
before_recovery_auth
two_factor_authenticate('recovery_code')
end
set_response_error_reason_status(:invalid_recovery_code, invalid_key_error_status)
set_field_error(recovery_codes_param, invalid_recovery_code_message)
set_error_flash invalid_recovery_code_error_flash
recovery_auth_view
end
end
route(:recovery_codes) do |r|
require_account
unless recovery_codes_primary?
require_two_factor_setup
require_two_factor_authenticated
end
before_recovery_codes_route
r.get do
recovery_codes_view
end
r.post do
if two_factor_password_match?(param(password_param))
if can_add_recovery_codes?
if param_or_nil(add_recovery_codes_param)
transaction do
before_add_recovery_codes
add_recovery_codes(recovery_codes_limit - recovery_codes.length)
after_add_recovery_codes
end
set_notice_now_flash recovery_codes_added_notice_flash
end
self.recovery_codes_button = add_recovery_codes_button
end
before_view_recovery_codes
add_recovery_codes_view
else
if param_or_nil(add_recovery_codes_param)
set_error_flash add_recovery_codes_error_flash
else
set_error_flash view_recovery_codes_error_flash
end
set_response_error_reason_status(:invalid_password, invalid_password_error_status)
set_field_error(password_param, invalid_password_message)
recovery_codes_view
end
end
end
attr_accessor :recovery_codes_button
def two_factor_remove
super
recovery_codes_remove
end
def otp_add_key
super if defined?(super)
auto_add_missing_recovery_codes
end
def sms_confirm
super if defined?(super)
auto_add_missing_recovery_codes
end
def add_webauthn_credential(_)
super if defined?(super)
auto_add_missing_recovery_codes
end
def recovery_codes_remove
recovery_codes_ds.delete
end
def recovery_code_match?(code)
recovery_codes.each do |s|
if timing_safe_eql?(code, s)
recovery_codes_ds.where(recovery_codes_column=>code).delete
if recovery_codes_primary?
add_recovery_code
end
return true
end
end
false
end
def can_add_recovery_codes?
recovery_codes.length < recovery_codes_limit
end
def add_recovery_codes(number)
return if number <= 0
transaction do
number.times do
add_recovery_code
end
end
remove_instance_variable(:@recovery_codes)
end
def add_recovery_code
# This should never raise uniqueness violations unless the recovery code is the same, and the odds of that
# are 1/256**32 assuming a good random number generator. Still, attempt to handle that case by retrying
# on such a uniqueness violation.
retry_on_uniqueness_violation do
recovery_codes_ds.insert(recovery_codes_id_column=>session_value, recovery_codes_column=>new_recovery_code)
end
end
def recovery_codes_available?
!recovery_codes_ds.empty?
end
def possible_authentication_methods
methods = super
methods << 'recovery_code' unless recovery_codes_ds.empty?
methods
end
private
def _two_factor_auth_links
links = super
links << [40, recovery_auth_path, recovery_auth_link_text] if recovery_codes_available?
links
end
def _two_factor_setup_links
links = super
links << [40, recovery_codes_path, recovery_codes_link_text] if (recovery_codes_primary? || uses_two_factor_authentication?)
links
end
def _two_factor_remove_all_from_session
two_factor_remove_session('recovery_code')
super
end
def after_otp_disable
super if defined?(super)
auto_remove_recovery_codes
end
def after_sms_disable
super if defined?(super)
auto_remove_recovery_codes
end
def after_webauthn_remove
super if defined?(super)
auto_remove_recovery_codes
end
def new_recovery_code
random_key
end
def recovery_codes_primary?
(features & [:otp, :sms_codes, :webauthn]).empty?
end
def auto_add_missing_recovery_codes
if auto_add_recovery_codes?
add_recovery_codes(recovery_codes_limit - recovery_codes.length)
end
end
def auto_remove_recovery_codes
if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
recovery_codes_remove
end
end
def _recovery_codes
recovery_codes_ds.select_map(recovery_codes_column)
end
def recovery_codes_ds
db[recovery_codes_table].where(recovery_codes_id_column=>session_value)
end
end
end