2024-02-09 12:15:09 +08:00
|
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace app\controllers;
|
|
|
|
|
|
2024-03-14 20:29:45 +08:00
|
|
|
|
use app\models\PublicKeyCredentialSourceRepository;
|
2024-02-09 12:15:09 +08:00
|
|
|
|
use app\models\User;
|
2024-03-02 19:16:38 +08:00
|
|
|
|
use app\utils\FileSizeHelper;
|
2024-03-17 15:37:13 +08:00
|
|
|
|
use JsonException;
|
2024-03-05 16:54:24 +08:00
|
|
|
|
use OTPHP\TOTP;
|
2024-03-13 18:33:02 +08:00
|
|
|
|
use Random\RandomException;
|
2024-02-27 15:41:25 +08:00
|
|
|
|
use ReCaptcha\ReCaptcha;
|
2024-03-13 18:33:02 +08:00
|
|
|
|
use Throwable;
|
|
|
|
|
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
|
|
|
|
|
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
|
|
|
|
|
use Webauthn\AuthenticatorAssertionResponse;
|
|
|
|
|
use Webauthn\AuthenticatorAssertionResponseValidator;
|
|
|
|
|
use Webauthn\AuthenticatorAttestationResponse;
|
|
|
|
|
use Webauthn\AuthenticatorAttestationResponseValidator;
|
2024-03-17 17:24:26 +08:00
|
|
|
|
use Webauthn\CeremonyStep\CeremonyStepManagerFactory;
|
2024-03-14 20:29:45 +08:00
|
|
|
|
use Webauthn\Denormalizer\WebauthnSerializerFactory;
|
2024-03-13 18:33:02 +08:00
|
|
|
|
use Webauthn\Exception\AuthenticatorResponseVerificationException;
|
|
|
|
|
use Webauthn\PublicKeyCredential;
|
|
|
|
|
use Webauthn\PublicKeyCredentialCreationOptions;
|
|
|
|
|
use Webauthn\PublicKeyCredentialDescriptor;
|
|
|
|
|
use Webauthn\PublicKeyCredentialRequestOptions;
|
|
|
|
|
use Webauthn\PublicKeyCredentialRpEntity;
|
2024-03-14 20:29:45 +08:00
|
|
|
|
use Webauthn\PublicKeyCredentialSource;
|
2024-03-13 18:33:02 +08:00
|
|
|
|
use Webauthn\PublicKeyCredentialUserEntity;
|
2024-02-09 12:15:09 +08:00
|
|
|
|
use Yii;
|
2024-02-09 12:47:48 +08:00
|
|
|
|
use yii\base\Exception;
|
2024-02-27 15:41:25 +08:00
|
|
|
|
use yii\base\InvalidConfigException;
|
2024-03-16 20:25:35 +08:00
|
|
|
|
use yii\data\ActiveDataProvider;
|
|
|
|
|
use yii\db\StaleObjectException;
|
2024-03-05 16:54:24 +08:00
|
|
|
|
use yii\filters\AccessControl;
|
2024-02-27 15:41:25 +08:00
|
|
|
|
use yii\httpclient\Client;
|
2024-02-09 12:15:09 +08:00
|
|
|
|
use yii\web\Controller;
|
|
|
|
|
use yii\web\NotFoundHttpException;
|
|
|
|
|
use yii\filters\VerbFilter;
|
2024-03-07 20:35:50 +08:00
|
|
|
|
use yii\web\RangeNotSatisfiableHttpException;
|
2024-02-09 12:47:48 +08:00
|
|
|
|
use yii\web\Response;
|
2024-02-09 12:15:09 +08:00
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* UserController implements the CRUD actions for User model.
|
|
|
|
|
*/
|
|
|
|
|
class UserController extends Controller
|
|
|
|
|
{
|
|
|
|
|
/**
|
|
|
|
|
* @inheritDoc
|
|
|
|
|
*/
|
2024-03-05 16:54:24 +08:00
|
|
|
|
public function behaviors(): array
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
|
|
|
|
return array_merge(
|
|
|
|
|
parent::behaviors(),
|
|
|
|
|
[
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'access' => [
|
|
|
|
|
'class' => AccessControl::class,
|
|
|
|
|
'rules' => [
|
|
|
|
|
[
|
|
|
|
|
'allow' => true,
|
|
|
|
|
'actions' => ['delete', 'info'],
|
2024-03-07 20:35:50 +08:00
|
|
|
|
'roles' => ['user'], // only user can do these
|
2024-03-05 16:54:24 +08:00
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'allow' => true,
|
2024-03-19 17:11:41 +08:00
|
|
|
|
'actions' => ['login', 'register', 'verify-two-factor', 'verify-assertion', 'request-assertion-options'],
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'roles' => ['?', '@'], // everyone can access public share
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'allow' => true,
|
2024-03-19 17:11:41 +08:00
|
|
|
|
'actions' => ['logout', 'setup-two-factor', 'change-password', 'download-recovery-codes', 'remove-two-factor', 'set-theme', 'change-name', 'create-credential-options', 'create-credential', 'credential-list', 'credential-delete'],
|
2024-03-09 14:38:42 +08:00
|
|
|
|
'roles' => ['@'], // only logged-in user can do these ( admin included )
|
2024-03-05 16:54:24 +08:00
|
|
|
|
]
|
|
|
|
|
],
|
|
|
|
|
],
|
2024-02-09 12:15:09 +08:00
|
|
|
|
'verbs' => [
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'class' => VerbFilter::class,
|
2024-02-09 12:15:09 +08:00
|
|
|
|
'actions' => [
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'login' => ['GET', 'POST'],
|
|
|
|
|
'logout' => ['GET', 'POST'],
|
|
|
|
|
'register' => ['GET', 'POST'],
|
2024-02-09 12:15:09 +08:00
|
|
|
|
'delete' => ['POST'],
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'info' => ['GET', 'POST'],
|
2024-03-03 15:32:49 +08:00
|
|
|
|
'change-password' => ['POST'],
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'setup-two-factor' => ['POST'],
|
2024-03-07 20:35:50 +08:00
|
|
|
|
'download-recovery-codes' => ['GET'],
|
|
|
|
|
'remove-two-factor' => ['POST'],
|
2024-03-08 16:20:22 +08:00
|
|
|
|
'verify-two-factor' => ['GET', 'POST'],
|
|
|
|
|
'set-theme' => ['POST'],
|
2024-03-09 14:38:42 +08:00
|
|
|
|
'change-name' => ['POST'],
|
2024-03-14 20:29:45 +08:00
|
|
|
|
'create-credential-options' => ['GET'],
|
|
|
|
|
'create-credential' => ['POST'],
|
|
|
|
|
'request-assertion-options' => ['GET'],
|
2024-03-16 20:25:35 +08:00
|
|
|
|
'verify-assertion' => ['POST'],
|
|
|
|
|
'credential-list' => ['GET'],
|
|
|
|
|
'credential-delete' => ['POST'],
|
2024-02-09 12:15:09 +08:00
|
|
|
|
],
|
|
|
|
|
],
|
|
|
|
|
]
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-21 14:00:10 +08:00
|
|
|
|
public function init(): void
|
|
|
|
|
{
|
|
|
|
|
parent::init();
|
|
|
|
|
|
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
$this->layout = 'admin_main';
|
|
|
|
|
} elseif (Yii::$app->user->isGuest) {
|
|
|
|
|
$this->layout = 'guest_main';
|
|
|
|
|
} else {
|
|
|
|
|
$this->layout = 'main';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:15:09 +08:00
|
|
|
|
/**
|
2024-03-05 16:54:24 +08:00
|
|
|
|
* 删除账户(仅自身)
|
|
|
|
|
* @return Response
|
2024-02-09 12:15:09 +08:00
|
|
|
|
*/
|
2024-03-04 16:51:19 +08:00
|
|
|
|
public function actionDelete(): Response
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
2024-03-04 16:51:19 +08:00
|
|
|
|
$model = Yii::$app->user->identity;
|
|
|
|
|
|
|
|
|
|
if ($model->deleteAccount()) {
|
|
|
|
|
Yii::$app->user->logout();
|
2024-03-05 16:54:24 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', '账户删除成功');
|
|
|
|
|
return $this->redirect(['user/login']);
|
2024-03-04 16:51:19 +08:00
|
|
|
|
} else {
|
2024-03-05 16:54:24 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', '账户删除失败');
|
|
|
|
|
return $this->redirect(['user/info']);
|
2024-03-04 16:51:19 +08:00
|
|
|
|
}
|
2024-02-09 12:15:09 +08:00
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-17 15:37:13 +08:00
|
|
|
|
/**
|
|
|
|
|
* @return array
|
|
|
|
|
* @throws InvalidConfigException
|
|
|
|
|
* @throws \yii\httpclient\Exception
|
|
|
|
|
*/
|
|
|
|
|
protected function checkCaptcha(): array
|
|
|
|
|
{
|
|
|
|
|
$verifyProvider = Yii::$app->params['verifyProvider'];
|
|
|
|
|
$captchaResponse = null;
|
|
|
|
|
$isCaptchaValid = false;
|
|
|
|
|
if ($verifyProvider === 'reCAPTCHA') {
|
|
|
|
|
$captchaResponse = Yii::$app->request->post('g-recaptcha-response');
|
|
|
|
|
$isCaptchaValid = $this->validateRecaptcha($captchaResponse);
|
|
|
|
|
} elseif ($verifyProvider === 'hCaptcha') {
|
|
|
|
|
$captchaResponse = Yii::$app->request->post('h-captcha-response');
|
|
|
|
|
$isCaptchaValid = $this->validateHcaptcha($captchaResponse);
|
|
|
|
|
} elseif ($verifyProvider === 'Turnstile') {
|
|
|
|
|
$captchaResponse = Yii::$app->request->post('cf-turnstile-response');
|
|
|
|
|
$isCaptchaValid = $this->validateTurnstile($captchaResponse);
|
|
|
|
|
}
|
|
|
|
|
return array($verifyProvider, $captchaResponse, $isCaptchaValid);
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:15:09 +08:00
|
|
|
|
/**
|
|
|
|
|
* Finds the User model based on its primary key value.
|
|
|
|
|
* If the model is not found, a 404 HTTP exception will be thrown.
|
|
|
|
|
* @param int $id ID
|
|
|
|
|
* @return User the loaded model
|
|
|
|
|
* @throws NotFoundHttpException if the model cannot be found
|
|
|
|
|
*/
|
2024-03-05 16:54:24 +08:00
|
|
|
|
protected function findModel(int $id): User
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
|
|
|
|
if (($model = User::findOne(['id' => $id])) !== null) {
|
|
|
|
|
return $model;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw new NotFoundHttpException('The requested page does not exist.');
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-16 20:25:35 +08:00
|
|
|
|
/**
|
2024-03-17 15:37:13 +08:00
|
|
|
|
* 查找公钥凭证模型
|
2024-03-16 20:25:35 +08:00
|
|
|
|
* @param $id
|
|
|
|
|
* @return PublicKeyCredentialSourceRepository|null
|
|
|
|
|
* @throws NotFoundHttpException
|
|
|
|
|
*/
|
2024-03-17 15:37:13 +08:00
|
|
|
|
protected function findCredentialModel($id): ?PublicKeyCredentialSourceRepository
|
2024-03-16 20:25:35 +08:00
|
|
|
|
{
|
|
|
|
|
if (($model = PublicKeyCredentialSourceRepository::findOne(['id' => $id])) !== null) {
|
|
|
|
|
return $model;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw new NotFoundHttpException('The requested page does not exist.');
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:15:09 +08:00
|
|
|
|
/**
|
2024-03-19 17:11:41 +08:00
|
|
|
|
* 显示登录页并接收登录请求
|
|
|
|
|
* GET时显示登录页,如果带有username参数则直接到输入密码页
|
|
|
|
|
* POST时验证用户名密码,如果用户启用了二步验证则重定向到二步验证页面
|
2024-02-09 12:47:48 +08:00
|
|
|
|
*
|
2024-03-19 17:11:41 +08:00
|
|
|
|
* @param string|null $username
|
2024-02-16 13:59:54 +08:00
|
|
|
|
* @return string|Response
|
2024-03-05 16:54:24 +08:00
|
|
|
|
* @throws InvalidConfigException
|
|
|
|
|
* @throws \yii\httpclient\Exception
|
2024-02-09 12:15:09 +08:00
|
|
|
|
*/
|
2024-03-19 17:11:41 +08:00
|
|
|
|
public function actionLogin(string $username = null): Response|string
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
|
|
|
|
if (!Yii::$app->user->isGuest) {
|
2024-03-05 16:54:24 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', '账户已登录,请不要重复登录');
|
2024-02-09 12:15:09 +08:00
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:47:48 +08:00
|
|
|
|
$model = new User(['scenario' => 'login']);
|
2024-02-09 12:15:09 +08:00
|
|
|
|
|
2024-03-19 17:11:41 +08:00
|
|
|
|
if (($model->load(Yii::$app->request->post()) && $model->validate()) | $username !== null) {
|
|
|
|
|
if ($model->password === null) {
|
|
|
|
|
if ($username !== null) {
|
|
|
|
|
$model->username = $username;
|
|
|
|
|
}
|
2024-03-07 20:35:50 +08:00
|
|
|
|
$user = User::findOne(['username' => $model->username]);
|
2024-03-19 17:11:41 +08:00
|
|
|
|
if ($user === null) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '用户不存在');
|
|
|
|
|
return $this->render('login', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
} elseif ($user->status === 0) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '用户已停用,请联系管理员获取支持');
|
|
|
|
|
return $this->render('login', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
$publicKeyCredentialSourceRepository = new PublicKeyCredentialSourceRepository();
|
|
|
|
|
$fidoCredentials = $publicKeyCredentialSourceRepository->findAllForUserEntity($user);
|
|
|
|
|
if (empty($fidoCredentials) | $username !== null) { //未设置FIDO
|
|
|
|
|
return $this->render('_login1', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
} else { //已设置FIDO
|
|
|
|
|
return $this->render('_login2', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// 根据 verifyProvider 的值选择使用哪种验证码服务
|
|
|
|
|
list($verifyProvider, $captchaResponse, $isCaptchaValid) = $this->checkCaptcha();
|
|
|
|
|
|
|
|
|
|
if (($captchaResponse !== null && $isCaptchaValid) || ($verifyProvider === 'None')) {
|
|
|
|
|
// 验证用户名和密码
|
|
|
|
|
$user = User::findOne(['username' => $model->username]);
|
|
|
|
|
if ($user !== null && $user->validatePassword($model->password)) {
|
|
|
|
|
// 如果用户启用了二步验证,将用户重定向到二步验证页面
|
|
|
|
|
if ($user->is_otp_enabled) {
|
|
|
|
|
Yii::$app->session->set('login_verification', ['id' => $user->id]);
|
|
|
|
|
return $this->redirect(['user/verify-two-factor']);
|
|
|
|
|
} else {
|
|
|
|
|
//login without 2FA
|
|
|
|
|
$user->last_login = date('Y-m-d H:i:s');
|
|
|
|
|
$user->last_login_ip = Yii::$app->request->userIP;
|
|
|
|
|
if (!$user->save(false)) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '登陆成功,但出现了内部错误');
|
|
|
|
|
}
|
|
|
|
|
Yii::$app->user->login($user, $model->rememberMe ? 3600 * 24 * 30 : 0);
|
2024-03-21 14:00:10 +08:00
|
|
|
|
// user to home page, admin to admin/index
|
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/index']);
|
|
|
|
|
} else {
|
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
}
|
2024-03-19 17:11:41 +08:00
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '用户名密码错误或账户已禁用');
|
2024-03-01 18:04:04 +08:00
|
|
|
|
}
|
2024-02-27 15:41:25 +08:00
|
|
|
|
} else {
|
2024-03-19 17:11:41 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', '请等待验证码加载并完成验证');
|
2024-02-27 15:41:25 +08:00
|
|
|
|
}
|
2024-02-09 12:15:09 +08:00
|
|
|
|
}
|
2024-03-19 17:11:41 +08:00
|
|
|
|
} else {
|
|
|
|
|
return $this->render('login', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
2024-02-09 12:15:09 +08:00
|
|
|
|
}
|
2024-03-19 17:11:41 +08:00
|
|
|
|
return $this->render('_login1', [
|
2024-02-09 12:15:09 +08:00
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
/**
|
|
|
|
|
* @return Response|string
|
|
|
|
|
*/
|
|
|
|
|
public function actionVerifyTwoFactor(): Response|string
|
|
|
|
|
{
|
|
|
|
|
if (!Yii::$app->session->has('login_verification')) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '非法访问');
|
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$model = new User();
|
|
|
|
|
$user = User::findOne(Yii::$app->session->get('login_verification')['id']);
|
|
|
|
|
|
|
|
|
|
if ($model->load(Yii::$app->request->post())) {
|
|
|
|
|
// 验证二步验证代码
|
2024-03-09 14:38:42 +08:00
|
|
|
|
if (!is_null($model->totp_input)) {
|
2024-03-08 16:43:22 +08:00
|
|
|
|
$otp = TOTP::createFromSecret($user->otp_secret);
|
|
|
|
|
if ($otp->verify($model->totp_input)) {
|
|
|
|
|
$user->last_login = date('Y-m-d H:i:s');
|
|
|
|
|
$user->last_login_ip = Yii::$app->request->userIP;
|
|
|
|
|
if (!$user->save(false)) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '登陆成功,但出现了内部错误');
|
|
|
|
|
}
|
|
|
|
|
Yii::$app->user->login($user, $model->rememberMe ? 3600 * 24 * 30 : 0);
|
|
|
|
|
Yii::$app->session->remove('login_verification');
|
2024-03-21 14:00:10 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/index']);
|
|
|
|
|
} else {
|
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
2024-03-08 16:43:22 +08:00
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '二步验证代码错误');
|
2024-03-07 20:35:50 +08:00
|
|
|
|
}
|
2024-03-09 14:38:42 +08:00
|
|
|
|
} elseif (!is_null($model->recoveryCode_input)) {
|
2024-03-08 16:43:22 +08:00
|
|
|
|
$recoveryCodes = explode(',', $user->recovery_codes);
|
|
|
|
|
if (in_array($model->recoveryCode_input, $recoveryCodes)) {
|
|
|
|
|
//remove the used recovery code
|
|
|
|
|
$recoveryCodes = array_diff($recoveryCodes, [$model->recoveryCode_input]);
|
|
|
|
|
$user->recovery_codes = implode(',', $recoveryCodes);
|
|
|
|
|
$user->last_login = date('Y-m-d H:i:s');
|
|
|
|
|
$user->last_login_ip = Yii::$app->request->userIP;
|
|
|
|
|
if (!$user->save(false)) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '登陆成功,但出现了内部错误');
|
|
|
|
|
}
|
|
|
|
|
Yii::$app->session->setFlash('success', '登陆成功,但请注意已经使用的恢复代码已失效');
|
|
|
|
|
Yii::$app->user->login($user, $model->rememberMe ? 3600 * 24 * 30 : 0);
|
|
|
|
|
Yii::$app->session->remove('login_verification');
|
2024-03-21 14:00:10 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/index']);
|
|
|
|
|
} else {
|
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
2024-03-08 16:43:22 +08:00
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '恢复代码错误');
|
|
|
|
|
}
|
2024-03-09 14:38:42 +08:00
|
|
|
|
} else {
|
2024-03-08 16:43:22 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', '请输入二步验证代码或恢复代码');
|
2024-03-07 20:35:50 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $this->render('verifyTwoFactor', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-27 15:41:25 +08:00
|
|
|
|
/**
|
|
|
|
|
* 验证 reCAPTCHA 的响应
|
|
|
|
|
* 无法保证这项服务在中国大陆的可用性
|
|
|
|
|
* @param $recaptchaResponse
|
|
|
|
|
* @return bool
|
|
|
|
|
*/
|
|
|
|
|
private function validateRecaptcha($recaptchaResponse): bool
|
|
|
|
|
{
|
|
|
|
|
$recaptcha = new ReCaptcha(Yii::$app->params['reCAPTCHA']['secret']);
|
|
|
|
|
$resp = $recaptcha->verify($recaptchaResponse, $_SERVER['REMOTE_ADDR']);
|
|
|
|
|
|
|
|
|
|
return $resp->isSuccess();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 验证 hCaptcha 的响应
|
|
|
|
|
* @param $hcaptchaResponse
|
|
|
|
|
* @return bool
|
|
|
|
|
* @throws InvalidConfigException
|
|
|
|
|
* @throws \yii\httpclient\Exception
|
|
|
|
|
*/
|
|
|
|
|
private function validateHcaptcha($hcaptchaResponse): bool
|
|
|
|
|
{
|
|
|
|
|
$hcaptchaSecret = Yii::$app->params['hCaptcha']['secret'];
|
|
|
|
|
$verifyUrl = 'https://api.hcaptcha.com/siteverify';
|
|
|
|
|
|
2024-03-17 15:37:13 +08:00
|
|
|
|
return $this->verifyResponse($verifyUrl, $hcaptchaSecret, $hcaptchaResponse);
|
2024-02-27 15:41:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 验证 Turnstile 的响应
|
|
|
|
|
* @param $turnstileResponse
|
|
|
|
|
* @return bool
|
|
|
|
|
* @throws InvalidConfigException
|
|
|
|
|
* @throws \yii\httpclient\Exception
|
|
|
|
|
*/
|
|
|
|
|
private function validateTurnstile($turnstileResponse): bool
|
|
|
|
|
{
|
|
|
|
|
$turnstileSecret = Yii::$app->params['Turnstile']['secret'];
|
|
|
|
|
$verifyUrl = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
|
|
|
|
|
|
2024-03-17 15:37:13 +08:00
|
|
|
|
return $this->verifyResponse($verifyUrl, $turnstileSecret, $turnstileResponse);
|
2024-02-27 15:41:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:15:09 +08:00
|
|
|
|
/**
|
|
|
|
|
* Logs out the current user.
|
2024-02-16 13:59:54 +08:00
|
|
|
|
* @return Response
|
2024-02-09 12:15:09 +08:00
|
|
|
|
*/
|
2024-03-05 16:54:24 +08:00
|
|
|
|
public function actionLogout(): Response
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
|
|
|
|
Yii::$app->user->logout();
|
2024-03-21 14:00:10 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', '已登出');
|
2024-02-09 12:15:09 +08:00
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Displays the registration page.
|
2024-02-09 12:47:48 +08:00
|
|
|
|
* visit via https://devs.chenx221.cyou:8081/index.php?r=user%2Fregister
|
|
|
|
|
* @return string|Response
|
|
|
|
|
* @throws Exception
|
2024-02-09 12:15:09 +08:00
|
|
|
|
*/
|
2024-02-27 15:41:25 +08:00
|
|
|
|
public function actionRegister(): Response|string
|
2024-02-09 12:15:09 +08:00
|
|
|
|
{
|
2024-03-05 16:54:24 +08:00
|
|
|
|
if (!Yii::$app->user->isGuest) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '账户已登录,无法进行注册操作');
|
|
|
|
|
return $this->goHome();
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-09 12:47:48 +08:00
|
|
|
|
$model = new User(['scenario' => 'register']);
|
2024-02-09 12:15:09 +08:00
|
|
|
|
if ($model->load(Yii::$app->request->post()) && $model->validate()) {
|
2024-02-27 15:41:25 +08:00
|
|
|
|
// 根据 verifyProvider 的值选择使用哪种验证码服务
|
2024-03-17 15:37:13 +08:00
|
|
|
|
list($verifyProvider, $captchaResponse, $isCaptchaValid) = $this->checkCaptcha();
|
2024-02-27 15:41:25 +08:00
|
|
|
|
|
2024-02-28 16:07:39 +08:00
|
|
|
|
if (($captchaResponse !== null && $isCaptchaValid) || ($verifyProvider === 'None')) {
|
2024-02-27 15:41:25 +08:00
|
|
|
|
$raw_password = $model->password;
|
|
|
|
|
$model->password = Yii::$app->security->generatePasswordHash($raw_password);
|
|
|
|
|
$model->auth_key = Yii::$app->security->generateRandomString();
|
2024-03-01 18:04:04 +08:00
|
|
|
|
$model->created_at = date('Y-m-d H:i:s');
|
2024-03-21 14:00:10 +08:00
|
|
|
|
$model->role = 'user'; // 管理员只能通过现有管理员操作添加
|
2024-03-03 14:25:14 +08:00
|
|
|
|
$model->name = $model->username; //用户默认昵称为用户名,后期可以修改
|
2024-02-27 15:41:25 +08:00
|
|
|
|
if ($model->save(false)) { // save without validation
|
2024-03-04 15:51:45 +08:00
|
|
|
|
$userFolder = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->id;
|
|
|
|
|
if (!is_dir($userFolder)) {
|
|
|
|
|
mkdir($userFolder);
|
|
|
|
|
}
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$secretFolder = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . $model->id . '.secret';
|
2024-03-10 16:37:22 +08:00
|
|
|
|
if (!is_dir($secretFolder)) {
|
|
|
|
|
mkdir($secretFolder);
|
|
|
|
|
}
|
2024-02-27 15:41:25 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', 'Registration successful. You can now log in.');
|
|
|
|
|
return $this->redirect(['login']);
|
|
|
|
|
} else {
|
|
|
|
|
$model->password = $raw_password;
|
|
|
|
|
Yii::$app->session->setFlash('error', 'Failed to register user.');
|
|
|
|
|
}
|
2024-02-09 12:15:09 +08:00
|
|
|
|
} else {
|
2024-02-27 15:41:25 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', 'Invalid captcha.');
|
2024-02-09 12:15:09 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $this->render('register', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
]);
|
|
|
|
|
}
|
2024-03-01 18:04:04 +08:00
|
|
|
|
|
|
|
|
|
/**
|
2024-03-09 14:38:42 +08:00
|
|
|
|
* 显示用户信息
|
|
|
|
|
* 同时接收post请求来修改用户bio
|
|
|
|
|
* 支持参数focus指定页面加载时自动展开哪一块区域 [null,storage,bio,password,advanced]
|
|
|
|
|
*
|
2024-03-07 20:35:50 +08:00
|
|
|
|
* @param string|null $focus
|
2024-03-01 18:04:04 +08:00
|
|
|
|
* @return string|Response
|
|
|
|
|
*/
|
2024-03-03 15:32:49 +08:00
|
|
|
|
public function actionInfo(string $focus = null): Response|string
|
2024-03-01 18:04:04 +08:00
|
|
|
|
{
|
|
|
|
|
$model = Yii::$app->user->identity;
|
2024-03-10 16:37:22 +08:00
|
|
|
|
$usedSpace = FileSizeHelper::getUserHomeDirSize();
|
|
|
|
|
$vaultUsedSpace = FileSizeHelper::getUserVaultDirSize();
|
2024-03-02 19:16:38 +08:00
|
|
|
|
$storageLimit = $model->storage_limit;
|
2024-03-05 16:54:24 +08:00
|
|
|
|
$totp_secret = null;
|
|
|
|
|
$totp_url = null;
|
|
|
|
|
if (!$model->is_otp_enabled) {
|
|
|
|
|
$totp = TOTP::generate();
|
|
|
|
|
$totp_secret = $totp->getSecret();
|
2024-03-07 20:35:50 +08:00
|
|
|
|
$totp->setLabel('NetDisk_' . $model->name);
|
2024-03-05 16:54:24 +08:00
|
|
|
|
$totp_url = $totp->getProvisioningUri();
|
|
|
|
|
}
|
2024-03-03 14:25:14 +08:00
|
|
|
|
if (Yii::$app->request->isPost && $model->load(Yii::$app->request->post())) {
|
2024-03-03 15:32:49 +08:00
|
|
|
|
if ($model->save()) {
|
2024-03-03 14:25:14 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', '个人简介已更新');
|
2024-03-03 15:32:49 +08:00
|
|
|
|
return $this->render('info', [
|
|
|
|
|
'model' => $model,
|
|
|
|
|
'usedSpace' => $usedSpace, // B
|
|
|
|
|
'vaultUsedSpace' => $vaultUsedSpace, // B
|
|
|
|
|
'storageLimit' => $storageLimit, // MB
|
|
|
|
|
'focus' => 'bio',
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'totp_secret' => $totp_secret,
|
|
|
|
|
'totp_url' => $totp_url,
|
2024-03-07 20:35:50 +08:00
|
|
|
|
'is_otp_enabled' => $model->is_otp_enabled
|
2024-03-03 15:32:49 +08:00
|
|
|
|
]);
|
2024-03-03 14:25:14 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
2024-03-01 18:04:04 +08:00
|
|
|
|
return $this->render('info', [
|
|
|
|
|
'model' => $model,
|
2024-03-02 19:16:38 +08:00
|
|
|
|
'usedSpace' => $usedSpace, // B
|
2024-03-03 13:45:31 +08:00
|
|
|
|
'vaultUsedSpace' => $vaultUsedSpace, // B
|
2024-03-02 19:16:38 +08:00
|
|
|
|
'storageLimit' => $storageLimit, // MB
|
2024-03-03 15:32:49 +08:00
|
|
|
|
'focus' => $focus,
|
2024-03-05 16:54:24 +08:00
|
|
|
|
'totp_secret' => $totp_secret,
|
|
|
|
|
'totp_url' => $totp_url,
|
2024-03-07 20:35:50 +08:00
|
|
|
|
'is_otp_enabled' => $model->is_otp_enabled == 1
|
2024-03-01 18:04:04 +08:00
|
|
|
|
]);
|
|
|
|
|
}
|
2024-03-02 19:16:38 +08:00
|
|
|
|
|
2024-03-03 15:32:49 +08:00
|
|
|
|
/**
|
2024-03-07 20:35:50 +08:00
|
|
|
|
* 更改密码
|
2024-03-03 15:32:49 +08:00
|
|
|
|
* @return Response|string
|
|
|
|
|
* @throws Exception
|
|
|
|
|
*/
|
|
|
|
|
public function actionChangePassword(): Response|string
|
|
|
|
|
{
|
|
|
|
|
$model = Yii::$app->user->identity;
|
|
|
|
|
$model->scenario = 'changePassword';
|
2024-03-28 17:21:02 +08:00
|
|
|
|
$org_password = $model->password;
|
|
|
|
|
//verify old password
|
2024-03-03 15:32:49 +08:00
|
|
|
|
if ($model->load(Yii::$app->request->post()) && $model->validate()) {
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (!Yii::$app->security->validatePassword($model->oldPassword, $org_password)) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '原密码错误');
|
2024-03-03 15:32:49 +08:00
|
|
|
|
} else {
|
2024-03-28 17:21:02 +08:00
|
|
|
|
$model->password = Yii::$app->security->generatePasswordHash($model->newPassword);
|
|
|
|
|
if ($model->save(false)) {
|
|
|
|
|
Yii::$app->session->setFlash('success', 'Password changed successfully.');
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', 'Failed to change password.');
|
|
|
|
|
}
|
2024-03-03 15:32:49 +08:00
|
|
|
|
}
|
2024-03-28 17:21:02 +08:00
|
|
|
|
}else{
|
|
|
|
|
Yii::$app->session->setFlash('error', 'Failed to validate password.');
|
|
|
|
|
}
|
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info', 'focus' => 'password']);
|
2024-03-03 15:32:49 +08:00
|
|
|
|
}
|
|
|
|
|
return $this->redirect(['user/info', 'focus' => 'password']);
|
|
|
|
|
}
|
2024-03-04 15:51:45 +08:00
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
/**
|
|
|
|
|
* 启用二步验证
|
|
|
|
|
* @return Response
|
|
|
|
|
* @throws Exception
|
|
|
|
|
*/
|
|
|
|
|
public function actionSetupTwoFactor(): Response
|
2024-03-05 16:54:24 +08:00
|
|
|
|
{
|
2024-03-07 20:35:50 +08:00
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
|
|
|
|
|
if ($user->load(Yii::$app->request->post())) {
|
|
|
|
|
$totp_secret = $user->otp_secret;
|
|
|
|
|
$totp_input = $user->totp_input;
|
|
|
|
|
|
|
|
|
|
$otp = TOTP::createFromSecret($totp_secret);
|
|
|
|
|
if ($otp->verify($totp_input)) {
|
|
|
|
|
$recoveryCodes = $this->generateRecoveryCodes();
|
|
|
|
|
$user->is_otp_enabled = 1;
|
|
|
|
|
$user->recovery_codes = implode(',', $recoveryCodes);
|
|
|
|
|
$user->save();
|
|
|
|
|
Yii::$app->session->setFlash('success', '二步验证已启用');
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '二步验证启用失败,请重新添加');
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info']);
|
|
|
|
|
}
|
2024-03-07 20:35:50 +08:00
|
|
|
|
return $this->redirect(['user/info']);
|
|
|
|
|
}
|
2024-03-05 16:54:24 +08:00
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
/**
|
|
|
|
|
* 移除二步验证
|
|
|
|
|
*/
|
|
|
|
|
public function actionRemoveTwoFactor(): void
|
|
|
|
|
{
|
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
if ($user->is_otp_enabled) {
|
|
|
|
|
$user->otp_secret = null;
|
|
|
|
|
$user->is_otp_enabled = 0;
|
|
|
|
|
$user->recovery_codes = null;
|
2024-03-26 14:26:59 +08:00
|
|
|
|
$user->save(false);
|
2024-03-07 20:35:50 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', '二步验证已关闭');
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '二步验证未启用,无需关闭');
|
|
|
|
|
}
|
2024-03-06 20:14:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
/**
|
|
|
|
|
* 生成10组随机的恢复代码
|
|
|
|
|
* @return array
|
|
|
|
|
* @throws Exception
|
|
|
|
|
*/
|
|
|
|
|
private function generateRecoveryCodes(): array
|
2024-03-06 20:14:47 +08:00
|
|
|
|
{
|
|
|
|
|
$codes = [];
|
2024-03-07 20:35:50 +08:00
|
|
|
|
for ($i = 0; $i < 10; $i++) {
|
|
|
|
|
$codes[] = Yii::$app->security->generateRandomString(10);
|
2024-03-06 20:14:47 +08:00
|
|
|
|
}
|
|
|
|
|
return $codes;
|
2024-03-05 16:54:24 +08:00
|
|
|
|
}
|
2024-03-04 15:51:45 +08:00
|
|
|
|
|
2024-03-07 20:35:50 +08:00
|
|
|
|
/**
|
|
|
|
|
* 获取恢复代码(以txt文本的形式提供)
|
|
|
|
|
* @return Response|\yii\console\Response
|
|
|
|
|
* @throws RangeNotSatisfiableHttpException
|
|
|
|
|
*/
|
|
|
|
|
public function actionDownloadRecoveryCodes(): Response|\yii\console\Response
|
|
|
|
|
{
|
|
|
|
|
// 获取当前登录的用户模型
|
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
|
|
|
|
|
// 检查用户是否启用了 TOTP
|
|
|
|
|
if ($user->is_otp_enabled) {
|
|
|
|
|
// 获取恢复代码
|
|
|
|
|
$recoveryCodesString = implode("\n", explode(',', $user->recovery_codes));
|
|
|
|
|
// 发送恢复代码给用户
|
|
|
|
|
return Yii::$app->response->sendContentAsFile(
|
|
|
|
|
$recoveryCodesString,
|
|
|
|
|
'recovery_codes.txt',
|
|
|
|
|
['mimeType' => 'text/plain']
|
|
|
|
|
);
|
|
|
|
|
} else {
|
|
|
|
|
// 如果用户没有启用 TOTP,返回一个错误消息
|
|
|
|
|
Yii::$app->session->setFlash('error', '获取失败,您还没有启用二步验证。');
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info', 'focus' => 'advanced']);
|
|
|
|
|
}
|
2024-03-09 14:38:42 +08:00
|
|
|
|
return $this->redirect(['user/info', 'focus' => 'advanced']);
|
2024-03-07 20:35:50 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
2024-03-08 16:20:22 +08:00
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 更改用户主题
|
|
|
|
|
* @return Response
|
|
|
|
|
*/
|
|
|
|
|
public function actionSetTheme(): Response
|
|
|
|
|
{
|
|
|
|
|
$darkMode = Yii::$app->request->post('dark_mode', 0);
|
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
$user->dark_mode = $darkMode;
|
|
|
|
|
$user->save();
|
|
|
|
|
return $this->asJson(['success' => true]);
|
|
|
|
|
}
|
2024-03-09 14:38:42 +08:00
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* 修改用户昵称
|
|
|
|
|
* @return Response
|
|
|
|
|
*/
|
|
|
|
|
public function actionChangeName(): Response
|
|
|
|
|
{
|
|
|
|
|
$model = Yii::$app->user->identity;
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if ($model->load(Yii::$app->request->post()) && $model->save(true, ['name'])) {
|
2024-03-09 14:38:42 +08:00
|
|
|
|
Yii::$app->session->setFlash('success', '昵称已更新');
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '昵称更新失败');
|
|
|
|
|
}
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info']);
|
|
|
|
|
}
|
2024-03-09 14:38:42 +08:00
|
|
|
|
return $this->redirect(['user/info']);
|
|
|
|
|
}
|
2024-03-13 18:33:02 +08:00
|
|
|
|
|
2024-03-16 20:25:35 +08:00
|
|
|
|
/**
|
2024-03-17 15:37:13 +08:00
|
|
|
|
* 获取所有的公钥凭证
|
2024-03-16 20:25:35 +08:00
|
|
|
|
* @return Response|string
|
|
|
|
|
*/
|
|
|
|
|
public function actionCredentialList(): Response|string
|
|
|
|
|
{
|
|
|
|
|
if (Yii::$app->request->isAjax) {
|
|
|
|
|
return $this->renderAjax('_creIndex', [
|
|
|
|
|
'dataProvider' => new ActiveDataProvider([
|
|
|
|
|
'query' => PublicKeyCredentialSourceRepository::find()->where(['user_id' => Yii::$app->user->id]),
|
|
|
|
|
]),
|
|
|
|
|
]);
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '非Ajax请求');
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info']);
|
|
|
|
|
}
|
2024-03-16 20:25:35 +08:00
|
|
|
|
return $this->redirect('info');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2024-03-17 15:37:13 +08:00
|
|
|
|
* 删除指定的公钥凭证
|
2024-03-16 20:25:35 +08:00
|
|
|
|
* @param $id
|
|
|
|
|
* @return Response|string
|
|
|
|
|
* @throws NotFoundHttpException
|
|
|
|
|
* @throws Throwable
|
|
|
|
|
* @throws StaleObjectException
|
|
|
|
|
*/
|
|
|
|
|
public function actionCredentialDelete($id): Response|string
|
|
|
|
|
{
|
|
|
|
|
if (Yii::$app->request->isPjax) {
|
2024-03-17 15:37:13 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository = $this->findCredentialModel($id);
|
2024-03-17 17:24:26 +08:00
|
|
|
|
if ($publicKeyCredentialSourceRepository->user_id !== Yii::$app->user->id) {
|
2024-03-17 15:37:13 +08:00
|
|
|
|
Yii::$app->session->setFlash('error', '非法操作');
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info']);
|
|
|
|
|
}
|
2024-03-17 15:37:13 +08:00
|
|
|
|
return $this->redirect('info');
|
|
|
|
|
}
|
|
|
|
|
$publicKeyCredentialSourceRepository->delete();
|
2024-03-16 20:25:35 +08:00
|
|
|
|
return $this->renderAjax('_creIndex', [
|
|
|
|
|
'dataProvider' => new ActiveDataProvider([
|
|
|
|
|
'query' => PublicKeyCredentialSourceRepository::find()->where(['user_id' => Yii::$app->user->id]),
|
|
|
|
|
]),
|
|
|
|
|
]);
|
|
|
|
|
} else {
|
|
|
|
|
Yii::$app->session->setFlash('error', '非Pjax请求,无法删除');
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->redirect(['admin/info']);
|
|
|
|
|
}
|
2024-03-16 20:25:35 +08:00
|
|
|
|
return $this->redirect('info');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-17 17:24:26 +08:00
|
|
|
|
/*
|
|
|
|
|
* 以下WebAuthn(FIFO)验证代码已经调好了,不要乱动
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
2024-03-13 18:33:02 +08:00
|
|
|
|
/**
|
2024-03-14 20:29:45 +08:00
|
|
|
|
* 创建公钥凭证选项
|
2024-03-13 18:33:02 +08:00
|
|
|
|
* @return Response
|
|
|
|
|
* @throws RandomException
|
|
|
|
|
*/
|
|
|
|
|
public function actionCreateCredentialOptions(): Response
|
|
|
|
|
{
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$id = Yii::$app->params['domain'];
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
|
|
|
|
|
$rpEntity = PublicKeyCredentialRpEntity::create(
|
|
|
|
|
'NetDisk Application',
|
|
|
|
|
$id
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$userEntity = PublicKeyCredentialUserEntity::create(
|
|
|
|
|
$user->username,
|
|
|
|
|
$user->id,
|
|
|
|
|
$user->name,
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$challenge = random_bytes(16);
|
|
|
|
|
$publicKeyCredentialCreationOptions =
|
|
|
|
|
PublicKeyCredentialCreationOptions::create(
|
|
|
|
|
$rpEntity,
|
|
|
|
|
$userEntity,
|
|
|
|
|
$challenge
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// 将选项存储在会话中,以便在后续的验证步骤中使用
|
|
|
|
|
Yii::$app->session->set('publicKeyCredentialCreationOptions', $publicKeyCredentialCreationOptions);
|
|
|
|
|
|
|
|
|
|
// 将选项发送给客户端
|
|
|
|
|
return $this->asJson($publicKeyCredentialCreationOptions);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2024-03-14 20:29:45 +08:00
|
|
|
|
* 创建公钥凭证
|
|
|
|
|
* @return Response
|
2024-03-13 18:33:02 +08:00
|
|
|
|
*/
|
2024-03-14 20:29:45 +08:00
|
|
|
|
public function actionCreateCredential(): Response
|
2024-03-13 18:33:02 +08:00
|
|
|
|
{
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$data = Yii::$app->request->getRawBody();
|
2024-03-17 17:24:26 +08:00
|
|
|
|
$json_decode = json_decode($data, true);
|
|
|
|
|
$fido_name = empty($json_decode['fido_name']) ? '未命名的设备' : $json_decode['fido_name'];
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$attestationStatementSupportManager = AttestationStatementSupportManager::create();
|
|
|
|
|
$attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());
|
|
|
|
|
$webauthnSerializerFactory = new WebauthnSerializerFactory($attestationStatementSupportManager);
|
|
|
|
|
$serializer = $webauthnSerializerFactory->create();
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$publicKeyCredential = $serializer->deserialize($data, PublicKeyCredential::class, 'json');
|
|
|
|
|
$authenticatorAttestationResponse = $publicKeyCredential->response;
|
|
|
|
|
if (!$authenticatorAttestationResponse instanceof AuthenticatorAttestationResponse) {
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['message' => 'Invalid response type']);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
2024-03-17 17:24:26 +08:00
|
|
|
|
// 什么时候更新开发文档?
|
|
|
|
|
$ceremonyStepManagerFactory = new CeremonyStepManagerFactory();
|
|
|
|
|
$ceremonyStepManager = $ceremonyStepManagerFactory->creationCeremony();
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$authenticatorAttestationResponseValidator = AuthenticatorAttestationResponseValidator::create(
|
2024-03-17 17:24:26 +08:00
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
$ceremonyStepManager
|
2024-03-13 18:33:02 +08:00
|
|
|
|
);
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$publicKeyCredentialCreationOptions = Yii::$app->session->get('publicKeyCredentialCreationOptions');
|
|
|
|
|
try {
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check( //response -> source
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$authenticatorAttestationResponse,
|
|
|
|
|
$publicKeyCredentialCreationOptions,
|
2024-03-14 20:29:45 +08:00
|
|
|
|
Yii::$app->params['domain']
|
2024-03-13 18:33:02 +08:00
|
|
|
|
);
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository = new PublicKeyCredentialSourceRepository();
|
2024-03-17 17:24:26 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository->saveCredential($publicKeyCredentialSource, $fido_name); //receive source
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['verified' => true]);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
} catch (Throwable $e) {
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['message' => $e->getMessage(), 'verified' => false]);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2024-03-14 20:29:45 +08:00
|
|
|
|
* 请求验证选项
|
2024-03-19 17:11:41 +08:00
|
|
|
|
* @param string|null $username
|
2024-03-13 18:33:02 +08:00
|
|
|
|
* @return Response
|
|
|
|
|
* @throws RandomException
|
|
|
|
|
*/
|
2024-03-19 17:11:41 +08:00
|
|
|
|
public function actionRequestAssertionOptions(string $username = null): Response
|
2024-03-13 18:33:02 +08:00
|
|
|
|
{
|
2024-03-19 17:11:41 +08:00
|
|
|
|
$user = null;
|
|
|
|
|
if ($username !== null) {
|
|
|
|
|
$user = User::findOne(['username' => $username]);
|
|
|
|
|
if ($user === null) {
|
|
|
|
|
return $this->asJson(['message' => 'User not found']);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
$user = Yii::$app->user->identity;
|
|
|
|
|
}
|
|
|
|
|
if ($user === null) {
|
|
|
|
|
return $this->asJson(['message' => 'Guest? Sure?']);
|
|
|
|
|
}
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository = new PublicKeyCredentialSourceRepository();
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($user);
|
|
|
|
|
|
|
|
|
|
$allowedCredentials = array_map(
|
2024-03-14 20:29:45 +08:00
|
|
|
|
static function (PublicKeyCredentialSourceRepository $credential): PublicKeyCredentialDescriptor {
|
|
|
|
|
$data = $credential->data;
|
|
|
|
|
$webauthnSerializerFactory = new WebauthnSerializerFactory(new AttestationStatementSupportManager());
|
|
|
|
|
$publicKeyCredentialSource = $webauthnSerializerFactory->create()->deserialize($data, PublicKeyCredentialSource::class, 'json');
|
|
|
|
|
return $publicKeyCredentialSource->getPublicKeyCredentialDescriptor();
|
2024-03-13 18:33:02 +08:00
|
|
|
|
},
|
|
|
|
|
$registeredAuthenticators
|
|
|
|
|
);
|
|
|
|
|
$publicKeyCredentialRequestOptions =
|
|
|
|
|
PublicKeyCredentialRequestOptions::create(
|
|
|
|
|
random_bytes(32), // Challenge
|
|
|
|
|
allowCredentials: $allowedCredentials
|
|
|
|
|
);
|
|
|
|
|
Yii::$app->session->set('publicKeyCredentialRequestOptions', $publicKeyCredentialRequestOptions);
|
|
|
|
|
|
|
|
|
|
return $this->asJson($publicKeyCredentialRequestOptions);
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
2024-03-13 18:33:02 +08:00
|
|
|
|
/**
|
2024-03-14 20:29:45 +08:00
|
|
|
|
* 验证断言
|
2024-03-17 15:37:13 +08:00
|
|
|
|
* 用于已登录情况下验证fifo设置是否成功
|
2024-03-19 17:11:41 +08:00
|
|
|
|
* @param int $is_login
|
|
|
|
|
* @param int $remember
|
2024-03-14 20:29:45 +08:00
|
|
|
|
* @return Response
|
2024-03-17 15:37:13 +08:00
|
|
|
|
* @throws JsonException
|
2024-03-13 18:33:02 +08:00
|
|
|
|
*/
|
2024-03-21 14:00:10 +08:00
|
|
|
|
public function actionVerifyAssertion(int $is_login = 0, int $remember = 0): Response
|
2024-03-13 18:33:02 +08:00
|
|
|
|
{
|
2024-03-14 20:29:45 +08:00
|
|
|
|
$data = Yii::$app->request->getRawBody();
|
|
|
|
|
|
|
|
|
|
$attestationStatementSupportManager = AttestationStatementSupportManager::create();
|
|
|
|
|
$attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());
|
|
|
|
|
$webauthnSerializerFactory = new WebauthnSerializerFactory($attestationStatementSupportManager);
|
|
|
|
|
$serializer = $webauthnSerializerFactory->create();
|
|
|
|
|
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$publicKeyCredential = $serializer->deserialize($data, PublicKeyCredential::class, 'json');
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$authenticatorAssertionResponse = $publicKeyCredential->response;
|
|
|
|
|
if (!$authenticatorAssertionResponse instanceof AuthenticatorAssertionResponse) {
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['message' => 'Invalid response type']);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
|
|
|
|
$publicKeyCredentialSourceRepository = new PublicKeyCredentialSourceRepository();
|
|
|
|
|
$publicKeyCredentialSourceRepository1 = $publicKeyCredentialSourceRepository->findOneByCredentialId(
|
|
|
|
|
$publicKeyCredential->id
|
2024-03-13 18:33:02 +08:00
|
|
|
|
);
|
2024-03-14 20:29:45 +08:00
|
|
|
|
if ($publicKeyCredentialSourceRepository1 === null) {
|
2024-03-16 20:25:35 +08:00
|
|
|
|
return $this->asJson(['message' => 'Invalid credential']);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
2024-03-14 20:29:45 +08:00
|
|
|
|
|
|
|
|
|
$PKCS = $webauthnSerializerFactory->create()->deserialize($publicKeyCredentialSourceRepository1->data, PublicKeyCredentialSource::class, 'json');
|
2024-03-17 17:24:26 +08:00
|
|
|
|
$ceremonyStepManagerFactory = new CeremonyStepManagerFactory();
|
|
|
|
|
$ceremonyStepManager = $ceremonyStepManagerFactory->requestCeremony();
|
|
|
|
|
$authenticatorAssertionResponseValidator = AuthenticatorAssertionResponseValidator::create(
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
null,
|
|
|
|
|
$ceremonyStepManager
|
|
|
|
|
);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$publicKeyCredentialRequestOptions = Yii::$app->session->get('publicKeyCredentialRequestOptions');
|
|
|
|
|
try {
|
|
|
|
|
$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
|
2024-03-16 20:25:35 +08:00
|
|
|
|
$PKCS, //credential source
|
|
|
|
|
$authenticatorAssertionResponse, //user response
|
2024-03-13 18:33:02 +08:00
|
|
|
|
$publicKeyCredentialRequestOptions,
|
2024-03-14 20:29:45 +08:00
|
|
|
|
Yii::$app->params['domain'],
|
2024-03-17 15:37:13 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository1->user_id //我也不知道这个是什么,不过看了眼源码,移动设备验证时userhandle传入的是Null
|
2024-03-13 18:33:02 +08:00
|
|
|
|
);
|
|
|
|
|
} catch (AuthenticatorResponseVerificationException $e) {
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['message' => $e->getMessage(), 'verified' => false]);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
|
|
|
|
|
2024-03-19 17:11:41 +08:00
|
|
|
|
|
|
|
|
|
if ($is_login === 1) {
|
|
|
|
|
$user = User::findOne(['id' => $publicKeyCredentialSourceRepository1->user_id]);
|
|
|
|
|
$user->last_login = date('Y-m-d H:i:s');
|
|
|
|
|
$user->last_login_ip = Yii::$app->request->userIP;
|
|
|
|
|
if (!$user->save(false)) {
|
|
|
|
|
Yii::$app->session->setFlash('error', '登陆成功,但出现了内部错误');
|
|
|
|
|
}
|
2024-03-21 14:00:10 +08:00
|
|
|
|
Yii::$app->user->login($user, $remember === 1 ? 3600 * 24 * 30 : 0);
|
|
|
|
|
$publicKeyCredentialSourceRepository1->saveCredential($publicKeyCredentialSource, '', false);
|
2024-03-28 17:21:02 +08:00
|
|
|
|
if (Yii::$app->user->can('admin')) {
|
|
|
|
|
return $this->asJson(['verified' => true, 'redirectTo' => 'index.php?r=admin%2Findex']);
|
2024-03-21 14:00:10 +08:00
|
|
|
|
}
|
2024-03-28 17:21:02 +08:00
|
|
|
|
return $this->asJson(['verified' => true, 'redirectTo' => 'index.php']);
|
2024-03-19 17:11:41 +08:00
|
|
|
|
}
|
2024-03-14 20:29:45 +08:00
|
|
|
|
// Optional, but highly recommended, you can save the credential source as it may be modified
|
|
|
|
|
// during the verification process (counter may be higher).
|
2024-03-19 17:11:41 +08:00
|
|
|
|
$publicKeyCredentialSourceRepository1->saveCredential($publicKeyCredentialSource, '', false);
|
2024-03-14 20:29:45 +08:00
|
|
|
|
return $this->asJson(['verified' => true]);
|
2024-03-13 18:33:02 +08:00
|
|
|
|
}
|
2024-03-17 15:37:13 +08:00
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @param string $verifyUrl
|
|
|
|
|
* @param mixed $hcaptchaSecret
|
|
|
|
|
* @param $hcaptchaResponse
|
|
|
|
|
* @return bool
|
|
|
|
|
* @throws InvalidConfigException
|
|
|
|
|
* @throws \yii\httpclient\Exception
|
|
|
|
|
*/
|
|
|
|
|
private function verifyResponse(string $verifyUrl, mixed $hcaptchaSecret, $hcaptchaResponse): bool
|
|
|
|
|
{
|
|
|
|
|
$client = new Client();
|
|
|
|
|
$response = $client->createRequest()
|
|
|
|
|
->setMethod('POST')
|
|
|
|
|
->setUrl($verifyUrl)
|
|
|
|
|
->setData(['secret' => $hcaptchaSecret, 'response' => $hcaptchaResponse])
|
|
|
|
|
->send();
|
|
|
|
|
|
|
|
|
|
if ($response->isOk) {
|
|
|
|
|
$responseData = $response->getData();
|
|
|
|
|
return isset($responseData['success']) && $responseData['success'] === true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2024-02-09 12:15:09 +08:00
|
|
|
|
}
|