chore: 2FA

packages/libs/lib-server/src/basic/constants.ts

@@ -75,6 +75,10 @@ export const Constants = {
       code: 10010,
       message: '站点已关闭',
     },
+    need2fa:{
+      code: 10020,
+      message: '需要2FA认证',
+    },
     openKeyError: {
       code: 20000,
       message: 'ApiToken错误',

packages/libs/lib-server/src/basic/exception/auth-exception.ts

@@ -4,7 +4,15 @@ import { BaseException } from './base-exception.js';
  * 授权异常
  */
 export class AuthException extends BaseException {
-  constructor(message) {
+  constructor(message?:string) {
     super('AuthException', Constants.res.auth.code, message ? message : Constants.res.auth.message);
   }
 }
+
+
+export class Need2FAException extends BaseException {
+  constructor(message?:string) {
+    super('Need2FAException', Constants.res.need2fa.code, message ? message : Constants.res.need2fa.message);
+  }
+}
+

packages/ui/certd-client/src/router/source/modules/certd.ts

@@ -143,6 +143,17 @@ export const certdResources = [
               keepAlive: true,
             },
           },
+          {
+            title: "认证安全设置",
+            name: "UserSecurity",
+            path: "/certd/mine/security",
+            component: "/certd/mine/security/index.vue",
+            meta: {
+              icon: "ion:locked-outline",
+              auth: true,
+              isMenu: true,
+            },
+          },
           {
             title: "账号信息",
             name: "UserProfile",

packages/ui/certd-client/src/views/certd/mine/security/api.ts

@@ -38,3 +38,10 @@ export async function TwoFactorAuthenticatorSave(req: AuthenticatorSaveReq) {
     data: req,
   });
 }
+
+export async function TwoFactorAuthenticatorOff() {
+  return await request({
+    url: apiPrefix + "/twoFactor/authenticator/off",
+    method: "post",
+  });
+}

packages/ui/certd-client/src/views/certd/mine/security/index.vue

@@ -1,35 +1,39 @@
 <template>
   <fs-page class="page-user-settings page-two-factor">
     <template #header>
-      <div class="title">多重认证设置</div>
+      <div class="title">认证安全设置</div>
     </template>
     <div class="user-settings-form settings-form">
       <a-form :model="formState" name="basic" :label-col="{ span: 8 }" :wrapper-col="{ span: 16 }" autocomplete="off">
-        <a-form-item label="Authenticator APP认证" :name="['authenticator', 'enabled']">
+        <a-form-item label="OTP多重验证登录" :name="['authenticator', 'enabled']">
-          <div class="flex">
+          <div class="flex mt-5">
-            <a-switch v-model:checked="formState.authenticator.enabled" />
+            <a-switch v-model:checked="formState.authenticator.enabled" @change="onAuthenticatorEnabledChanged" />
 
-            <a-button v-if="formState.authenticator.enabled && formState.authenticator.verified" class="ml-1" type="primary" @click="authenticatorForm.open = true">修改</a-button>
+            <a-button v-if="formState.authenticator.enabled && formState.authenticator.verified" :disabled="authenticatorOpenRef" size="small" class="ml-2" type="primary" @click="authenticatorForm.open = true">
+              重新绑定
+            </a-button>
           </div>
 
-          <div class="helper">创建流水线时默认使用此定时时间</div>
+          <div class="helper">是否开启多重验证登录</div>
         </a-form-item>
-        <div v-if="authenticatorOpenRef" class="authenticator-config">
+        <a-form-item v-if="authenticatorOpenRef" label="绑定设备" class="authenticator-config">
-          <h3>1. 安装任意一款 Authenticator APP</h3>
+          <h3 class="font-bold m-5">1. 安装任意一款 Authenticator APP</h3>
-          <div>比如：Microsoft Authenticator / Google Authenticator / Authy / Synology Secure SignIn 等</div>
+          <div class="ml-20">比如：Microsoft Authenticator / Google Authenticator / Authy / Synology Secure SignIn 等</div>
-          <h3>2. 扫描二维码添加账号</h3>
+          <h3 class="font-bold m-10">2. 扫描二维码添加账号</h3>
           <div v-if="authenticatorForm.qrcodeSrc" class="qrcode">
-            <img style="width: 400px; height: 400px" :src="authenticatorForm.qrcodeSrc" />
+            <div class="ml-20">
+              <img class="full-w" :src="authenticatorForm.qrcodeSrc" />
             </div>
-          <h3>3. 输入验证码</h3>
+          </div>
-          <div>
+          <h3 class="font-bold m-10">3. 输入验证码</h3>
+          <div class="ml-20">
             <a-input v-model:value="authenticatorForm.verifyCode" placeholder="请输入验证码" />
           </div>
-          <div>
+          <div class="ml-20 flex mt-10">
             <loading-button type="primary" html-type="button" :click="doAuthenticatorSave">确认</loading-button>
             <a-button class="ml-1" @click="authenticatorForm.open = false">取消</a-button>
           </div>
-        </div>
+        </a-form-item>
       </a-form>
     </div>
   </fs-page>
@@ -39,11 +43,11 @@
 import { computed, reactive, watch } from "vue";
 import * as api from "./api";
 import { UserTwoFactorSetting } from "./api";
-import { notification } from "ant-design-vue";
+import { Modal, notification } from "ant-design-vue";
 import { merge } from "lodash-es";
 
 defineOptions({
-  name: "UserSettingsTwoFactor",
+  name: "UserSecurity",
 });
 
 const formState = reactive<Partial<UserTwoFactorSetting>>({});
@@ -63,9 +67,8 @@ watch(
   },
   async open => {
     if (open) {
-      const data = await api.TwoFactorAuthenticatorGet();
       //base64 转图片
-      authenticatorForm.qrcodeSrc = `data:image/png;base64,${data}`;
+      authenticatorForm.qrcodeSrc = await api.TwoFactorAuthenticatorGet();
     } else {
       authenticatorForm.qrcodeSrc = "";
       authenticatorForm.verifyCode = "";
@@ -86,13 +89,36 @@ const doAuthenticatorSave = async (form: any) => {
   notification.success({
     message: "保存成功",
   });
+  authenticatorForm.open = false;
 };
+
+function onAuthenticatorEnabledChanged(value) {
+  if (!value) {
+    //要关闭
+    if (formState.authenticator.verified) {
+      Modal.confirm({
+        title: "确认",
+        content: `确定要关闭多重验证登录吗？`,
+        async onOk() {
+          await api.TwoFactorAuthenticatorOff();
+          notification.success({
+            message: "关闭成功",
+          });
+          loadUserSettings();
+        },
+        onCancel() {
+          formState.authenticator.enabled = true;
+        },
+      });
+    }
+  }
+}
 </script>
 
 <style lang="less">
 .page-user-settings {
   .user-settings-form {
-    width: 500px;
+    width: 600px;
     margin: 20px;
   }
 }

packages/ui/certd-client/src/views/framework/login/index.vue

@@ -1,14 +1,6 @@
 <template>
   <div class="main login-page">
-    <a-form
+    <a-form ref="formRef" class="user-layout-login" name="custom-validation" :model="formState" v-bind="layout" @finish="handleFinish" @finish-failed="handleFinishFailed">
-      ref="formRef"
-      class="user-layout-login"
-      name="custom-validation"
-      :model="formState"
-      v-bind="layout"
-      @finish="handleFinish"
-      @finish-failed="handleFinishFailed"
-    >
       <!--      <div class="login-title">登录</div>-->
       <a-tabs v-model:active-key="formState.loginType" :tab-bar-style="{ textAlign: 'center', borderBottom: 'unset' }">
         <a-tab-pane key="password" tab="密码登录" :disabled="sysPublicSettings.passwordLoginEnabled !== true">
@@ -44,13 +36,7 @@
             </a-form-item>
 
             <a-form-item name="smsCode" :rules="rules.smsCode">
-              <sms-code
+              <sms-code v-model:value="formState.smsCode" :img-code="formState.imgCode" :mobile="formState.mobile" :phone-code="formState.phoneCode" :random-str="formState.randomStr" />
-                v-model:value="formState.smsCode"
-                :img-code="formState.imgCode"
-                :mobile="formState.mobile"
-                :phone-code="formState.phoneCode"
-                :random-str="formState.randomStr"
-              />
             </a-form-item>
           </template>
         </a-tab-pane>
@@ -89,42 +75,42 @@ export default defineComponent({
       loginType: "password", //password
       imgCode: "",
       smsCode: "",
-      randomStr: ""
+      randomStr: "",
     });
 
     const rules = {
       mobile: [
         {
           required: true,
-          message: "请输入手机号"
+          message: "请输入手机号",
-        }
+        },
       ],
       username: [
         {
           required: true,
-          message: "请输入用户名"
+          message: "请输入用户名",
-        }
+        },
       ],
       password: [
         {
           required: true,
-          message: "请输入登录密码"
+          message: "请输入登录密码",
-        }
+        },
       ],
       smsCode: [
         {
           required: true,
-          message: "请输入短信验证码"
+          message: "请输入短信验证码",
-        }
+        },
-      ]
+      ],
     };
     const layout = {
       labelCol: {
-        span: 0
+        span: 0,
       },
       wrapperCol: {
-        span: 24
+        span: 24,
-      }
+      },
     };
 
     const handleFinish = async (values: any) => {
@@ -163,9 +149,9 @@ export default defineComponent({
       resetForm,
       isLoginError,
       sysPublicSettings,
-      hasRegisterTypeEnabled
+      hasRegisterTypeEnabled,
     };
-  }
+  },
 });
 </script>
 

packages/ui/certd-server/src/controller/user/login/login-controller.ts

@@ -23,13 +23,16 @@ export class LoginController extends BaseController {
     user: any
   ) {
     const token = await this.loginService.loginByPassword(user);
-    this.ctx.cookies.set('token', token.token, {
+    this.writeTokenCookie(token);
-      maxAge: 1000 * token.expire,
-    });
-
     return this.ok(token);
   }
 
+  private writeTokenCookie(token: { expire: any; token: any }) {
+    this.ctx.cookies.set("token", token.token, {
+      maxAge: 1000 * token.expire
+    });
+  }
+
   @Post('/loginBySms', { summary: Constants.per.guest })
   public async loginBySms(
     @Body(ALL)
@@ -48,10 +51,23 @@ export class LoginController extends BaseController {
       randomStr: body.randomStr,
     });
 
-    this.ctx.cookies.set('token', token.token, {
+    this.writeTokenCookie(token);
-      maxAge: 1000 * token.expire,
+
+    return this.ok(token);
+  }
+
+  @Post('/loginByTwoFactor', { summary: Constants.per.guest })
+  public async loginByTwoFactor(
+    @Body(ALL)
+    body: any
+  ) {
+
+    const token = await this.loginService.loginByTwoFactor({
+      loginCode: body.loginCode,
+      verifyCode: body.verifyCode,
     });
 
+    this.writeTokenCookie(token);
     return this.ok(token);
   }
 

packages/ui/certd-server/src/controller/user/mine/setting-two-factor-controller.ts

@@ -58,4 +58,11 @@ export class UserTwoFactorSettingController extends BaseController {
     return this.ok();
   }
 
+  @Post("/authenticator/off", { summary: Constants.per.authOnly })
+  async authenticatorOff() {
+    const userId = this.getUserId();
+    await this.twoFactorService.offAuthenticator(userId);
+    return this.ok();
+  }
+
 }

packages/ui/certd-server/src/modules/login/service/login-service.ts

@@ -1,14 +1,16 @@
 import {Config, Inject, Provide, Scope, ScopeEnum} from '@midwayjs/core';
 import {UserService} from '../../sys/authority/service/user-service.js';
 import jwt from 'jsonwebtoken';
-import {CommonException} from '@certd/lib-server';
+import { AuthException, CommonException, Need2FAException } from "@certd/lib-server";
 import {RoleService} from '../../sys/authority/service/role-service.js';
 import {UserEntity} from '../../sys/authority/entity/user.js';
 import {SysSettingsService} from '@certd/lib-server';
 import {SysPrivateSettings} from '@certd/lib-server';
-import {cache} from '@certd/basic';
+import {cache, utils} from '@certd/basic';
 import {LoginErrorException} from '@certd/lib-server/dist/basic/exception/login-error-exception.js';
 import {CodeService} from '../../basic/service/code-service.js';
+import { TwoFactorService } from "../../mine/service/two-factor-service.js";
+import { UserSettingsService } from '../../mine/service/user-settings-service.js';
 
 /**
  * 系统用户
@@ -28,6 +30,10 @@ export class LoginService {
 
   @Inject()
   sysSettingsService: SysSettingsService;
+  @Inject()
+  userSettingsService: UserSettingsService;
+  @Inject()
+  twoFactorService: TwoFactorService;
 
   checkIsBlocked(username: string) {
     const blockDurationKey = `login_block_duration:${username}`;
@@ -138,21 +144,50 @@ export class LoginService {
     return this.onLoginSuccess(info);
   }
 
-  private async onLoginSuccess(info: UserEntity) {
+  async checkTwoFactorEnabled(userId:number) {
+    //检查是否开启多重认证
 
+    const twoFactorSetting = await this.twoFactorService.getSetting(userId)
+
+    const authenticatorSetting = twoFactorSetting.authenticator
+    if (authenticatorSetting.enabled){
+      //要检查
+      const randomKey = utils.id.simpleNanoId(12)
+      cache.set(`login_2fa_code:${randomKey}`, userId, {
+        ttl: 60 * 1000,
+      })
+      throw new Need2FAException('已开启多重认证，请在60秒内输入验证码')
+    }
+
+  }
+
+  async loginByTwoFactor(req: {  loginCode: string; verifyCode: string }){
+      const userId = cache.get(`login_2fa_code:${req.loginCode}`)
+    if (!userId){
+      throw new AuthException('登录状态已失效，请重新登录')
+    }
+    await this.twoFactorService.verifyAuthenticatorCode(userId, req.verifyCode)
+
+    return this.generateToken(await this.userService.findOne(userId))
+  }
+
+  private async onLoginSuccess(info: UserEntity) {
     if (info.status === 0) {
       throw new CommonException('用户已被禁用');
     }
-    const roleIds = await this.roleService.getRoleIdsByUserId(info.id);
+    await this.checkTwoFactorEnabled(info.id)
-    return this.generateToken(info, roleIds);
+    return this.generateToken(info);
   }
 
+
+
   /**
    * 生成token
    * @param user 用户对象
    * @param roleIds
    */
-  async generateToken(user: UserEntity, roleIds: number[]) {
+  async generateToken(user: UserEntity) {
+    const roleIds = await this.roleService.getRoleIdsByUserId(user.id);
     const tokenInfo = {
       username: user.username,
       id: user.id,

packages/ui/certd-server/src/modules/mine/service/models.ts

@@ -14,7 +14,6 @@ export class UserTwoFactorSetting extends BaseSettings {
   authenticator: TwoFactorAuthenticator = {
     enabled:false,
     verified:false,
-    type: "totp"
   };
 
 }

packages/ui/certd-server/src/modules/mine/service/two-factor-service.ts

@@ -1,7 +1,6 @@
 import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
 import { UserSettingsService } from "./user-settings-service.js";
 import { UserTwoFactorSetting } from "./models.js";
-import { utils } from "@certd/basic";
 import { UserService } from "../../sys/authority/service/user-service.js";
 
 /**
@@ -17,17 +16,19 @@ export class TwoFactorService {
 
 
   async getAuthenticatorQrCode(userId: any) {
-    const setting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
+    const setting = await this.getSetting(userId)
 
-    const authenticator = setting.authenticator;
+    const authenticatorSetting = setting.authenticator;
-    if (!authenticator.secret) {
+    if (!authenticatorSetting.secret) {
-      authenticator.secret = utils.id.simpleNanoId(16);
+      const { authenticator  } = await import("otplib");
+
+      authenticatorSetting.secret = authenticator.generateSecret()
       await this.userSettingsService.saveSetting(userId, setting);
     }
 
     const user = await this.userService.info(userId);
     const username = user.username;
-    const secret = authenticator.secret;
+    const secret = authenticatorSetting.secret;
     const qrcodeContent = `otpauth://totp/Certd:${username}?secret=${secret}&issuer=Certd`;
 
     //生成qrcode base64
@@ -39,13 +40,13 @@ export class TwoFactorService {
   async saveAuthenticator(req: { userId: any; verifyCode: any }) {
     const userId = req.userId;
     const { authenticator } = await import("otplib");
-    const tfSetting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
+    const setting = await this.getSetting(userId)
 
-    const setting = tfSetting.authenticator;
+    const authenticatorSetting = setting.authenticator;
-    if (!setting.secret) {
+    if (!authenticatorSetting.secret) {
       throw new Error("secret is required");
     }
-    const secret = setting.secret;
+    const secret = authenticatorSetting.secret;
     const token = req.verifyCode;
 
     const isValid = authenticator.verify({ token, secret });
@@ -54,9 +55,38 @@ export class TwoFactorService {
     }
 
     //校验成功，保存开启状态
-    setting.enabled = true;
+    authenticatorSetting.enabled = true;
-    setting.verified = true;
+    authenticatorSetting.verified = true;
 
     await this.userSettingsService.saveSetting(userId, setting);
   }
+
+  async offAuthenticator(userId:number) {
+    if (!userId) {
+      throw new Error("userId is required");
+    }
+
+    const setting = await this.getSetting(userId)
+    setting.authenticator.enabled = false;
+    setting.authenticator.verified = false;
+    setting.authenticator.secret = '';
+    await this.userSettingsService.saveSetting(userId, setting);
+  }
+
+  async getSetting(userId:number) {
+    return await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
+
+  }
+
+  async verifyAuthenticatorCode(userId: any, verifyCode: string) {
+    const { authenticator } = await import("otplib");
+    const setting = await this.getSetting(userId)
+    if (!setting.authenticator.enabled) {
+      throw new Error("authenticator 未开启");
+    }
+    if (!authenticator.verify({ token: verifyCode, secret: setting.authenticator.secret })) {
+      throw new Error("验证码错误");
+    }
+    return true;
+  }
 }

packages/ui/certd-server/src/modules/mine/service/user-settings-service.ts

@@ -95,6 +95,9 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
 
     const type: any = bean.constructor;
     const key = type.__key__;
+    if(!key){
+      throw new Error(`${type.name} must have __key__`);
+    }
     const entity = await this.getByKey(key,userId);
     const newEntity = new UserSettingsEntity();
     if (entity) {
@@ -104,8 +107,8 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
       newEntity.title = type.__title__;
       newEntity.userId = userId;
     }
-    entity.setting = JSON.stringify(bean);
+    newEntity.setting = JSON.stringify(bean);
-    await this.repository.save(entity);
+    await this.repository.save(newEntity);
   }
 
 }