extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2024-11-25 17:54:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Complete merge with refactoring for better integration

Browse Source
This commit is contained in:
Bubka 2024-04-23 16:28:42 +02:00
parent e75589526b
commit e498350f62
30 changed files with 640 additions and 518 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.env.example
View File

@ -179,6 +179,12 @@ LOGIN_THROTTLE=5
AUTHENTICATION_GUARD=web-guard AUTHENTICATION_GUARD=web-guard
# Authentication log retention time, in days.
# Log entries older than that are automatically deleted.
AUTHENTICATION_LOG_RETENTION=365
# Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level. # Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level.
# Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...) # Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...)
# (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard') # (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard')

3
Dockerfile vendored
View File

@ -186,6 +186,9 @@ ENV \
# authentication checks. That means your proxy is fully responsible of the authentication process, 2FAuth will # authentication checks. That means your proxy is fully responsible of the authentication process, 2FAuth will
# trust him as long as headers are presents. # trust him as long as headers are presents.
AUTHENTICATION_GUARD=web-guard \ AUTHENTICATION_GUARD=web-guard \
# Authentication log retention time, in days.
# Log entries older than that are automatically deleted.
AUTHENTICATION_LOG_RETENTION=365 \
# Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level. # Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level.
# Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...) # Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...)
# (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard') # (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard')

442
_ide_helper.php
View File

@ -5,7 +5,7 @@
/** /**
* A helper file for Laravel, to provide autocomplete information to your IDE * A helper file for Laravel, to provide autocomplete information to your IDE
* Generated for Laravel 10.48.4. * Generated for Laravel 10.48.8.
* *
* This file should not be included in your code, only analyzed by your IDE! * This file should not be included in your code, only analyzed by your IDE!
* *
@ -1640,36 +1640,6 @@
/** /**
* *
* *
* @method static bool attempt(array $credentials = [], bool $remember = false)
* @method static bool once(array $credentials = [])
* @method static void login(\Illuminate\Contracts\Auth\Authenticatable $user, bool $remember = false)
* @method static \Illuminate\Contracts\Auth\Authenticatable|bool loginUsingId(mixed $id, bool $remember = false)
* @method static \Illuminate\Contracts\Auth\Authenticatable|bool onceUsingId(mixed $id)
* @method static bool viaRemember()
* @method static void logout()
* @method static \Symfony\Component\HttpFoundation\Response|null basic(string $field = 'email', array $extraConditions = [])
* @method static \Symfony\Component\HttpFoundation\Response|null onceBasic(string $field = 'email', array $extraConditions = [])
* @method static bool attemptWhen(array $credentials = [], array|callable|null $callbacks = null, bool $remember = false)
* @method static void logoutCurrentDevice()
* @method static \Illuminate\Contracts\Auth\Authenticatable|null logoutOtherDevices(string $password, string $attribute = 'password')
* @method static void attempting(mixed $callback)
* @method static \Illuminate\Contracts\Auth\Authenticatable getLastAttempted()
* @method static string getName()
* @method static string getRecallerName()
* @method static \Illuminate\Auth\SessionGuard setRememberDuration(int $minutes)
* @method static \Illuminate\Contracts\Cookie\QueueingFactory getCookieJar()
* @method static void setCookieJar(\Illuminate\Contracts\Cookie\QueueingFactory $cookie)
* @method static \Illuminate\Contracts\Events\Dispatcher getDispatcher()
* @method static void setDispatcher(\Illuminate\Contracts\Events\Dispatcher $events)
* @method static \Illuminate\Contracts\Session\Session getSession()
* @method static \Illuminate\Contracts\Auth\Authenticatable|null getUser()
* @method static \Symfony\Component\HttpFoundation\Request getRequest()
* @method static \Illuminate\Auth\SessionGuard setRequest(\Symfony\Component\HttpFoundation\Request $request)
* @method static \Illuminate\Support\Timebox getTimebox()
* @method static void macro(string $name, object|callable $macro)
* @method static void mixin(object $mixin, bool $replace = true)
* @method static bool hasMacro(string $name)
* @method static void flushMacros()
* @see \Illuminate\Auth\AuthManager * @see \Illuminate\Auth\AuthManager
* @see \Illuminate\Auth\SessionGuard * @see \Illuminate\Auth\SessionGuard
*/ class Auth { */ class Auth {
@ -1851,24 +1821,336 @@
return $instance->getDefaultUserProvider(); return $instance->getDefaultUserProvider();
} }
/** /**
* {@inheritDoc} * Get the currently authenticated user.
* *
* @return \App\Models\User|null
* @static * @static
*/ public static function user() */ public static function user()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->user(); return $instance->user();
}
/**
* Get the ID for the currently authenticated user.
*
* @return int|string|null
* @static
*/ public static function id()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->id();
}
/**
* Log a user into the application without sessions or cookies.
*
* @param array $credentials
* @return bool
* @static
*/ public static function once($credentials = [])
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->once($credentials);
}
/**
* Log the given user ID into the application without sessions or cookies.
*
* @param mixed $id
* @return \App\Models\User|false
* @static
*/ public static function onceUsingId($id)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->onceUsingId($id);
} }
/** /**
* Validate a user's credentials. * Validate a user's credentials.
* *
* @param array $credentials
* @return bool * @return bool
* @codeCoverageIgnore
* @static * @static
*/ public static function validate($credentials = []) */ public static function validate($credentials = [])
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->validate($credentials); return $instance->validate($credentials);
}
/**
* Attempt to authenticate using HTTP Basic Auth.
*
* @param string $field
* @param array $extraConditions
* @return \Symfony\Component\HttpFoundation\Response|null
* @throws \Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException
* @static
*/ public static function basic($field = 'email', $extraConditions = [])
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->basic($field, $extraConditions);
}
/**
* Perform a stateless HTTP Basic login attempt.
*
* @param string $field
* @param array $extraConditions
* @return \Symfony\Component\HttpFoundation\Response|null
* @throws \Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException
* @static
*/ public static function onceBasic($field = 'email', $extraConditions = [])
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->onceBasic($field, $extraConditions);
}
/**
* Attempt to authenticate a user using the given credentials.
*
* @param array $credentials
* @param bool $remember
* @return bool
* @static
*/ public static function attempt($credentials = [], $remember = false)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->attempt($credentials, $remember);
}
/**
* Attempt to authenticate a user with credentials and additional callbacks.
*
* @param array $credentials
* @param array|callable|null $callbacks
* @param bool $remember
* @return bool
* @static
*/ public static function attemptWhen($credentials = [], $callbacks = null, $remember = false)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->attemptWhen($credentials, $callbacks, $remember);
}
/**
* Log the given user ID into the application.
*
* @param mixed $id
* @param bool $remember
* @return \App\Models\User|false
* @static
*/ public static function loginUsingId($id, $remember = false)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->loginUsingId($id, $remember);
}
/**
* Log a user into the application.
*
* @param \Illuminate\Contracts\Auth\Authenticatable $user
* @param bool $remember
* @return void
* @static
*/ public static function login($user, $remember = false)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->login($user, $remember);
}
/**
* Log the user out of the application.
*
* @return void
* @static
*/ public static function logout()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->logout();
}
/**
* Log the user out of the application on their current device only.
*
* This method does not cycle the "remember" token.
*
* @return void
* @static
*/ public static function logoutCurrentDevice()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->logoutCurrentDevice();
}
/**
* Invalidate other sessions for the current user.
*
* The application must be using the AuthenticateSession middleware.
*
* @param string $password
* @param string $attribute
* @return \App\Models\User|null
* @throws \Illuminate\Auth\AuthenticationException
* @static
*/ public static function logoutOtherDevices($password, $attribute = 'password')
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->logoutOtherDevices($password, $attribute);
}
/**
* Register an authentication attempt event listener.
*
* @param mixed $callback
* @return void
* @static
*/ public static function attempting($callback)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->attempting($callback);
}
/**
* Get the last user we attempted to authenticate.
*
* @return \App\Models\User
* @static
*/ public static function getLastAttempted()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getLastAttempted();
}
/**
* Get a unique identifier for the auth session value.
*
* @return string
* @static
*/ public static function getName()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getName();
}
/**
* Get the name of the cookie used to store the "recaller".
*
* @return string
* @static
*/ public static function getRecallerName()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getRecallerName();
}
/**
* Determine if the user was authenticated via "remember me" cookie.
*
* @return bool
* @static
*/ public static function viaRemember()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->viaRemember();
}
/**
* Set the number of minutes the remember me cookie should be valid for.
*
* @param int $minutes
* @return \Illuminate\Auth\SessionGuard
* @static
*/ public static function setRememberDuration($minutes)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->setRememberDuration($minutes);
}
/**
* Get the cookie creator instance used by the guard.
*
* @return \Illuminate\Contracts\Cookie\QueueingFactory
* @throws \RuntimeException
* @static
*/ public static function getCookieJar()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getCookieJar();
}
/**
* Set the cookie creator instance used by the guard.
*
* @param \Illuminate\Contracts\Cookie\QueueingFactory $cookie
* @return void
* @static
*/ public static function setCookieJar($cookie)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->setCookieJar($cookie);
}
/**
* Get the event dispatcher instance.
*
* @return \Illuminate\Contracts\Events\Dispatcher
* @static
*/ public static function getDispatcher()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getDispatcher();
}
/**
* Set the event dispatcher instance.
*
* @param \Illuminate\Contracts\Events\Dispatcher $events
* @return void
* @static
*/ public static function setDispatcher($events)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
$instance->setDispatcher($events);
}
/**
* Get the session store used by the guard.
*
* @return \Illuminate\Contracts\Session\Session
* @static
*/ public static function getSession()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getSession();
}
/**
* Return the currently cached user.
*
* @return \App\Models\User|null
* @static
*/ public static function getUser()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getUser();
}
/**
* Set the current user.
*
* @param \Illuminate\Contracts\Auth\Authenticatable $user
* @return \Illuminate\Auth\SessionGuard
* @static
*/ public static function setUser($user)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->setUser($user);
}
/**
* Get the current request instance.
*
* @return \Symfony\Component\HttpFoundation\Request
* @static
*/ public static function getRequest()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getRequest();
}
/**
* Set the current request instance.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* @return \Illuminate\Auth\SessionGuard
* @static
*/ public static function setRequest($request)
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->setRequest($request);
}
/**
* Get the timebox instance used by the guard.
*
* @return \Illuminate\Support\Timebox
* @static
*/ public static function getTimebox()
{
/** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getTimebox();
} }
/** /**
* Determine if the current user is authenticated. If not, throw an exception. * Determine if the current user is authenticated. If not, throw an exception.
@ -1878,7 +2160,7 @@
* @static * @static
*/ public static function authenticate() */ public static function authenticate()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->authenticate(); return $instance->authenticate();
} }
/** /**
@ -1888,7 +2170,7 @@
* @static * @static
*/ public static function hasUser() */ public static function hasUser()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->hasUser(); return $instance->hasUser();
} }
/** /**
@ -1898,7 +2180,7 @@
* @static * @static
*/ public static function check() */ public static function check()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->check(); return $instance->check();
} }
/** /**
@ -1908,38 +2190,17 @@
* @static * @static
*/ public static function guest() */ public static function guest()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->guest(); return $instance->guest();
}
/**
* Get the ID for the currently authenticated user.
*
* @return int|string|null
* @static
*/ public static function id()
{
/** @var \App\Services\Auth\ReverseProxyGuard $instance */
return $instance->id();
}
/**
* Set the current user.
*
* @param \Illuminate\Contracts\Auth\Authenticatable $user
* @return \App\Services\Auth\ReverseProxyGuard
* @static
*/ public static function setUser($user)
{
/** @var \App\Services\Auth\ReverseProxyGuard $instance */
return $instance->setUser($user);
} }
/** /**
* Forget the current user. * Forget the current user.
* *
* @return \App\Services\Auth\ReverseProxyGuard * @return \Illuminate\Auth\SessionGuard
* @static * @static
*/ public static function forgetUser() */ public static function forgetUser()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->forgetUser(); return $instance->forgetUser();
} }
/** /**
@ -1949,7 +2210,7 @@
* @static * @static
*/ public static function getProvider() */ public static function getProvider()
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
return $instance->getProvider(); return $instance->getProvider();
} }
/** /**
@ -1960,8 +2221,50 @@
* @static * @static
*/ public static function setProvider($provider) */ public static function setProvider($provider)
{ {
/** @var \App\Services\Auth\ReverseProxyGuard $instance */ /** @var \Illuminate\Auth\SessionGuard $instance */
$instance->setProvider($provider); $instance->setProvider($provider);
}
/**
* Register a custom macro.
*
* @param string $name
* @param object|callable $macro
* @return void
* @static
*/ public static function macro($name, $macro)
{
\Illuminate\Auth\SessionGuard::macro($name, $macro);
}
/**
* Mix another object into the class.
*
* @param object $mixin
* @param bool $replace
* @return void
* @throws \ReflectionException
* @static
*/ public static function mixin($mixin, $replace = true)
{
\Illuminate\Auth\SessionGuard::mixin($mixin, $replace);
}
/**
* Checks if macro is registered.
*
* @param string $name
* @return bool
* @static
*/ public static function hasMacro($name)
{
return \Illuminate\Auth\SessionGuard::hasMacro($name);
}
/**
* Flush the existing macros.
*
* @return void
* @static
*/ public static function flushMacros()
{
\Illuminate\Auth\SessionGuard::flushMacros();
} }
} }
/** /**
@ -8569,6 +8872,17 @@
{ {
/** @var \Illuminate\Support\Testing\Fakes\NotificationFake $instance */ /** @var \Illuminate\Support\Testing\Fakes\NotificationFake $instance */
return $instance->hasSent($notifiable, $notification); return $instance->hasSent($notifiable, $notification);
}
/**
* Specify if notification should be serialized and restored when being "pushed" to the queue.
*
* @param bool $serializeAndRestore
* @return \Illuminate\Support\Testing\Fakes\NotificationFake
* @static
*/ public static function serializeAndRestore($serializeAndRestore = true)
{
/** @var \Illuminate\Support\Testing\Fakes\NotificationFake $instance */
return $instance->serializeAndRestore($serializeAndRestore);
} }
/** /**
* Get the notifications that have been sent. * Get the notifications that have been sent.

8
app/Console/Commands/PurgeAuthenticationLog.php → app/Console/Commands/PurgeAuthLog.php
View File

@ -24,17 +24,17 @@
namespace App\Console\Commands; namespace App\Console\Commands;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use Illuminate\Console\Command; use Illuminate\Console\Command;
class PurgeAuthenticationLog extends Command class PurgeAuthLog extends Command
{ {
/** /**
* The name and signature of the console command. * The name and signature of the console command.
* *
* @var string * @var string
*/ */
public $signature = 'authentication-log:purge'; public $signature = '2fauth:purge-log';
/** /**
* The console command description. * The console command description.
@ -50,7 +50,7 @@ public function handle() : void
{ {
$this->comment('Clearing authentication log...'); $this->comment('Clearing authentication log...');
$deleted = AuthenticationLog::where('login_at', '<', now()->subDays(config('authentication-log.purge'))->format('Y-m-d H:i:s'))->delete(); $deleted = AuthLog::where('login_at', '<', now()->subDays(config('2fauth.authLogRetentionTime'))->format('Y-m-d H:i:s'))->delete();
$this->info($deleted . ' authentication logs cleared.'); $this->info($deleted . ' authentication logs cleared.');
} }

2
app/Console/Commands/Utils/ResetTrait.php
View File

@ -70,7 +70,7 @@ protected function flushDB() : void
DB::table('groups')->delete(); DB::table('groups')->delete();
DB::table('users')->delete(); DB::table('users')->delete();
DB::table('options')->delete(); DB::table('options')->delete();
DB::table(config('authentication-log.table_name'))->delete(); DB::table('auth_logs')->delete();
$this->line('Database cleaned'); $this->line('Database cleaned');
} }

26
app/Events/VisitedByProxyUser.php Normal file
View File

@ -0,0 +1,26 @@
<?php
namespace App\Events;
use App\Models\User;
use Illuminate\Contracts\Auth\Authenticatable;
class VisitedByProxyUser
{
/**
* The authenticated user.
*
* @var User|Authenticatable
*/
public $user;
/**
* Create a new event instance.
*
* @return void
*/
public function __construct(User|Authenticatable $user)
{
$this->user = $user;
}
}

4
app/Listeners/Authentication/AccessAbstractListener.php → app/Listeners/Authentication/AbstractAccessListener.php
View File

@ -4,7 +4,7 @@
use Illuminate\Http\Request; use Illuminate\Http\Request;
abstract class AccessAbstractListener abstract class AbstractAccessListener
{ {
/** /**
* The current request * The current request
@ -22,6 +22,8 @@ public function __construct(Request $request)
} }
/** /**
* Handle the event.
*
* @return void * @return void
*/ */
abstract public function handle(mixed $event); abstract public function handle(mixed $event);

81
app/Listeners/Authentication/AuthProxyListener.php
View File

@ -1,81 +0,0 @@
<?php
/**
* The MIT License (MIT)
* Copyright (c) 2024 Bubka
* Copyright (c) 2024 Anthony Rappa
* Copyright (c) 2017 Yaakov Dahan
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
* associated documentation files (the "Software"), to deal in the Software without restriction,
* including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial
* portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
namespace App\Listeners\Authentication;
use Illuminate\Auth\Events\Login;
use Illuminate\Http\Request;
use Illuminate\Support\Carbon;
use App\Notifications\SignedInWithNewDevice;
use App\Models\Traits\AuthenticationLoggable;
class AuthProxyListener extends AccessAbstractListener
{
public Request $request;
public function __construct(Request $request)
{
$this->request = $request;
}
public function handle(mixed $event): void
{
$listener = config('authentication-log.events.login', Login::class);
if (! $event instanceof $listener) {
return;
}
if ($event->user) {
if(! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) {
return;
}
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$user = $event->user;
$userAgent = $this->request->userAgent();
$known = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first();
$newUser = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1;
/** @disregard Undefined function */
$log = $user->authentications()->create([
'ip_address' => $ip,
'user_agent' => $userAgent,
'login_at' => now(),
'login_successful' => true,
'location' => config('authentication-log.notifications.new-device.location') ? optional(geoip()->getLocation($ip))->toArray() : null
]);
if (! $known && ! $newUser && config('authentication-log.notifications.new-device.enabled')) {
$newDevice = config('authentication-log.notifications.new-device.template') ?? SignedInWithNewDevice::class;
$user->notify(new $newDevice($log));
}
}
}
}

44
app/Listeners/Authentication/FailedLoginListener.php
View File

@ -25,54 +25,40 @@
namespace App\Listeners\Authentication; namespace App\Listeners\Authentication;
use App\Notifications\FailedLogin; use App\Notifications\FailedLogin;
use App\Models\Traits\AuthenticationLoggable;
use Illuminate\Auth\Events\Failed; use Illuminate\Auth\Events\Failed;
use Illuminate\Http\Request;
class FailedLoginListener extends AccessAbstractListener class FailedLoginListener extends AbstractAccessListener
{ {
public Request $request; /**
* Handle the event.
public function __construct(Request $request) *
{ * @return void
$this->request = $request; */
}
public function handle(mixed $event) : void public function handle(mixed $event) : void
{ {
$listener = config('authentication-log.events.failed', Failed::class); if (! $event instanceof Failed) {
if (! $event instanceof $listener) {
return; return;
} }
if ($event->user) { if ($event->user) {
if (! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) { /**
return; * @var \App\Models\User
} */
$user = $event->user;
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$guard = $event->guard; $guard = $event->guard;
$ip = config('2fauth.proxy_headers.forIp') ?? $this->request->ip();
/** @disregard Undefined function */ $log = $user->authentications()->create([
$log = $event->user->authentications()->create([
'ip_address' => $ip, 'ip_address' => $ip,
'user_agent' => $this->request->userAgent(), 'user_agent' => $this->request->userAgent(),
'login_at' => now(), 'login_at' => now(),
'login_successful' => false, 'login_successful' => false,
'location' => config('authentication-log.notifications.new-device.location') ? optional(geoip()->getLocation($ip))->toArray() : null,
'guard' => $guard, 'guard' => $guard,
'login_method' => $this->loginMethod(), 'login_method' => $this->loginMethod(),
]); ]);
if (config('authentication-log.notifications.failed-login.enabled')) { if ($user->preferences['notifyOnFailedLogin']) {
$failedLogin = config('authentication-log.notifications.failed-login.template') ?? FailedLogin::class; $user->notify(new FailedLogin($log));
$event->user->notify(new $failedLogin($log));
} }
} }
} }

33
app/Listeners/Authentication/LoginListener.php
View File

@ -24,57 +24,44 @@
namespace App\Listeners\Authentication; namespace App\Listeners\Authentication;
use App\Models\Traits\AuthenticationLoggable;
use App\Notifications\SignedInWithNewDevice; use App\Notifications\SignedInWithNewDevice;
use Illuminate\Auth\Events\Login; use Illuminate\Auth\Events\Login;
use Illuminate\Http\Request;
use Illuminate\Support\Carbon; use Illuminate\Support\Carbon;
class LoginListener extends AccessAbstractListener class LoginListener extends AbstractAccessListener
{ {
/** /**
* Handle the event.
* *
* @return void
*/ */
public function handle(mixed $event) : void public function handle(mixed $event) : void
{ {
$listener = config('authentication-log.events.login', Login::class); if (! $event instanceof Login) {
if (! $event instanceof $listener) {
return; return;
} }
if ($event->user) { /**
if (! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) { * @var \App\Models\User
return; */
}
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$user = $event->user; $user = $event->user;
$ip = config('2fauth.proxy_headers.forIp') ?? $this->request->ip();
$userAgent = $this->request->userAgent(); $userAgent = $this->request->userAgent();
$known = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first(); $known = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first();
$newUser = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1; $newUser = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1;
$guard = $event->guard; $guard = $event->guard;
/** @disregard Undefined function */
$log = $user->authentications()->create([ $log = $user->authentications()->create([
'ip_address' => $ip, 'ip_address' => $ip,
'user_agent' => $userAgent, 'user_agent' => $userAgent,
'login_at' => now(), 'login_at' => now(),
'login_successful' => true, 'login_successful' => true,
'location' => config('authentication-log.notifications.new-device.location') ? optional(geoip()->getLocation($ip))->toArray() : null,
'guard' => $guard, 'guard' => $guard,
'login_method' => $this->loginMethod(), 'login_method' => $this->loginMethod(),
]); ]);
if (! $known && ! $newUser && config('authentication-log.notifications.new-device.enabled')) { if (! $known && ! $newUser && $user->preferences['notifyOnNewAuthDevice']) {
$newDevice = config('authentication-log.notifications.new-device.template') ?? SignedInWithNewDevice::class; $user->notify(new SignedInWithNewDevice($log));
$user->notify(new $newDevice($log));
}
} }
} }
} }

42
app/Listeners/Authentication/LogoutListener.php
View File

@ -24,47 +24,33 @@
namespace App\Listeners\Authentication; namespace App\Listeners\Authentication;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use App\Models\Traits\AuthenticationLoggable;
use Illuminate\Auth\Events\Logout; use Illuminate\Auth\Events\Logout;
use Illuminate\Http\Request;
class LogoutListener extends AccessAbstractListener class LogoutListener extends AbstractAccessListener
{ {
public Request $request; /**
* Handle the event.
public function __construct(Request $request) *
{ * @return void
$this->request = $request; */
}
public function handle(mixed $event) : void public function handle(mixed $event) : void
{ {
$listener = config('authentication-log.events.logout', Logout::class); if (! $event instanceof Logout) {
if (! $event instanceof $listener) {
return;
}
if ($event->user) {
if (! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) {
return; return;
} }
/**
* @var \App\Models\User
*/
$user = $event->user; $user = $event->user;
$ip = config('2fauth.proxy_headers.forIp') ?? $this->request->ip();
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$userAgent = $this->request->userAgent(); $userAgent = $this->request->userAgent();
$log = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereGuard($event->guard)->orderByDesc('login_at')->first(); $log = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereGuard($event->guard)->orderByDesc('login_at')->first();
$guard = $event->guard; $guard = $event->guard;
if (! $log) { if (! $log) {
$log = new AuthenticationLog([ $log = new AuthLog([
'ip_address' => $ip, 'ip_address' => $ip,
'user_agent' => $userAgent, 'user_agent' => $userAgent,
'guard' => $guard, 'guard' => $guard,
@ -72,8 +58,6 @@ public function handle(mixed $event) : void
} }
$log->logout_at = now(); $log->logout_at = now();
$user->authentications()->save($log); $user->authentications()->save($log);
} }
}
} }

47
app/Listeners/Authentication/OtherDeviceLogoutListener.php
View File

@ -24,47 +24,33 @@
namespace App\Listeners\Authentication; namespace App\Listeners\Authentication;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use App\Models\Traits\AuthenticationLoggable;
use Illuminate\Auth\Events\OtherDeviceLogout; use Illuminate\Auth\Events\OtherDeviceLogout;
use Illuminate\Http\Request;
class OtherDeviceLogoutListener extends AccessAbstractListener class OtherDeviceLogoutListener extends AbstractAccessListener
{ {
public Request $request; /**
* Handle the event.
public function __construct(Request $request) *
{ * @return void
$this->request = $request; */
}
public function handle(mixed $event) : void public function handle(mixed $event) : void
{ {
$listener = config('authentication-log.events.other-device-logout', OtherDeviceLogout::class); if (! $event instanceof OtherDeviceLogout) {
if (! $event instanceof $listener) {
return;
}
if ($event->user) {
if (! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) {
return; return;
} }
/**
* @var \App\Models\User
*/
$user = $event->user; $user = $event->user;
$ip = config('2fauth.proxy_headers.forIp') ?? $this->request->ip();
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$userAgent = $this->request->userAgent(); $userAgent = $this->request->userAgent();
$authenticationLog = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->first(); $authLog = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->first();
$guard = $event->guard; $guard = $event->guard;
if (! $authenticationLog) { if (! $authLog) {
$authenticationLog = new AuthenticationLog([ $authLog = new AuthLog([
'ip_address' => $ip, 'ip_address' => $ip,
'user_agent' => $userAgent, 'user_agent' => $userAgent,
'guard' => $guard, 'guard' => $guard,
@ -72,7 +58,7 @@ public function handle(mixed $event) : void
} }
foreach ($user->authentications()->whereLoginSuccessful(true)->whereNull('logout_at')->get() as $log) { foreach ($user->authentications()->whereLoginSuccessful(true)->whereNull('logout_at')->get() as $log) {
if ($log->id !== $authenticationLog->id) { if ($log->id !== $authLog->id) {
$log->update([ $log->update([
'cleared_by_user' => true, 'cleared_by_user' => true,
'logout_at' => now(), 'logout_at' => now(),
@ -80,5 +66,4 @@ public function handle(mixed $event) : void
} }
} }
} }
}
} }

41
app/Listeners/Authentication/VisitedByProxyUserListener.php
View File

@ -3,56 +3,41 @@
namespace App\Authentication\Listeners; namespace App\Authentication\Listeners;
use App\Events\VisitedByProxyUser; use App\Events\VisitedByProxyUser;
use App\Listeners\Authentication\AccessAbstractListener; use App\Listeners\Authentication\AbstractAccessListener;
use App\Models\Traits\AuthenticationLoggable;
use App\Notifications\SignedInWithNewDevice; use App\Notifications\SignedInWithNewDevice;
use Illuminate\Http\Request;
use Illuminate\Support\Carbon; use Illuminate\Support\Carbon;
class VisitedByProxyUserListener extends AccessAbstractListener class VisitedByProxyUserListener extends AbstractAccessListener
{ {
public Request $request; /**
* Handle the event.
public function __construct(Request $request) *
{ * @return void
$this->request = $request; */
}
public function handle(mixed $event): void public function handle(mixed $event): void
{ {
if (! $event instanceof VisitedByProxyUser) { if (! $event instanceof VisitedByProxyUser) {
return; return;
} }
if ($event->user) { /**
if(! in_array(AuthenticationLoggable::class, class_uses_recursive(get_class($event->user)))) { * @var \App\Models\User
return; */
}
if (config('authentication-log.behind_cdn')) {
$ip = $this->request->server(config('authentication-log.behind_cdn.http_header_field'));
} else {
$ip = $this->request->ip();
}
$user = $event->user; $user = $event->user;
$ip = config('2fauth.proxy_headers.forIp') ?? $this->request->ip();
$userAgent = $this->request->userAgent(); $userAgent = $this->request->userAgent();
$known = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first(); $known = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first();
$newUser = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1; $newUser = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1;
/** @disregard Undefined function */
$log = $user->authentications()->create([ $log = $user->authentications()->create([
'ip_address' => $ip, 'ip_address' => $ip,
'user_agent' => $userAgent, 'user_agent' => $userAgent,
'login_at' => now(), 'login_at' => now(),
'login_successful' => true, 'login_successful' => true,
'location' => config('authentication-log.notifications.new-device.location') ? optional(geoip()->getLocation($ip))->toArray() : null,
]); ]);
if (! $known && ! $newUser && config('authentication-log.notifications.new-device.enabled')) { if (! $known && ! $newUser && $user->preferences['notifyOnNewAuthDevice']) {
$newDevice = config('authentication-log.notifications.new-device.template') ?? SignedInWithNewDevice::class; $user->notify(new SignedInWithNewDevice($log));
$user->notify(new $newDevice($log));
}
} }
} }
} }

32
app/Models/AuthenticationLog.php → app/Models/AuthLog.php
View File

@ -37,22 +37,16 @@
* @property bool $login_successful * @property bool $login_successful
* @property \Illuminate\Support\Carbon|null $logout_at * @property \Illuminate\Support\Carbon|null $logout_at
* @property bool $cleared_by_user * @property bool $cleared_by_user
* @property array|null $location
* @property string|null $guard * @property string|null $guard
* @property string|null $method * @property string|null $method
*/ */
class AuthenticationLog extends Model class AuthLog extends Model
{ {
/** /**
* Indicates if the model should be timestamped. * Indicates if the model should be timestamped.
*/ */
public $timestamps = false; public $timestamps = false;
/**
* The table associated with the model.
*/
protected $table = 'authentication_log';
/** /**
* The attributes that are mass assignable. * The attributes that are mass assignable.
*/ */
@ -63,7 +57,6 @@ class AuthenticationLog extends Model
'login_successful', 'login_successful',
'logout_at', 'logout_at',
'cleared_by_user', 'cleared_by_user',
'location',
'guard', 'guard',
'login_method', 'login_method',
]; ];
@ -73,36 +66,15 @@ class AuthenticationLog extends Model
*/ */
protected $casts = [ protected $casts = [
'cleared_by_user' => 'boolean', 'cleared_by_user' => 'boolean',
'location' => 'array',
'login_successful' => 'boolean', 'login_successful' => 'boolean',
'login_at' => 'datetime', 'login_at' => 'datetime',
'logout_at' => 'datetime', 'logout_at' => 'datetime',
]; ];
/**
* Create a new Eloquent AuthenticationLog instance
*/
public function __construct(array $attributes = [])
{
if (! isset($this->connection)) {
$this->setConnection(config('authentication-log.db_connection'));
}
parent::__construct($attributes);
}
/**
* Get the table associated with the model.
*/
public function getTable()
{
return config('authentication-log.table_name', parent::getTable());
}
/** /**
* MorphTo relation to get the associated authenticatable user * MorphTo relation to get the associated authenticatable user
* *
* @return MorphTo<\Illuminate\Database\Eloquent\Model, AuthenticationLog> * @return MorphTo<\Illuminate\Database\Eloquent\Model, AuthLog>
*/ */
public function authenticatable() public function authenticatable()
{ {

19
app/Models/Traits/AuthenticationLoggable.php → app/Models/Traits/HasAuthenticationLog.php
View File

@ -24,32 +24,31 @@
namespace App\Models\Traits; namespace App\Models\Traits;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use Illuminate\Support\Carbon; use Illuminate\Support\Carbon;
use Illuminate\Support\Collection;
trait AuthenticationLoggable trait HasAuthenticationLog
{ {
/** /**
* Get all user's authentications from the auth log * Get all user's authentications from the auth log
* *
* @return \Illuminate\Database\Eloquent\Relations\MorphMany<AuthenticationLog> * @return \Illuminate\Database\Eloquent\Relations\MorphMany<AuthLog>
*/ */
public function authentications() public function authentications()
{ {
return $this->morphMany(AuthenticationLog::class, 'authenticatable')->latest('id'); return $this->morphMany(AuthLog::class, 'authenticatable')->latest('id');
} }
/** /**
* Get authentications for the provided timespan (in month) * Get authentications for the provided timespan (in month)
* *
* @return \Illuminate\Database\Eloquent\Collection<int, AuthenticationLog> * @return \Illuminate\Database\Eloquent\Collection<int, AuthLog>
*/ */
public function authenticationsByPeriod(int $period = 1) public function authenticationsByPeriod(int $period = 1)
{ {
$from = Carbon::now()->subMonths($period); $from = Carbon::now()->subMonths($period);
return $this->authentications->filter(function (AuthenticationLog $authentication) use ($from) { return $this->authentications->filter(function (AuthLog $authentication) use ($from) {
return $authentication->login_at >= $from || $authentication->logout_at >= $from; return $authentication->login_at >= $from || $authentication->logout_at >= $from;
}); });
} }
@ -57,11 +56,11 @@ public function authenticationsByPeriod(int $period = 1)
/** /**
* Get the user's latest authentication * Get the user's latest authentication
* *
* @return \Illuminate\Database\Eloquent\Relations\MorphOne<AuthenticationLog> * @return \Illuminate\Database\Eloquent\Relations\MorphOne<AuthLog>
*/ */
public function latestAuthentication() public function latestAuthentication()
{ {
return $this->morphOne(AuthenticationLog::class, 'authenticatable')->latestOfMany('login_at'); return $this->morphOne(AuthLog::class, 'authenticatable')->latestOfMany('login_at');
} }
/** /**
@ -115,7 +114,7 @@ public function previousLoginIp() : ?string
/** /**
* The notification channels to be used for notifications * The notification channels to be used for notifications
*/ */
public function notifyAuthenticationLogVia() : array public function notifyAuthLogVia() : array
{ {
return ['mail']; return ['mail'];
} }

8
app/Models/User.php
View File

@ -3,7 +3,7 @@
namespace App\Models; namespace App\Models;
use App\Models\Traits\WebAuthnManageCredentials; use App\Models\Traits\WebAuthnManageCredentials;
use App\Models\Traits\AuthenticationLoggable; use App\Models\Traits\HasAuthenticationLog;
use Illuminate\Auth\Events\PasswordReset; use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Auth\Notifications\ResetPassword; use Illuminate\Auth\Notifications\ResetPassword;
use Illuminate\Contracts\Translation\HasLocalePreference; use Illuminate\Contracts\Translation\HasLocalePreference;
@ -43,9 +43,9 @@
* @property-read int|null $web_authn_credentials_count * @property-read int|null $web_authn_credentials_count
* @property string|null $oauth_id * @property string|null $oauth_id
* @property string|null $oauth_provider * @property string|null $oauth_provider
* @property-read \Illuminate\Database\Eloquent\Collection<int, \App\Models\AuthenticationLog> $authentications * @property-read \Illuminate\Database\Eloquent\Collection<int, \App\Models\AuthLog> $authentications
* @property-read int|null $authentications_count * @property-read int|null $authentications_count
* @property-read \App\Models\AuthenticationLog|null $latestAuthentication * @property-read \App\Models\AuthLog|null $latestAuthentication
* *
* @method static \Illuminate\Database\Eloquent\Builder|User admins() * @method static \Illuminate\Database\Eloquent\Builder|User admins()
* *
@ -53,7 +53,7 @@
*/ */
class User extends Authenticatable implements HasLocalePreference, WebAuthnAuthenticatable class User extends Authenticatable implements HasLocalePreference, WebAuthnAuthenticatable
{ {
use AuthenticationLoggable; use HasAuthenticationLog;
use HasApiTokens, HasFactory, Notifiable; use HasApiTokens, HasFactory, Notifiable;
use WebAuthnAuthentication, WebAuthnManageCredentials; use WebAuthnAuthentication, WebAuthnManageCredentials;

37
app/Notifications/FailedLogin.php
View File

@ -2,24 +2,37 @@
namespace App\Notifications; namespace App\Notifications;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use Illuminate\Bus\Queueable; use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue; use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Messages\MailMessage; use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Notifications\Notification; use Illuminate\Notifications\Notification;
use Jenssegers\Agent\Agent;
class FailedLogin extends Notification implements ShouldQueue class FailedLogin extends Notification implements ShouldQueue
{ {
use Queueable; use Queueable;
/** /**
* The AuthenticationLog model instance * A user agent parser instance.
*
* @var mixed
*/ */
public AuthenticationLog $authenticationLog; protected $agent;
public function __construct(AuthenticationLog $authenticationLog) /**
* The AuthLog model instance
*/
public AuthLog $authLog;
/**
* Create a new FailedLogin instance
*/
public function __construct(AuthLog $authLog)
{ {
$this->authenticationLog = $authenticationLog; $this->authLog = $authLog;
$this->agent = new Agent();
$this->agent->setUserAgent($authLog->user_agent);
} }
/** /**
@ -27,7 +40,7 @@ public function __construct(AuthenticationLog $authenticationLog)
*/ */
public function via(mixed $notifiable) : array|string public function via(mixed $notifiable) : array|string
{ {
return $notifiable->notifyAuthenticationLogVia(); return $notifiable->notifyAuthLogVia();
} }
/** /**
@ -36,13 +49,13 @@ public function via(mixed $notifiable) : array|string
public function toMail(mixed $notifiable) : MailMessage public function toMail(mixed $notifiable) : MailMessage
{ {
return (new MailMessage()) return (new MailMessage())
->subject(__('A failed login to your account')) ->subject(__('notifications.failed_login.subject'))
->markdown('authentication-log::emails.failed', [ ->markdown('emails.failedLogin', [
'account' => $notifiable, 'account' => $notifiable,
'time' => $this->authenticationLog->login_at, 'time' => $this->authLog->login_at,
'ipAddress' => $this->authenticationLog->ip_address, 'ipAddress' => $this->authLog->ip_address,
'browser' => $this->authenticationLog->user_agent, 'browser' => $this->authLog->user_agent,
'location' => $this->authenticationLog->location, 'platform' => $this->agent->platform(),
]); ]);
} }
} }

21
app/Notifications/SignedInWithNewDevice.php
View File

@ -2,7 +2,7 @@
namespace App\Notifications; namespace App\Notifications;
use App\Models\AuthenticationLog; use App\Models\AuthLog;
use Illuminate\Bus\Queueable; use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue; use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Messages\MailMessage; use Illuminate\Notifications\Messages\MailMessage;
@ -13,7 +13,10 @@ class SignedInWithNewDevice extends Notification implements ShouldQueue
{ {
use Queueable; use Queueable;
public AuthenticationLog $authenticationLog; /**
* The AuthLog model instance
*/
public AuthLog $authLog;
/** /**
* A user agent parser instance. * A user agent parser instance.
@ -25,16 +28,16 @@ class SignedInWithNewDevice extends Notification implements ShouldQueue
/** /**
* Create a new SignedInWithNewDevice instance * Create a new SignedInWithNewDevice instance
*/ */
public function __construct(AuthenticationLog $authenticationLog) public function __construct(AuthLog $authLog)
{ {
$this->authenticationLog = $authenticationLog; $this->authLog = $authLog;
$this->agent = new Agent(); $this->agent = new Agent();
$this->agent->setUserAgent($authenticationLog->user_agent); $this->agent->setUserAgent($authLog->user_agent);
} }
public function via(mixed $notifiable) : array|string public function via(mixed $notifiable) : array|string
{ {
return $notifiable->notifyAuthenticationLogVia(); return $notifiable->notifyAuthLogVia();
} }
/** /**
@ -44,10 +47,10 @@ public function toMail(mixed $notifiable) : MailMessage
{ {
return (new MailMessage()) return (new MailMessage())
->subject(__('notifications.new_device.subject')) ->subject(__('notifications.new_device.subject'))
->markdown('emails.newDevice', [ ->markdown('emails.SignedInWithNewDevice', [
'account' => $notifiable, 'account' => $notifiable,
'time' => $this->authenticationLog->login_at, 'time' => $this->authLog->login_at,
'ipAddress' => $this->authenticationLog->ip_address, 'ipAddress' => $this->authLog->ip_address,
'browser' => $this->agent->browser(), 'browser' => $this->agent->browser(),
'platform' => $this->agent->platform(), 'platform' => $this->agent->platform(),
]); ]);

4
app/Providers/EventServiceProvider.php
View File

@ -4,6 +4,7 @@
use App\Events\GroupDeleted; use App\Events\GroupDeleted;
use App\Events\GroupDeleting; use App\Events\GroupDeleting;
use App\Events\VisitedByProxyUser;
use App\Events\ScanForNewReleaseCalled; use App\Events\ScanForNewReleaseCalled;
use App\Events\TwoFAccountDeleted; use App\Events\TwoFAccountDeleted;
use App\Listeners\Authentication\FailedLoginListener; use App\Listeners\Authentication\FailedLoginListener;
@ -64,6 +65,9 @@ class EventServiceProvider extends ServiceProvider
Logout::class => [ Logout::class => [
LogoutListener::class, LogoutListener::class,
], ],
// VisitedByProxyUser::class => [
// ProxyUserAccessListener::class,
// ],
]; ];
/** /**

14
config/2fauth.php
View File

@ -28,6 +28,18 @@
'outgoingProxy' => env('PROXY_FOR_OUTGOING_REQUESTS', ''), 'outgoingProxy' => env('PROXY_FOR_OUTGOING_REQUESTS', ''),
'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null), 'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
'appSubdirectory' => env('APP_SUBDIRECTORY', ''), 'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
'authLogRetentionTime' => env('AUTHENTICATION_LOG_RETENTION', 365),
],
/*
|--------------------------------------------------------------------------
| Proxy headers
|--------------------------------------------------------------------------
|
*/
'proxy_headers' => [
'forIp' => env('PROXY_HEADER_FOR_IP', null),
], ],
/* /*
@ -110,6 +122,8 @@
'formatPasswordBy' => 0.5, 'formatPasswordBy' => 0.5,
'lang' => 'browser', 'lang' => 'browser',
'getOtpOnRequest' => true, 'getOtpOnRequest' => true,
'notifyOnNewAuthDevice' => true,
'notifyOnFailedLogin' => true,
], ],
]; ];

71
config/authentication-log.php
View File

@ -1,71 +0,0 @@
<?php
/**
* The MIT License (MIT)
* Copyright (c) 2024 Bubka
* Copyright (c) 2024 Anthony Rappa
* Copyright (c) 2017 Yaakov Dahan
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
* associated documentation files (the "Software"), to deal in the Software without restriction,
* including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial
* portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
use App\Notifications\FailedLogin;
use App\Notifications\SignedInWithNewDevice;
return [
// The database table name
// You can change this if the database keys get too long for your driver
'table_name' => 'authentication_log',
// The database connection where the authentication_log table resides. Leave empty to use the default
'db_connection' => null,
'notifications' => [
'new-device' => [
// Send the NewDevice notification
'enabled' => env('NEW_DEVICE_NOTIFICATION', true),
// Use torann/geoip to attempt to get a location
'location' => false,
// The Notification class to send
'template' => SignedInWithNewDevice::class,
],
'failed-login' => [
// Send the FailedLogin notification
'enabled' => env('FAILED_LOGIN_NOTIFICATION', false),
// Use torann/geoip to attempt to get a location
'location' => false,
// The Notification class to send
'template' => FailedLogin::class,
],
],
// When the clean-up command is run, delete old logs greater than `purge` days
// Don't schedule the clean-up command if you want to keep logs forever.
'purge' => 365,
// If you are behind an CDN proxy, set 'behind_cdn.http_header_field' to the corresponding http header field of your cdn
// For cloudflare you can have look at: https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/
// 'behind_cdn' => [
// 'http_header_field' => 'HTTP_CF_CONNECTING_IP' // used by Cloudflare
// ],
// If you are not a cdn user, use false
'behind_cdn' => false,
];

5
database/migrations/2024_04_14_082519_create_authentication_log_table.php → database/migrations/2024_04_14_082519_create_auth_logs_table.php
View File

@ -30,7 +30,7 @@
{ {
public function up(): void public function up(): void
{ {
Schema::create(config('authentication-log.table_name'), function (Blueprint $table) { Schema::create('auth_logs', function (Blueprint $table) {
$table->id(); $table->id();
$table->morphs('authenticatable'); $table->morphs('authenticatable');
$table->string('ip_address', 45)->nullable(); $table->string('ip_address', 45)->nullable();
@ -39,7 +39,6 @@ public function up(): void
$table->boolean('login_successful')->default(false); $table->boolean('login_successful')->default(false);
$table->timestamp('logout_at')->nullable(); $table->timestamp('logout_at')->nullable();
$table->boolean('cleared_by_user')->default(false); $table->boolean('cleared_by_user')->default(false);
$table->json('location')->nullable();
$table->string('guard', 40)->nullable(); $table->string('guard', 40)->nullable();
$table->string('login_method', 40)->nullable(); $table->string('login_method', 40)->nullable();
}); });
@ -47,6 +46,6 @@ public function up(): void
public function down(): void public function down(): void
{ {
Schema::dropIfExists(config('authentication-log.table_name')); Schema::dropIfExists('auth_logs');
} }
}; };

3
docker/docker-compose.yml
View File

@ -83,6 +83,9 @@ services:
# authentication checks. That means your proxy is fully responsible of the authentication process, 2FAuth will # authentication checks. That means your proxy is fully responsible of the authentication process, 2FAuth will
# trust him as long as headers are presents. # trust him as long as headers are presents.
- AUTHENTICATION_GUARD=web-guard - AUTHENTICATION_GUARD=web-guard
# Authentication log retention time, in days.
# Log entries older than that are automatically deleted.
- AUTHENTICATION_LOG_RETENTION=365
# Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level. # Name of the HTTP headers sent by the reverse proxy that identifies the authenticated user at proxy level.
# Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...) # Check your proxy documentation to find out how these headers are named (i.e 'REMOTE_USER', 'REMOTE_EMAIL', etc...)
# (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard') # (only relevant when AUTHENTICATION_GUARD is set to 'reverse-proxy-guard')

2
phpstan.neon
View File

@ -11,6 +11,4 @@ parameters:
analyse: analyse:
- app/Protobuf/* - app/Protobuf/*
ignoreErrors: ignoreErrors:
-
message: '#.*geoip.*#'
checkMissingIterableValueType: false checkMissingIterableValueType: false

6
resources/lang/en/notifications.php
View File

@ -27,4 +27,10 @@
'connection_details' => 'Here are the details of this connection', 'connection_details' => 'Here are the details of this connection',
'recommandations' => 'If this was you, you can ignore this alert. If you suspect any suspicious activity on your account, please change your password.' 'recommandations' => 'If this was you, you can ignore this alert. If you suspect any suspicious activity on your account, please change your password.'
], ],
'failed_login' => [
'subject' => 'Failed login to 2FAuth',
'resume' => 'There has been a failed login attempt to your 2FAuth account.',
'connection_details' => 'Here are the details of this connection attempt',
'recommandations' => 'If this was you, you can ignore this alert. If further attempts fail, you should contact the 2FAuth administrator to review security settings and take action against this attacker.'
],
]; ];

0
resources/views/emails/newDevice.blade.php → resources/views/emails/SignedInWithNewDevice.blade.php vendored
View File

18
resources/views/emails/failed.blade.php vendored
View File

@ -1,18 +0,0 @@
@component('mail::message')
# @lang('Hello!')
@lang('There has been a failed login attempt to your :app account.', ['app' => config('app.name')])
> **@lang('Account:')** {{ $account->email }}<br/>
> **@lang('Time:')** {{ $time->toCookieString() }}<br/>
> **@lang('IP Address:')** {{ $ipAddress }}<br/>
> **@lang('Browser:')** {{ $browser }}<br/>
@if ($location && $location['default'] === false)
> **@lang('Location:')** {{ $location['city'] ?? __('Unknown City') }}, {{ $location['state'], __('Unknown State') }}
@endif
@lang('If this was you, you can ignore this alert. If you suspect any suspicious activity on your account, please change your password.')
@lang('Regards,')<br/>
{{ config('app.name') }}
@endcomponent

18
resources/views/emails/failedLogin.blade.php vendored Normal file
View File

@ -0,0 +1,18 @@
@component('mail::message')
@lang('notifications.hello_user', ['username' => $account->name])
<br/><br/>
**@lang('notifications.failed_login.resume')**<br/>
@lang('notifications.failed_login.connection_details'):
<x-mail::panel>
@lang('commons.time'): **{{ $time->toCookieString() }}**<br/>
@lang('commons.ip_address'): **{{ $ipAddress }}**<br/>
@lang('commons.device'): **@lang('admin.browser_on_platform', ['browser' => $browser, 'platform' => $platform])**<br/>
</x-mail::panel>
@lang('notifications.failed_login.recommandations')<br/>
@lang('notifications.regards'),<br/>
{{ config('app.name') }}
@endcomponent

4
routes/web.php
View File

@ -19,7 +19,7 @@
// use App\Models\User; // use App\Models\User;
// use App\Notifications\SignedInWithNewDevice; // use App\Notifications\SignedInWithNewDevice;
// use App\Models\AuthenticationLog; // use App\Models\AuthLog;
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
@ -95,7 +95,7 @@
// Route::get('/notification', function () { // Route::get('/notification', function () {
// $user = User::find(1); // $user = User::find(1);
// return (new SignedInWithNewDevice(AuthenticationLog::find(9))) // return (new SignedInWithNewDevice(AuthLog::find(9)))
// ->toMail($user); // ->toMail($user);
// }); // });

15
tests/Api/v1/Controllers/UserManagerControllerTest.php
View File

@ -523,21 +523,6 @@ public function test_demote_the_only_admin_returns_forbidden() : void
->assertForbidden(); ->assertForbidden();
} }
/**
* @test
*/
public function test_authLog_events_are_listened_by_authLog_listeners()
{
Event::fake();
foreach (config('authentication-log.listeners') as $type => $listenerClass) {
Event::assertListening(
config('authentication-log.events.' . $type),
$listenerClass
);
}
}
/** /**
* Local feeder because Factory cannot be used here * Local feeder because Factory cannot be used here
*/ */