Implement totp validation for improved security

dormant-user · dormant-user · commit 8158be3d10d6 · 2025-11-01T13:36:40.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -52,3 +52,5 @@ thevickypedia_scripts/*.json
 
 # Result of the command 'go mod vendor'
 vendor/
+venv/
+*.png
diff --git a/auth/json.go b/auth/json.go
@@ -230,7 +230,7 @@ func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, s
 		return nil, os.ErrPermission
 	}
 
-	if !users.CheckOtp(cred.Otp) {
+	if !users.CheckOtp(cred.Otp, settings.AuthenticatorToken) {
 		log.Printf("Warning: Login error for %s - invalid otp: [%s]", cred.Username, cred.Otp)
 		handleAuthError(r)
 		return nil, os.ErrPermission
diff --git a/go.mod b/go.mod
@@ -18,6 +18,7 @@ require (
 	github.com/mholt/archives v0.1.3
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pelletier/go-toml/v2 v2.2.4
+	github.com/pquerna/otp v1.5.0
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/spf13/afero v1.14.0
 	github.com/spf13/cobra v1.9.1
@@ -41,6 +42,7 @@ require (
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.1 // indirect
 	github.com/bodgit/windows v1.0.1 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect
diff --git a/go.sum b/go.sum
@@ -42,6 +42,8 @@ github.com/bodgit/sevenzip v1.6.1 h1:kikg2pUMYC9ljU7W9SaqHXhym5HyKm8/M/jd31fYan4
 github.com/bodgit/sevenzip v1.6.1/go.mod h1:GVoYQbEVbOGT8n2pfqCIMRUaRjQ8F9oSqoBEqZh5fQ8=
 github.com/bodgit/windows v1.0.1 h1:tF7K6KOluPYygXa3Z2594zxlkbKPAOvqr97etrGNIz4=
 github.com/bodgit/windows v1.0.1/go.mod h1:a6JLwrB4KrTR5hBpp8FI9/9W9jJfeQ2h4XDXU74ZCdM=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
@@ -193,6 +195,8 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
@@ -223,6 +227,7 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
diff --git a/http/static.go b/http/static.go
@@ -78,10 +78,8 @@ func handleWithStaticData(w http.ResponseWriter, _ *http.Request, d *data, fSys
 			data["ReCaptchaKey"] = auther.ReCaptcha.Key
 		}
 
-		//nolint:godox // reason: placeholder until real TOTP added
-		// TODO: This should be using TOTP library for real OTP validation.
 		// If AUTHENTICATOR_TOKEN environment variable is set, enable OTP on frontend.
-		if os.Getenv("AUTHENTICATOR_TOKEN") != "" {
+		if settings.AuthenticatorToken != "" {
 			data["Otp"] = true
 		}
 	}
diff --git a/settings/settings.go b/settings/settings.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"io/fs"
 	"log"
+	"os"
 	"strings"
 	"time"
 
@@ -15,6 +16,14 @@ const DefaultMinimumPasswordLength = 12
 const DefaultFileMode = 0640
 const DefaultDirMode = 0750
 
+// Use env variable instead of config/database to easily override as/when needed.
+var AuthenticatorToken = func(a, b string) string {
+	if a != "" {
+		return a
+	}
+	return b
+}(os.Getenv("AUTHENTICATOR_TOKEN"), os.Getenv("authenticator_token"))
+
 // AuthMethod describes an authentication method.
 type AuthMethod string
 
diff --git a/thevickypedia_scripts/otp.py b/thevickypedia_scripts/otp.py
@@ -0,0 +1,96 @@
+"""This module provides functionality for generating a QR code for TOTP (Time-based One-Time Password) setup."""
+
+import os
+import warnings
+
+from dataclasses import dataclass
+
+try:
+    import pyotp
+except (ImportError, ModuleNotFoundError):
+    raise ImportError(
+        "pyotp is required for OTP functionality. Please install it via 'pip install pyotp'."
+    )
+
+try:
+    import qrcode
+except (ImportError, ModuleNotFoundError):
+    raise ImportError(
+        "qrcode is required for OTP functionality. Please install it via 'pip install qrcode[pil]'."
+    )
+
+
+def getenv(key: str, default: str | None = None) -> str | None:
+    """Gets an environment variable or returns a default value.
+
+    Args:
+        key: The environment variable key.
+        default: The default value to return if the key is not found.
+    Returns:
+        The value of the environment variable or the default value.
+    """
+    return os.environ.get(key.upper()) or os.environ.get(key.lower()) or default
+
+
+@dataclass
+class OTPConfig:
+    secret: str
+    qr_filename: str
+    authenticator_user: str
+    authenticator_app: str
+
+
+config = OTPConfig(
+    secret="",
+    qr_filename=getenv("authenticator_qr_filename", "totp_qr.png"),
+    authenticator_user=getenv("authenticator_user", "thevickypedia"),
+    authenticator_app=getenv("authenticator_app", "FileBrowser"),
+)
+
+
+def display_secret() -> None:
+    """Displays the TOTP secret key."""
+    try:
+        term_size = os.get_terminal_size().columns
+    except OSError:
+        term_size = 120
+    base = "*" * term_size
+    print(
+        f"\n{base}\n"
+        f"\nYour TOTP secret key is: {config.secret}"
+        f"\nStore this key as the environment variable `authenticator_token`\n"
+        f"\nQR code saved as {config.qr_filename!r} (you can scan this with your Authenticator app).\n"
+        f"\n{base}",
+    )
+
+
+def generate_qr() -> None:
+    """Generates a QR code for TOTP setup."""
+    if getenv("authenticator_token"):
+        warnings.warn(
+            "\n\nAuthenticator token already set — skipping OTP setup. "
+            "To create a new one, remove the 'authenticator_token' environment variable.\n",
+            UserWarning,
+        )
+        return
+
+    # STEP 1: Generate a new secret key for the user (store this securely!)
+    secret = pyotp.random_base32()
+
+    # STEP 2: Create a provisioning URI (for the QR code)
+    uri = pyotp.TOTP(secret).provisioning_uri(
+        name=str(config.authenticator_user), issuer_name=config.authenticator_app
+    )
+
+    # STEP 3: Generate a QR code (scan this with your authenticator app)
+    qr = qrcode.make(uri)
+    # Save the QR code
+    qr.save(config.qr_filename)
+
+    # STEP 4: Update the config with the new secret
+    config.secret = secret
+    display_secret()
+
+
+if __name__ == "__main__":
+    generate_qr()
diff --git a/users/otp.go b/users/otp.go
@@ -1,14 +1,14 @@
 package users
 
-import "os"
+import (
+	"github.com/pquerna/otp/totp"
+)
 
-func CheckOtp(otp string) bool {
+func CheckOtp(otp, authenticatorToken string) bool {
 	// OTP validation: only enforce if AUTHENTICATOR_TOKEN environment variable is set.
-	//nolint:godox // reason: placeholder until real TOTP added
-	// TODO: This should be using TOTP library for real OTP validation.
-	envOtp := os.Getenv("AUTHENTICATOR_TOKEN")
-	if envOtp != "" {
-		return otp == envOtp
+	if authenticatorToken == "" {
+		return true
 	}
-	return true
+	// Validate the TOTP code using the TOTP library
+	return totp.Validate(otp, authenticatorToken)
 }

-Original file line number
+Diff line change
 # Result of the command 'go mod vendor'
 vendor/
 +venv/
 +*.png
Original file line number	Diff line number	Diff line change
`@@ -230,7 +230,7 @@ func (a JSONAuth) Auth(r http.Request, usr users.Store, _ settings.Settings, s`
`230`	`230`	`return nil, os.ErrPermission`
`231`	`231`	`}`
`232`	`232`
`233`		`- if !users.CheckOtp(cred.Otp) {`
	`233`	`+ if !users.CheckOtp(cred.Otp, settings.AuthenticatorToken) {`
`234`	`234`	`log.Printf("Warning: Login error for %s - invalid otp: [%s]", cred.Username, cred.Otp)`
`235`	`235`	`handleAuthError(r)`
`236`	`236`	`return nil, os.ErrPermission`
Original file line number	Diff line number	Diff line change
`@@ -78,10 +78,8 @@ func handleWithStaticData(w http.ResponseWriter, _ http.Request, d data, fSys`
`78`	`78`	`data["ReCaptchaKey"] = auther.ReCaptcha.Key`
`79`	`79`	`}`
`80`	`80`
`81`		`- //nolint:godox // reason: placeholder until real TOTP added`
`82`		`- // TODO: This should be using TOTP library for real OTP validation.`
`83`	`81`	`// If AUTHENTICATOR_TOKEN environment variable is set, enable OTP on frontend.`
`84`		`- if os.Getenv("AUTHENTICATOR_TOKEN") != "" {`
	`82`	`+ if settings.AuthenticatorToken != "" {`
`85`	`83`	`data["Otp"] = true`
`86`	`84`	`}`
`87`	`85`	`}`