diff --git a/pom.xml b/pom.xml
index 56ef2940..2d8b1287 100644
--- a/pom.xml
+++ b/pom.xml
@@ -286,6 +286,10 @@
org.bstats
fr.xephi.authme.libs.org.bstats
+
+ com.warrenstrange
+ fr.xephi.authme.libs.com.warrenstrange
+
@@ -461,6 +465,13 @@
true
+
+
+ com.warrenstrange
+ googleauth
+ 1.1.2
+
+
org.spigotmc
diff --git a/src/main/java/fr/xephi/authme/command/CommandInitializer.java b/src/main/java/fr/xephi/authme/command/CommandInitializer.java
index dc5f740f..7f0d33e7 100644
--- a/src/main/java/fr/xephi/authme/command/CommandInitializer.java
+++ b/src/main/java/fr/xephi/authme/command/CommandInitializer.java
@@ -40,6 +40,10 @@ import fr.xephi.authme.command.executable.email.ShowEmailCommand;
import fr.xephi.authme.command.executable.login.LoginCommand;
import fr.xephi.authme.command.executable.logout.LogoutCommand;
import fr.xephi.authme.command.executable.register.RegisterCommand;
+import fr.xephi.authme.command.executable.totp.AddTotpCommand;
+import fr.xephi.authme.command.executable.totp.ConfirmTotpCommand;
+import fr.xephi.authme.command.executable.totp.RemoveTotpCommand;
+import fr.xephi.authme.command.executable.totp.TotpBaseCommand;
import fr.xephi.authme.command.executable.unregister.UnregisterCommand;
import fr.xephi.authme.command.executable.verification.VerificationCommand;
import fr.xephi.authme.permission.AdminPermission;
@@ -134,6 +138,9 @@ public class CommandInitializer {
.executableCommand(ChangePasswordCommand.class)
.register();
+ // Create totp base command
+ CommandDescription totpBase = buildTotpBaseCommand();
+
// Register the base captcha command
CommandDescription captchaBase = CommandDescription.builder()
.parent(null)
@@ -156,16 +163,8 @@ public class CommandInitializer {
.executableCommand(VerificationCommand.class)
.register();
- List baseCommands = ImmutableList.of(
- authMeBase,
- emailBase,
- loginBase,
- logoutBase,
- registerBase,
- unregisterBase,
- changePasswordBase,
- captchaBase,
- verificationBase);
+ List baseCommands = ImmutableList.of(authMeBase, emailBase, loginBase, logoutBase,
+ registerBase, unregisterBase, changePasswordBase, totpBase, captchaBase, verificationBase);
setHelpOnAllBases(baseCommands);
commands = baseCommands;
@@ -543,6 +542,56 @@ public class CommandInitializer {
return emailBase;
}
+ /**
+ * Creates a command description object for {@code /totp} including its children.
+ *
+ * @return the totp base command description
+ */
+ private CommandDescription buildTotpBaseCommand() {
+ // Register the base totp command
+ CommandDescription totpBase = CommandDescription.builder()
+ .parent(null)
+ .labels("totp", "2fa")
+ .description("TOTP commands")
+ .detailedDescription("Performs actions related to two-factor authentication.")
+ .executableCommand(TotpBaseCommand.class)
+ .register();
+
+ // Register totp add
+ CommandDescription.builder()
+ .parent(totpBase)
+ .labels("add")
+ .description("Enables TOTP")
+ .detailedDescription("Enables two-factor authentication for your account.")
+ .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+ .executableCommand(AddTotpCommand.class)
+ .register();
+
+ // Register totp confirm
+ CommandDescription.builder()
+ .parent(totpBase)
+ .labels("confirm")
+ .description("Enables TOTP after successful code")
+ .detailedDescription("Saves the generated TOTP secret after confirmation.")
+ .withArgument("code", "Code from the given secret from /totp add", false)
+ .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+ .executableCommand(ConfirmTotpCommand.class)
+ .register();
+
+ // Register totp remove
+ CommandDescription.builder()
+ .parent(totpBase)
+ .labels("remove")
+ .description("Removes TOTP")
+ .detailedDescription("Disables two-factor authentication for your account.")
+ .withArgument("code", "Current 2FA code", false)
+ .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+ .executableCommand(RemoveTotpCommand.class)
+ .register();
+
+ return totpBase;
+ }
+
/**
* Sets the help command on all base commands, e.g. to register /authme help or /register help.
*
diff --git a/src/main/java/fr/xephi/authme/command/executable/totp/AddTotpCommand.java b/src/main/java/fr/xephi/authme/command/executable/totp/AddTotpCommand.java
new file mode 100644
index 00000000..44eef5d8
--- /dev/null
+++ b/src/main/java/fr/xephi/authme/command/executable/totp/AddTotpCommand.java
@@ -0,0 +1,41 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.message.MessageKey;
+import fr.xephi.authme.security.TotpService;
+import fr.xephi.authme.security.TotpService.TotpGenerationResult;
+import fr.xephi.authme.service.CommonService;
+import org.bukkit.ChatColor;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command for a player to enable TOTP.
+ */
+public class AddTotpCommand extends PlayerCommand {
+
+ @Inject
+ private TotpService totpService;
+
+ @Inject
+ private DataSource dataSource;
+
+ @Inject
+ private CommonService commonService;
+
+ @Override
+ protected void runCommand(Player player, List arguments) {
+ PlayerAuth auth = dataSource.getAuth(player.getName());
+ if (auth.getTotpKey() == null) {
+ TotpGenerationResult createdTotpInfo = totpService.generateTotpKey(player);
+ commonService.send(player, MessageKey.TWO_FACTOR_CREATE,
+ createdTotpInfo.getTotpKey(), createdTotpInfo.getAuthenticatorQrCodeUrl());
+ } else {
+ player.sendMessage(ChatColor.RED + "Two-factor authentication is already enabled for your account!");
+ }
+ }
+}
diff --git a/src/main/java/fr/xephi/authme/command/executable/totp/ConfirmTotpCommand.java b/src/main/java/fr/xephi/authme/command/executable/totp/ConfirmTotpCommand.java
new file mode 100644
index 00000000..1bf59f7d
--- /dev/null
+++ b/src/main/java/fr/xephi/authme/command/executable/totp/ConfirmTotpCommand.java
@@ -0,0 +1,39 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.security.TotpService;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command to enable TOTP by supplying the proper code as confirmation.
+ */
+public class ConfirmTotpCommand extends PlayerCommand {
+
+ @Inject
+ private TotpService totpService;
+
+ @Inject
+ private DataSource dataSource;
+
+ @Override
+ protected void runCommand(Player player, List arguments) {
+ // TODO #1141: Check if player already has TOTP
+
+ final String totpKey = totpService.retrieveGeneratedSecret(player);
+ if (totpKey == null) {
+ player.sendMessage("No TOTP key has been generated for you or it has expired. Please run /totp add");
+ } else {
+ boolean isTotpCodeValid = totpService.confirmCodeForGeneratedTotpKey(player, arguments.get(0));
+ if (isTotpCodeValid) {
+ dataSource.setTotpKey(player.getName(), totpKey);
+ player.sendMessage("Successfully enabled two-factor authentication for your account");
+ } else {
+ player.sendMessage("Wrong code or code has expired. Please use /totp add again");
+ }
+ }
+ }
+}
diff --git a/src/main/java/fr/xephi/authme/command/executable/totp/RemoveTotpCommand.java b/src/main/java/fr/xephi/authme/command/executable/totp/RemoveTotpCommand.java
new file mode 100644
index 00000000..abf0b79c
--- /dev/null
+++ b/src/main/java/fr/xephi/authme/command/executable/totp/RemoveTotpCommand.java
@@ -0,0 +1,37 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.security.TotpService;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command for a player to remove 2FA authentication.
+ */
+public class RemoveTotpCommand extends PlayerCommand {
+
+ @Inject
+ private DataSource dataSource;
+
+ @Inject
+ private TotpService totpService;
+
+ @Override
+ protected void runCommand(Player player, List arguments) {
+ PlayerAuth auth = dataSource.getAuth(player.getName());
+ if (auth.getTotpKey() == null) {
+ player.sendMessage("Two-factor authentication is not enabled for your account!");
+ } else {
+ if (totpService.verifyCode(auth, arguments.get(0))) {
+ dataSource.removeTotpKey(auth.getNickname());
+ player.sendMessage("Successfully removed two-factor authentication from your account");
+ } else {
+ player.sendMessage("Invalid code!");
+ }
+ }
+ }
+}
diff --git a/src/main/java/fr/xephi/authme/command/executable/totp/TotpBaseCommand.java b/src/main/java/fr/xephi/authme/command/executable/totp/TotpBaseCommand.java
new file mode 100644
index 00000000..2b170a03
--- /dev/null
+++ b/src/main/java/fr/xephi/authme/command/executable/totp/TotpBaseCommand.java
@@ -0,0 +1,29 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.CommandMapper;
+import fr.xephi.authme.command.ExecutableCommand;
+import fr.xephi.authme.command.FoundCommandResult;
+import fr.xephi.authme.command.help.HelpProvider;
+import org.bukkit.command.CommandSender;
+
+import javax.inject.Inject;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Base command for /totp.
+ */
+public class TotpBaseCommand implements ExecutableCommand {
+
+ @Inject
+ private CommandMapper commandMapper;
+
+ @Inject
+ private HelpProvider helpProvider;
+
+ @Override
+ public void executeCommand(CommandSender sender, List arguments) {
+ FoundCommandResult result = commandMapper.mapPartsToCommand(sender, Collections.singletonList("totp"));
+ helpProvider.outputHelp(sender, result, HelpProvider.SHOW_CHILDREN);
+ }
+}
diff --git a/src/main/java/fr/xephi/authme/permission/PlayerPermission.java b/src/main/java/fr/xephi/authme/permission/PlayerPermission.java
index 1a89490f..12a4a422 100644
--- a/src/main/java/fr/xephi/authme/permission/PlayerPermission.java
+++ b/src/main/java/fr/xephi/authme/permission/PlayerPermission.java
@@ -68,7 +68,12 @@ public enum PlayerPermission implements PermissionNode {
/**
* Permission to use the email verification codes feature.
*/
- VERIFICATION_CODE("authme.player.security.verificationcode");
+ VERIFICATION_CODE("authme.player.security.verificationcode"),
+
+ /**
+ * Permission to enable and disable TOTP.
+ */
+ TOGGLE_TOTP_STATUS("authme.player.totp");
/**
* The permission node.
diff --git a/src/main/java/fr/xephi/authme/security/TotpService.java b/src/main/java/fr/xephi/authme/security/TotpService.java
new file mode 100644
index 00000000..dd8257b6
--- /dev/null
+++ b/src/main/java/fr/xephi/authme/security/TotpService.java
@@ -0,0 +1,113 @@
+package fr.xephi.authme.security;
+
+import com.warrenstrange.googleauth.GoogleAuthenticator;
+import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
+import com.warrenstrange.googleauth.GoogleAuthenticatorQRGenerator;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.initialization.HasCleanup;
+import fr.xephi.authme.service.BukkitService;
+import fr.xephi.authme.util.expiring.ExpiringMap;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Service for TOTP actions.
+ */
+public class TotpService implements HasCleanup {
+
+ private static final int NEW_TOTP_KEY_EXPIRATION_MINUTES = 5;
+
+ private final ExpiringMap totpKeys;
+ private final GoogleAuthenticator authenticator;
+ private final BukkitService bukkitService;
+
+ @Inject
+ TotpService(BukkitService bukkitService) {
+ this.bukkitService = bukkitService;
+ this.totpKeys = new ExpiringMap<>(NEW_TOTP_KEY_EXPIRATION_MINUTES, TimeUnit.MINUTES);
+ this.authenticator = new GoogleAuthenticator();
+ }
+
+ /**
+ * Generates a new TOTP key and returns the corresponding QR code. The generated key is saved temporarily
+ * for the user and can be later retrieved with a confirmation code from {@link #confirmCodeForGeneratedTotpKey}.
+ *
+ * @param player the player to save the TOTP key for
+ * @return TOTP generation result
+ */
+ public TotpGenerationResult generateTotpKey(Player player) {
+ GoogleAuthenticatorKey credentials = authenticator.createCredentials();
+ totpKeys.put(player.getName().toLowerCase(), credentials.getKey());
+ String qrCodeUrl = GoogleAuthenticatorQRGenerator.getOtpAuthURL(
+ bukkitService.getIp(), player.getName(), credentials);
+ return new TotpGenerationResult(credentials.getKey(), qrCodeUrl);
+ }
+
+ /**
+ * Returns the generated TOTP secret of a player, if available and not yet expired.
+ *
+ * @param player the player to retrieve the TOTP key for
+ * @return the totp secret
+ */
+ public String retrieveGeneratedSecret(Player player) {
+ return totpKeys.get(player.getName().toLowerCase());
+ }
+
+ /**
+ * Returns if the new totp code matches the newly generated totp key.
+ *
+ * @param player the player to retrieve the code for
+ * @param totpCodeConfirmation the input code confirmation
+ * @return the TOTP secret that was generated for the player, or null if not available or if the code is incorrect
+ */
+ // Maybe by allowing to retrieve without confirmation and exposing verifyCode(String, String)
+ public boolean confirmCodeForGeneratedTotpKey(Player player, String totpCodeConfirmation) {
+ String totpSecret = totpKeys.get(player.getName().toLowerCase());
+ if (totpSecret != null) {
+ if (checkCode(totpSecret, totpCodeConfirmation)) {
+ totpKeys.remove(player.getName().toLowerCase());
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public boolean verifyCode(PlayerAuth auth, String totpCode) {
+ return checkCode(auth.getTotpKey(), totpCode);
+ }
+
+ private boolean checkCode(String totpKey, String inputCode) {
+ try {
+ Integer totpCode = Integer.valueOf(inputCode);
+ return authenticator.authorize(totpKey, totpCode);
+ } catch (NumberFormatException e) {
+ // ignore
+ }
+ return false;
+ }
+
+ @Override
+ public void performCleanup() {
+ totpKeys.removeExpiredEntries();
+ }
+
+ public static final class TotpGenerationResult {
+ private final String totpKey;
+ private final String authenticatorQrCodeUrl;
+
+ TotpGenerationResult(String totpKey, String authenticatorQrCodeUrl) {
+ this.totpKey = totpKey;
+ this.authenticatorQrCodeUrl = authenticatorQrCodeUrl;
+ }
+
+ public String getTotpKey() {
+ return totpKey;
+ }
+
+ public String getAuthenticatorQrCodeUrl() {
+ return authenticatorQrCodeUrl;
+ }
+ }
+}
diff --git a/src/main/java/fr/xephi/authme/service/BukkitService.java b/src/main/java/fr/xephi/authme/service/BukkitService.java
index 6c9cd0cb..f7808098 100644
--- a/src/main/java/fr/xephi/authme/service/BukkitService.java
+++ b/src/main/java/fr/xephi/authme/service/BukkitService.java
@@ -376,4 +376,11 @@ public class BukkitService implements SettingsDependent {
public BanEntry banIp(String ip, String reason, Date expires, String source) {
return Bukkit.getServer().getBanList(BanList.Type.IP).addBan(ip, reason, expires, source);
}
+
+ /**
+ * @return the IP string that this server is bound to, otherwise empty string
+ */
+ public String getIp() {
+ return Bukkit.getServer().getIp();
+ }
}
diff --git a/src/main/resources/plugin.yml b/src/main/resources/plugin.yml
index 2bae573d..e60721de 100644
--- a/src/main/resources/plugin.yml
+++ b/src/main/resources/plugin.yml
@@ -46,6 +46,11 @@ commands:
aliases:
- changepass
- cp
+ totp:
+ description: TOTP commands
+ usage: /totp add|remove
+ aliases:
+ - 2fa
captcha:
description: Captcha command
usage: /captcha
@@ -233,6 +238,7 @@ permissions:
authme.player.register: true
authme.player.security.verificationcode: true
authme.player.seeownaccounts: true
+ authme.player.totp: true
authme.player.unregister: true
authme.player.canbeforced:
description: Permission for users a login can be forced to.
@@ -277,6 +283,9 @@ permissions:
authme.player.seeownaccounts:
description: Permission to use to see own other accounts.
default: true
+ authme.player.totp:
+ description: Permission to enable and disable TOTP.
+ default: true
authme.player.unregister:
description: Command permission to unregister.
default: true
diff --git a/src/test/java/fr/xephi/authme/command/CommandInitializerTest.java b/src/test/java/fr/xephi/authme/command/CommandInitializerTest.java
index 2b8215ba..133d0194 100644
--- a/src/test/java/fr/xephi/authme/command/CommandInitializerTest.java
+++ b/src/test/java/fr/xephi/authme/command/CommandInitializerTest.java
@@ -44,7 +44,7 @@ public class CommandInitializerTest {
// It obviously doesn't make sense to test much of the concrete data
// that is being initialized; we just want to guarantee with this test
// that data is indeed being initialized and we take a few "probes"
- assertThat(commands, hasSize(9));
+ assertThat(commands, hasSize(10));
assertThat(commandsIncludeLabel(commands, "authme"), equalTo(true));
assertThat(commandsIncludeLabel(commands, "register"), equalTo(true));
assertThat(commandsIncludeLabel(commands, "help"), equalTo(false));
diff --git a/src/test/java/fr/xephi/authme/security/TotpServiceTest.java b/src/test/java/fr/xephi/authme/security/TotpServiceTest.java
new file mode 100644
index 00000000..6350b4c4
--- /dev/null
+++ b/src/test/java/fr/xephi/authme/security/TotpServiceTest.java
@@ -0,0 +1,51 @@
+package fr.xephi.authme.security;
+
+import fr.xephi.authme.security.TotpService.TotpGenerationResult;
+import fr.xephi.authme.service.BukkitService;
+import org.bukkit.entity.Player;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import static fr.xephi.authme.AuthMeMatchers.stringWithLength;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.startsWith;
+import static org.junit.Assert.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Test for {@link TotpService}.
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class TotpServiceTest {
+
+ @InjectMocks
+ private TotpService totpService;
+
+ @Mock
+ private BukkitService bukkitService;
+
+ @Test
+ public void shouldGenerateTotpKey() {
+ // given
+ Player player = mock(Player.class);
+ given(player.getName()).willReturn("Bobby");
+ given(bukkitService.getIp()).willReturn("127.48.44.4");
+
+ // when
+ TotpGenerationResult key1 = totpService.generateTotpKey(player);
+ TotpGenerationResult key2 = totpService.generateTotpKey(player);
+
+ // then
+ assertThat(key1.getTotpKey(), stringWithLength(16));
+ assertThat(key2.getTotpKey(), stringWithLength(16));
+ assertThat(key1.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
+ assertThat(key2.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
+ assertThat(key1.getTotpKey(), not(equalTo(key2.getTotpKey())));
+ }
+
+}
diff --git a/src/test/java/fr/xephi/authme/service/BukkitServiceTest.java b/src/test/java/fr/xephi/authme/service/BukkitServiceTest.java
index 232d11ce..e6787c10 100644
--- a/src/test/java/fr/xephi/authme/service/BukkitServiceTest.java
+++ b/src/test/java/fr/xephi/authme/service/BukkitServiceTest.java
@@ -332,6 +332,19 @@ public class BukkitServiceTest {
assertThat(event.getPlayer(), equalTo(player));
}
+ @Test
+ public void shouldReturnServerIp() {
+ // given
+ String ip = "99.99.99.99";
+ given(server.getIp()).willReturn(ip);
+
+ // when
+ String result = bukkitService.getIp();
+
+ // then
+ assertThat(result, equalTo(ip));
+ }
+
// Note: This method is used through reflections
public static Player[] onlinePlayersImpl() {
return new Player[]{