32cc425458
All checks were successful
deploy / deploy (push) Successful in 3m28s
- Create dedicated /admin/account page for user account management - Move email, password, and 2FA settings from /admin/settings - Add Account link to top of admin sidebar navigation - Add TOTP-based two-factor authentication with NimbleTOTP - Add TOTP verification LiveView for login flow - Add AccountController for TOTP session management - Remove Advanced section from settings (duplicated in dev tools) - Remove user email from sidebar footer (replaced by Account link) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
493 lines
13 KiB
Elixir
493 lines
13 KiB
Elixir
defmodule Berrypod.Accounts do
|
|
@moduledoc """
|
|
The Accounts context.
|
|
"""
|
|
|
|
import Ecto.Query, warn: false
|
|
alias Berrypod.Repo
|
|
alias Berrypod.Vault
|
|
|
|
alias Berrypod.Accounts.{User, UserToken, UserNotifier}
|
|
|
|
@totp_issuer "Berrypod"
|
|
@backup_code_count 8
|
|
|
|
## Database getters
|
|
|
|
@doc """
|
|
Gets a user by email.
|
|
|
|
## Examples
|
|
|
|
iex> get_user_by_email("foo@example.com")
|
|
%User{}
|
|
|
|
iex> get_user_by_email("unknown@example.com")
|
|
nil
|
|
|
|
"""
|
|
def get_user_by_email(email) when is_binary(email) do
|
|
Repo.get_by(User, email: email)
|
|
end
|
|
|
|
@doc """
|
|
Gets a user by email and password.
|
|
|
|
## Examples
|
|
|
|
iex> get_user_by_email_and_password("foo@example.com", "correct_password")
|
|
%User{}
|
|
|
|
iex> get_user_by_email_and_password("foo@example.com", "invalid_password")
|
|
nil
|
|
|
|
"""
|
|
def get_user_by_email_and_password(email, password)
|
|
when is_binary(email) and is_binary(password) do
|
|
user = Repo.get_by(User, email: email)
|
|
if User.valid_password?(user, password), do: user
|
|
end
|
|
|
|
@doc """
|
|
Gets a single user.
|
|
|
|
Raises `Ecto.NoResultsError` if the User does not exist.
|
|
|
|
## Examples
|
|
|
|
iex> get_user!(123)
|
|
%User{}
|
|
|
|
iex> get_user!(456)
|
|
** (Ecto.NoResultsError)
|
|
|
|
"""
|
|
def get_user!(id), do: Repo.get!(User, id)
|
|
|
|
@doc """
|
|
Returns whether an admin user exists.
|
|
|
|
Berrypod is single-tenant — any user in the database is the admin.
|
|
"""
|
|
def has_admin? do
|
|
Repo.exists?(User)
|
|
end
|
|
|
|
@doc """
|
|
Returns the first (and typically only) admin user, or nil.
|
|
"""
|
|
def get_first_admin do
|
|
Repo.one(from u in User, limit: 1)
|
|
end
|
|
|
|
## User registration
|
|
|
|
@doc """
|
|
Registers a user.
|
|
|
|
## Examples
|
|
|
|
iex> register_user(%{field: value})
|
|
{:ok, %User{}}
|
|
|
|
iex> register_user(%{field: bad_value})
|
|
{:error, %Ecto.Changeset{}}
|
|
|
|
"""
|
|
def register_user(attrs) do
|
|
%User{}
|
|
|> User.email_changeset(attrs)
|
|
|> Repo.insert()
|
|
end
|
|
|
|
@doc """
|
|
Registers and immediately confirms the admin user during setup.
|
|
|
|
Checks `has_admin?/0` inside a transaction to prevent race conditions.
|
|
Returns `{:error, :admin_already_exists}` if an admin already exists.
|
|
"""
|
|
def register_and_confirm_admin(attrs) do
|
|
Repo.transact(fn ->
|
|
if has_admin?() do
|
|
{:error, :admin_already_exists}
|
|
else
|
|
%User{}
|
|
|> User.email_changeset(attrs)
|
|
|> User.password_changeset(attrs)
|
|
|> Ecto.Changeset.put_change(:confirmed_at, DateTime.utc_now(:second))
|
|
|> Repo.insert()
|
|
end
|
|
end)
|
|
end
|
|
|
|
@doc """
|
|
Generates a login token for a user without sending an email.
|
|
|
|
Used by the setup flow to create a token for the auto-login redirect.
|
|
Returns the URL-safe encoded token.
|
|
"""
|
|
def generate_login_token(%User{} = user) do
|
|
{encoded_token, user_token} = UserToken.build_email_token(user, "login")
|
|
Repo.insert!(user_token)
|
|
encoded_token
|
|
end
|
|
|
|
## Settings
|
|
|
|
@doc """
|
|
Checks whether the user is in sudo mode.
|
|
|
|
The user is in sudo mode when the last authentication was done no further
|
|
than 20 minutes ago. The limit can be given as second argument in minutes.
|
|
"""
|
|
def sudo_mode?(user, minutes \\ -20)
|
|
|
|
def sudo_mode?(%User{authenticated_at: ts}, minutes) when is_struct(ts, DateTime) do
|
|
DateTime.after?(ts, DateTime.utc_now() |> DateTime.add(minutes, :minute))
|
|
end
|
|
|
|
def sudo_mode?(_user, _minutes), do: false
|
|
|
|
@doc """
|
|
Returns an `%Ecto.Changeset{}` for changing the user email.
|
|
|
|
See `Berrypod.Accounts.User.email_changeset/3` for a list of supported options.
|
|
|
|
## Examples
|
|
|
|
iex> change_user_email(user)
|
|
%Ecto.Changeset{data: %User{}}
|
|
|
|
"""
|
|
def change_user_email(user, attrs \\ %{}, opts \\ []) do
|
|
User.email_changeset(user, attrs, opts)
|
|
end
|
|
|
|
@doc """
|
|
Updates the user email using the given token.
|
|
|
|
If the token matches, the user email is updated and the token is deleted.
|
|
"""
|
|
def update_user_email(user, token) do
|
|
context = "change:#{user.email}"
|
|
|
|
Repo.transact(fn ->
|
|
with {:ok, query} <- UserToken.verify_change_email_token_query(token, context),
|
|
%UserToken{sent_to: email} <- Repo.one(query),
|
|
{:ok, user} <- Repo.update(User.email_changeset(user, %{email: email})),
|
|
{_count, _result} <-
|
|
Repo.delete_all(from(UserToken, where: [user_id: ^user.id, context: ^context])) do
|
|
{:ok, user}
|
|
else
|
|
_ -> {:error, :transaction_aborted}
|
|
end
|
|
end)
|
|
end
|
|
|
|
@doc """
|
|
Returns an `%Ecto.Changeset{}` for changing the user password.
|
|
|
|
See `Berrypod.Accounts.User.password_changeset/3` for a list of supported options.
|
|
|
|
## Examples
|
|
|
|
iex> change_user_password(user)
|
|
%Ecto.Changeset{data: %User{}}
|
|
|
|
"""
|
|
def change_user_password(user, attrs \\ %{}, opts \\ []) do
|
|
User.password_changeset(user, attrs, opts)
|
|
end
|
|
|
|
@doc """
|
|
Updates the user password.
|
|
|
|
Returns a tuple with the updated user, as well as a list of expired tokens.
|
|
|
|
## Examples
|
|
|
|
iex> update_user_password(user, %{password: ...})
|
|
{:ok, {%User{}, [...]}}
|
|
|
|
iex> update_user_password(user, %{password: "too short"})
|
|
{:error, %Ecto.Changeset{}}
|
|
|
|
"""
|
|
def update_user_password(user, attrs) do
|
|
user
|
|
|> User.password_changeset(attrs)
|
|
|> update_user_and_delete_all_tokens()
|
|
end
|
|
|
|
## Session
|
|
|
|
@doc """
|
|
Generates a session token.
|
|
"""
|
|
def generate_user_session_token(user) do
|
|
{token, user_token} = UserToken.build_session_token(user)
|
|
Repo.insert!(user_token)
|
|
token
|
|
end
|
|
|
|
@doc """
|
|
Gets the user with the given signed token.
|
|
|
|
If the token is valid `{user, token_inserted_at}` is returned, otherwise `nil` is returned.
|
|
"""
|
|
def get_user_by_session_token(token) do
|
|
{:ok, query} = UserToken.verify_session_token_query(token)
|
|
Repo.one(query)
|
|
end
|
|
|
|
@doc """
|
|
Gets the user with the given magic link token.
|
|
"""
|
|
def get_user_by_magic_link_token(token) do
|
|
with {:ok, query} <- UserToken.verify_magic_link_token_query(token),
|
|
{user, _token} <- Repo.one(query) do
|
|
user
|
|
else
|
|
_ -> nil
|
|
end
|
|
end
|
|
|
|
@doc """
|
|
Logs the user in by magic link.
|
|
|
|
There are three cases to consider:
|
|
|
|
1. The user has already confirmed their email. They are logged in
|
|
and the magic link is expired.
|
|
|
|
2. The user has not confirmed their email and no password is set.
|
|
In this case, the user gets confirmed, logged in, and all tokens -
|
|
including session ones - are expired. In theory, no other tokens
|
|
exist but we delete all of them for best security practices.
|
|
|
|
3. The user has not confirmed their email but a password is set.
|
|
This cannot happen in the default implementation but may be the
|
|
source of security pitfalls. See the "Mixing magic link and password registration" section of
|
|
`mix help phx.gen.auth`.
|
|
"""
|
|
def login_user_by_magic_link(token) do
|
|
{:ok, query} = UserToken.verify_magic_link_token_query(token)
|
|
|
|
case Repo.one(query) do
|
|
# Prevent session fixation attacks by disallowing magic links for unconfirmed users with password
|
|
{%User{confirmed_at: nil, hashed_password: hash}, _token} when not is_nil(hash) ->
|
|
raise """
|
|
magic link log in is not allowed for unconfirmed users with a password set!
|
|
|
|
This cannot happen with the default implementation, which indicates that you
|
|
might have adapted the code to a different use case. Please make sure to read the
|
|
"Mixing magic link and password registration" section of `mix help phx.gen.auth`.
|
|
"""
|
|
|
|
{%User{confirmed_at: nil} = user, _token} ->
|
|
user
|
|
|> User.confirm_changeset()
|
|
|> update_user_and_delete_all_tokens()
|
|
|
|
{user, token} ->
|
|
Repo.delete!(token)
|
|
{:ok, {user, []}}
|
|
|
|
nil ->
|
|
{:error, :not_found}
|
|
end
|
|
end
|
|
|
|
@doc ~S"""
|
|
Delivers the update email instructions to the given user.
|
|
|
|
## Examples
|
|
|
|
iex> deliver_user_update_email_instructions(user, current_email, &url(~p"/users/settings/confirm-email/#{&1}"))
|
|
{:ok, %{to: ..., body: ...}}
|
|
|
|
"""
|
|
def deliver_user_update_email_instructions(%User{} = user, current_email, update_email_url_fun)
|
|
when is_function(update_email_url_fun, 1) do
|
|
{encoded_token, user_token} = UserToken.build_email_token(user, "change:#{current_email}")
|
|
|
|
Repo.insert!(user_token)
|
|
UserNotifier.deliver_update_email_instructions(user, update_email_url_fun.(encoded_token))
|
|
end
|
|
|
|
@doc """
|
|
Delivers the magic link login instructions to the given user.
|
|
"""
|
|
def deliver_login_instructions(%User{} = user, magic_link_url_fun)
|
|
when is_function(magic_link_url_fun, 1) do
|
|
{encoded_token, user_token} = UserToken.build_email_token(user, "login")
|
|
Repo.insert!(user_token)
|
|
UserNotifier.deliver_login_instructions(user, magic_link_url_fun.(encoded_token))
|
|
end
|
|
|
|
@doc """
|
|
Deletes the signed token with the given context.
|
|
"""
|
|
def delete_user_session_token(token) do
|
|
Repo.delete_all(from(UserToken, where: [token: ^token, context: "session"]))
|
|
:ok
|
|
end
|
|
|
|
## Token helper
|
|
|
|
defp update_user_and_delete_all_tokens(changeset) do
|
|
Repo.transact(fn ->
|
|
with {:ok, user} <- Repo.update(changeset) do
|
|
tokens_to_expire = Repo.all_by(UserToken, user_id: user.id)
|
|
|
|
Repo.delete_all(from(t in UserToken, where: t.id in ^Enum.map(tokens_to_expire, & &1.id)))
|
|
|
|
{:ok, {user, tokens_to_expire}}
|
|
end
|
|
end)
|
|
end
|
|
|
|
## TOTP 2FA
|
|
|
|
@doc """
|
|
Generates a new TOTP secret for setup.
|
|
|
|
Returns `{secret, otpauth_uri}` where secret is the raw binary
|
|
and otpauth_uri can be encoded as a QR code.
|
|
"""
|
|
def generate_totp_secret(user) do
|
|
secret = NimbleTOTP.secret()
|
|
uri = totp_uri(user, secret)
|
|
{secret, uri}
|
|
end
|
|
|
|
@doc """
|
|
Generates the otpauth URI for a given user and secret.
|
|
|
|
Used to regenerate the URI when restoring TOTP setup state from session.
|
|
"""
|
|
def totp_uri(user, secret) do
|
|
NimbleTOTP.otpauth_uri("#{@totp_issuer}:#{user.email}", secret, issuer: @totp_issuer)
|
|
end
|
|
|
|
@doc """
|
|
Enables TOTP for a user after verifying the code.
|
|
|
|
The secret should be the raw binary from `generate_totp_secret/1`.
|
|
Returns `{:ok, user, backup_codes}` or `{:error, reason}`.
|
|
"""
|
|
def enable_totp(user, secret, code) do
|
|
if valid_totp?(secret, code) do
|
|
backup_codes = generate_backup_codes()
|
|
hashed_codes = Enum.map(backup_codes, &Bcrypt.hash_pwd_salt/1)
|
|
|
|
{:ok, encrypted_secret} = Vault.encrypt(Base.encode32(secret))
|
|
{:ok, encrypted_codes} = Vault.encrypt(Jason.encode!(hashed_codes))
|
|
|
|
changeset =
|
|
user
|
|
|> Ecto.Changeset.change(%{
|
|
totp_secret_encrypted: encrypted_secret,
|
|
totp_backup_codes_encrypted: encrypted_codes,
|
|
totp_enabled_at: DateTime.utc_now(:second)
|
|
})
|
|
|
|
case Repo.update(changeset) do
|
|
{:ok, user} -> {:ok, user, backup_codes}
|
|
{:error, changeset} -> {:error, changeset}
|
|
end
|
|
else
|
|
{:error, :invalid_code}
|
|
end
|
|
end
|
|
|
|
@doc """
|
|
Disables TOTP for a user.
|
|
"""
|
|
def disable_totp(user) do
|
|
changeset =
|
|
user
|
|
|> Ecto.Changeset.change(%{
|
|
totp_secret_encrypted: nil,
|
|
totp_backup_codes_encrypted: nil,
|
|
totp_enabled_at: nil
|
|
})
|
|
|
|
Repo.update(changeset)
|
|
end
|
|
|
|
@doc """
|
|
Verifies a TOTP code for a user.
|
|
|
|
Also accepts backup codes, which are single-use.
|
|
"""
|
|
def verify_totp(user, code) do
|
|
cond do
|
|
valid_user_totp?(user, code) ->
|
|
:ok
|
|
|
|
valid_backup_code?(user, code) ->
|
|
consume_backup_code(user, code)
|
|
:ok
|
|
|
|
true ->
|
|
:error
|
|
end
|
|
end
|
|
|
|
@doc """
|
|
Returns true if the user has TOTP enabled.
|
|
"""
|
|
def totp_enabled?(user), do: User.totp_enabled?(user)
|
|
|
|
defp valid_totp?(secret, code) when is_binary(secret) and is_binary(code) do
|
|
NimbleTOTP.valid?(secret, code)
|
|
end
|
|
|
|
defp valid_totp?(_, _), do: false
|
|
|
|
defp valid_user_totp?(user, code) do
|
|
with encrypted when not is_nil(encrypted) <- user.totp_secret_encrypted,
|
|
{:ok, encoded} <- Vault.decrypt(encrypted),
|
|
{:ok, secret} <- Base.decode32(encoded) do
|
|
valid_totp?(secret, code)
|
|
else
|
|
_ -> false
|
|
end
|
|
end
|
|
|
|
defp valid_backup_code?(user, code) do
|
|
hashed_codes = get_hashed_backup_codes(user)
|
|
Enum.any?(hashed_codes, &Bcrypt.verify_pass(code, &1))
|
|
end
|
|
|
|
defp consume_backup_code(user, code) do
|
|
hashed_codes = get_hashed_backup_codes(user)
|
|
remaining = Enum.reject(hashed_codes, &Bcrypt.verify_pass(code, &1))
|
|
|
|
{:ok, encrypted} = Vault.encrypt(Jason.encode!(remaining))
|
|
|
|
user
|
|
|> Ecto.Changeset.change(%{totp_backup_codes_encrypted: encrypted})
|
|
|> Repo.update()
|
|
end
|
|
|
|
defp get_hashed_backup_codes(user) do
|
|
with encrypted when not is_nil(encrypted) <- user.totp_backup_codes_encrypted,
|
|
{:ok, json} <- Vault.decrypt(encrypted),
|
|
{:ok, codes} <- Jason.decode(json) do
|
|
codes
|
|
else
|
|
_ -> []
|
|
end
|
|
end
|
|
|
|
defp generate_backup_codes do
|
|
for _ <- 1..@backup_code_count do
|
|
:crypto.strong_rand_bytes(5)
|
|
|> Base.encode32(padding: false)
|
|
|> String.downcase()
|
|
end
|
|
end
|
|
end
|