# frozen-string-literal: true
module Rodauth
Feature.define(:sms_codes, :SmsCodes) do
depends :two_factor_base
additional_form_tags 'sms_auth'
additional_form_tags 'sms_confirm'
additional_form_tags 'sms_disable'
additional_form_tags 'sms_request'
additional_form_tags 'sms_setup'
before 'sms_auth'
before 'sms_confirm'
before 'sms_disable'
before 'sms_request'
before 'sms_setup'
after 'sms_confirm'
after 'sms_disable'
after 'sms_failure'
after 'sms_request'
after 'sms_setup'
button 'Authenticate via SMS Code', 'sms_auth'
button 'Confirm SMS Backup Number', 'sms_confirm'
button 'Disable Backup SMS Authentication', 'sms_disable'
button 'Send SMS Code', 'sms_request'
button 'Setup SMS Backup Number', 'sms_setup'
error_flash "Error authenticating via SMS code", 'sms_invalid_code'
error_flash "Error disabling SMS authentication", 'sms_disable'
error_flash "Error setting up SMS authentication", 'sms_setup'
error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again", 'sms_invalid_confirmation_code'
error_flash "No current SMS code for this account", 'no_current_sms_code'
error_flash "SMS authentication has been locked out", 'sms_lockout'
error_flash "SMS authentication has already been setup", 'sms_already_setup'
error_flash "SMS authentication has not been setup yet", 'sms_not_setup'
error_flash "SMS authentication needs confirmation", 'sms_needs_confirmation'
notice_flash "SMS authentication code has been sent", 'sms_request'
notice_flash "SMS authentication has been disabled", 'sms_disable'
notice_flash "SMS authentication has been setup", 'sms_confirm'
translatable_method :sms_auth_link_text, "Authenticate Using SMS Code"
translatable_method :sms_setup_link_text, "Setup Backup SMS Authentication"
translatable_method :sms_disable_link_text, "Disable SMS Authentication"
redirect :sms_already_setup
redirect :sms_confirm
redirect :sms_disable
redirect(:sms_auth){sms_auth_path}
redirect(:sms_needs_confirmation){sms_confirm_path}
redirect(:sms_needs_setup){sms_setup_path}
redirect(:sms_request){sms_request_path}
redirect(:sms_lockout){two_factor_auth_required_redirect}
loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
view 'sms-confirm', 'Confirm SMS Backup Number', 'sms_confirm'
view 'sms-disable', 'Disable Backup SMS Authentication', 'sms_disable'
view 'sms-request', 'Send SMS Code', 'sms_request'
view 'sms-setup', 'Setup SMS Backup Number', 'sms_setup'
auth_value_method :sms_already_setup_error_status, 403
auth_value_method :sms_needs_confirmation_error_status, 403
auth_value_method :sms_auth_code_length, 6
auth_value_method :sms_code_allowed_seconds, 300
auth_value_method :sms_code_column, :code
translatable_method :sms_code_label, 'SMS Code'
auth_value_method :sms_code_param, 'sms-code'
auth_value_method :sms_codes_table, :account_sms_codes
auth_value_method :sms_confirm_code_length, 12
auth_value_method :sms_failure_limit, 5
auth_value_method :sms_failures_column, :num_failures
auth_value_method :sms_id_column, :id
translatable_method :sms_invalid_code_message, "invalid SMS code"
translatable_method :sms_invalid_phone_message, "invalid SMS phone number"
auth_value_method :sms_issued_at_column, :code_issued_at
auth_value_method :sms_phone_column, :phone_number
translatable_method :sms_phone_label, 'Phone Number'
auth_value_method :sms_phone_input_type, 'tel'
auth_value_method :sms_phone_min_length, 7
auth_value_method :sms_phone_param, 'sms-phone'
auth_cached_method :sms
auth_value_methods :sms_codes_primary?
auth_methods(
:sms_auth_message,
:sms_available?,
:sms_code_issued_at,
:sms_code_match?,
:sms_confirm_message,
:sms_confirmation_match?,
:sms_current_auth?,
:sms_disable,
:sms_failures,
:sms_locked_out?,
:sms_needs_confirmation?,
:sms_new_auth_code,
:sms_new_confirm_code,
:sms_normalize_phone,
:sms_record_failure,
:sms_remove_failures,
:sms_send,
:sms_set_code,
:sms_setup,
:sms_setup?,
:sms_valid_phone?
)
route(:sms_request) do |r|
require_login
require_account_session
require_two_factor_not_authenticated('sms_code')
require_sms_available
before_sms_request_route
r.get do
sms_request_view
end
r.post do
transaction do
before_sms_request
sms_send_auth_code
after_sms_request
end
set_notice_flash sms_request_notice_flash
redirect sms_auth_redirect
end
end
route(:sms_auth) do |r|
require_login
require_account_session
require_two_factor_not_authenticated('sms_code')
require_sms_available
unless sms_current_auth?
if sms_code
sms_set_code(nil)
end
set_response_error_status(invalid_key_error_status)
set_redirect_error_flash no_current_sms_code_error_flash
redirect sms_request_redirect
end
before_sms_auth_route
r.get do
sms_auth_view
end
r.post do
transaction do
if sms_code_match?(param(sms_code_param))
before_sms_auth
sms_remove_failures
two_factor_authenticate('sms_code')
else
sms_record_failure
after_sms_failure
end
end
set_response_error_status(invalid_key_error_status)
set_field_error(sms_code_param, sms_invalid_code_message)
set_error_flash sms_invalid_code_error_flash
sms_auth_view
end
end
route(:sms_setup) do |r|
require_account
unless sms_codes_primary?
require_two_factor_setup
require_two_factor_authenticated
end
require_sms_not_setup
if sms_needs_confirmation?
set_redirect_error_status(sms_needs_confirmation_error_status)
set_redirect_error_flash sms_needs_confirmation_error_flash
redirect sms_needs_confirmation_redirect
end
before_sms_setup_route
r.get do
sms_setup_view
end
r.post do
catch_error do
unless two_factor_password_match?(param(password_param))
throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
end
phone = sms_normalize_phone(param(sms_phone_param))
unless sms_valid_phone?(phone)
throw_error_status(invalid_field_error_status, sms_phone_param, sms_invalid_phone_message)
end
transaction do
before_sms_setup
sms_setup(phone)
sms_send_confirm_code
after_sms_setup
end
set_notice_flash sms_needs_confirmation_error_flash
redirect sms_needs_confirmation_redirect
end
set_error_flash sms_setup_error_flash
sms_setup_view
end
end
route(:sms_confirm) do |r|
require_account
unless sms_codes_primary?
require_two_factor_setup
require_two_factor_authenticated
end
require_sms_not_setup
before_sms_confirm_route
r.get do
sms_confirm_view
end
r.post do
if sms_confirmation_match?(param(sms_code_param))
transaction do
before_sms_confirm
sms_confirm
after_sms_confirm
unless two_factor_authenticated?
two_factor_update_session('sms_code')
end
end
set_notice_flash sms_confirm_notice_flash
redirect sms_confirm_redirect
end
sms_confirm_failure
set_redirect_error_status(invalid_key_error_status)
set_redirect_error_flash sms_invalid_confirmation_code_error_flash
redirect sms_needs_setup_redirect
end
end
route(:sms_disable) do |r|
require_account
require_sms_setup
before_sms_disable_route
r.get do
sms_disable_view
end
r.post do
if two_factor_password_match?(param(password_param))
transaction do
before_sms_disable
sms_disable
if two_factor_login_type_match?('sms_code')
two_factor_remove_session('sms_code')
end
after_sms_disable
end
set_notice_flash sms_disable_notice_flash
redirect sms_disable_redirect
end
set_response_error_status(invalid_password_error_status)
set_field_error(password_param, invalid_password_message)
set_error_flash sms_disable_error_flash
sms_disable_view
end
end
def two_factor_remove
super
sms_disable
end
def two_factor_remove_auth_failures
super
sms_remove_failures
end
def require_sms_setup
unless sms_setup?
set_redirect_error_status(two_factor_not_setup_error_status)
set_redirect_error_flash sms_not_setup_error_flash
redirect sms_needs_setup_redirect
end
end
def require_sms_not_setup
if sms_setup?
set_redirect_error_status(sms_already_setup_error_status)
set_redirect_error_flash sms_already_setup_error_flash
redirect sms_already_setup_redirect
end
end
def require_sms_available
require_sms_setup
if sms_locked_out?
set_redirect_error_status(lockout_error_status)
set_redirect_error_flash sms_lockout_error_flash
redirect sms_lockout_redirect
end
end
def sms_code_match?(code)
return false unless sms_current_auth?
timing_safe_eql?(code, sms_code)
end
def sms_confirmation_match?(code)
sms_needs_confirmation? && sms_code_match?(code)
end
def sms_disable
sms_ds.delete
@sms = nil
end
def sms_confirm_failure
sms_ds.delete
end
def sms_setup(phone_number)
# Cannot handle uniqueness violation here, as the phone number given may not match the
# one in the table.
sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number)
remove_instance_variable(:@sms) if instance_variable_defined?(:@sms)
end
def sms_remove_failures
update_sms(sms_failures_column => 0, sms_code_column => nil)
end
def sms_confirm
sms_remove_failures
super if defined?(super)
end
def sms_send_auth_code
code = sms_new_auth_code
sms_set_code(code)
sms_send(sms_phone, sms_auth_message(code))
end
def sms_send_confirm_code
code = sms_new_confirm_code
sms_set_code(code)
sms_send(sms_phone, sms_confirm_message(code))
end
def sms_valid_phone?(phone)
phone.length >= sms_phone_min_length
end
def sms_auth_message(code)
"SMS authentication code for #{domain} is #{code}"
end
def sms_confirm_message(code)
"SMS confirmation code for #{domain} is #{code}"
end
def sms_set_code(code)
update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
end
def sms_record_failure
update_sms(sms_failures_column=>Sequel.expr(sms_failures_column)+1)
sms[sms_failures_column] = sms_ds.get(sms_failures_column)
end
def sms_phone
sms[sms_phone_column]
end
def sms_code
sms[sms_code_column]
end
def sms_code_issued_at
convert_timestamp(sms[sms_issued_at_column])
end
def sms_failures
sms[sms_failures_column]
end
def sms_setup?
return false unless sms
!sms_needs_confirmation?
end
def sms_needs_confirmation?
sms && sms_failures.nil?
end
def sms_available?
sms && !sms_needs_confirmation? && !sms_locked_out?
end
def sms_locked_out?
sms_failures >= sms_failure_limit
end
def sms_current_auth?
sms_code && sms_code_issued_at + sms_code_allowed_seconds > Time.now
end
def possible_authentication_methods
methods = super
methods << 'sms_code' if sms_setup?
methods
end
private
def _two_factor_auth_links
links = super
links << [30, sms_request_path, sms_auth_link_text] if sms_available?
links
end
def _two_factor_setup_links
links = super
links << [30, sms_setup_path, sms_setup_link_text] if !sms_setup? && (sms_codes_primary? || uses_two_factor_authentication?)
links
end
def _two_factor_remove_links
links = super
links << [30, sms_disable_path, sms_disable_link_text] if sms_setup?
links
end
def _two_factor_remove_all_from_session
two_factor_remove_session('sms_codes')
super
end
def sms_codes_primary?
(features & [:otp, :webauthn]).empty?
end
def sms_normalize_phone(phone)
phone.to_s.gsub(/\D+/, '')
end
def sms_new_auth_code
SecureRandom.random_number(10**sms_auth_code_length).to_s.rjust(sms_auth_code_length, "0")
end
def sms_new_confirm_code
SecureRandom.random_number(10**sms_confirm_code_length).to_s.rjust(sms_confirm_code_length, "0")
end
def sms_send(phone, message)
raise NotImplementedError, "sms_send needs to be defined in the Rodauth configuration for SMS sending to work"
end
def update_sms(values)
update_hash_ds(sms, sms_ds, values)
end
def _sms
sms_ds.first
end
def sms_ds
db[sms_codes_table].where(sms_id_column=>session_value)
end
end
end