Challenge-Response Authentication

Author: beixiao2777

app/Auth/NexusWebGuard.php

@@ -46,9 +46,11 @@ public function user()
         }
         $credentials = $this->request->cookie();
         if ($this->validate($credentials)) {
-            $user = $this->user;
+            $user = $this->provider->retrieveByCredentials($credentials);
             if ($this->provider->validateCredentials($user, $credentials)) {
-                return $user;
+               if ($user->checkIsNormal()) {
+                   return $this->user = $user;
+               }
             }
         }
     }
@@ -62,29 +64,13 @@ public function user()
      */
     public function validate(array $credentials = [])
     {
-        $required = ['c_secure_pass', 'c_secure_uid', 'c_secure_login'];
+        $required = ['c_secure_pass'];
         foreach ($required as $value) {
             if (empty($credentials[$value])) {
                 return false;
             }
         }
-        $b_id = base64($credentials["c_secure_uid"],false);
-        $id = intval($b_id ?? 0);
-        if (!$id || !is_valid_id($id) || strlen($credentials["c_secure_pass"]) != 32) {
-            return false;
-        }
-        $user = $this->provider->retrieveById($id);
-        if (!$user) {
-            return false;
-        }
-        try {
-            $user->checkIsNormal();
-            $this->user = $user;
-            return true;
-        } catch (\Throwable $e) {
-            do_log($e->getMessage());
-            return false;
-        }
+        return true;
     }
 
     public function logout()

app/Auth/NexusWebUserProvider.php

@@ -61,10 +61,15 @@ public function updateRememberToken(Authenticatable $user, $token)
      */
     public function retrieveByCredentials(array $credentials)
     {
-        if (!empty($credentials['c_secure_uid'])) {
-            $b_id = base64($credentials["c_secure_uid"],false);
-            return $this->query->find($b_id);
+        list($tokenJson, $signature) = explode('.', base64_decode($credentials["c_secure_pass"]));
+        if (empty($tokenJson) || empty($signature)) {
+            return null;
         }
+        $tokenData = json_decode($tokenJson, true);
+        if (!isset($tokenData['user_id'])) {
+            return null;
+        }
+        return $this->retrieveById($tokenData['user_id']);
     }
 
     /**
@@ -76,20 +81,9 @@ public function retrieveByCredentials(array $credentials)
      */
     public function validateCredentials(Authenticatable $user, array $credentials)
     {
-        if ($credentials["c_secure_login"] == base64("yeah")) {
-            /**
-             * Not IP related
-             * @since 1.8.0
-             */
-            if ($credentials["c_secure_pass"] != md5($user->passhash)) {
-                return false;
-            }
-        } else {
-            if ($credentials["c_secure_pass"] !== md5($user->passhash)) {
-                return false;
-            }
-        }
-        return true;
+        list($tokenJson, $signature) = explode('.', base64_decode($credentials["c_secure_pass"]));
+        $expectedSignature = hash_hmac('sha256', $tokenJson, $user->auth_key);
+        return  hash_equals($expectedSignature, $signature);
     }
 
     public function rehashPasswordIfRequired(Authenticatable $user, #[\SensitiveParameter] array $credentials, bool $force = false)

app/Console/Commands/Test.php

@@ -49,9 +49,8 @@ public function __construct()
      */
     public function handle()
     {
-        $r = config('nexus.ammds_secret');
-//        $r = SearchBox::query()->find(4)->ss()->orWhere("mode", 0)->get();
-        dd($r);
+        $result = getLogFile();
+        dd($result);
     }
 
 }

app/Http/Controllers/AuthenticateController.php

@@ -16,6 +16,7 @@
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Cookie;
 use Illuminate\Validation\Rule;
+use Nexus\Database\NexusDB;
 
 class AuthenticateController extends Controller
 {
@@ -53,17 +54,18 @@ public function passkeyLogin($passkey)
     {
         $deadline = Setting::get('security.login_secret_deadline');
         if ($deadline && $deadline > now()->toDateTimeString()) {
-            $user = User::query()->where('passkey', $passkey)->first(['id', 'passhash']);
+            $user = User::query()->where('passkey', $passkey)->first(['id', 'passhash', 'secret', 'auth_key']);
             if ($user) {
                 $ip = getip();
                 /**
                  * Not IP related
                  * @since 1.8.0
                  */
 //                $passhash = md5($user->passhash . $ip);
-                $passhash = md5($user->passhash);
-                do_log(sprintf('passhash: %s, ip: %s, md5: %s', $user->passhash, $ip, $passhash));
-                logincookie($user->id, $passhash,false, get_setting('system.cookie_valid_days', 365) * 86400, true, true, true);
+//                $passhash = md5($user->passhash);
+//                do_log(sprintf('passhash: %s, ip: %s, md5: %s', $user->passhash, $ip, $passhash));
+//                logincookie($user->id, $passhash,false, get_setting('system.cookie_valid_days', 365) * 86400, true, true, true);
+                logincookie($user->id, $user->auth_key);
                 $user->last_login = now();
                 $user->save();
                 $userRep = new UserRepository();
@@ -126,6 +128,29 @@ public function ammdsApprove(Request $request)
         }
     }
 
+    public function challenge(Request $request)
+    {
+        try {
+            $request->validate([
+                'username' => 'required|string',
+            ]);
+            $username = $request->username;
+            $challenge = mksecret();
+            NexusDB::cache_put(get_challenge_key($username), $challenge,300);
+            $user = User::query()->where("username", $username)->first(['secret']);
+            return $this->success([
+                "challenge" => $challenge,
+                'secret' => $user->secret ?? mksecret(),
+            ]);
+        } catch (\Exception $exception) {
+            $msg = $exception->getMessage();
+            $params = $request->all();
+            do_log(sprintf("challenge fail: %s, params: %s", $msg, nexus_json_encode($params)));
+            return $this->fail($params, $msg);
+        }
+    }
+
+
 
 
 

app/Models/Setting.php

@@ -105,4 +105,9 @@ public static function getDefaultLang()
         return self::get("main.defaultlang");
     }
 
+    public static function getIsUseChallengeResponseAuthentication(): bool
+    {
+        return self::get("security.use_challenge_response_authentication") == "yes";
+    }
+
 }

app/Models/User.php

@@ -194,7 +194,7 @@ protected function serializeDate(\DateTimeInterface $date): string
      * @var array
      */
     protected $hidden = [
-        'secret', 'passhash', 'passkey'
+        'secret', 'passhash', 'passkey', 'auth_key'
     ];
 
     /**

app/Providers/AuthServiceProvider.php

@@ -53,8 +53,9 @@ class AuthServiceProvider extends ServiceProvider
      */
     public function boot()
     {
+        //some plugin use this guard
         Auth::viaRequest('nexus-cookie', function (Request $request) {
-            return $this->getUserByCookie($request->cookie());
+            return get_user_from_cookie($request->cookie(), false);
         });
 
         Auth::extend('nexus-web', function ($app, $name, array $config) {
@@ -72,33 +73,4 @@ public function boot()
 
     }
 
-    private function getUserByCookie($cookie)
-    {
-        if (empty($cookie["c_secure_pass"]) || empty($cookie["c_secure_uid"]) || empty($cookie["c_secure_login"])) {
-            return null;
-        }
-        $b_id = base64($cookie["c_secure_uid"],false);
-        $id = intval($b_id ?? 0);
-        if (!$id || !is_valid_id($id) || strlen($cookie["c_secure_pass"]) != 32) {
-            return null;
-        }
-        $user = User::query()->find($id);
-        if (!$user) {
-            return null;
-        }
-        if ($cookie["c_secure_login"] == base64("yeah")) {
-            /**
-             * Not IP related
-             * @since 1.8.0
-             */
-            if ($cookie["c_secure_pass"] != md5($user->passhash)) {
-                return null;
-            }
-        } else {
-            if ($cookie["c_secure_pass"] !== md5($user->passhash)) {
-                return null;
-            }
-        }
-        return $user;
-    }
 }

database/migrations/2025_03_29_121708_change_users_table_passhash_field_length.php

@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string("passhash", 255)->default("")->nullable(false)->change();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        //
+    }
+};

database/migrations/2025_04_03_123951_add_auth_key_to_table_users.php

@@ -0,0 +1,28 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string("auth_key", 255)->default("")->nullable(false)->after("secret");
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn("auth_key");
+        });
+    }
+};