system76 · burden · Jan 30, 2025 · Mar 19, 2024 · Mar 26, 2024 · Mar 27, 2024
@@ -44,7 +44,7 @@ jobs:
           mix local.hex --force
 
       - name: Cache
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         id: cache
         with:
           key: elixir-${{ hashFiles('Dockerfile', 'mix.lock') }}-${{ github.ref }}-test
@@ -114,7 +114,7 @@ jobs:
           mix local.hex --force
 
       - name: Cache
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         id: cache
         with:
           key: elixir-${{ hashFiles('Dockerfile', 'mix.lock') }}-${{ github.ref }}-credo

@@ -64,7 +64,7 @@ jobs:
           image: ${{ steps.publish.outputs.image }}
 
       - name: Deploy
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.template.outputs.task-definition }}
           service: production-system76-recognizer

@@ -64,7 +64,7 @@ jobs:
           image: ${{ steps.publish.outputs.image }}
 
       - name: Deploy
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.template.outputs.task-definition }}
           service: staging-genesis76-recognizer

@@ -626,23 +626,21 @@ defmodule Recognizer.Accounts do
   Sends a new notification message to the user to verify their _new_ two factor
   settings.
   """
-  def send_new_two_factor_notification(user) do
+  def check_two_factor_notification_time(user) do
     {:ok, attrs} = get_new_two_factor_settings(user)
-    send_new_two_factor_notification(user, attrs)
+    check_two_factor_notification_time(attrs, 100)
   end
 
-  def send_new_two_factor_notification(user, attrs) do
+  def check_two_factor_notification_time(attrs, two_factor_issue_time) do
     %{
-      notification_preference: %{two_factor: preference},
-      two_factor_seed: seed
+      notification_preference: %{two_factor: preference}
     } = attrs
 
     if preference != "app" do
-      token = Authentication.generate_token(seed)
-      Notification.deliver_two_factor_token(user, token, String.to_existing_atom(preference))
+      {:ok, two_factor_issue_time}
+    else
+      {:ok, nil}
     end
-
-    :ok
   end
 
   @doc """
@@ -660,15 +658,17 @@ defmodule Recognizer.Accounts do
   @doc """
   Confirms the user's two factor settings and persists them to the database from our cache
   """
-  def confirm_and_save_two_factor_settings(code, user) do
-    with {:ok, %{two_factor_seed: seed} = attrs} <- get_new_two_factor_settings(user),
-         true <- Authentication.valid_token?(code, seed) do
+
+  def confirm_and_save_two_factor_settings(code, counter, user) do
+    with {:ok, %{notification_preference: %{two_factor: preference}, two_factor_seed: seed} = attrs} <-
+           get_new_two_factor_settings(user),
+         true <- Authentication.valid_token?(preference, code, counter, seed) do
       user
       |> Repo.preload([:notification_preference, :recovery_codes])
       |> User.two_factor_changeset(attrs)
       |> Repo.update()
     else
-      _ -> :error
+      _ -> {:error, nil}
     end
   end
 

@@ -1,6 +1,6 @@
 import EctoEnum
 
-defenum(Recognizer.TwoFactorPreference, ["app", "text", "voice"])
+defenum(Recognizer.TwoFactorPreference, ["app", "text", "voice", "email"])
 
 defenum(Recognizer.UserType, ["individual", "business"])
 defenum(Recognizer.OAuthService, ["facebook", "github", "google"])
@@ -70,6 +70,7 @@ defmodule Recognizer.Notifications.Account do
 
   def two_factor_method(:text), do: :TWO_FACTOR_METHOD_SMS
   def two_factor_method(:voice), do: :TWO_FACTOR_METHOD_VOICE
+  def two_factor_method(:email), do: :TWO_FACTOR_METHOD_EMAIL
 
   @doc """
   Deliver user recovery code used notification.

@@ -180,15 +180,42 @@ defmodule RecognizerWeb.Authentication do
   @doc """
   Generate a Time Based One Time Password
   """
-  def generate_token(%{two_factor_seed: two_factor_seed}), do: generate_token(two_factor_seed)
-  def generate_token(two_factor_seed), do: :pot.totp(two_factor_seed, addwindow: 1)
+  def generate_token(preference, counter, %{two_factor_seed: two_factor_seed}),
+    do: generate_token(preference, counter, two_factor_seed)
+
+  def generate_token(preference, counter, two_factor_seed) do
+    if preference == :app || preference == "app" do
+      generate_token_app(two_factor_seed)
+    else
+      generate_token_external(two_factor_seed, counter)
+    end
+  end
+
+  def generate_token_app(two_factor_seed), do: :pot.totp(two_factor_seed, interval: 30)
+
+  def generate_token_external(two_factor_seed, counter), do: :pot.hotp(two_factor_seed, counter)
 
   @doc """
   Validate a user provided token is valid
   """
-  def valid_token?(token, %{two_factor_seed: two_factor_seed}), do: valid_token?(token, two_factor_seed)
-  def valid_token?(_token, nil), do: false
-  def valid_token?(token, two_factor_seed), do: :pot.valid_totp(token, two_factor_seed, window: 1, addwindow: 1)
+
+  def valid_token?(preference, token, counter, %{two_factor_seed: two_factor_seed}),
+    do: valid_token?(preference, token, counter, two_factor_seed)
+
+  def valid_token?(preference, token, counter, two_factor_seed) do
+    if preference == :app || preference == "app" do
+      valid_token_app?(token, two_factor_seed)
+    else
+      valid_token_external?(token, two_factor_seed, counter)
+    end
+  end
+
+  def valid_token_app?(token, two_factor_seed), do: :pot.valid_totp(token, two_factor_seed, interval: 30)
+
+  def valid_token_external?(token, two_factor_seed, counter) do
+    # :pot.valid_hotp(token, two_factor_seed, last: counter)
+    token == :pot.hotp(two_factor_seed, counter)
+  end
 
   defp config(key) do
     Application.get_env(:recognizer, __MODULE__)[key]

@@ -5,7 +5,7 @@ defmodule RecognizerWeb.Accounts.Api.UserSettingsTwoFactorController do
   alias RecognizerWeb.{Authentication, ErrorView}
 
   @one_minute 60_000
-  @one_day 86_400_000
+  @one_hour 3_600_000
 
   plug Hammer.Plug,
        [
@@ -14,13 +14,17 @@ defmodule RecognizerWeb.Accounts.Api.UserSettingsTwoFactorController do
        ]
        when action in [:send]
 
+  #  when action in [:send, :update]
+
   plug Hammer.Plug,
        [
-         rate_limit: {"api:two_factor_daily", @one_day, 6},
+         rate_limit: {"api:two_factor_hour", @one_hour, 6},
          by: {:conn, &get_user_id_from_request/1}
        ]
        when action in [:send]
 
+  #  when action in [:send, :update]
+
   def show(conn, _params) do
     user = Authentication.fetch_current_user(conn)
 
@@ -48,8 +52,9 @@ defmodule RecognizerWeb.Accounts.Api.UserSettingsTwoFactorController do
 
   def update(conn, %{"verification" => code}) do
     user = Authentication.fetch_current_user(conn)
+    counter = get_session(conn, :two_factor_issue_time)
 
-    case Accounts.confirm_and_save_two_factor_settings(code, user) do
+    case Accounts.confirm_and_save_two_factor_settings(code, counter, user) do
       {:ok, updated_user} ->
         render(conn, "show.json", user: updated_user)
 
@@ -67,11 +72,34 @@ defmodule RecognizerWeb.Accounts.Api.UserSettingsTwoFactorController do
   def send(conn, _params) do
     user = Authentication.fetch_current_user(conn)
 
-    with {:ok, settings} <- Accounts.get_new_two_factor_settings(user),
-         :ok <- Accounts.send_new_two_factor_notification(user, settings) do
-      conn
-      |> put_status(202)
-      |> render("show.json", settings: settings, user: user)
+    with {:ok, settings} <- Accounts.get_new_two_factor_settings(user) do
+      # Get or initialize the two_factor_issue_time from the session
+
+      conn =
+        case get_session(conn, :two_factor_issue_time) do
+          nil -> put_session(conn, :two_factor_issue_time, System.system_time(:second))
+          _ -> conn
+        end
+
+      issue_time = get_session(conn, :two_factor_issue_time)
+
+      case Accounts.check_two_factor_notification_time(settings, issue_time) do
+        {:ok, updated_issue_time} when not is_nil(updated_issue_time) ->
+          conn
+          |> put_session(:two_factor_issue_time, updated_issue_time)
+          |> put_status(202)
+          |> render("show.json", settings: settings, user: user)
+
+        {:ok, nil} ->
+          conn
+          |> put_status(202)
+          |> render("show.json", settings: settings, user: user)
+
+        {:error, reason} ->
+          conn
+          |> put_status(400)
+          |> json(%{error: reason})
+      end
     end
   end
 end
@@ -36,8 +36,9 @@ defmodule RecognizerWeb.Accounts.Prompt.TwoFactorController do
   def update(conn, params) do
     user = conn.assigns.user
     two_factor_code = Map.get(params, "two_factor_code", "")
+    counter = get_session(conn, :two_factor_issue_time)
 
-    case Accounts.confirm_and_save_two_factor_settings(two_factor_code, user) do
+    case Accounts.confirm_and_save_two_factor_settings(two_factor_code, counter, user) do
       {:ok, updated_user} ->
         Authentication.log_in_user(conn, updated_user, params)
 

@@ -5,7 +5,7 @@ defmodule RecognizerWeb.Accounts.Prompt.VerificationController do
   alias RecognizerWeb.Authentication
 
   @one_minute 60_000
-  @one_day 86_400_000
+  @one_hour 3_600_000
 
   plug :ensure_user
 
@@ -16,13 +16,17 @@ defmodule RecognizerWeb.Accounts.Prompt.VerificationController do
        ]
        when action in [:resend]
 
+  #  when action in [:resend, :new]
+
   plug Hammer.Plug,
        [
-         rate_limit: {"user:verification_daily", @one_day, 6},
+         rate_limit: {"user:verification_hour", @one_hour, 6},
          by: {:conn, &get_user_id_from_unverified_request/1}
        ]
        when action in [:resend]
 
+  #  when action in [:resend, :new]
+
   def new(%{assigns: %{user: %{verified_at: nil} = user}} = conn, _params) do
     render(conn, "new.html", resend?: false, email: user.email)
   end

@@ -15,7 +15,7 @@ defmodule RecognizerWeb.Accounts.UserResetPasswordController do
 
   plug Hammer.Plug,
        [
-         rate_limit: {"user:reset_password_daily", @one_day, 10},
+         rate_limit: {"user:reset_password_daily", @one_day, 6},
          by: {:conn, &get_email_from_request/1}
        ]
        when action in [:create]

@@ -19,6 +19,7 @@ defmodule RecognizerWeb.Accounts.UserSessionController do
         conn
         |> put_session(:two_factor_user_id, user.id)
         |> put_session(:two_factor_sent, false)
+        |> put_session(:two_factor_issue_time, System.system_time(:second))
         |> redirect(to: Routes.user_two_factor_path(conn, :new))
 
       {:oauth, _user} ->