Generate TOTP 2FA QR-Code

Author: namePlayer

.env.example

@@ -48,3 +48,5 @@ MAILER_MAX_BATCH_SIZE=25
 #
 MFA_TOTP_DIGITS=6
 MFA_TOTP_PERIOD=30
+MFA_TOTP_TIME_WINDOW=10
+MFA_ISSUER=Web-Toolkit

composer.json

@@ -33,6 +33,7 @@
         "geoip2/geoip2": "~2.0",
         "ramsey/uuid": "^4.7",
         "phpmailer/phpmailer": "^6.8",
-        "spomky-labs/otphp": "^11.2"
+        "spomky-labs/otphp": "^11.2",
+        "endroid/qr-code": "^4.8"
     }
 }

composer.lock

@@ -32,11 +32,14 @@ public function load(ServerRequestInterface $request): ResponseInterface
             $this->create($account);
         }
 
+        $otp = $this->securityService->generateTOTPSecret();
+
         return new HtmlResponse(
             $this->template->render('account/security',
             [
                 'account' => $this->accountService->findAccountById($account->getId()),
-                'totpToken' => $this->securityService->generateTOTPSecret(),
+                'totpToken' => $otp,
+                'totpQrCode' => $this->securityService->generateTOTPQrCodeBase64($this->securityService->generateTOTPFromSecret($otp)),
                 'twoFactors' => $this->securityService->getTwoFactorByAccountID($account->getId())
             ]));
     }

src/App/Controller/Account/SecurityController.php

@@ -4,15 +4,21 @@
 
 use App\Model\Authentication\TwoFactor;
 use App\Service\Authentication\AccountService;
+use App\Software;
 use App\Table\Account\TwoFactorTable;
+use Endroid\QrCode\Builder\Builder;
+use Endroid\QrCode\ErrorCorrectionLevel\ErrorCorrectionLevelHigh;
+use Endroid\QrCode\RoundBlockSizeMode\RoundBlockSizeModeMargin;
+use Endroid\QrCode\Writer\SvgWriter;
 use OTPHP\TOTP;
+use ParagonIE\ConstantTime\Base32;
 
-class SecurityService
+readonly class SecurityService
 {
 
     public function __construct(
-        private readonly AccountService $accountService,
-        private readonly TwoFactorTable $twoFactorTable
+        private AccountService $accountService,
+        private TwoFactorTable $twoFactorTable
     )
     {
     }
@@ -26,9 +32,9 @@ public function add(TwoFactor $twoFactor, int $code): void
 
         $totp = $this->generateTOTPFromSecret($twoFactor->getSecret());
 
-        if($totp->verify($code, null, 5) === FALSE)
+        if($this->verifyTOTPBySecret($twoFactor->getSecret(), (string)$code) === FALSE)
         {
-            MESSAGES->add('danger', 'account-settings-security-two-factor-failed-code-invalid', $totp->now());
+            MESSAGES->add('danger', 'account-settings-security-two-factor-failed-code-invalid');
             return;
         }
 
@@ -62,7 +68,7 @@ public function verifyAccountTwoFactor(int $account, string $code): bool
     public function verifyTOTPBySecret(string $secret, string $code): bool
     {
         $totp = $this->generateTOTPFromSecret($secret);
-        return $totp->verify($code);
+        return $totp->verify($code, null, (int)$_ENV['MFA_TOTP_TIME_WINDOW'] ?? 5);
     }
 
     public function getTwoFactorByAccountID(int $account): array|false
@@ -72,14 +78,33 @@ public function getTwoFactorByAccountID(int $account): array|false
 
     public function generateTOTPSecret(): string
     {
-        return trim(\ParagonIE\ConstantTime\Base32::encodeUpper(random_bytes($_ENV['MFA_TOTP_GEN_BITS'] ?? 10)), '=');
+        return trim(Base32::encodeUpper(random_bytes(isset($_ENV['MFA_TOTP_GEN_BITS']) ? (int)$_ENV['MFA_TOTP_GEN_BITS'] : 10)), '=');
     }
 
-    private function generateTOTPFromSecret(string $secret): TOTP
+    public function generateTOTPQrCodeBase64(TOTP $totp): string
+    {
+
+        $qrcode = Builder::create()
+            ->writer(new SvgWriter())
+            ->data($totp->getProvisioningUri())
+            ->size(300)
+            ->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
+            ->margin(15)
+            ->labelText('2 Factor Auth')
+            ->roundBlockSizeMode(new RoundBlockSizeModeMargin())
+            ->build();
+
+        return $qrcode->getString();
+
+    }
+
+    public function generateTOTPFromSecret(string $secret, string $label = ''): TOTP
     {
         $totp = TOTP::createFromSecret($secret);
-        $totp->setDigits(6);
-        $totp->setPeriod(30);
+        $totp->setDigits((int)$_ENV['MFA_TOTP_DIGITS'] ?? 6);
+        $totp->setPeriod((int)$_ENV['MFA_TOTP_PERIOD'] ?? 30);
+        $totp->setIssuer((string)$_ENV['MFA_ISSUER'] ?? 'Web-Toolkit');
+        $totp->setLabel(empty($label) ? $_ENV['SOFTWARE_TITLE'] : $label);
         return $totp;
     }
 

src/App/Service/Account/SecurityService.php

@@ -161,9 +161,11 @@
                     <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
                 </div>
                 <div class="modal-body">
+                    <div class="mb-3 text-center">
+                        <?= $totpQrCode ?>
+                    </div>
                     <div class="mb-3">
-                        <label for="addTwoFactorModalTFAToken" class="form-label">2 Faktor Schlüssel</label>
-                        <input type="text" class="form-control disabled" id="addTwoFactorModalTFAToken" name="addTwoFactorModalTFAToken" value="<?= $totpToken ?>">
+                        <input type="hidden" class="form-control" id="addTwoFactorModalTFAToken" name="addTwoFactorModalTFAToken" value="<?= $totpToken ?>">
                     </div>
                     <div class="mb-3">
                         <label for="addTwoFactorModalName" class="form-label">Name</label>