Icinga · jrauh01 · Jul 23, 2025 · Jul 24, 2025 · Jul 24, 2025 · Jul 26, 2025
diff --git a/application/controllers/AccountController.php b/application/controllers/AccountController.php
@@ -3,20 +3,27 @@
 
 namespace Icinga\Controllers;
 
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Application\Config;
+use Icinga\Authentication\TwoFactorTotp;
 use Icinga\Authentication\User\UserBackend;
+use Icinga\Common\Database;
 use Icinga\Data\ConfigObject;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Forms\Account\ChangePasswordForm;
+use Icinga\Forms\Account\TwoFactorConfigForm;
 use Icinga\Forms\PreferenceForm;
 use Icinga\User\Preferences\PreferencesStore;
 use Icinga\Web\Controller;
+use ipl\Html\Contract\Form;
 
 /**
  * My Account
  */
 class AccountController extends Controller
 {
+    use Database;
+
     /**
      * {@inheritdoc}
      */
@@ -67,6 +74,25 @@ public function indexAction()
             }
         }
 
+        if ($user->can('user/two-factor-authentication')) {
+            $twoFactor = TwoFactorTotp::loadFromDb($this->getDb(), $user->getUsername());
+            if ($twoFactor === null) {
+                $twoFactor = TwoFactorTotp::generate($user->getUsername());
+            }
+
+            $twoFactorForm = new TwoFactorConfigForm();
+            $twoFactorForm->setUser($user);
+            $twoFactorForm->setTwoFactor($twoFactor);
+            $twoFactorForm->on(Form::ON_SUBMIT, function (TwoFactorConfigForm $form) {
+                if ($redirectUrl = $form->getRedirectUrl()) {
+                    $this->redirectNow($redirectUrl);
+                }
+            });
+            $twoFactorForm->handleRequest(ServerRequest::fromGlobals());
+
+            $this->view->twoFactorForm = $twoFactorForm;
+        }
+
         $form = new PreferenceForm();
         $form->setPreferences($user->getPreferences());
         if (isset($config->config_resource)) {

diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
@@ -3,16 +3,21 @@
 
 namespace Icinga\Controllers;
 
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Application\Hook\AuthenticationHook;
 use Icinga\Application\Icinga;
 use Icinga\Application\Logger;
+use Icinga\Authentication\Auth;
+use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Common\Database;
 use Icinga\Exception\AuthenticationException;
 use Icinga\Forms\Authentication\LoginForm;
 use Icinga\Web\Controller;
 use Icinga\Web\Helper\CookieHelper;
 use Icinga\Web\RememberMe;
+use Icinga\Web\Session;
 use Icinga\Web\Url;
+use ipl\Html\Contract\Form;
 use RuntimeException;
 
 /**
@@ -41,7 +46,42 @@ public function loginAction()
         if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) {
             $this->redirectNow(Url::fromPath('setup'));
         }
-        $form = new LoginForm();
+
+        $form = (new LoginForm())
+            ->setAction(Url::fromRequest()->getAbsoluteUrl())
+            ->on(Form::ON_SUBMIT, function (LoginForm $form) {
+                if ($redirectUrl = $form->getRedirectUrl()) {
+                    $this->redirectNow($redirectUrl);
+                }
+            })
+            ->on(Form::ON_SENT, function (LoginForm $form) {
+                if (
+                    $form->getElement('CSRFToken')->isValid()
+                    && $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL_2FA
+                ) {
+                    Session::getSession()->purge();
+                    $this->redirectNow(Url::fromRequest());
+                }
+            })
+            ->on(Form::ON_REQUEST, function ($request, LoginForm $form) {
+                $auth = Auth::getInstance();
+                $onlyExternal = true;
+                // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal().
+                foreach ($auth->getAuthChain() as $backend) {
+                    if (! $backend instanceof ExternalBackend) {
+                        $onlyExternal = false;
+                    }
+                }
+                if ($onlyExternal) {
+                    $form->addMessage($this->translate(
+                        'You\'re currently not authenticated using any of the web server\'s authentication'
+                        . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.'
+                    ));
+                    $form->onError();
+                }
+            });
+
+        $skip2fa = false;
 
         if (RememberMe::hasCookie() && $this->hasDb()) {
             $authenticated = false;
@@ -52,6 +92,7 @@ public function loginAction()
                     $rememberMe = $rememberMeOld->renew();
                     $this->getResponse()->setCookie($rememberMe->getCookie());
                     $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV());
+                    $skip2fa = true;
                 }
             } catch (RuntimeException $e) {
                 Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage());
@@ -64,7 +105,7 @@ public function loginAction()
             }
         }
 
-        if ($this->Auth()->isAuthenticated()) {
+        if ($this->Auth()->isAuthenticated($skip2fa)) {
             // Call provided AuthenticationHook(s) when login action is called
             // but icinga web user is already authenticated
             AuthenticationHook::triggerLogin($this->Auth()->getUser());
@@ -76,7 +117,7 @@ public function loginAction()
                     $this->httpBadRequest('nope');
                 }
             } else {
-                $redirectUrl = $form->getRedirectUrl();
+                $redirectUrl = $form->createRedirectUrl();
             }
 
             $this->redirectNow($redirectUrl);
@@ -91,9 +132,10 @@ public function loginAction()
                     ->sendResponse();
                 exit;
             }
-            $form->handleRequest();
+            $form->handleRequest(ServerRequest::fromGlobals());
         }
         $this->view->form = $form;
+        $this->view->cancel2faForm = $cancel2faForm ?? null;
         $this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
         $this->view->requiresSetup = $requiresSetup;
     }

diff --git a/application/forms/Account/TwoFactorConfigForm.php b/application/forms/Account/TwoFactorConfigForm.php
@@ -0,0 +1,192 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Forms\Account;
+
+use Icinga\Authentication\TwoFactorTotp;
+use Icinga\Common\Database;
+use Icinga\User;
+use Icinga\Web\Form\Element\FakeFormElement;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
+use Icinga\Web\Notification;
+use ipl\Html\Attributes;
+use ipl\Html\HtmlElement;
+use ipl\Html\Text;
+use ipl\Web\Common\FormUid;
+use ipl\Web\Compat\CompatForm;
+use ipl\Web\Url;
+use ipl\Web\Widget\CopyToClipboard;
+
+/**
+ * Form for enabling and disabling 2FA or creating and updating the 2FA TOTP secret
+ *
+ * This form is used to manage the 2FA settings of a user account.
+ */
+class TwoFactorConfigForm extends CompatForm
+{
+    use Database;
+    use FormUid;
+
+    /** @var User|null The user to work with */
+    protected ?User $user = null;
+
+    /** @var TwoFactorTotp The TwoFactorTotp instance to work with */
+    protected TwoFactorTotp $twoFactor;
+
+    /** @var string The submit button to verify the 2FA TOTP secret */
+    protected const SUBMIT_VERIFY = 'btn_submit_verify';
+
+    /** @var string The submit button to disable 2FA */
+    protected const SUBMIT_DISABLE = 'btn_submit_disable';
+
+    public function __construct()
+    {
+        $this->setAttribute('name', 'form_config_2fa');
+    }
+
+    /**
+     * Set the user to work with
+     *
+     * @param User $user The user to work with
+     *
+     * @return $this
+     */
+    public function setUser(User $user): static
+    {
+        $this->user = $user;
+
+        return $this;
+    }
+
+    /**
+     * Set the TwoFactorTotp instance to work with
+     *
+     * @param TwoFactorTotp $twoFactor
+     *
+     * @return $this
+     */
+    public function setTwoFactor(TwoFactorTotp $twoFactor): static
+    {
+        $this->twoFactor = $twoFactor;
+
+        return $this;
+    }
+
+    protected function assemble(): void
+    {
+        $this->addElement($this->createUidElement());
+
+        if (TwoFactorTotp::hasDbSecret($this->getDb(), $this->user->getUsername())) {
+            $this->addElement(
+                'submit',
+                static::SUBMIT_DISABLE,
+                [
+                    'label'               => $this->translate('Disable 2FA'),
+                    'data-progress-label' => $this->translate('Disabling')
+                ]
+            );
+        } else {
+            $this->addElement(
+                'checkbox',
+                'enabled_2fa',
+                [
+                    'class'       => 'autosubmit',
+                    'label'       => $this->translate('Enable 2FA (TOTP)'),
+                    'description' => $this->translate(
+                        'This option allows you to enable or to disable the two factor authentication via TOTP.'
+                    ),
+                ]
+            );
+
+            if ($this->getPopulatedValue('enabled_2fa') === 'y') {
+                // Keep the secret after form submission, otherwise every form submission would generate a new secret.
+                // This would result in the following:
+                // - Users would have to scan a new QR code every time the verification fails.
+                // - Token verification would fail every time because the secret would have changed.
+                if ($secret = $this->getPopulatedValue('2fa_totp_secret')) {
+                    $this->twoFactor = TwoFactorTotp::createFromSecret($secret, $this->user->getUsername());
+                }
+
+                $this->addHtml(new FakeFormElement(
+                    HtmlElement::create('img', Attributes::create([
+                        'class' => 'two-factor-totp-qr-code',
+                        'src'   => $this->twoFactor->createQRCode()
+                    ])),
+                    $this->translate('QR Code'),
+                    $this->translate('Use your authenticator app to scan the QR code.')
+                ));
+
+                $manualAuthUrl = HtmlElement::create(
+                    'div',
+                    Attributes::create(['class' => 'two-factor-totp-auth-url']),
+                    new Text($this->twoFactor->getTotpAuthUrl()),
+                );
+                CopyToClipboard::attachTo($manualAuthUrl);
+                $this->addHtml(new FakeFormElement(
+                    $manualAuthUrl,
+                    $this->translate('Manual Auth URL'),
+                    $this->translate('If you have no camera to scan the QR code you can enter the auth URL manually.')
+                ));
+
+                $this->addElement(
+                    'text',
+                    '2fa_verification_token',
+                    [
+                        'required'    => true,
+                        'label'       => $this->translate('Verification Token'),
+                        'description' => $this->translate(
+                            'Please enter the token from your authenticator app to verify your setup.'
+                        ),
+                        'validators'  => [new TotpTokenValidator()]
+                    ]
+                );
+
+                $this->addElement(
+                    'submit',
+                    static::SUBMIT_VERIFY,
+                    [
+                        'label'               => $this->translate('Verify 2FA TOTP Secret'),
+                        'data-progress-label' => $this->translate('Verifying')
+                    ]
+                );
+            }
+        }
+
+        $this->addElement(
+            'hidden',
+            '2fa_totp_secret',
+            [
+                'value' => $this->twoFactor->getSecret()
+            ]
+        );
+    }
+
+    protected function onSuccess(): void
+    {
+        $twoFactor = TwoFactorTotp::createFromSecret($this->getValue('2fa_totp_secret'), $this->user->getUsername());
+
+        switch ($this->getPressedSubmitElement()?->getName()) {
+            case static::SUBMIT_VERIFY:
+                $token = $this->getValue('2fa_verification_token');
+                if ($token && $twoFactor->verify($token)) {
+                    $twoFactor->saveToDb();
+                    Notification::success($this->translate('2FA via TOTP has been configured successfully.'));
+                } else {
+                    Notification::error($this->translate('The verification token is invalid. Please try again.'));
+
+                    // Don't redirect in this case, as the user might want to try again.
+                    return;
+                }
+
+                break;
+            case static::SUBMIT_DISABLE:
+                $twoFactor->removeFromDb();
+                Notification::success($this->translate('2FA TOTP secret has been removed.'));
+
+                break;
+        }
+
+        $this->setRedirectUrl(Url::fromRequest());
+    }
+}