BookStack/app/Auth/Access/Mfa/MfaSession.php

<?php

namespace BookStack\Auth\Access\Mfa;

class MfaSession
{
    private const MFA_VERIFIED_SESSION_KEY = 'mfa-verification-passed';

    /**
     * Check if MFA is required for the current user.
     */
    public function requiredForCurrentUser(): bool
    {
        // TODO - Test both these cases
        return user()->mfaValues()->exists() || $this->currentUserRoleEnforcesMfa();
    }

    /**
     * Check if a role of the current user enforces MFA.
     */
    protected function currentUserRoleEnforcesMfa(): bool
    {
        return user()->roles()
            ->where('mfa_enforced', '=', true)
            ->exists();
    }

    /**
     * Check if the current MFA session has already been verified.
     */
    public function isVerified(): bool
    {
        return session()->get(self::MFA_VERIFIED_SESSION_KEY) === 'true';
    }

    /**
     * Mark the current session as MFA-verified.
     */
    public function markVerified(): void
    {
        session()->put(self::MFA_VERIFIED_SESSION_KEY, 'true');
    }

}
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 18:23:36 -04:00			`<?php`

			`namespace BookStack\Auth\Access\Mfa;`

			`class MfaSession`
			`{`
			`private const MFA_VERIFIED_SESSION_KEY = 'mfa-verification-passed';`

			`/**`
			`* Check if MFA is required for the current user.`
			`*/`
			`public function requiredForCurrentUser(): bool`
			`{`
			`// TODO - Test both these cases`
			`return user()->mfaValues()->exists() \|\| $this->currentUserRoleEnforcesMfa();`
			`}`

			`/**`
			`* Check if a role of the current user enforces MFA.`
			`*/`
			`protected function currentUserRoleEnforcesMfa(): bool`
			`{`
			`return user()->roles()`
			`->where('mfa_enforced', '=', true)`
			`->exists();`
			`}`

			`/**`
			`* Check if the current MFA session has already been verified.`
			`*/`
			`public function isVerified(): bool`
			`{`
			`return session()->get(self::MFA_VERIFIED_SESSION_KEY) === 'true';`
			`}`

			`/**`
			`* Mark the current session as MFA-verified.`
			`*/`
			`public function markVerified(): void`
			`{`
			`session()->put(self::MFA_VERIFIED_SESSION_KEY, 'true');`
			`}`

			`}`