From a7a66929aac237777c5916eee9c0f86eeac53735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 2 Sep 2020 16:48:23 +0200
Subject: [PATCH 01/27] add user interface for managing 2fa

* update user schema with 2fa columns
---
 management/daemon.py                      |  55 +++++-
 management/mailconfig.py                  |  40 ++++
 management/templates/index.html           |   7 +-
 management/templates/two-factor-auth.html | 220 ++++++++++++++++++++++
 management/totp.py                        |  51 +++++
 setup/mail-users.sh                       |   3 +-
 setup/management.sh                       |   1 +
 7 files changed, 370 insertions(+), 7 deletions(-)
 create mode 100644 management/templates/two-factor-auth.html
 create mode 100644 management/totp.py

diff --git a/management/daemon.py b/management/daemon.py
index b7bf2a66..ebf112f6 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -1,14 +1,15 @@
 import os, os.path, re, json, time
-import subprocess
+import multiprocessing.pool, subprocess
 
 from functools import wraps
 
 from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response
 
-import auth, utils, multiprocessing.pool
+import auth, utils, totp
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
+from mailconfig import get_two_factor_info, set_two_factor_secret, remove_two_factor_secret
 
 env = utils.load_environment()
 
@@ -83,8 +84,8 @@ def authorized_personnel_only(viewfunc):
 def unauthorized(error):
 	return auth_service.make_unauthorized_response()
 
-def json_response(data):
-	return Response(json.dumps(data, indent=2, sort_keys=True)+'\n', status=200, mimetype='application/json')
+def json_response(data, status=200):
+	return Response(json.dumps(data, indent=2, sort_keys=True)+'\n', status=status, mimetype='application/json')
 
 ###################################
 
@@ -334,7 +335,7 @@ def ssl_get_status():
 
 	# What domains can we provision certificates for? What unexpected problems do we have?
 	provision, cant_provision = get_certificates_to_provision(env, show_valid_certs=False)
-	
+
 	# What's the current status of TLS certificates on all of the domain?
 	domains_status = get_web_domains_info(env)
 	domains_status = [
@@ -383,6 +384,50 @@ def ssl_provision_certs():
 	requests = provision_certificates(env, limit_domains=None)
 	return json_response({ "requests": requests })
 
+# Two Factor Auth
+
+@app.route('/two-factor-auth/status', methods=['GET'])
+@authorized_personnel_only
+def two_factor_auth_get_status():
+	email, privs = auth_service.authenticate(request, env)
+	two_factor_secret, two_factor_token = get_two_factor_info(email, env)
+
+	if two_factor_secret != None:
+		return json_response({ 'status': 'on' })
+
+	secret = totp.get_secret()
+	secret_url = totp.get_otp_uri(secret, email)
+	secret_qr = totp.get_qr_code(secret_url)
+
+	return json_response({
+		"status": 'off',
+		"secret": secret,
+		"qr_code": secret_qr
+	})
+
+@app.route('/two-factor-auth/setup', methods=['POST'])
+@authorized_personnel_only
+def two_factor_auth_post_setup():
+	email, privs = auth_service.authenticate(request, env)
+
+	secret = request.form.get('secret')
+	token = request.form.get('token')
+
+	if type(secret) != str or type(token) != str or len(token) != 6 or len(secret) != 32:
+		return json_response({ "error": 'bad_input' }, 400)
+
+	if (totp.validate(secret, token)):
+		set_two_factor_secret(email, secret, token, env)
+		return json_response({})
+
+	return json_response({ "error": 'token_mismatch' }, 400)
+
+@app.route('/two-factor-auth/disable', methods=['POST'])
+@authorized_personnel_only
+def two_factor_auth_post_disable():
+	email, privs = auth_service.authenticate(request, env)
+	remove_two_factor_secret(email, env)
+	return json_response({})
 
 # WEB
 
diff --git a/management/mailconfig.py b/management/mailconfig.py
index b061ea7d..3bc48897 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -547,6 +547,41 @@ def get_required_aliases(env):
 
 	return aliases
 
+def get_two_factor_info(email, env):
+	c = open_database(env)
+
+	c.execute('SELECT two_factor_secret, two_factor_last_used_token FROM users WHERE email=?', (email,))
+	rows = c.fetchall()
+	if len(rows) != 1:
+		raise ValueError("That's not a user (%s)." % email)
+	return (rows[0][0], rows[0][1])
+
+def set_two_factor_secret(email, secret, token, env):
+	validate_two_factor_secret(secret)
+
+	conn, c = open_database(env, with_connection=True)
+	c.execute("UPDATE users SET two_factor_secret=?, two_factor_last_used_token=? WHERE email=?", (secret, token, email))
+	if c.rowcount != 1:
+		raise ValueError("That's not a user (%s)." % email)
+	conn.commit()
+	return "OK"
+
+def set_two_factor_last_used_token(email, token, env):
+	conn, c = open_database(env, with_connection=True)
+	c.execute("UPDATE users SET two_factor_last_used_token=? WHERE email=?", (token, email))
+	if c.rowcount != 1:
+		raise ValueError("That's not a user (%s)." % email)
+	conn.commit()
+	return "OK"
+
+def remove_two_factor_secret(email, env):
+	conn, c = open_database(env, with_connection=True)
+	c.execute("UPDATE users SET two_factor_secret=null, two_factor_last_used_token=null WHERE email=?", (email,))
+	if c.rowcount != 1:
+		raise ValueError("That's not a user (%s)." % email)
+	conn.commit()
+	return "OK"
+
 def kick(env, mail_result=None):
 	results = []
 
@@ -608,6 +643,11 @@ def validate_password(pw):
 	if len(pw) < 8:
 		raise ValueError("Passwords must be at least eight characters.")
 
+def validate_two_factor_secret(secret):
+	if type(secret) != str or secret.strip() == "":
+		raise ValueError("No secret provided.")
+	if len(secret) != 32:
+		raise ValueError("Secret should be a 32 characters base32 string")
 
 if __name__ == "__main__":
 	import sys
diff --git a/management/templates/index.html b/management/templates/index.html
index 2c0d5a9a..3088ef63 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -93,6 +93,7 @@
                 <li class="dropdown-header">Advanced Pages</li>
                 <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                 <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
+                <li><a href="#two_factor_auth" onclick="return show_panel(this);">Two Factor Authentication</a></li>
                 <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
               </ul>
             </li>
@@ -131,7 +132,11 @@
       {% include "custom-dns.html" %}
       </div>
 
-      <div id="panel_login" class="admin_panel">
+      <div id="panel_two_factor_auth" class="admin_panel">
+      {% include "two-factor-auth.html" %}
+      </div>
+
+        <div id="panel_login" class="admin_panel">
       {% include "login.html" %}
       </div>
 
diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
new file mode 100644
index 00000000..9f1a8b5a
--- /dev/null
+++ b/management/templates/two-factor-auth.html
@@ -0,0 +1,220 @@
+<style>
+    .twofactor #setup-2fa,
+    .twofactor #disable-2fa,
+    .twofactor #output-2fa {
+        display: none;
+    }
+
+    .twofactor.loaded .loading-indicator {
+        display: none;
+    }
+
+    .twofactor.disabled #disable-2fa,
+    .twofactor.enabled #setup-2fa {
+        display: none;
+    }
+
+    .twofactor.disabled #setup-2fa,
+    .twofactor.enabled #disable-2fa {
+        display: block;
+    }
+
+    .twofactor #qr-2fa img {
+        display: block;
+        width: 256px;
+        max-width: 100%;
+        height: auto;
+    }
+
+    .twofactor #output-2fa.visible {
+        display: block;
+    }
+</style>
+
+<h2>Two Factor Authentication</h2>
+
+<div class="twofactor">
+    <div class="loading-indicator">Loading...</div>
+
+    <form id="setup-2fa">
+        <div class="form-group">
+            <h3>Setup</h3>
+            <p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
+            <p>1. Scan the QR code or enter the secret into an authenticator app (e.g. Google Authenticator)</p>
+            <div id="qr-2fa"></div>
+        </div>
+
+        <div class="form-group">
+            <label for="otp">2. Enter the code displayed in the Authenticator app</label>
+            <input type="text" id="setup-otp" class="form-control" placeholder="6-digit code" />
+        </div>
+
+        <input type="hidden" id="setup-secret" />
+
+        <div class="form-group">
+            <button id="setup-submit" disabled type="submit" class="btn">Enable two factor authentication</button>
+        </div>
+    </form>
+
+    <form id="disable-2fa">
+        <div class="form-group">
+            <p>Two factor authentication is active.</p>
+        </div>
+
+        <button type="submit" class="btn btn-danger">Disable two factor authentication</button>
+    </form>
+
+    <div id="output-2fa" class="panel panel-danger">
+        <div class="panel-body"></div>
+    </div>
+</div>
+
+<script>
+    var el = {
+        disableForm: document.getElementById('disable-2fa'),
+        output: document.getElementById('output-2fa'),
+        setupForm: document.getElementById('setup-2fa'),
+        setupInputOtp: document.getElementById('setup-otp'),
+        setupInputSecret: document.getElementById('setup-secret'),
+        setupQr: document.getElementById('qr-2fa'),
+        setupSubmit: document.querySelector('#setup-2fa button[type="submit"]'),
+        wrapper: document.querySelector('.twofactor')
+    }
+
+    function update_setup_disabled(evt) {
+        var val = evt.target.value.trim();
+
+        if (
+            typeof val !== 'string' ||
+            typeof el.setupInputSecret.value !== 'string' ||
+            val.length !== 6 ||
+            el.setupInputSecret.value.length !== 32 ||
+            !(/^\+?\d+$/.test(val))
+        ) {
+            el.setupSubmit.setAttribute('disabled', '');
+        } else {
+            el.setupSubmit.removeAttribute('disabled');
+        }
+    }
+
+    function render_setup(res) {
+        function render_qr_code(encoded) {
+            var img = document.createElement('img');
+            img.src = encoded;
+
+            var code = document.createElement('div');
+            code.innerHTML = `Secret: ${res.secret}`;
+
+            el.setupQr.appendChild(img);
+            el.setupQr.appendChild(code);
+        }
+
+        el.setupInputOtp.addEventListener('input', update_setup_disabled);
+        el.setupForm.addEventListener('submit', do_setup);
+
+        el.setupInputSecret.setAttribute('value', res.secret);
+
+        render_qr_code(res.qr_code);
+        el.wrapper.classList.add('disabled');
+    }
+
+    function render_disable() {
+        el.disableForm.addEventListener('submit', do_disable);
+        el.wrapper.classList.add('enabled');
+    }
+
+    function hide_error() {
+        el.output.querySelector('.panel-body').innerHTML = '';
+        el.output.classList.remove('visible');
+    }
+
+    function render_error(msg) {
+        el.output.querySelector('.panel-body').innerHTML = msg;
+        el.output.classList.add('visible');
+    }
+
+    function reset_view() {
+        el.wrapper.classList.remove('loaded', 'disabled', 'enabled');
+
+        el.disableForm.removeEventListener('submit', do_disable);
+
+        hide_error();
+
+        el.setupForm.reset();
+        el.setupForm.removeEventListener('submit', do_setup);
+
+        el.setupInputSecret.setAttribute('value', '');
+        el.setupInputOtp.removeEventListener('input', update_setup_disabled);
+
+        el.setupSubmit.setAttribute('disabled', '');
+        el.setupQr.innerHTML = '';
+    }
+
+    function show_two_factor_auth() {
+        reset_view();
+
+        api(
+            '/two-factor-auth/status',
+            'GET',
+            {},
+            function(res) {
+                el.wrapper.classList.add('loaded');
+                var isEnabled = res.status === 'on'
+                return isEnabled ? render_disable(res) : render_setup(res);
+            }
+        );
+    }
+
+    function do_disable(evt) {
+        evt.preventDefault();
+        hide_error();
+
+        api(
+            '/two-factor-auth/disable',
+            'POST',
+            {},
+            function() { show_two_factor_auth(); }
+        );
+
+        return false;
+    }
+
+    function do_setup(evt) {
+        evt.preventDefault();
+        hide_error();
+
+        api(
+            '/two-factor-auth/setup',
+            'POST',
+            {
+                token: $(el.setupInputOtp).val(),
+                secret: $(el.setupInputSecret).val()
+            },
+            function(res) { show_two_factor_auth(); },
+            function(res) {
+                var errorMessage = 'Something went wrong.';
+                var parsed;
+
+                try {
+                    parsed = JSON.parse(res);
+                } catch (err) {
+                    return render_error(errorMessage);
+                }
+
+                var error = parsed && parsed.error
+                    ? parsed.error
+                    : null;
+
+                if (error === 'token_mismatch') {
+                    errorMessage = 'Code does not match.';
+                } else if (error === 'bad_input') {
+                    errorMessage = 'Received request with malformed data.';
+                }
+
+                render_error(errorMessage);
+            }
+        );
+
+        return false;
+    }
+</script>
diff --git a/management/totp.py b/management/totp.py
new file mode 100644
index 00000000..52cdc256
--- /dev/null
+++ b/management/totp.py
@@ -0,0 +1,51 @@
+import base64
+import hmac
+import io
+import os
+import struct
+import time
+from urllib.parse import quote
+import qrcode
+
+def get_secret():
+	return base64.b32encode(os.urandom(20)).decode('utf-8')
+
+def get_otp_uri(secret, email):
+	site_name = 'mailinabox'
+
+	return 'otpauth://totp/{}:{}?secret={}&issuer={}'.format(
+		quote(site_name),
+		quote(email),
+		secret,
+		quote(site_name)
+	)
+
+def get_qr_code(data):
+	qr = qrcode.make(data)
+	byte_arr = io.BytesIO()
+	qr.save(byte_arr, format='PNG')
+
+	encoded = base64.b64encode(byte_arr.getvalue()).decode('utf-8')
+	return 'data:image/png;base64,{}'.format(encoded)
+
+def validate(secret, token):
+	"""
+	@see https://tools.ietf.org/html/rfc6238#section-4
+	@see https://tools.ietf.org/html/rfc4226#section-5.4
+	@see https://git.sr.ht/~sircmpwn/meta.sr.ht/tree/master/metasrht/totp.py
+	@see https://github.com/susam/mintotp/blob/master/mintotp.py
+	TODO: resynchronisation
+	"""
+	key = base64.b32decode(secret)
+	tm = int(time.time() / 30)
+	digits = 6
+
+	step = 0
+	counter = struct.pack('>Q', tm + step)
+
+	hm = hmac.HMAC(key, counter, 'sha1').digest()
+	offset = hm[-1] &0x0F
+	binary = struct.unpack(">L", hm[offset:offset + 4])[0] & 0x7fffffff
+
+	code = str(binary)[-digits:].rjust(digits, '0')
+	return token == code
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index e54485bb..3047489b 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -20,7 +20,8 @@ db_path=$STORAGE_ROOT/mail/users.sqlite
 # Create an empty database if it doesn't yet exist.
 if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
-	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
+    # TODO: Add migration
+	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '', two_factor_secret TEXT, two_factor_last_used_token TEXT);" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
 fi
 
diff --git a/setup/management.sh b/setup/management.sh
index 4b398aa2..ce78b171 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -50,6 +50,7 @@ hide_output $venv/bin/pip install --upgrade pip
 hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
 	flask dnspython python-dateutil \
+    qrcode[pil] \
 	"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver
 
 # CONFIGURATION

From 3c3683429b0774bad9210829cbe0caf43d3dc14d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 2 Sep 2020 17:23:32 +0200
Subject: [PATCH 02/27] implement two factor check during login

---
 management/auth.py              | 48 +++++++++++++++++++---
 management/daemon.py            | 34 ++++++++++++++--
 management/templates/index.html |  4 +-
 management/templates/login.html | 70 ++++++++++++++++++++++++++-------
 4 files changed, 130 insertions(+), 26 deletions(-)

diff --git a/management/auth.py b/management/auth.py
index 55f59664..83d9c1d6 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -2,12 +2,19 @@ import base64, os, os.path, hmac
 
 from flask import make_response
 
-import utils
+import utils, totp
 from mailconfig import get_mail_password, get_mail_user_privileges
+from mailconfig import get_two_factor_info, set_two_factor_last_used_token
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
 
+class MissingTokenError(ValueError):
+	pass
+
+class BadTokenError(ValueError):
+	pass
+
 class KeyAuthService:
 	"""Generate an API key for authenticating clients
 
@@ -76,23 +83,52 @@ class KeyAuthService:
 			return (None, ["admin"])
 		else:
 			# The user is trying to log in with a username and user-specific
-			# API key or password. Raises or returns privs.
-			return (username, self.get_user_credentials(username, password, env))
+			# API key or password. Raises or returns privs and an indicator
+			# whether the user is using their password or a user-specific API-key.
+			privs, is_user_key = self.get_user_credentials(username, password, env)
+
+			# If the user is using their API key to login, 2FA has been passed before
+			if is_user_key:
+				return (username, privs)
+
+			secret, last_token = get_two_factor_info(username, env)
+
+			# 2FA is not enabled, we can skip further checks
+			if secret == "" or secret == None:
+				return (username, privs)
+
+			# If 2FA is enabled, raise if:
+			# 1. no token is provided via `x-auth-token`
+			# 2. a previously supplied token is used (to counter replay attacks)
+			# 3. the token is invalid
+			# in that case, we need to raise and indicate to the client to supply a TOTP
+			token_header = request.headers.get('x-auth-token')
+			if token_header == None or token_header == "":
+				raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
+
+			# TODO: Should a token replay be handled as its own error?
+			if token_header == last_token or totp.validate(secret, token_header) != True:
+				raise BadTokenError("Two factor code incorrect")
+
+			set_two_factor_last_used_token(username, token_header, env)
+			return (username, privs)
 
 	def get_user_credentials(self, email, pw, env):
 		# Validate a user's credentials. On success returns a list of
 		# privileges (e.g. [] or ['admin']). On failure raises a ValueError
-		# with a login error message. 
+		# with a login error message.
 
 		# Sanity check.
 		if email == "" or pw == "":
 			raise ValueError("Enter an email address and password.")
 
+		is_user_key = False
+
 		# The password might be a user-specific API key. create_user_key raises
 		# a ValueError if the user does not exist.
 		if hmac.compare_digest(self.create_user_key(email, env), pw):
 			# OK.
-			pass
+			is_user_key = True
 		else:
 			# Get the hashed password of the user. Raise a ValueError if the
 			# email address does not correspond to a user.
@@ -119,7 +155,7 @@ class KeyAuthService:
 		if isinstance(privs, tuple): raise ValueError(privs[0])
 
 		# Return a list of privileges.
-		return privs
+		return (privs, is_user_key)
 
 	def create_user_key(self, email, env):
 		# Store an HMAC with the client. The hashed message of the HMAC will be the user's
diff --git a/management/daemon.py b/management/daemon.py
index ebf112f6..b80b1e73 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -40,14 +40,23 @@ def authorized_personnel_only(viewfunc):
 		error = None
 		try:
 			email, privs = auth_service.authenticate(request, env)
+		except auth.MissingTokenError as e:
+			privs = []
+			error = str(e)
+		except auth.BadTokenError as e:
+			# Write a line in the log recording the failed login
+			log_failed_login(request)
+
+			privs = []
+			error = str(e)
 		except ValueError as e:
+			# Write a line in the log recording the failed login
+			log_failed_login(request)
+
 			# Authentication failed.
 			privs = []
 			error = "Incorrect username or password"
 
-			# Write a line in the log recording the failed login
-			log_failed_login(request)
-
 		# Authorized to access an API view?
 		if "admin" in privs:
 			# Call view func.
@@ -119,6 +128,23 @@ def me():
 	# Is the caller authorized?
 	try:
 		email, privs = auth_service.authenticate(request, env)
+	except auth.MissingTokenError as e:
+		# Log the failed login
+		log_failed_login(request)
+
+		return json_response({
+			"status": "missing_token",
+			"reason": str(e),
+		})
+	except auth.BadTokenError as e:
+		# Log the failed login
+		log_failed_login(request)
+
+		return json_response({
+			"status": "bad_token",
+			"reason": str(e),
+		})
+
 	except ValueError as e:
 		# Log the failed login
 		log_failed_login(request)
@@ -126,7 +152,7 @@ def me():
 		return json_response({
 			"status": "invalid",
 			"reason": "Incorrect username or password",
-			})
+		})
 
 	resp = {
 		"status": "ok",
diff --git a/management/templates/index.html b/management/templates/index.html
index 3088ef63..b0d86dd3 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -297,7 +297,7 @@ function ajax_with_indicator(options) {
 }
 
 var api_credentials = ["", ""];
-function api(url, method, data, callback, callback_error) {
+function api(url, method, data, callback, callback_error, headers) {
   // from http://www.webtoolkit.info/javascript-base64.html
   function base64encode(input) {
     _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
@@ -335,7 +335,7 @@ function api(url, method, data, callback, callback_error) {
     method: method,
     cache: false,
     data: data,
-
+    headers: headers,
     // the custom DNS api sends raw POST/PUT bodies --- prevent URL-encoding
     processData: typeof data != "string",
     mimeType: typeof data == "string" ? "text/plain; charset=ascii" : null,
diff --git a/management/templates/login.html b/management/templates/login.html
index b6e74df6..0322dd5f 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -1,4 +1,29 @@
-<h1 style="margin: 1em; text-align: center">{{hostname}}</h1>
+<style>
+  .title {
+    margin: 1em;
+    text-align: center;
+  }
+
+  .subtitle {
+    margin: 2em;
+    text-align: center;
+  }
+
+  .login {
+    margin: 0 auto;
+    max-width: 32em;
+  }
+
+  .login #loginOtp {
+    display: none;
+  }
+
+  #loginForm.twofactor #loginOtp {
+    display: block
+  }
+</style>
+
+<h1 class="title">{{hostname}}</h1>
 
 {% if no_users_exist or no_admins_exist %}
 <div class="row">
@@ -20,10 +45,10 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
 </div>
 {% endif %}
 
-<p style="margin: 2em; text-align: center;">Log in here for your Mail-in-a-Box control panel.</p>
+<p class="subtitle">Log in here for your Mail-in-a-Box control panel.</p>
 
-<div style="margin: 0 auto; max-width: 32em;">
-  <form class="form-horizontal" role="form" onsubmit="do_login(); return false;" method="get">
+<div class="login">
+  <form id="loginForm" class="form-horizontal" role="form" onsubmit="do_login(); return false;" method="get">
     <div class="form-group">
       <label for="inputEmail3" class="col-sm-3 control-label">Email</label>
       <div class="col-sm-9">
@@ -45,6 +70,12 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
         </div>
       </div>
     </div>
+    <div class="form-group" id="loginOtp">
+        <label for="loginOtpInput" class="col-sm-3 control-label">Two Factor Code</label>
+        <div class="col-sm-9">
+            <input type="text" class="form-control" id="loginOtpInput" placeholder="123456">
+        </div>
+    </div>
     <div class="form-group">
       <div class="col-sm-offset-3 col-sm-9">
         <button type="submit" class="btn btn-default">Sign in</button>
@@ -53,7 +84,6 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
   </form>
 </div>
 
-
 <script>
 function do_login() {
   if ($('#loginEmail').val() == "") {
@@ -75,17 +105,21 @@ function do_login() {
   api(
   "/me",
   "GET",
-  { },
-  function(response){
+  {},
+  function(response) {
     // This API call always succeeds. It returns a JSON object indicating
     // whether the request was authenticated or not.
-    if (response.status != "ok") {
-      // Show why the login failed.
-      show_modal_error("Login Failed", response.reason)
-
-      // Reset any saved credentials.
-      do_logout();
+    if (response.status != 'ok') {
+      if (response.status === 'missing_token' && !$('#loginForm').hasClass('twofactor')) {
+        $('#loginForm').addClass('twofactor');
+      } else {
+        $('#loginForm').removeClass('twofactor');
+        // Show why the login failed.
+        show_modal_error("Login Failed", response.reason)
 
+        // Reset any saved credentials.
+        do_logout();
+      }
     } else if (!("api_key" in response)) {
       // Login succeeded but user might not be authorized!
       show_modal_error("Login Failed", "You are not an administrator on this system.")
@@ -102,6 +136,8 @@ function do_login() {
       // Try to wipe the username/password information.
       $('#loginEmail').val('');
       $('#loginPassword').val('');
+      $('#loginOtpInput').val('');
+      $('#loginForm').removeClass('twofactor');
 
       // Remember the credentials.
       if (typeof localStorage != 'undefined' && typeof sessionStorage != 'undefined') {
@@ -119,7 +155,11 @@ function do_login() {
       // which confuses the loading indicator.
       setTimeout(function() { show_panel(!switch_back_to_panel || switch_back_to_panel == "login" ? 'system_status' : switch_back_to_panel) }, 300);
     }
-  })
+  },
+  undefined,
+  {
+    'x-auth-token': $('#loginOtpInput').val()
+  });
 }
 
 function do_logout() {
@@ -132,6 +172,8 @@ function do_logout() {
 }
 
 function show_login() {
+  $('#loginForm').removeClass('twofactor');
+  $('#loginOtpInput').val('');
   $('#loginEmail,#loginPassword').each(function() {
     var input = $(this);
     if (!$.trim(input.val())) {

From f205c48564aaceeff11ae3823cec97efb8bdff27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 2 Sep 2020 19:12:15 +0200
Subject: [PATCH 03/27] Use pyotp for validating TOTP codes

* also implements resynchronisation support via `pyotp`'s `valid_window option
---
 management/totp.py  | 30 ++++++------------------------
 setup/management.sh |  2 +-
 2 files changed, 7 insertions(+), 25 deletions(-)

diff --git a/management/totp.py b/management/totp.py
index 52cdc256..908b4764 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -4,20 +4,16 @@ import io
 import os
 import struct
 import time
-from urllib.parse import quote
+import pyotp
 import qrcode
 
 def get_secret():
 	return base64.b32encode(os.urandom(20)).decode('utf-8')
 
 def get_otp_uri(secret, email):
-	site_name = 'mailinabox'
-
-	return 'otpauth://totp/{}:{}?secret={}&issuer={}'.format(
-		quote(site_name),
-		quote(email),
-		secret,
-		quote(site_name)
+	return pyotp.TOTP(secret).provisioning_uri(
+		name=email,
+		issuer_name='mailinabox'
 	)
 
 def get_qr_code(data):
@@ -32,20 +28,6 @@ def validate(secret, token):
 	"""
 	@see https://tools.ietf.org/html/rfc6238#section-4
 	@see https://tools.ietf.org/html/rfc4226#section-5.4
-	@see https://git.sr.ht/~sircmpwn/meta.sr.ht/tree/master/metasrht/totp.py
-	@see https://github.com/susam/mintotp/blob/master/mintotp.py
-	TODO: resynchronisation
 	"""
-	key = base64.b32decode(secret)
-	tm = int(time.time() / 30)
-	digits = 6
-
-	step = 0
-	counter = struct.pack('>Q', tm + step)
-
-	hm = hmac.HMAC(key, counter, 'sha1').digest()
-	offset = hm[-1] &0x0F
-	binary = struct.unpack(">L", hm[offset:offset + 4])[0] & 0x7fffffff
-
-	code = str(binary)[-digits:].rjust(digits, '0')
-	return token == code
+	totp = pyotp.TOTP(secret)
+	return totp.verify(token, valid_window=2)
diff --git a/setup/management.sh b/setup/management.sh
index ce78b171..ae942985 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -50,7 +50,7 @@ hide_output $venv/bin/pip install --upgrade pip
 hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "exclusiveprocess" \
 	flask dnspython python-dateutil \
-    qrcode[pil] \
+    qrcode[pil] pyotp \
 	"idna>=2.0.0" "cryptography==2.2.2" boto psutil postfix-mta-sts-resolver
 
 # CONFIGURATION

From 8597646a12fba8fbe53788930c2c04ac5c8c7e43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 2 Sep 2020 19:41:06 +0200
Subject: [PATCH 04/27] Update API route naming, update setup page

* Rename /two-factor-auth/ => /2fa/
* Nest totp routes under /2fa/totp/
* Update ids and methods in panel to allow for different setup types
---
 management/daemon.py                      | 28 ++++----
 management/templates/index.html           |  2 +-
 management/templates/two-factor-auth.html | 80 +++++++++++------------
 3 files changed, 56 insertions(+), 54 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index b80b1e73..e1e5be60 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -412,29 +412,31 @@ def ssl_provision_certs():
 
 # Two Factor Auth
 
-@app.route('/two-factor-auth/status', methods=['GET'])
+@app.route('/2fa/status', methods=['GET'])
 @authorized_personnel_only
 def two_factor_auth_get_status():
-	email, privs = auth_service.authenticate(request, env)
-	two_factor_secret, two_factor_token = get_two_factor_info(email, env)
+	email, _ = auth_service.authenticate(request, env)
+	two_factor_secret, _ = get_two_factor_info(email, env)
 
 	if two_factor_secret != None:
-		return json_response({ 'status': 'on' })
+		return json_response({
+			"type": 'totp'
+		})
 
 	secret = totp.get_secret()
 	secret_url = totp.get_otp_uri(secret, email)
 	secret_qr = totp.get_qr_code(secret_url)
 
 	return json_response({
-		"status": 'off',
-		"secret": secret,
-		"qr_code": secret_qr
+		"type": None,
+		"totp_secret": secret,
+		"totp_qr": secret_qr
 	})
 
-@app.route('/two-factor-auth/setup', methods=['POST'])
+@app.route('/2fa/totp/enable', methods=['POST'])
 @authorized_personnel_only
-def two_factor_auth_post_setup():
-	email, privs = auth_service.authenticate(request, env)
+def totp_post_enable():
+	email, _ = auth_service.authenticate(request, env)
 
 	secret = request.form.get('secret')
 	token = request.form.get('token')
@@ -448,10 +450,10 @@ def two_factor_auth_post_setup():
 
 	return json_response({ "error": 'token_mismatch' }, 400)
 
-@app.route('/two-factor-auth/disable', methods=['POST'])
+@app.route('/2fa/totp/disable', methods=['POST'])
 @authorized_personnel_only
-def two_factor_auth_post_disable():
-	email, privs = auth_service.authenticate(request, env)
+def totp_post_disable():
+	email, _ = auth_service.authenticate(request, env)
 	remove_two_factor_secret(email, env)
 	return json_response({})
 
diff --git a/management/templates/index.html b/management/templates/index.html
index b0d86dd3..7f8a1e32 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -136,7 +136,7 @@
       {% include "two-factor-auth.html" %}
       </div>
 
-        <div id="panel_login" class="admin_panel">
+      <div id="panel_login" class="admin_panel">
       {% include "login.html" %}
       </div>
 
diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
index 9f1a8b5a..810e600e 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/two-factor-auth.html
@@ -1,5 +1,5 @@
 <style>
-    .twofactor #setup-2fa,
+    .twofactor #totp-setup,
     .twofactor #disable-2fa,
     .twofactor #output-2fa {
         display: none;
@@ -10,16 +10,16 @@
     }
 
     .twofactor.disabled #disable-2fa,
-    .twofactor.enabled #setup-2fa {
+    .twofactor.enabled #totp-setup {
         display: none;
     }
 
-    .twofactor.disabled #setup-2fa,
+    .twofactor.disabled #totp-setup,
     .twofactor.enabled #disable-2fa {
         display: block;
     }
 
-    .twofactor #qr-2fa img {
+    .twofactor #totp-setup-qr img {
         display: block;
         width: 256px;
         max-width: 100%;
@@ -36,23 +36,23 @@
 <div class="twofactor">
     <div class="loading-indicator">Loading...</div>
 
-    <form id="setup-2fa">
+    <form id="totp-setup">
         <div class="form-group">
             <h3>Setup</h3>
             <p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
             <p>1. Scan the QR code or enter the secret into an authenticator app (e.g. Google Authenticator)</p>
-            <div id="qr-2fa"></div>
+            <div id="totp-setup-qr"></div>
         </div>
 
         <div class="form-group">
             <label for="otp">2. Enter the code displayed in the Authenticator app</label>
-            <input type="text" id="setup-otp" class="form-control" placeholder="6-digit code" />
+            <input type="text" id="totp-setup-token" class="form-control" placeholder="6-digit code" />
         </div>
 
-        <input type="hidden" id="setup-secret" />
+        <input type="hidden" id="totp-setup-secret" />
 
         <div class="form-group">
-            <button id="setup-submit" disabled type="submit" class="btn">Enable two factor authentication</button>
+            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable two factor authentication</button>
         </div>
     </form>
 
@@ -73,11 +73,11 @@
     var el = {
         disableForm: document.getElementById('disable-2fa'),
         output: document.getElementById('output-2fa'),
-        setupForm: document.getElementById('setup-2fa'),
-        setupInputOtp: document.getElementById('setup-otp'),
-        setupInputSecret: document.getElementById('setup-secret'),
-        setupQr: document.getElementById('qr-2fa'),
-        setupSubmit: document.querySelector('#setup-2fa button[type="submit"]'),
+        totpSetupForm: document.getElementById('totp-setup'),
+        totpSetupToken: document.getElementById('totp-setup-token'),
+        totpSetupSecret: document.getElementById('totp-setup-secret'),
+        totpQr: document.getElementById('totp-setup-qr'),
+        totpSetupSubmit: document.querySelector('#totp-setup-submit'),
         wrapper: document.querySelector('.twofactor')
     }
 
@@ -86,35 +86,35 @@
 
         if (
             typeof val !== 'string' ||
-            typeof el.setupInputSecret.value !== 'string' ||
+            typeof el.totpSetupSecret.value !== 'string' ||
             val.length !== 6 ||
-            el.setupInputSecret.value.length !== 32 ||
+            el.totpSetupSecret.value.length !== 32 ||
             !(/^\+?\d+$/.test(val))
         ) {
-            el.setupSubmit.setAttribute('disabled', '');
+            el.totpSetupSubmit.setAttribute('disabled', '');
         } else {
-            el.setupSubmit.removeAttribute('disabled');
+            el.totpSetupSubmit.removeAttribute('disabled');
         }
     }
 
-    function render_setup(res) {
+    function render_totp_setup(res) {
         function render_qr_code(encoded) {
             var img = document.createElement('img');
             img.src = encoded;
 
             var code = document.createElement('div');
-            code.innerHTML = `Secret: ${res.secret}`;
+            code.innerHTML = `Secret: ${res.totp_secret}`;
 
-            el.setupQr.appendChild(img);
-            el.setupQr.appendChild(code);
+            el.totpQr.appendChild(img);
+            el.totpQr.appendChild(code);
         }
 
-        el.setupInputOtp.addEventListener('input', update_setup_disabled);
-        el.setupForm.addEventListener('submit', do_setup);
+        el.totpSetupToken.addEventListener('input', update_setup_disabled);
+        el.totpSetupForm.addEventListener('submit', do_enable_totp);
 
-        el.setupInputSecret.setAttribute('value', res.secret);
+        el.totpSetupSecret.setAttribute('value', res.totp_secret);
+        render_qr_code(res.totp_qr);
 
-        render_qr_code(res.qr_code);
         el.wrapper.classList.add('disabled');
     }
 
@@ -140,27 +140,27 @@
 
         hide_error();
 
-        el.setupForm.reset();
-        el.setupForm.removeEventListener('submit', do_setup);
+        el.totpSetupForm.reset();
+        el.totpSetupForm.removeEventListener('submit', do_enable_totp);
 
-        el.setupInputSecret.setAttribute('value', '');
-        el.setupInputOtp.removeEventListener('input', update_setup_disabled);
+        el.totpSetupSecret.setAttribute('value', '');
+        el.totpSetupToken.removeEventListener('input', update_setup_disabled);
 
-        el.setupSubmit.setAttribute('disabled', '');
-        el.setupQr.innerHTML = '';
+        el.totpSetupSubmit.setAttribute('disabled', '');
+        el.totpQr.innerHTML = '';
     }
 
     function show_two_factor_auth() {
         reset_view();
 
         api(
-            '/two-factor-auth/status',
+            '/2fa/status',
             'GET',
             {},
             function(res) {
                 el.wrapper.classList.add('loaded');
-                var isEnabled = res.status === 'on'
-                return isEnabled ? render_disable(res) : render_setup(res);
+                var isTotpEnabled = res.type === 'totp'
+                return isTotpEnabled ? render_disable(res) : render_totp_setup(res);
             }
         );
     }
@@ -170,7 +170,7 @@
         hide_error();
 
         api(
-            '/two-factor-auth/disable',
+            '/2fa/totp/disable',
             'POST',
             {},
             function() { show_two_factor_auth(); }
@@ -179,16 +179,16 @@
         return false;
     }
 
-    function do_setup(evt) {
+    function do_enable_totp(evt) {
         evt.preventDefault();
         hide_error();
 
         api(
-            '/two-factor-auth/setup',
+            '/2fa/totp/enable',
             'POST',
             {
-                token: $(el.setupInputOtp).val(),
-                secret: $(el.setupInputSecret).val()
+                token: $(el.totpSetupToken).val(),
+                secret: $(el.totpSetupSecret).val()
             },
             function(res) { show_two_factor_auth(); },
             function(res) {

From 6594e19a1fa5f6e31ed76d7daf1f8c9dda39e1fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 2 Sep 2020 20:30:08 +0200
Subject: [PATCH 05/27] Autofocus otp input when logging in, update layout

---
 management/templates/login.html | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/management/templates/login.html b/management/templates/login.html
index 0322dd5f..8d8bd394 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -18,7 +18,7 @@
     display: none;
   }
 
-  #loginForm.twofactor #loginOtp {
+  #loginForm.is-twofactor #loginOtp {
     display: block
   }
 </style>
@@ -71,9 +71,9 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
       </div>
     </div>
     <div class="form-group" id="loginOtp">
-        <label for="loginOtpInput" class="col-sm-3 control-label">Two Factor Code</label>
-        <div class="col-sm-9">
-            <input type="text" class="form-control" id="loginOtpInput" placeholder="123456">
+        <div class="col-sm-offset-3 col-sm-9">
+          <label for="loginOtpInput" class="control-label">Two Factor Code</label>
+          <input type="text" class="form-control" id="loginOtpInput" placeholder="6-digit code">
         </div>
     </div>
     <div class="form-group">
@@ -88,10 +88,11 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
 function do_login() {
   if ($('#loginEmail').val() == "") {
     show_modal_error("Login Failed", "Enter your email address.", function() {
-	$('#loginEmail').focus();
+      $('#loginEmail').focus();
     });
     return false;
   }
+
   if ($('#loginPassword').val() == "") {
     show_modal_error("Login Failed", "Enter your email password.", function() {
         $('#loginPassword').focus();
@@ -110,10 +111,13 @@ function do_login() {
     // This API call always succeeds. It returns a JSON object indicating
     // whether the request was authenticated or not.
     if (response.status != 'ok') {
-      if (response.status === 'missing_token' && !$('#loginForm').hasClass('twofactor')) {
-        $('#loginForm').addClass('twofactor');
+      if (response.status === 'missing_token' && !$('#loginForm').hasClass('is-twofactor')) {
+        $('#loginForm').addClass('is-twofactor');
+        setTimeout(() => {
+            $('#loginOtpInput').focus();
+        });
       } else {
-        $('#loginForm').removeClass('twofactor');
+        $('#loginForm').removeClass('is-twofactor');
         // Show why the login failed.
         show_modal_error("Login Failed", response.reason)
 
@@ -137,7 +141,7 @@ function do_login() {
       $('#loginEmail').val('');
       $('#loginPassword').val('');
       $('#loginOtpInput').val('');
-      $('#loginForm').removeClass('twofactor');
+      $('#loginForm').removeClass('is-twofactor');
 
       // Remember the credentials.
       if (typeof localStorage != 'undefined' && typeof sessionStorage != 'undefined') {
@@ -172,7 +176,7 @@ function do_logout() {
 }
 
 function show_login() {
-  $('#loginForm').removeClass('twofactor');
+  $('#loginForm').removeClass('is-twofactor');
   $('#loginOtpInput').val('');
   $('#loginEmail,#loginPassword').each(function() {
     var input = $(this);

From ce70f44c581013435d76c2853ee2702ed7076b38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 11:19:19 +0200
Subject: [PATCH 06/27] Extract TOTPStrategy class to totp.py

* this decouples `TOTP` validation and storage logic from `auth` and moves it to `totp`
* reduce `pyotp.validate#valid_window` from `2` to `1`
---
 management/auth.py   | 29 +++--------------------------
 management/daemon.py |  8 ++++----
 management/totp.py   | 41 ++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 47 insertions(+), 31 deletions(-)

diff --git a/management/auth.py b/management/auth.py
index 83d9c1d6..27d9f094 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -4,17 +4,10 @@ from flask import make_response
 
 import utils, totp
 from mailconfig import get_mail_password, get_mail_user_privileges
-from mailconfig import get_two_factor_info, set_two_factor_last_used_token
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
 
-class MissingTokenError(ValueError):
-	pass
-
-class BadTokenError(ValueError):
-	pass
-
 class KeyAuthService:
 	"""Generate an API key for authenticating clients
 
@@ -91,26 +84,10 @@ class KeyAuthService:
 			if is_user_key:
 				return (username, privs)
 
-			secret, last_token = get_two_factor_info(username, env)
+			totp_strategy = totp.TOTPStrategy(email=username)
+			# this will raise `totp.MissingTokenError` or `totp.BadTokenError` for bad requests
+			totp_strategy.validate_request(request, env)
 
-			# 2FA is not enabled, we can skip further checks
-			if secret == "" or secret == None:
-				return (username, privs)
-
-			# If 2FA is enabled, raise if:
-			# 1. no token is provided via `x-auth-token`
-			# 2. a previously supplied token is used (to counter replay attacks)
-			# 3. the token is invalid
-			# in that case, we need to raise and indicate to the client to supply a TOTP
-			token_header = request.headers.get('x-auth-token')
-			if token_header == None or token_header == "":
-				raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
-
-			# TODO: Should a token replay be handled as its own error?
-			if token_header == last_token or totp.validate(secret, token_header) != True:
-				raise BadTokenError("Two factor code incorrect")
-
-			set_two_factor_last_used_token(username, token_header, env)
 			return (username, privs)
 
 	def get_user_credentials(self, email, pw, env):
diff --git a/management/daemon.py b/management/daemon.py
index e1e5be60..75e438d5 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -40,10 +40,10 @@ def authorized_personnel_only(viewfunc):
 		error = None
 		try:
 			email, privs = auth_service.authenticate(request, env)
-		except auth.MissingTokenError as e:
+		except totp.MissingTokenError as e:
 			privs = []
 			error = str(e)
-		except auth.BadTokenError as e:
+		except totp.BadTokenError as e:
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
 
@@ -128,7 +128,7 @@ def me():
 	# Is the caller authorized?
 	try:
 		email, privs = auth_service.authenticate(request, env)
-	except auth.MissingTokenError as e:
+	except totp.MissingTokenError as e:
 		# Log the failed login
 		log_failed_login(request)
 
@@ -136,7 +136,7 @@ def me():
 			"status": "missing_token",
 			"reason": str(e),
 		})
-	except auth.BadTokenError as e:
+	except totp.BadTokenError as e:
 		# Log the failed login
 		log_failed_login(request)
 
diff --git a/management/totp.py b/management/totp.py
index 908b4764..2cb1b148 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -6,6 +6,7 @@ import struct
 import time
 import pyotp
 import qrcode
+from mailconfig import get_two_factor_info, set_two_factor_last_used_token
 
 def get_secret():
 	return base64.b32encode(os.urandom(20)).decode('utf-8')
@@ -30,4 +31,42 @@ def validate(secret, token):
 	@see https://tools.ietf.org/html/rfc4226#section-5.4
 	"""
 	totp = pyotp.TOTP(secret)
-	return totp.verify(token, valid_window=2)
+	return totp.verify(token, valid_window=1)
+
+class MissingTokenError(ValueError):
+	pass
+
+class BadTokenError(ValueError):
+	pass
+
+class TOTPStrategy():
+	def __init__(self, email):
+		self.type = 'totp'
+		self.email = email
+
+	def store_successful_login(self, token, env):
+		return set_two_factor_last_used_token(self.email, token, env)
+
+	def validate_request(self, request, env):
+		secret, mru_token = get_two_factor_info(self.email, env)
+
+		# 2FA is not enabled, we can skip further checks
+		if secret == "" or secret == None:
+			return True
+
+		# If 2FA is enabled, raise if:
+		# 1. no token is provided via `x-auth-token`
+		# 2. a previously supplied token is used (to counter replay attacks)
+		# 3. the token is invalid
+		# in that case, we need to raise and indicate to the client to supply a TOTP
+		token_header = request.headers.get('x-auth-token')
+
+		if token_header == None or token_header == "":
+			raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
+
+		# TODO: Should a token replay be handled as its own error?
+		if token_header == mru_token or validate(secret, token_header) != True:
+			raise BadTokenError("Two factor code incorrect")
+
+		self.store_successful_login(token_header, env)
+		return True

From 89b301afc7f8123d06f9b8daeff0943b68410b01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 13:48:03 +0200
Subject: [PATCH 07/27] Update OpenApi docs, rename /2fa/ => /mfa/

---
 api/mailinabox.yml                        | 128 +++++++++++++++++++++-
 management/daemon.py                      |   7 +-
 management/templates/two-factor-auth.html |   6 +-
 3 files changed, 134 insertions(+), 7 deletions(-)

diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 57ba5aa4..27c248da 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -8,7 +8,7 @@ info:
     This API is documented in [**OpenAPI format**](http://spec.openapis.org/oas/v3.0.3).
     ([View the full HTTP specification](https://raw.githubusercontent.com/mail-in-a-box/mailinabox/api-spec/api/mailinabox.yml).)
 
-    All endpoints are relative to `https://{host}/admin` and are secured with [`Basic Access` authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
+    All endpoints are relative to `https://{host}/admin` and are secured with [`Basic Access` authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). If you have multi-factor authentication enabled, authentication with a `user:password` combination will fail unless a valid OTP is supplied via the `x-auth-token` header. Authentication via a `user:user_key` pair is possible without the header being present.
   contact:
     name: Mail-in-a-Box support
     url: https://mailinabox.email/
@@ -46,6 +46,9 @@ tags:
   - name: Web
     description: |
       Static web hosting operations, which include getting domain information and updating domain root directories.
+  - name: MFA
+    description: |
+      Manage multi-factor authentication schemes. Currently, only TOTP is supported.
   - name: System
     description: |
       System operations, which include system status checks, new version checks
@@ -1662,6 +1665,95 @@ paths:
             text/html:
               schema:
                 type: string
+  /mfa/status:
+    get:
+      tags:
+        - MFA
+      summary: Retrieve MFA status
+      description: Retrieves which type of MFA is used and configuration
+      operationId: mfaStatus
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X GET "https://{host}/admin/mfa/status" \
+              -u "<email>:<password>"
+      responses:
+        200:
+          description: Successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MfaStatusResponse'
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
+  /mfa/totp/enable:
+    post:
+      tags:
+        - MFA
+      summary: Enable TOTP authentication
+      description: Enables TOTP authentication for the currently logged-in admin user
+      operationId: mfaTotpEnable
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X POST "https://{host}/admin/mfa/totp/enable" \
+              -d "code=123456" \
+              -d "secret=<string>" \
+              -u "<email>:<password>"
+      requestBody:
+        required: true
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/MfaEnableRequest'
+      responses:
+        200:
+          description: Successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MfaEnableSuccessResponse'
+        400:
+          description: Bad request
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MfaEnableBadRequestResponse'
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
+  /mfa/totp/disable:
+    post:
+      tags:
+        - MFA
+      summary: Disable TOTP authentication
+      description: Disable TOTP authentication for the currently logged-in admin user
+      operationId: mfaTotpDisable
+      x-codeSamples:
+        - lang: curl
+          source: |
+            curl -X POST "https://{host}/admin/mfa/totp/disable" \
+              -u "<email>:<user_key>"
+      responses:
+        200:
+          description: Successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/MfaDisableSuccessResponse'
+        403:
+          description: Forbidden
+          content:
+            text/html:
+              schema:
+                type: string
 components:
   securitySchemes:
     basicAuth:
@@ -2529,3 +2621,37 @@ components:
       type: string
       example: web updated
       description: Web update response.
+    MfaStatusResponse:
+      type: object
+      properties:
+        type:
+          type: string
+          example: totp
+          nullable: true
+        totp_secret:
+          type: string
+          nullable: true
+        totp_qr:
+          type: string
+          nullable: true
+    MfaEnableRequest:
+      type: object
+      required:
+        - secret
+        - code
+      properties:
+        secret:
+          type: string
+        code:
+          type: string
+    MfaEnableSuccessResponse:
+      type: object
+    MfaEnableBadRequestResponse:
+      type: object
+      required:
+        - error
+      properties:
+        error:
+          type: string
+    MfaDisableSuccessResponse:
+      type: object
\ No newline at end of file
diff --git a/management/daemon.py b/management/daemon.py
index 75e438d5..55c0a3ec 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -412,7 +412,7 @@ def ssl_provision_certs():
 
 # Two Factor Auth
 
-@app.route('/2fa/status', methods=['GET'])
+@app.route('/mfa/status', methods=['GET'])
 @authorized_personnel_only
 def two_factor_auth_get_status():
 	email, _ = auth_service.authenticate(request, env)
@@ -433,11 +433,12 @@ def two_factor_auth_get_status():
 		"totp_qr": secret_qr
 	})
 
-@app.route('/2fa/totp/enable', methods=['POST'])
+@app.route('/mfa/totp/enable', methods=['POST'])
 @authorized_personnel_only
 def totp_post_enable():
 	email, _ = auth_service.authenticate(request, env)
 
+	# TODO: Handle case where user already has TOTP enabled
 	secret = request.form.get('secret')
 	token = request.form.get('token')
 
@@ -450,7 +451,7 @@ def totp_post_enable():
 
 	return json_response({ "error": 'token_mismatch' }, 400)
 
-@app.route('/2fa/totp/disable', methods=['POST'])
+@app.route('/mfa/totp/disable', methods=['POST'])
 @authorized_personnel_only
 def totp_post_disable():
 	email, _ = auth_service.authenticate(request, env)
diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
index 810e600e..6a6b6c31 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/two-factor-auth.html
@@ -154,7 +154,7 @@
         reset_view();
 
         api(
-            '/2fa/status',
+            '/mfa/status',
             'GET',
             {},
             function(res) {
@@ -170,7 +170,7 @@
         hide_error();
 
         api(
-            '/2fa/totp/disable',
+            '/mfa/totp/disable',
             'POST',
             {},
             function() { show_two_factor_auth(); }
@@ -184,7 +184,7 @@
         hide_error();
 
         api(
-            '/2fa/totp/enable',
+            '/mfa/totp/enable',
             'POST',
             {
                 token: $(el.totpSetupToken).val(),

From ee01eae55ea9d71600a7f6421849859b59a6b53a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 19:07:21 +0200
Subject: [PATCH 08/27] Decouple totp from users table by moving to
 totp_credentials table

* this allows implementation of other mfa schemes in the future (webauthn)
* also makes key management easier and enforces one totp credentials per user on db-level
---
 management/daemon.py                      | 17 +++++----
 management/mailconfig.py                  | 44 ++++++++++++-----------
 management/templates/index.html           |  2 +-
 management/templates/login.html           |  2 +-
 management/templates/two-factor-auth.html |  2 +-
 management/totp.py                        | 10 +++---
 setup/mail-users.sh                       |  5 +--
 7 files changed, 43 insertions(+), 39 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 55c0a3ec..9f56df8c 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -9,7 +9,7 @@ import auth, utils, totp
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mailconfig import get_two_factor_info, set_two_factor_secret, remove_two_factor_secret
+from mailconfig import get_mfa_state, create_totp_credential, delete_totp_credential
 
 env = utils.load_environment()
 
@@ -410,18 +410,17 @@ def ssl_provision_certs():
 	requests = provision_certificates(env, limit_domains=None)
 	return json_response({ "requests": requests })
 
-# Two Factor Auth
+# multi-factor auth
 
 @app.route('/mfa/status', methods=['GET'])
 @authorized_personnel_only
 def two_factor_auth_get_status():
 	email, _ = auth_service.authenticate(request, env)
-	two_factor_secret, _ = get_two_factor_info(email, env)
 
-	if two_factor_secret != None:
-		return json_response({
-			"type": 'totp'
-		})
+	mfa_state = get_mfa_state(email, env)
+
+	if mfa_state['type'] == 'totp':
+		return json_response({ "type": 'totp' })
 
 	secret = totp.get_secret()
 	secret_url = totp.get_otp_uri(secret, email)
@@ -446,7 +445,7 @@ def totp_post_enable():
 		return json_response({ "error": 'bad_input' }, 400)
 
 	if (totp.validate(secret, token)):
-		set_two_factor_secret(email, secret, token, env)
+		create_totp_credential(email, secret, token, env)
 		return json_response({})
 
 	return json_response({ "error": 'token_mismatch' }, 400)
@@ -455,7 +454,7 @@ def totp_post_enable():
 @authorized_personnel_only
 def totp_post_disable():
 	email, _ = auth_service.authenticate(request, env)
-	remove_two_factor_secret(email, env)
+	delete_totp_credential(email, env)
 	return json_response({})
 
 # WEB
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 3bc48897..227c7cdf 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -547,38 +547,42 @@ def get_required_aliases(env):
 
 	return aliases
 
-def get_two_factor_info(email, env):
+# multi-factor auth
+
+def get_mfa_state(email, env):
 	c = open_database(env)
+	c.execute('SELECT secret, mru_token FROM totp_credentials WHERE user_email=?', (email,))
 
-	c.execute('SELECT two_factor_secret, two_factor_last_used_token FROM users WHERE email=?', (email,))
-	rows = c.fetchall()
-	if len(rows) != 1:
-		raise ValueError("That's not a user (%s)." % email)
-	return (rows[0][0], rows[0][1])
+	credential_row = c.fetchone()
+	if (credential_row == None):
+		return { 'type': None }
 
-def set_two_factor_secret(email, secret, token, env):
+	return {
+		'type': 'totp',
+		'secret': credential_row[0],
+		'mru_token': credential_row[1]
+	}
+
+def create_totp_credential(email, secret, token, env):
 	validate_two_factor_secret(secret)
 
 	conn, c = open_database(env, with_connection=True)
-	c.execute("UPDATE users SET two_factor_secret=?, two_factor_last_used_token=? WHERE email=?", (secret, token, email))
+	c.execute('INSERT INTO totp_credentials (user_email, secret, mru_token) VALUES (?, ?, ?)', (email, secret, token))
+	conn.commit()
+	return "OK"
+
+def set_mru_totp_code(email, token, env):
+	conn, c = open_database(env, with_connection=True)
+	c.execute('UPDATE totp_credentials SET mru_token=? WHERE user_email=?', (token, email))
+
 	if c.rowcount != 1:
 		raise ValueError("That's not a user (%s)." % email)
 	conn.commit()
 	return "OK"
 
-def set_two_factor_last_used_token(email, token, env):
+def delete_totp_credential(email, env):
 	conn, c = open_database(env, with_connection=True)
-	c.execute("UPDATE users SET two_factor_last_used_token=? WHERE email=?", (token, email))
-	if c.rowcount != 1:
-		raise ValueError("That's not a user (%s)." % email)
-	conn.commit()
-	return "OK"
-
-def remove_two_factor_secret(email, env):
-	conn, c = open_database(env, with_connection=True)
-	c.execute("UPDATE users SET two_factor_secret=null, two_factor_last_used_token=null WHERE email=?", (email,))
-	if c.rowcount != 1:
-		raise ValueError("That's not a user (%s)." % email)
+	c.execute('DELETE FROM totp_credentials WHERE user_email=?', (email,))
 	conn.commit()
 	return "OK"
 
diff --git a/management/templates/index.html b/management/templates/index.html
index 7f8a1e32..7c346e37 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -93,7 +93,7 @@
                 <li class="dropdown-header">Advanced Pages</li>
                 <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                 <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
-                <li><a href="#two_factor_auth" onclick="return show_panel(this);">Two Factor Authentication</a></li>
+                <li><a href="#two_factor_auth" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
                 <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
               </ul>
             </li>
diff --git a/management/templates/login.html b/management/templates/login.html
index 8d8bd394..4d6155f6 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -72,7 +72,7 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
     </div>
     <div class="form-group" id="loginOtp">
         <div class="col-sm-offset-3 col-sm-9">
-          <label for="loginOtpInput" class="control-label">Two Factor Code</label>
+          <label for="loginOtpInput" class="control-label">Two-Factor Code</label>
           <input type="text" class="form-control" id="loginOtpInput" placeholder="6-digit code">
         </div>
     </div>
diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
index 6a6b6c31..bb519e46 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/two-factor-auth.html
@@ -31,7 +31,7 @@
     }
 </style>
 
-<h2>Two Factor Authentication</h2>
+<h2>Two-Factor Authentication</h2>
 
 <div class="twofactor">
     <div class="loading-indicator">Loading...</div>
diff --git a/management/totp.py b/management/totp.py
index 2cb1b148..2cea61b8 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -6,7 +6,7 @@ import struct
 import time
 import pyotp
 import qrcode
-from mailconfig import get_two_factor_info, set_two_factor_last_used_token
+from mailconfig import get_mfa_state, set_mru_totp_code
 
 def get_secret():
 	return base64.b32encode(os.urandom(20)).decode('utf-8')
@@ -45,13 +45,13 @@ class TOTPStrategy():
 		self.email = email
 
 	def store_successful_login(self, token, env):
-		return set_two_factor_last_used_token(self.email, token, env)
+		return set_mru_totp_code(self.email, token, env)
 
 	def validate_request(self, request, env):
-		secret, mru_token = get_two_factor_info(self.email, env)
+		mfa_state = get_mfa_state(self.email, env)
 
 		# 2FA is not enabled, we can skip further checks
-		if secret == "" or secret == None:
+		if mfa_state['type'] != 'totp':
 			return True
 
 		# If 2FA is enabled, raise if:
@@ -65,7 +65,7 @@ class TOTPStrategy():
 			raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
 
 		# TODO: Should a token replay be handled as its own error?
-		if token_header == mru_token or validate(secret, token_header) != True:
+		if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
 			raise BadTokenError("Two factor code incorrect")
 
 		self.store_successful_login(token_header, env)
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index 3047489b..14e1d9df 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -20,9 +20,10 @@ db_path=$STORAGE_ROOT/mail/users.sqlite
 # Create an empty database if it doesn't yet exist.
 if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
-    # TODO: Add migration
-	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '', two_factor_secret TEXT, two_factor_last_used_token TEXT);" | sqlite3 $db_path;
+	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
+  # TODO: Add migration
+	echo "CREATE TABLE totp_credentials (id INTEGER PRIMARY KEY AUTOINCREMENT, user_email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_email) REFERENCES users(email) ON DELETE CASCADE);" | sqlite3 $db_path;
 fi
 
 # ### User Authentication

From 7c4eb0fb7071e0a14aba8b4dad3f6d063518fc64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 19:39:29 +0200
Subject: [PATCH 09/27] Add sqlite migration

---
 management/daemon.py | 1 -
 setup/mail-users.sh  | 1 -
 setup/migrate.py     | 4 ++++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 9f56df8c..09787cd6 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -437,7 +437,6 @@ def two_factor_auth_get_status():
 def totp_post_enable():
 	email, _ = auth_service.authenticate(request, env)
 
-	# TODO: Handle case where user already has TOTP enabled
 	secret = request.form.get('secret')
 	token = request.form.get('token')
 
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index 14e1d9df..ea1f9756 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -22,7 +22,6 @@ if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
 	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
-  # TODO: Add migration
 	echo "CREATE TABLE totp_credentials (id INTEGER PRIMARY KEY AUTOINCREMENT, user_email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_email) REFERENCES users(email) ON DELETE CASCADE);" | sqlite3 $db_path;
 fi
 
diff --git a/setup/migrate.py b/setup/migrate.py
index b10f085f..454eb438 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -181,6 +181,10 @@ def migration_12(env):
             conn.commit()
             conn.close()
 
+def migration_13(env):
+	# Add a table for `totp_credentials`
+	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
+	shell("check_call", ["sqlite3", db, "CREATE TABLE IF NOT EXISTS totp_credentials (id INTEGER PRIMARY KEY AUTOINCREMENT, user_email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_email) REFERENCES users(email) ON DELETE CASCADE);"])
 
 def get_current_migration():
 	ver = 0

From 08ae3d2b7faefcc2a574e76946d983155e20bb0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 19:48:54 +0200
Subject: [PATCH 10/27] Rename internal validate_two_factor_secret =>
 validate_two_factor_secret

---
 management/mailconfig.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/management/mailconfig.py b/management/mailconfig.py
index 227c7cdf..7f4cec36 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -564,7 +564,7 @@ def get_mfa_state(email, env):
 	}
 
 def create_totp_credential(email, secret, token, env):
-	validate_two_factor_secret(secret)
+	validate_totp_secret(secret)
 
 	conn, c = open_database(env, with_connection=True)
 	c.execute('INSERT INTO totp_credentials (user_email, secret, mru_token) VALUES (?, ?, ?)', (email, secret, token))
@@ -647,7 +647,7 @@ def validate_password(pw):
 	if len(pw) < 8:
 		raise ValueError("Passwords must be at least eight characters.")
 
-def validate_two_factor_secret(secret):
+def validate_totp_secret(secret):
 	if type(secret) != str or secret.strip() == "":
 		raise ValueError("No secret provided.")
 	if len(secret) != 32:

From b0df35eba0dc841bdcab3d663d6a1fb210851181 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Thu, 3 Sep 2020 20:39:03 +0200
Subject: [PATCH 11/27]  conn.close() if mru_token update can't .commit()

---
 management/mailconfig.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/management/mailconfig.py b/management/mailconfig.py
index 7f4cec36..c1a083e9 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -576,7 +576,9 @@ def set_mru_totp_code(email, token, env):
 	c.execute('UPDATE totp_credentials SET mru_token=? WHERE user_email=?', (token, email))
 
 	if c.rowcount != 1:
+		conn.close()
 		raise ValueError("That's not a user (%s)." % email)
+
 	conn.commit()
 	return "OK"
 

From 481a333dc0fa86c321b56b02fbb045172faa4bbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Fri, 4 Sep 2020 20:28:15 +0200
Subject: [PATCH 12/27] Address review feedback, thanks @hija

---
 management/daemon.py     | 10 ++++------
 management/mailconfig.py |  2 +-
 management/totp.py       |  2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 09787cd6..3aee9e32 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -38,23 +38,21 @@ def authorized_personnel_only(viewfunc):
 	def newview(*args, **kwargs):
 		# Authenticate the passed credentials, which is either the API key or a username:password pair.
 		error = None
+		privs = []
+
 		try:
 			email, privs = auth_service.authenticate(request, env)
+
 		except totp.MissingTokenError as e:
-			privs = []
 			error = str(e)
 		except totp.BadTokenError as e:
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
-
-			privs = []
 			error = str(e)
 		except ValueError as e:
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
-
 			# Authentication failed.
-			privs = []
 			error = "Incorrect username or password"
 
 		# Authorized to access an API view?
@@ -443,7 +441,7 @@ def totp_post_enable():
 	if type(secret) != str or type(token) != str or len(token) != 6 or len(secret) != 32:
 		return json_response({ "error": 'bad_input' }, 400)
 
-	if (totp.validate(secret, token)):
+	if totp.validate(secret, token):
 		create_totp_credential(email, secret, token, env)
 		return json_response({})
 
diff --git a/management/mailconfig.py b/management/mailconfig.py
index c1a083e9..491a4d5c 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -554,7 +554,7 @@ def get_mfa_state(email, env):
 	c.execute('SELECT secret, mru_token FROM totp_credentials WHERE user_email=?', (email,))
 
 	credential_row = c.fetchone()
-	if (credential_row == None):
+	if credential_row is None:
 		return { 'type': None }
 
 	return {
diff --git a/management/totp.py b/management/totp.py
index 2cea61b8..23853129 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -61,7 +61,7 @@ class TOTPStrategy():
 		# in that case, we need to raise and indicate to the client to supply a TOTP
 		token_header = request.headers.get('x-auth-token')
 
-		if token_header == None or token_header == "":
+		if not token_header:
 			raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
 
 		# TODO: Should a token replay be handled as its own error?

From 49c333221ab3ff8b8b5ba93ecc455393e5093f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Sun, 6 Sep 2020 12:54:45 +0200
Subject: [PATCH 13/27] Use hmac.compare_digest() to compare mru_token

---
 management/totp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/totp.py b/management/totp.py
index 23853129..634305a6 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -65,7 +65,7 @@ class TOTPStrategy():
 			raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
 
 		# TODO: Should a token replay be handled as its own error?
-		if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
+		if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
 			raise BadTokenError("Two factor code incorrect")
 
 		self.store_successful_login(token_header, env)

From 4791c2fc620203807cd8ab0a40fdabc6fd469aa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Sun, 6 Sep 2020 13:03:54 +0200
Subject: [PATCH 14/27] Safeguard against empty mru_token column

* hmac.compare_digest() expects arguments of type string, make sure we don't pass None
 * Currently, this cannot happen but we might not want to store `mru_token` during setup
---
 management/mailconfig.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/management/mailconfig.py b/management/mailconfig.py
index 491a4d5c..6e31eae8 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -557,10 +557,12 @@ def get_mfa_state(email, env):
 	if credential_row is None:
 		return { 'type': None }
 
+	secret, mru_token = credential_row
+
 	return {
 		'type': 'totp',
-		'secret': credential_row[0],
-		'mru_token': credential_row[1]
+		'secret': secret,
+		'mru_token': '' if mru_token is None else mru_token
 	}
 
 def create_totp_credential(email, secret, token, env):

From 2ea97f06431c1da6e65fceb1afa77e0e2703e3e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Sun, 6 Sep 2020 13:08:44 +0200
Subject: [PATCH 15/27] Do not log failed login attempts for MissingToken
 errors

* Due to the way that the /login UI works, this persists at least one failed login each time a user logs into the admin panel. This in turn triggers fail2ban at some point.
---
 management/daemon.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index 3aee9e32..0ff8f2a5 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -127,9 +127,6 @@ def me():
 	try:
 		email, privs = auth_service.authenticate(request, env)
 	except totp.MissingTokenError as e:
-		# Log the failed login
-		log_failed_login(request)
-
 		return json_response({
 			"status": "missing_token",
 			"reason": str(e),

From dcb93d071c9e9e12ea0e62576fc16d543954323b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Sat, 12 Sep 2020 16:34:06 +0200
Subject: [PATCH 16/27] Add TOTP secret to user_key hash

thanks @downtownallday
* this invalidates all user_keys after TOTP status is changed for user
* after changing TOTP state, a login is required
* due to the forced login, we can't and don't need to store the code used for setup in `mru_code`
---
 management/auth.py                        | 20 +++++++++++++------
 management/daemon.py                      |  2 +-
 management/mailconfig.py                  |  4 ++--
 management/templates/index.html           | 10 ++++++++++
 management/templates/login.html           |  9 ---------
 management/templates/two-factor-auth.html | 24 +++++++++++++++--------
 6 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/management/auth.py b/management/auth.py
index 27d9f094..f3cae996 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -3,7 +3,7 @@ import base64, os, os.path, hmac
 from flask import make_response
 
 import utils, totp
-from mailconfig import get_mail_password, get_mail_user_privileges
+from mailconfig import get_mail_password, get_mail_user_privileges, get_mfa_state
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -136,15 +136,23 @@ class KeyAuthService:
 
 	def create_user_key(self, email, env):
 		# Store an HMAC with the client. The hashed message of the HMAC will be the user's
-		# email address & hashed password and the key will be the master API key. The user of
-		# course has their own email address and password. We assume they do not have the master
-		# API key (unless they are trusted anyway). The HMAC proves that they authenticated
-		# with us in some other way to get the HMAC. Including the password means that when
+		# email address & hashed password and the key will be the master API key. If TOTP
+		# is active, the key will also include the TOTP secret. The user of course has their
+		# own email address and password. We assume they do not have the master API key
+		# (unless they are trusted anyway). The HMAC proves that they authenticated with us
+		# in some other way to get the HMAC. Including the password means that when
 		# a user's password is reset, the HMAC changes and they will correctly need to log
 		# in to the control panel again. This method raises a ValueError if the user does
 		# not exist, due to get_mail_password.
 		msg = b"AUTH:" + email.encode("utf8") + b" " + get_mail_password(email, env).encode("utf8")
-		return hmac.new(self.key.encode('ascii'), msg, digestmod="sha256").hexdigest()
+		
+		mfa_state = get_mfa_state(email, env)
+		hash_key = self.key.encode('ascii')
+
+		if mfa_state['type'] == 'totp':
+			hash_key = hash_key + mfa_state['secret'].encode('ascii')
+
+		return hmac.new(hash_key, msg, digestmod="sha256").hexdigest()
 
 	def _generate_key(self):
 		raw_key = os.urandom(32)
diff --git a/management/daemon.py b/management/daemon.py
index 0ff8f2a5..0efbc03a 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -439,7 +439,7 @@ def totp_post_enable():
 		return json_response({ "error": 'bad_input' }, 400)
 
 	if totp.validate(secret, token):
-		create_totp_credential(email, secret, token, env)
+		create_totp_credential(email, secret, env)
 		return json_response({})
 
 	return json_response({ "error": 'token_mismatch' }, 400)
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 6e31eae8..d25afea0 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -565,11 +565,11 @@ def get_mfa_state(email, env):
 		'mru_token': '' if mru_token is None else mru_token
 	}
 
-def create_totp_credential(email, secret, token, env):
+def create_totp_credential(email, secret, env):
 	validate_totp_secret(secret)
 
 	conn, c = open_database(env, with_connection=True)
-	c.execute('INSERT INTO totp_credentials (user_email, secret, mru_token) VALUES (?, ?, ?)', (email, secret, token))
+	c.execute('INSERT INTO totp_credentials (user_email, secret) VALUES (?, ?)', (email, secret))
 	conn.commit()
 	return "OK"
 
diff --git a/management/templates/index.html b/management/templates/index.html
index 7c346e37..8fdb7c22 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -363,6 +363,16 @@ function api(url, method, data, callback, callback_error, headers) {
 
 var current_panel = null;
 var switch_back_to_panel = null;
+
+function do_logout() {
+  api_credentials = ["", ""];
+  if (typeof localStorage != 'undefined')
+    localStorage.removeItem("miab-cp-credentials");
+  if (typeof sessionStorage != 'undefined')
+    sessionStorage.removeItem("miab-cp-credentials");
+  show_panel('login');
+}
+
 function show_panel(panelid) {
   if (panelid.getAttribute)
     // we might be passed an HTMLElement <a>.
diff --git a/management/templates/login.html b/management/templates/login.html
index 4d6155f6..db8dce84 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -166,15 +166,6 @@ function do_login() {
   });
 }
 
-function do_logout() {
-  api_credentials = ["", ""];
-  if (typeof localStorage != 'undefined')
-    localStorage.removeItem("miab-cp-credentials");
-  if (typeof sessionStorage != 'undefined')
-    sessionStorage.removeItem("miab-cp-credentials");
-  show_panel('login');
-}
-
 function show_login() {
   $('#loginForm').removeClass('is-twofactor');
   $('#loginOtpInput').val('');
diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
index bb519e46..bfb9177f 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/two-factor-auth.html
@@ -37,31 +37,35 @@
     <div class="loading-indicator">Loading...</div>
 
     <form id="totp-setup">
+        <p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
+
         <div class="form-group">
-            <h3>Setup</h3>
-            <p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
+            <h3>Setup Instructions</h3>
             <p>1. Scan the QR code or enter the secret into an authenticator app (e.g. Google Authenticator)</p>
             <div id="totp-setup-qr"></div>
         </div>
 
         <div class="form-group">
             <label for="otp">2. Enter the code displayed in the Authenticator app</label>
+            <p>You will have to log into the admin panel again after enabling two-factor authentication.</p>
             <input type="text" id="totp-setup-token" class="form-control" placeholder="6-digit code" />
         </div>
 
         <input type="hidden" id="totp-setup-secret" />
 
         <div class="form-group">
-            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable two factor authentication</button>
+            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable two-factor authentication</button>
         </div>
     </form>
 
     <form id="disable-2fa">
         <div class="form-group">
-            <p>Two factor authentication is active.</p>
+            <p>Two-factor authentication is active for your account. You can disable it by clicking below button.</p>
+            <p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
+        </div>
+        <div class="form-group">
+            <button type="submit" class="btn btn-danger">Disable two-factor authentication</button>
         </div>
-
-        <button type="submit" class="btn btn-danger">Disable two factor authentication</button>
     </form>
 
     <div id="output-2fa" class="panel panel-danger">
@@ -173,7 +177,9 @@
             '/mfa/totp/disable',
             'POST',
             {},
-            function() { show_two_factor_auth(); }
+            function() {
+                do_logout();
+            }
         );
 
         return false;
@@ -190,7 +196,9 @@
                 token: $(el.totpSetupToken).val(),
                 secret: $(el.totpSetupSecret).val()
             },
-            function(res) { show_two_factor_auth(); },
+            function(res) {
+                do_logout();
+            },
             function(res) {
                 var errorMessage = 'Something went wrong.';
                 var parsed;

From 7d6427904f9c53e35dfff441ec54c87ddec17727 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Sat, 12 Sep 2020 16:38:44 +0200
Subject: [PATCH 17/27] Typo

---
 management/templates/two-factor-auth.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/templates/two-factor-auth.html b/management/templates/two-factor-auth.html
index bfb9177f..8108c211 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/two-factor-auth.html
@@ -37,7 +37,7 @@
     <div class="loading-indicator">Loading...</div>
 
     <form id="totp-setup">
-        <p>After enabling two factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
+        <p>After enabling two-factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
 
         <div class="form-group">
             <h3>Setup Instructions</h3>

From a8ea456b4956afbc564a1fc116c9227862142fe2 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 26 Sep 2020 09:58:25 -0400
Subject: [PATCH 18/27] Reorganize the MFA backend methods

---
 management/auth.py       |  81 +++++++++++++------------
 management/daemon.py     |  86 +++++++++-----------------
 management/mailconfig.py |  49 ---------------
 management/mfa.py        | 126 +++++++++++++++++++++++++++++++++++++++
 management/totp.py       |  72 ----------------------
 setup/mail-users.sh      |   2 +-
 setup/migrate.py         |   6 +-
 7 files changed, 200 insertions(+), 222 deletions(-)
 create mode 100644 management/mfa.py
 delete mode 100644 management/totp.py

diff --git a/management/auth.py b/management/auth.py
index f3cae996..d55e0697 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -1,9 +1,10 @@
-import base64, os, os.path, hmac
+import base64, os, os.path, hmac, json
 
 from flask import make_response
 
-import utils, totp
-from mailconfig import get_mail_password, get_mail_user_privileges, get_mfa_state
+import utils
+from mailconfig import get_mail_password, get_mail_user_privileges
+from mfa import get_mfa_state, validate_auth_mfa
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -72,40 +73,29 @@ class KeyAuthService:
 		if username in (None, ""):
 			raise ValueError("Authorization header invalid.")
 		elif username == self.key:
-			# The user passed the API key which grants administrative privs.
+			# The user passed the master API key which grants administrative privs.
 			return (None, ["admin"])
 		else:
-			# The user is trying to log in with a username and user-specific
-			# API key or password. Raises or returns privs and an indicator
-			# whether the user is using their password or a user-specific API-key.
-			privs, is_user_key = self.get_user_credentials(username, password, env)
+			# The user is trying to log in with a username and either a password
+			# (and possibly a MFA token) or a user-specific API key.
+			return (username, self.check_user_auth(username, password, request, env))
 
-			# If the user is using their API key to login, 2FA has been passed before
-			if is_user_key:
-				return (username, privs)
-
-			totp_strategy = totp.TOTPStrategy(email=username)
-			# this will raise `totp.MissingTokenError` or `totp.BadTokenError` for bad requests
-			totp_strategy.validate_request(request, env)
-
-			return (username, privs)
-
-	def get_user_credentials(self, email, pw, env):
-		# Validate a user's credentials. On success returns a list of
-		# privileges (e.g. [] or ['admin']). On failure raises a ValueError
-		# with a login error message.
+	def check_user_auth(self, email, pw, request, env):
+		# Validate a user's login email address and password. If MFA is enabled,
+		# check the MFA token in the X-Auth-Token header.
+		#
+		# On success returns a list of privileges (e.g. [] or ['admin']). On login
+		# failure, raises a ValueError with a login error message.
 
 		# Sanity check.
 		if email == "" or pw == "":
 			raise ValueError("Enter an email address and password.")
 
-		is_user_key = False
-
 		# The password might be a user-specific API key. create_user_key raises
 		# a ValueError if the user does not exist.
 		if hmac.compare_digest(self.create_user_key(email, env), pw):
 			# OK.
-			is_user_key = True
+			pass
 		else:
 			# Get the hashed password of the user. Raise a ValueError if the
 			# email address does not correspond to a user.
@@ -125,6 +115,12 @@ class KeyAuthService:
 				# Login failed.
 				raise ValueError("Invalid password.")
 
+			# If MFA is enabled, check that MFA passes.
+			status, hints = validate_auth_mfa(email, request, env)
+			if not status:
+				# Login valid. Hints may have more info.
+				raise ValueError(",".join(hints))
+
 		# Get privileges for authorization. This call should never fail because by this
 		# point we know the email address is a valid user. But on error the call will
 		# return a tuple of an error message and an HTTP status code.
@@ -132,26 +128,29 @@ class KeyAuthService:
 		if isinstance(privs, tuple): raise ValueError(privs[0])
 
 		# Return a list of privileges.
-		return (privs, is_user_key)
+		return privs
 
 	def create_user_key(self, email, env):
-		# Store an HMAC with the client. The hashed message of the HMAC will be the user's
-		# email address & hashed password and the key will be the master API key. If TOTP
-		# is active, the key will also include the TOTP secret. The user of course has their
-		# own email address and password. We assume they do not have the master API key
-		# (unless they are trusted anyway). The HMAC proves that they authenticated with us
-		# in some other way to get the HMAC. Including the password means that when
-		# a user's password is reset, the HMAC changes and they will correctly need to log
-		# in to the control panel again. This method raises a ValueError if the user does
-		# not exist, due to get_mail_password.
+		# Create a user API key, which is a shared secret that we can re-generate from
+		# static information in our database. The shared secret contains the user's
+		# email address, current hashed password, and current MFA state, so that the
+		# key becomes invalid if any of that information changes.
+		#
+		# Use an HMAC to generate the API key using our master API key as a key,
+		# which also means that the API key becomes invalid when our master API key
+		# changes --- i.e. when this process is restarted.
+		#
+		# Raises ValueError via get_mail_password if the user doesn't exist.
+
+		# Construct the HMAC message from the user's email address and current password.
 		msg = b"AUTH:" + email.encode("utf8") + b" " + get_mail_password(email, env).encode("utf8")
-		
-		mfa_state = get_mfa_state(email, env)
+
+		# Add to the message the current MFA state, which is a list of MFA information.
+		# Turn it into a string stably.
+		msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8")
+
+		# Make the HMAC.
 		hash_key = self.key.encode('ascii')
-
-		if mfa_state['type'] == 'totp':
-			hash_key = hash_key + mfa_state['secret'].encode('ascii')
-
 		return hmac.new(hash_key, msg, digestmod="sha256").hexdigest()
 
 	def _generate_key(self):
diff --git a/management/daemon.py b/management/daemon.py
index 0efbc03a..2752593a 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -5,11 +5,11 @@ from functools import wraps
 
 from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response
 
-import auth, utils, totp
+import auth, utils, mfa
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mailconfig import get_mfa_state, create_totp_credential, delete_totp_credential
+from mfa import get_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
 
 env = utils.load_environment()
 
@@ -36,30 +36,31 @@ app = Flask(__name__, template_folder=os.path.abspath(os.path.join(os.path.dirna
 def authorized_personnel_only(viewfunc):
 	@wraps(viewfunc)
 	def newview(*args, **kwargs):
-		# Authenticate the passed credentials, which is either the API key or a username:password pair.
+		# Authenticate the passed credentials, which is either the API key or a username:password pair
+		# and an optional X-Auth-Token token.
 		error = None
 		privs = []
 
 		try:
 			email, privs = auth_service.authenticate(request, env)
-
-		except totp.MissingTokenError as e:
-			error = str(e)
-		except totp.BadTokenError as e:
-			# Write a line in the log recording the failed login
-			log_failed_login(request)
-			error = str(e)
 		except ValueError as e:
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
+
 			# Authentication failed.
-			error = "Incorrect username or password"
+			error = str(e)
 
 		# Authorized to access an API view?
 		if "admin" in privs:
+			# Store the email address of the logged in user so it can be accessed
+			# from the API methods that affect the calling user.
+			request.user_email = email
+			request.user_privs = privs
+
 			# Call view func.
 			return viewfunc(*args, **kwargs)
-		elif not error:
+
+		if not error:
 			error = "You are not an administrator."
 
 		# Not authorized. Return a 401 (send auth) and a prompt to authorize by default.
@@ -126,27 +127,12 @@ def me():
 	# Is the caller authorized?
 	try:
 		email, privs = auth_service.authenticate(request, env)
-	except totp.MissingTokenError as e:
-		return json_response({
-			"status": "missing_token",
-			"reason": str(e),
-		})
-	except totp.BadTokenError as e:
-		# Log the failed login
-		log_failed_login(request)
-
-		return json_response({
-			"status": "bad_token",
-			"reason": str(e),
-		})
-
 	except ValueError as e:
 		# Log the failed login
 		log_failed_login(request)
-
 		return json_response({
 			"status": "invalid",
-			"reason": "Incorrect username or password",
+			"reason": str(e),
 		})
 
 	resp = {
@@ -409,47 +395,33 @@ def ssl_provision_certs():
 
 @app.route('/mfa/status', methods=['GET'])
 @authorized_personnel_only
-def two_factor_auth_get_status():
-	email, _ = auth_service.authenticate(request, env)
-
-	mfa_state = get_mfa_state(email, env)
-
-	if mfa_state['type'] == 'totp':
-		return json_response({ "type": 'totp' })
-
-	secret = totp.get_secret()
-	secret_url = totp.get_otp_uri(secret, email)
-	secret_qr = totp.get_qr_code(secret_url)
-
+def mfa_get_status():
 	return json_response({
-		"type": None,
-		"totp_secret": secret,
-		"totp_qr": secret_qr
+		"enabled_mfa": get_mfa_state(request.user_email, env),
+		"new_mfa": {
+			"totp": provision_totp(request.user_email, env)
+		}
 	})
 
 @app.route('/mfa/totp/enable', methods=['POST'])
 @authorized_personnel_only
 def totp_post_enable():
-	email, _ = auth_service.authenticate(request, env)
-
 	secret = request.form.get('secret')
 	token = request.form.get('token')
-
-	if type(secret) != str or type(token) != str or len(token) != 6 or len(secret) != 32:
+	if type(token) != str:
 		return json_response({ "error": 'bad_input' }, 400)
+	try:
+		validate_totp_secret(secret)
+		enable_mfa(request.user_email, "totp", secret, token, env)
+	except ValueError as e:
+		return str(e)
+	return "OK"
 
-	if totp.validate(secret, token):
-		create_totp_credential(email, secret, env)
-		return json_response({})
-
-	return json_response({ "error": 'token_mismatch' }, 400)
-
-@app.route('/mfa/totp/disable', methods=['POST'])
+@app.route('/mfa/disable', methods=['POST'])
 @authorized_personnel_only
 def totp_post_disable():
-	email, _ = auth_service.authenticate(request, env)
-	delete_totp_credential(email, env)
-	return json_response({})
+	disable_mfa(request.user_email, request.form.get('mfa-id'), env)
+	return "OK"
 
 # WEB
 
diff --git a/management/mailconfig.py b/management/mailconfig.py
index d25afea0..47faad5f 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -547,49 +547,6 @@ def get_required_aliases(env):
 
 	return aliases
 
-# multi-factor auth
-
-def get_mfa_state(email, env):
-	c = open_database(env)
-	c.execute('SELECT secret, mru_token FROM totp_credentials WHERE user_email=?', (email,))
-
-	credential_row = c.fetchone()
-	if credential_row is None:
-		return { 'type': None }
-
-	secret, mru_token = credential_row
-
-	return {
-		'type': 'totp',
-		'secret': secret,
-		'mru_token': '' if mru_token is None else mru_token
-	}
-
-def create_totp_credential(email, secret, env):
-	validate_totp_secret(secret)
-
-	conn, c = open_database(env, with_connection=True)
-	c.execute('INSERT INTO totp_credentials (user_email, secret) VALUES (?, ?)', (email, secret))
-	conn.commit()
-	return "OK"
-
-def set_mru_totp_code(email, token, env):
-	conn, c = open_database(env, with_connection=True)
-	c.execute('UPDATE totp_credentials SET mru_token=? WHERE user_email=?', (token, email))
-
-	if c.rowcount != 1:
-		conn.close()
-		raise ValueError("That's not a user (%s)." % email)
-
-	conn.commit()
-	return "OK"
-
-def delete_totp_credential(email, env):
-	conn, c = open_database(env, with_connection=True)
-	c.execute('DELETE FROM totp_credentials WHERE user_email=?', (email,))
-	conn.commit()
-	return "OK"
-
 def kick(env, mail_result=None):
 	results = []
 
@@ -651,12 +608,6 @@ def validate_password(pw):
 	if len(pw) < 8:
 		raise ValueError("Passwords must be at least eight characters.")
 
-def validate_totp_secret(secret):
-	if type(secret) != str or secret.strip() == "":
-		raise ValueError("No secret provided.")
-	if len(secret) != 32:
-		raise ValueError("Secret should be a 32 characters base32 string")
-
 if __name__ == "__main__":
 	import sys
 	if len(sys.argv) > 2 and sys.argv[1] == "validate-email":
diff --git a/management/mfa.py b/management/mfa.py
new file mode 100644
index 00000000..af696ac4
--- /dev/null
+++ b/management/mfa.py
@@ -0,0 +1,126 @@
+import base64
+import hmac
+import io
+import os
+import pyotp
+import qrcode
+
+from mailconfig import open_database
+
+def get_user_id(email, c):
+	c.execute('SELECT id FROM users WHERE email=?', (email,))
+	r = c.fetchone()
+	if not r: raise ValueError("User does not exist.")
+	return r[0]
+
+def get_mfa_state(email, env):
+	c = open_database(env)
+	c.execute('SELECT id, type, secret, mru_token FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	return [
+		{ "id": r[0], "type": r[1], "secret": r[2], "mru_token": r[3] }
+		for r in c.fetchall()
+	]
+
+def enable_mfa(email, type, secret, token, env):
+	if type == "totp":
+		validate_totp_secret(secret)
+		# Sanity check with the provide current token.
+		totp = pyotp.TOTP(secret)
+		if not totp.verify(token, valid_window=1):
+			raise ValueError("Invalid token.")
+	else:
+		raise ValueError("Invalid MFA type.")
+
+	conn, c = open_database(env, with_connection=True)
+	c.execute('INSERT INTO mfa (user_id, type, secret) VALUES (?, ?, ?)', (get_user_id(email, c), type, secret))
+	conn.commit()
+
+def set_mru_token(email, token, env):
+	conn, c = open_database(env, with_connection=True)
+	c.execute('UPDATE mfa SET mru_token=? WHERE user_id=?', (token, get_user_id(email, c)))
+	conn.commit()
+
+def disable_mfa(email, mfa_id, env):
+	conn, c = open_database(env, with_connection=True)
+	if mfa_id is None:
+		# Disable all MFA for a user.
+		c.execute('DELETE FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	else:
+		# Disable a particular MFA mode for a user.
+		c.execute('DELETE FROM mfa WHERE user_id=? AND id=?', (get_user_id(email, c), mfa_id))
+	conn.commit()
+
+def validate_totp_secret(secret):
+	if type(secret) != str or secret.strip() == "":
+		raise ValueError("No secret provided.")
+	if len(secret) != 32:
+		raise ValueError("Secret should be a 32 characters base32 string")
+
+def provision_totp(email, env):
+	# Make a new secret.
+	secret = base64.b32encode(os.urandom(20)).decode('utf-8')
+	validate_totp_secret(secret) # sanity check
+
+	# Make a URI that we encode within a QR code.
+	uri = pyotp.TOTP(secret).provisioning_uri(
+		name=email,
+		issuer_name=env["PRIMARY_HOSTNAME"] + " Mail-in-a-Box Control Panel"
+	)
+
+	# Generate a QR code as a base64-encode PNG image.
+	qr = qrcode.make(uri)
+	byte_arr = io.BytesIO()
+	qr.save(byte_arr, format='PNG')
+	png_b64 = base64.b64encode(byte_arr.getvalue()).decode('utf-8')
+
+	return {
+		"type": "totp",
+		"secret": secret,
+		"qr_code_base64": png_b64
+	}
+
+def validate_auth_mfa(email, request, env):
+	# Validates that a login request satisfies any MFA modes
+	# that have been enabled for the user's account. Returns
+	# a tuple (status, [hints]). status is True for a successful
+	# MFA login, False for a missing token. If status is False,
+	# hints is an array of codes that indicate what the user
+	# can try. Possible codes are:
+	# "missing-totp-token"
+	# "invalid-totp-token"
+
+	mfa_state = get_mfa_state(email, env)
+
+	# If no MFA modes are added, return True.
+	if len(mfa_state) == 0:
+		return (True, [])
+
+	# Try the enabled MFA modes.
+	hints = set()
+	for mfa_mode in mfa_state:
+		if mfa_mode["type"] == "totp":
+			# Check that a token is present in the X-Auth-Token header.
+			# If not, give a hint that one can be supplied.
+			token = request.headers.get('x-auth-token')
+			if not token:
+				hints.add("missing-totp-token")
+				continue
+
+			# Check for a replay attack.
+			if hmac.compare_digest(token, mfa_mode['mru_token'] or ""):
+				# If the token fails, skip this MFA mode.
+				hints.add("invalid-totp-token")
+				continue
+
+			# Check the token.
+			totp = pyotp.TOTP(mfa_mode["secret"])
+			if not totp.verify(token, valid_window=1):
+				hints.add("invalid-totp-token")
+				continue
+
+			# On success, record the token to prevent a replay attack.
+			set_mru_token(email, token, env)
+			return (True, [])
+
+	# On a failed login, indicate failure and any hints for what the user can do instead.
+	return (False, list(hints))
diff --git a/management/totp.py b/management/totp.py
deleted file mode 100644
index 634305a6..00000000
--- a/management/totp.py
+++ /dev/null
@@ -1,72 +0,0 @@
-import base64
-import hmac
-import io
-import os
-import struct
-import time
-import pyotp
-import qrcode
-from mailconfig import get_mfa_state, set_mru_totp_code
-
-def get_secret():
-	return base64.b32encode(os.urandom(20)).decode('utf-8')
-
-def get_otp_uri(secret, email):
-	return pyotp.TOTP(secret).provisioning_uri(
-		name=email,
-		issuer_name='mailinabox'
-	)
-
-def get_qr_code(data):
-	qr = qrcode.make(data)
-	byte_arr = io.BytesIO()
-	qr.save(byte_arr, format='PNG')
-
-	encoded = base64.b64encode(byte_arr.getvalue()).decode('utf-8')
-	return 'data:image/png;base64,{}'.format(encoded)
-
-def validate(secret, token):
-	"""
-	@see https://tools.ietf.org/html/rfc6238#section-4
-	@see https://tools.ietf.org/html/rfc4226#section-5.4
-	"""
-	totp = pyotp.TOTP(secret)
-	return totp.verify(token, valid_window=1)
-
-class MissingTokenError(ValueError):
-	pass
-
-class BadTokenError(ValueError):
-	pass
-
-class TOTPStrategy():
-	def __init__(self, email):
-		self.type = 'totp'
-		self.email = email
-
-	def store_successful_login(self, token, env):
-		return set_mru_totp_code(self.email, token, env)
-
-	def validate_request(self, request, env):
-		mfa_state = get_mfa_state(self.email, env)
-
-		# 2FA is not enabled, we can skip further checks
-		if mfa_state['type'] != 'totp':
-			return True
-
-		# If 2FA is enabled, raise if:
-		# 1. no token is provided via `x-auth-token`
-		# 2. a previously supplied token is used (to counter replay attacks)
-		# 3. the token is invalid
-		# in that case, we need to raise and indicate to the client to supply a TOTP
-		token_header = request.headers.get('x-auth-token')
-
-		if not token_header:
-			raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
-
-		# TODO: Should a token replay be handled as its own error?
-		if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
-			raise BadTokenError("Two factor code incorrect")
-
-		self.store_successful_login(token_header, env)
-		return True
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index ea1f9756..9fcdf79d 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -22,7 +22,7 @@ if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
 	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
-	echo "CREATE TABLE totp_credentials (id INTEGER PRIMARY KEY AUTOINCREMENT, user_email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_email) REFERENCES users(email) ON DELETE CASCADE);" | sqlite3 $db_path;
+	echo "CREATE TABLE IF NOT EXISTS mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);" | sqlite3 $db_path;
 fi
 
 # ### User Authentication
diff --git a/setup/migrate.py b/setup/migrate.py
index 454eb438..5b6e398b 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -182,9 +182,11 @@ def migration_12(env):
             conn.close()
 
 def migration_13(env):
-	# Add a table for `totp_credentials`
+	# Add the "mfa" table for configuring MFA for login to the control panel.
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
-	shell("check_call", ["sqlite3", db, "CREATE TABLE IF NOT EXISTS totp_credentials (id INTEGER PRIMARY KEY AUTOINCREMENT, user_email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_email) REFERENCES users(email) ON DELETE CASCADE);"])
+	shell("check_call", ["sqlite3", db, "CREATE TABLE IF NOT EXISTS mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
+
+###########################################################
 
 def get_current_migration():
 	ver = 0

From b80f2256911451963c1bd027461c2a4912307aa5 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sun, 27 Sep 2020 08:31:23 -0400
Subject: [PATCH 19/27] Reorganize MFA front-end and add label column

---
 management/daemon.py                          | 21 +++--
 management/mfa.py                             |  8 +-
 management/templates/index.html               | 10 ++-
 management/templates/login.html               | 26 +++---
 .../{two-factor-auth.html => mfa.html}        | 89 +++++++++++++------
 setup/mail-users.sh                           |  2 +-
 setup/migrate.py                              |  2 +-
 7 files changed, 105 insertions(+), 53 deletions(-)
 rename management/templates/{two-factor-auth.html => mfa.html} (60%)

diff --git a/management/daemon.py b/management/daemon.py
index 2752593a..f4f972dc 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -128,12 +128,18 @@ def me():
 	try:
 		email, privs = auth_service.authenticate(request, env)
 	except ValueError as e:
-		# Log the failed login
-		log_failed_login(request)
-		return json_response({
-			"status": "invalid",
-			"reason": str(e),
-		})
+		if "missing-totp-token" in str(e):
+			return json_response({
+				"status": "missing-totp-token",
+				"reason": str(e),
+			})
+		else:
+			# Log the failed login
+			log_failed_login(request)
+			return json_response({
+				"status": "invalid",
+				"reason": str(e),
+			})
 
 	resp = {
 		"status": "ok",
@@ -408,11 +414,12 @@ def mfa_get_status():
 def totp_post_enable():
 	secret = request.form.get('secret')
 	token = request.form.get('token')
+	label = request.form.get('label')
 	if type(token) != str:
 		return json_response({ "error": 'bad_input' }, 400)
 	try:
 		validate_totp_secret(secret)
-		enable_mfa(request.user_email, "totp", secret, token, env)
+		enable_mfa(request.user_email, "totp", secret, token, label, env)
 	except ValueError as e:
 		return str(e)
 	return "OK"
diff --git a/management/mfa.py b/management/mfa.py
index af696ac4..4db0ac9e 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -15,13 +15,13 @@ def get_user_id(email, c):
 
 def get_mfa_state(email, env):
 	c = open_database(env)
-	c.execute('SELECT id, type, secret, mru_token FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	c.execute('SELECT id, type, secret, mru_token, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
 	return [
-		{ "id": r[0], "type": r[1], "secret": r[2], "mru_token": r[3] }
+		{ "id": r[0], "type": r[1], "secret": r[2], "mru_token": r[3], "label": r[4] }
 		for r in c.fetchall()
 	]
 
-def enable_mfa(email, type, secret, token, env):
+def enable_mfa(email, type, secret, token, label, env):
 	if type == "totp":
 		validate_totp_secret(secret)
 		# Sanity check with the provide current token.
@@ -32,7 +32,7 @@ def enable_mfa(email, type, secret, token, env):
 		raise ValueError("Invalid MFA type.")
 
 	conn, c = open_database(env, with_connection=True)
-	c.execute('INSERT INTO mfa (user_id, type, secret) VALUES (?, ?, ?)', (get_user_id(email, c), type, secret))
+	c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
 	conn.commit()
 
 def set_mru_token(email, token, env):
diff --git a/management/templates/index.html b/management/templates/index.html
index 8fdb7c22..12f6ad8e 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -93,16 +93,18 @@
                 <li class="dropdown-header">Advanced Pages</li>
                 <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                 <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
-                <li><a href="#two_factor_auth" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
                 <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
               </ul>
             </li>
             <li class="dropdown">
-              <a href="#" class="dropdown-toggle" data-toggle="dropdown">Mail <b class="caret"></b></a>
+              <a href="#" class="dropdown-toggle" data-toggle="dropdown">Mail &amp; Users <b class="caret"></b></a>
               <ul class="dropdown-menu">
                 <li><a href="#mail-guide" onclick="return show_panel(this);">Instructions</a></li>
                 <li><a href="#users" onclick="return show_panel(this);">Users</a></li>
                 <li><a href="#aliases" onclick="return show_panel(this);">Aliases</a></li>
+                <li class="divider"></li>
+                <li class="dropdown-header">Your Account</li>
+                <li><a href="#mfa" onclick="return show_panel(this);">Two-Factor Authentication</a></li>
               </ul>
             </li>
             <li><a href="#sync_guide" onclick="return show_panel(this);">Contacts/Calendar</a></li>
@@ -132,8 +134,8 @@
       {% include "custom-dns.html" %}
       </div>
 
-      <div id="panel_two_factor_auth" class="admin_panel">
-      {% include "two-factor-auth.html" %}
+      <div id="panel_mfa" class="admin_panel">
+      {% include "mfa.html" %}
       </div>
 
       <div id="panel_login" class="admin_panel">
diff --git a/management/templates/login.html b/management/templates/login.html
index db8dce84..67cb08d2 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -61,6 +61,13 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
         <input name="password" type="password" class="form-control" id="loginPassword" placeholder="Password">
       </div>
     </div>
+    <div class="form-group" id="loginOtp">
+      <label for="loginOtpInput" class="col-sm-3 control-label">Code</label>
+      <div class="col-sm-9">
+          <input type="text" class="form-control" id="loginOtpInput" placeholder="6-digit code">
+          <div class="help-block" style="margin-top: 5px; font-size: 90%">Enter the six-digit code generated by your two factor authentication app.</div>
+      </div>
+    </div>
     <div class="form-group">
       <div class="col-sm-offset-3 col-sm-9">
         <div class="checkbox">
@@ -70,12 +77,6 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
         </div>
       </div>
     </div>
-    <div class="form-group" id="loginOtp">
-        <div class="col-sm-offset-3 col-sm-9">
-          <label for="loginOtpInput" class="control-label">Two-Factor Code</label>
-          <input type="text" class="form-control" id="loginOtpInput" placeholder="6-digit code">
-        </div>
-    </div>
     <div class="form-group">
       <div class="col-sm-offset-3 col-sm-9">
         <button type="submit" class="btn btn-default">Sign in</button>
@@ -111,13 +112,18 @@ function do_login() {
     // This API call always succeeds. It returns a JSON object indicating
     // whether the request was authenticated or not.
     if (response.status != 'ok') {
-      if (response.status === 'missing_token' && !$('#loginForm').hasClass('is-twofactor')) {
+      if (response.status === 'missing-totp-token' || (response.status === 'invalid' && response.reason == 'invalid-totp-token')) {
         $('#loginForm').addClass('is-twofactor');
-        setTimeout(() => {
-            $('#loginOtpInput').focus();
-        });
+        if (response.reason === "invalid-totp-token") {
+          show_modal_error("Login Failed", "Incorrect two factor authentication token.");
+        } else {
+          setTimeout(() => {
+              $('#loginOtpInput').focus();
+          });
+        }
       } else {
         $('#loginForm').removeClass('is-twofactor');
+
         // Show why the login failed.
         show_modal_error("Login Failed", response.reason)
 
diff --git a/management/templates/two-factor-auth.html b/management/templates/mfa.html
similarity index 60%
rename from management/templates/two-factor-auth.html
rename to management/templates/mfa.html
index 8108c211..32b7f6cd 100644
--- a/management/templates/two-factor-auth.html
+++ b/management/templates/mfa.html
@@ -33,38 +33,65 @@
 
 <h2>Two-Factor Authentication</h2>
 
+<p>When two-factor authentication is enabled, you will be prompted to enter a six digit code from an
+authenticator app (usually on your phone) when you log into this control panel.</p>
+
+<div class="panel panel-danger">
+<div class="panel-heading">
+Enabling two-factor authentication does not protect access to your email
+</div>
+<div class="panel-body">
+Enabling two-factor authentication on this page only limits access to this control panel. Remember that most websites allow you to
+reset your password by checking your email, so anyone with access to your email can typically take over
+your other accounts. Additionally, if your email address or any alias that forwards to your email
+address is a typical domain control validation address (e.g admin@, administrator@, postmaster@, hostmaster@,
+webmaster@, abuse@), extra care should be taken to protect the account. <strong>Always use a strong password,
+and ensure every administrator account for this control panel does the same.</strong>
+</div>
+</div>
+
 <div class="twofactor">
     <div class="loading-indicator">Loading...</div>
 
     <form id="totp-setup">
-        <p>After enabling two-factor authentication, any login to the admin panel will require you to enter a time-limited 6-digit number from an authenticator app after entering your normal credentials.</p>
+        <h3>Setup Instructions</h3>
 
         <div class="form-group">
-            <h3>Setup Instructions</h3>
-            <p>1. Scan the QR code or enter the secret into an authenticator app (e.g. Google Authenticator)</p>
+            <p>1. Install <a href="https://freeotp.github.io/">FreeOTP</a> or <a href="https://www.pcworld.com/article/3225913/what-is-two-factor-authentication-and-which-2fa-apps-are-best.html">any
+            other two-factor authentication app</a> that supports TOTP.</p>
+        </div>
+
+        <div class="form-group">
+            <p style="margin-bottom: 0">2. Scan the QR code in the app or directly enter the secret into the app:</p>
             <div id="totp-setup-qr"></div>
         </div>
 
         <div class="form-group">
-            <label for="otp">2. Enter the code displayed in the Authenticator app</label>
-            <p>You will have to log into the admin panel again after enabling two-factor authentication.</p>
+            <label for="otp-label" style="font-weight: normal">3. Optionally, give your device a label so that you can remember what device you set it up on:</label>
+            <input type="text" id="totp-setup-label" class="form-control" placeholder="my phone" />
+        </div>
+
+        <div class="form-group">
+            <label for="otp" style="font-weight: normal">4. Use the app to generate your first six-digit code and enter it here:</label>
             <input type="text" id="totp-setup-token" class="form-control" placeholder="6-digit code" />
         </div>
 
         <input type="hidden" id="totp-setup-secret" />
 
         <div class="form-group">
-            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable two-factor authentication</button>
+            <p>When you click Enable Two-Factor Authentication, you will be logged out of the control panel and will have to log in
+            again, now using your two-factor authentication app.</p>
+            <button id="totp-setup-submit" disabled type="submit" class="btn">Enable Two-Factor Authentication</button>
         </div>
     </form>
 
     <form id="disable-2fa">
         <div class="form-group">
-            <p>Two-factor authentication is active for your account. You can disable it by clicking below button.</p>
+            <p>Two-factor authentication is active for your account<span id="mfa-device-label"></span>.</p>
             <p>You will have to log into the admin panel again after disabling two-factor authentication.</p>
         </div>
         <div class="form-group">
-            <button type="submit" class="btn btn-danger">Disable two-factor authentication</button>
+            <button type="submit" class="btn btn-danger">Disable Two-Factor Authentication</button>
         </div>
     </form>
 
@@ -80,6 +107,7 @@
         totpSetupForm: document.getElementById('totp-setup'),
         totpSetupToken: document.getElementById('totp-setup-token'),
         totpSetupSecret: document.getElementById('totp-setup-secret'),
+        totpSetupLabel: document.getElementById('totp-setup-label'),
         totpQr: document.getElementById('totp-setup-qr'),
         totpSetupSubmit: document.querySelector('#totp-setup-submit'),
         wrapper: document.querySelector('.twofactor')
@@ -101,30 +129,29 @@
         }
     }
 
-    function render_totp_setup(res) {
-        function render_qr_code(encoded) {
-            var img = document.createElement('img');
-            img.src = encoded;
+    function render_totp_setup(provisioned_totp) {
+        var img = document.createElement('img');
+        img.src = "data:image/png;base64," + provisioned_totp.qr_code_base64;
 
-            var code = document.createElement('div');
-            code.innerHTML = `Secret: ${res.totp_secret}`;
+        var code = document.createElement('div');
+        code.innerHTML = `Secret: ${provisioned_totp.secret}`;
 
-            el.totpQr.appendChild(img);
-            el.totpQr.appendChild(code);
-        }
+        el.totpQr.appendChild(img);
+        el.totpQr.appendChild(code);
 
         el.totpSetupToken.addEventListener('input', update_setup_disabled);
         el.totpSetupForm.addEventListener('submit', do_enable_totp);
 
-        el.totpSetupSecret.setAttribute('value', res.totp_secret);
-        render_qr_code(res.totp_qr);
+        el.totpSetupSecret.setAttribute('value', provisioned_totp.secret);
 
         el.wrapper.classList.add('disabled');
     }
 
-    function render_disable() {
+    function render_disable(mfa) {
         el.disableForm.addEventListener('submit', do_disable);
         el.wrapper.classList.add('enabled');
+        if (mfa.label)
+          $("#mfa-device-label").text(" on device '" + mfa.label + "'");
     }
 
     function hide_error() {
@@ -154,7 +181,7 @@
         el.totpQr.innerHTML = '';
     }
 
-    function show_two_factor_auth() {
+    function show_mfa() {
         reset_view();
 
         api(
@@ -163,8 +190,17 @@
             {},
             function(res) {
                 el.wrapper.classList.add('loaded');
-                var isTotpEnabled = res.type === 'totp'
-                return isTotpEnabled ? render_disable(res) : render_totp_setup(res);
+
+                var has_mfa = false;
+                res.enabled_mfa.forEach(function(mfa) {
+                    if (mfa.type == "totp") {
+                        render_disable(mfa);
+                        has_mfa = true;
+                    }
+                });
+
+                if (!has_mfa)
+                  render_totp_setup(res.new_mfa.totp);
             }
         );
     }
@@ -174,9 +210,9 @@
         hide_error();
 
         api(
-            '/mfa/totp/disable',
+            '/mfa/disable',
             'POST',
-            {},
+            { type: 'totp' },
             function() {
                 do_logout();
             }
@@ -194,7 +230,8 @@
             'POST',
             {
                 token: $(el.totpSetupToken).val(),
-                secret: $(el.totpSetupSecret).val()
+                secret: $(el.totpSetupSecret).val(),
+                label: $(el.totpSetupLabel).val()
             },
             function(res) {
                 do_logout();
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index 9fcdf79d..b2625a34 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -22,7 +22,7 @@ if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
 	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
-	echo "CREATE TABLE IF NOT EXISTS mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);" | sqlite3 $db_path;
+	echo "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);" | sqlite3 $db_path;
 fi
 
 # ### User Authentication
diff --git a/setup/migrate.py b/setup/migrate.py
index 5b6e398b..e4a253dd 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -184,7 +184,7 @@ def migration_12(env):
 def migration_13(env):
 	# Add the "mfa" table for configuring MFA for login to the control panel.
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
-	shell("check_call", ["sqlite3", db, "CREATE TABLE IF NOT EXISTS mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
+	shell("check_call", ["sqlite3", db, "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
 
 ###########################################################
 

From 4dced10a3f22e7ce201fdc3bd29681e1899f1e1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Mon, 28 Sep 2020 21:04:44 +0200
Subject: [PATCH 20/27] Fix handling of bad input when enabling mfa

---
 management/daemon.py          |  4 ++--
 management/templates/mfa.html | 27 ++-------------------------
 2 files changed, 4 insertions(+), 27 deletions(-)

diff --git a/management/daemon.py b/management/daemon.py
index f4f972dc..bc519789 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -416,12 +416,12 @@ def totp_post_enable():
 	token = request.form.get('token')
 	label = request.form.get('label')
 	if type(token) != str:
-		return json_response({ "error": 'bad_input' }, 400)
+		return ("Bad Input", 400)
 	try:
 		validate_totp_secret(secret)
 		enable_mfa(request.user_email, "totp", secret, token, label, env)
 	except ValueError as e:
-		return str(e)
+		return (str(e), 400)
 	return "OK"
 
 @app.route('/mfa/disable', methods=['POST'])
diff --git a/management/templates/mfa.html b/management/templates/mfa.html
index 32b7f6cd..8e2737c1 100644
--- a/management/templates/mfa.html
+++ b/management/templates/mfa.html
@@ -233,31 +233,8 @@ and ensure every administrator account for this control panel does the same.</st
                 secret: $(el.totpSetupSecret).val(),
                 label: $(el.totpSetupLabel).val()
             },
-            function(res) {
-                do_logout();
-            },
-            function(res) {
-                var errorMessage = 'Something went wrong.';
-                var parsed;
-
-                try {
-                    parsed = JSON.parse(res);
-                } catch (err) {
-                    return render_error(errorMessage);
-                }
-
-                var error = parsed && parsed.error
-                    ? parsed.error
-                    : null;
-
-                if (error === 'token_mismatch') {
-                    errorMessage = 'Code does not match.';
-                } else if (error === 'bad_input') {
-                    errorMessage = 'Received request with malformed data.';
-                }
-
-                render_error(errorMessage);
-            }
+            function(res) { do_logout(); },
+            function(res) { render_error(res); }
         );
 
         return false;

From 6d82c0035af921730793fb61ed20a94136cc8bce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Mon, 28 Sep 2020 21:27:24 +0200
Subject: [PATCH 21/27] Update openAPI docs

---
 api/mailinabox.yml | 63 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 18 deletions(-)

diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 27c248da..118c0ce9 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -1714,28 +1714,34 @@ paths:
         200:
           description: Successful operation
           content:
-            application/json:
+            text/html:
               schema:
                 $ref: '#/components/schemas/MfaEnableSuccessResponse'
         400:
           description: Bad request
           content:
-            application/json:
+            text/html:
               schema:
-                $ref: '#/components/schemas/MfaEnableBadRequestResponse'
+                type: string
         403:
           description: Forbidden
           content:
             text/html:
               schema:
                 type: string
-  /mfa/totp/disable:
+  /mfa/disable:
     post:
       tags:
         - MFA
-      summary: Disable TOTP authentication
-      description: Disable TOTP authentication for the currently logged-in admin user
+      summary: Disable multi-factor authentication
+      description: Disables multi-factor authentication for the currently logged-in admin user. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id`
       operationId: mfaTotpDisable
+      requestBody:
+        required: false
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/MfaDisableRequest'
       x-codeSamples:
         - lang: curl
           source: |
@@ -1745,7 +1751,7 @@ paths:
         200:
           description: Successful operation
           content:
-            application/json:
+            text/html:
               schema:
                 $ref: '#/components/schemas/MfaDisableSuccessResponse'
         403:
@@ -2624,16 +2630,29 @@ components:
     MfaStatusResponse:
       type: object
       properties:
-        type:
-          type: string
-          example: totp
-          nullable: true
-        totp_secret:
-          type: string
-          nullable: true
-        totp_qr:
-          type: string
+        enabled_mfa:
+          type: object
+          properties:
+            id:
+              type: string
+            type:
+              type: string
+            secret:
+              type: string
+            mru_token:
+              type: string
+            label:
+              type: string
           nullable: true
+        new_mfa:
+          type: object
+          properties:
+            type:
+              type: string
+            secret:
+              type: string
+            qr_code_base64:
+              type: string
     MfaEnableRequest:
       type: object
       required:
@@ -2644,8 +2663,10 @@ components:
           type: string
         code:
           type: string
+        label:
+          type: string
     MfaEnableSuccessResponse:
-      type: object
+      type: string
     MfaEnableBadRequestResponse:
       type: object
       required:
@@ -2653,5 +2674,11 @@ components:
       properties:
         error:
           type: string
+    MfaDisableRequest:
+      type: object
+      properties:
+        mfa_id:
+          type: string
+          nullable: true
     MfaDisableSuccessResponse:
-      type: object
\ No newline at end of file
+      type: string
\ No newline at end of file

From 00b3a3b0a962fbd11e16710f86a358bc7c6e8837 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Tue, 29 Sep 2020 19:39:40 +0200
Subject: [PATCH 22/27] Remove unique key constraint on foreign key user_id in
 mfa table

---
 setup/mail-users.sh | 2 +-
 setup/migrate.py    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index b2625a34..48b3ef32 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -22,7 +22,7 @@ if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
 	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
 	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
-	echo "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);" | sqlite3 $db_path;
+	echo "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);" | sqlite3 $db_path;
 fi
 
 # ### User Authentication
diff --git a/setup/migrate.py b/setup/migrate.py
index e4a253dd..c52ac967 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -184,7 +184,7 @@ def migration_12(env):
 def migration_13(env):
 	# Add the "mfa" table for configuring MFA for login to the control panel.
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
-	shell("check_call", ["sqlite3", db, "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL UNIQUE, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
+	shell("check_call", ["sqlite3", db, "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
 
 ###########################################################
 

From be5032ffbe70f087b195b41a9224928ab5fa57b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Tue, 29 Sep 2020 19:46:02 +0200
Subject: [PATCH 23/27] Don't expose mru_token and secret for enabled mfas over
 HTTP

---
 api/mailinabox.yml   | 6 +-----
 management/daemon.py | 4 ++--
 management/mfa.py    | 8 ++++++++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 118c0ce9..15a048f9 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -2637,10 +2637,6 @@ components:
               type: string
             type:
               type: string
-            secret:
-              type: string
-            mru_token:
-              type: string
             label:
               type: string
           nullable: true
@@ -2681,4 +2677,4 @@ components:
           type: string
           nullable: true
     MfaDisableSuccessResponse:
-      type: string
\ No newline at end of file
+      type: string
diff --git a/management/daemon.py b/management/daemon.py
index bc519789..04b109f7 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -9,7 +9,7 @@ import auth, utils, mfa
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mfa import get_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
+from mfa import get_public_mfa_state, provision_totp, validate_totp_secret, enable_mfa, disable_mfa
 
 env = utils.load_environment()
 
@@ -403,7 +403,7 @@ def ssl_provision_certs():
 @authorized_personnel_only
 def mfa_get_status():
 	return json_response({
-		"enabled_mfa": get_mfa_state(request.user_email, env),
+		"enabled_mfa": get_public_mfa_state(request.user_email, env),
 		"new_mfa": {
 			"totp": provision_totp(request.user_email, env)
 		}
diff --git a/management/mfa.py b/management/mfa.py
index 4db0ac9e..b7f29bce 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -21,6 +21,14 @@ def get_mfa_state(email, env):
 		for r in c.fetchall()
 	]
 
+def get_public_mfa_state(email, env):
+	c = open_database(env)
+	c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	return [
+		{ "id": r[0], "type": r[1], "label": r[2] }
+		for r in c.fetchall()
+	]
+
 def enable_mfa(email, type, secret, token, label, env):
 	if type == "totp":
 		validate_totp_secret(secret)

From ada2167d08b5072b6447181b5558788c9cce9e71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Tue, 29 Sep 2020 20:05:58 +0200
Subject: [PATCH 24/27] Only update mru_token for matched mfa row

---
 management/mfa.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/management/mfa.py b/management/mfa.py
index b7f29bce..541fbc26 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -43,9 +43,9 @@ def enable_mfa(email, type, secret, token, label, env):
 	c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
 	conn.commit()
 
-def set_mru_token(email, token, env):
+def set_mru_token(email, mfa_id, token, env):
 	conn, c = open_database(env, with_connection=True)
-	c.execute('UPDATE mfa SET mru_token=? WHERE user_id=?', (token, get_user_id(email, c)))
+	c.execute('UPDATE mfa SET mru_token=? WHERE user_id=? AND id=?', (token, get_user_id(email, c), mfa_id))
 	conn.commit()
 
 def disable_mfa(email, mfa_id, env):
@@ -127,7 +127,7 @@ def validate_auth_mfa(email, request, env):
 				continue
 
 			# On success, record the token to prevent a replay attack.
-			set_mru_token(email, token, env)
+			set_mru_token(email, mfa_mode['id'], token, env)
 			return (True, [])
 
 	# On a failed login, indicate failure and any hints for what the user can do instead.

From 1f0e493b8c2d9f69ad57b5d56fee4e631d0f6008 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?=
 <1682504+fspoettel@users.noreply.github.com>
Date: Wed, 30 Sep 2020 12:34:26 +0200
Subject: [PATCH 25/27] Exclude mru_token in user key hash

---
 management/auth.py |  4 ++--
 management/mfa.py  | 14 ++++++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/management/auth.py b/management/auth.py
index d55e0697..fd143c76 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -4,7 +4,7 @@ from flask import make_response
 
 import utils
 from mailconfig import get_mail_password, get_mail_user_privileges
-from mfa import get_mfa_state, validate_auth_mfa
+from mfa import get_hash_mfa_state, validate_auth_mfa
 
 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@@ -147,7 +147,7 @@ class KeyAuthService:
 
 		# Add to the message the current MFA state, which is a list of MFA information.
 		# Turn it into a string stably.
-		msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8")
+		msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")
 
 		# Make the HMAC.
 		hash_key = self.key.encode('ascii')
diff --git a/management/mfa.py b/management/mfa.py
index 541fbc26..6af2288e 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -22,11 +22,17 @@ def get_mfa_state(email, env):
 	]
 
 def get_public_mfa_state(email, env):
-	c = open_database(env)
-	c.execute('SELECT id, type, label FROM mfa WHERE user_id=?', (get_user_id(email, c),))
+	mfa_state = get_mfa_state(email, env)
 	return [
-		{ "id": r[0], "type": r[1], "label": r[2] }
-		for r in c.fetchall()
+		{ "id": s["id"], "type": s["type"], "label": s["label"] }
+		for s in mfa_state
+	]
+
+def get_hash_mfa_state(email, env):
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
+		for s in mfa_state
 	]
 
 def enable_mfa(email, type, secret, token, label, env):

From ac9ecc3bd3fc6c04453f4c135774fc1e3b873464 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Thu, 29 Oct 2020 15:10:11 -0400
Subject: [PATCH 26/27] Rename tools/mail.py to management/cli.py

---
 tools/mail.py => management/cli.py | 38 ++++++++++++++++++------------
 management/templates/login.html    |  6 ++---
 setup/firstuser.sh                 | 10 ++++----
 setup/nextcloud.sh                 |  2 +-
 4 files changed, 32 insertions(+), 24 deletions(-)
 rename tools/mail.py => management/cli.py (79%)

diff --git a/tools/mail.py b/management/cli.py
similarity index 79%
rename from tools/mail.py
rename to management/cli.py
index 215f39eb..f264fa70 100755
--- a/tools/mail.py
+++ b/management/cli.py
@@ -1,4 +1,10 @@
 #!/usr/bin/python3
+#
+# This is a command-line script for calling management APIs
+# on the Mail-in-a-Box control panel backend. The script
+# reads /var/lib/mailinabox/api.key for the backend's
+# root API key. This file is readable only by root, so this
+# tool can only be used as root.
 
 import sys, getpass, urllib.request, urllib.error, json, re
 
@@ -53,21 +59,23 @@ def setup_key_auth(mgmt_uri):
 	urllib.request.install_opener(opener)
 
 if len(sys.argv) < 2:
-	print("Usage: ")
-	print("  tools/mail.py user  (lists users)")
-	print("  tools/mail.py user add user@domain.com [password]")
-	print("  tools/mail.py user password user@domain.com [password]")
-	print("  tools/mail.py user remove user@domain.com")
-	print("  tools/mail.py user make-admin user@domain.com")
-	print("  tools/mail.py user remove-admin user@domain.com")
-	print("  tools/mail.py user admins (lists admins)")
-	print("  tools/mail.py alias  (lists aliases)")
-	print("  tools/mail.py alias add incoming.name@domain.com sent.to@other.domain.com")
-	print("  tools/mail.py alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'")
-	print("  tools/mail.py alias remove incoming.name@domain.com")
-	print()
-	print("Removing a mail user does not delete their mail folders on disk. It only prevents IMAP/SMTP login.")
-	print()
+	print("""Usage:
+  {cli} user  (lists users)
+  {cli} user add user@domain.com [password]
+  {cli} user password user@domain.com [password]
+  {cli} user remove user@domain.com
+  {cli} user make-admin user@domain.com
+  {cli} user remove-admin user@domain.com
+  {cli} user admins (lists admins)
+  {cli} alias  (lists aliases)
+  {cli} alias add incoming.name@domain.com sent.to@other.domain.com
+  {cli} alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'
+  {cli} alias remove incoming.name@domain.com
+
+Removing a mail user does not delete their mail folders on disk. It only prevents IMAP/SMTP login.
+""".format(
+	cli="management/cli.py"
+		))
 
 elif sys.argv[1] == "user" and len(sys.argv) == 2:
 	# Dump a list of users, one per line. Mark admins with an asterisk.
diff --git a/management/templates/login.html b/management/templates/login.html
index 67cb08d2..4c432aae 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -32,13 +32,13 @@
   <p class="text-danger">There are no users on this system! To make an administrative user,
   log into this machine using SSH (like when you first set it up) and run:</p>
   <pre>cd mailinabox
-sudo tools/mail.py user add me@{{hostname}}
-sudo tools/mail.py user make-admin me@{{hostname}}</pre>
+sudo management/cli.py user add me@{{hostname}}
+sudo management/cli.py user make-admin me@{{hostname}}</pre>
   {% else %}
   <p class="text-danger">There are no administrative users on this system! To make an administrative user,
   log into this machine using SSH (like when you first set it up) and run:</p>
   <pre>cd mailinabox
-sudo tools/mail.py user make-admin me@{{hostname}}</pre>
+sudo management/cli.py user make-admin me@{{hostname}}</pre>
   {% endif %}
   <hr>
 </div>
diff --git a/setup/firstuser.sh b/setup/firstuser.sh
index f6947695..e2d6531c 100644
--- a/setup/firstuser.sh
+++ b/setup/firstuser.sh
@@ -1,6 +1,6 @@
 # If there aren't any mail users yet, create one.
-if [ -z "`tools/mail.py user`" ]; then
-	# The outut of "tools/mail.py user" is a list of mail users. If there
+if [ -z "`management/cli.py user`" ]; then
+	# The outut of "management/cli.py user" is a list of mail users. If there
 	# aren't any yet, it'll be empty.
 
 	# If we didn't ask for an email address at the start, do so now.
@@ -47,11 +47,11 @@ if [ -z "`tools/mail.py user`" ]; then
 	fi
 
 	# Create the user's mail account. This will ask for a password if none was given above.
-	tools/mail.py user add $EMAIL_ADDR ${EMAIL_PW:-}
+	management/cli.py user add $EMAIL_ADDR ${EMAIL_PW:-}
 
 	# Make it an admin.
-	hide_output tools/mail.py user make-admin $EMAIL_ADDR
+	hide_output management/cli.py user make-admin $EMAIL_ADDR
 
 	# Create an alias to which we'll direct all automatically-created administrative aliases.
-	tools/mail.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null
+	management/cli.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null
 fi
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 76c04800..ea1939c4 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -324,7 +324,7 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 # and there's a lot they could mess up, so we don't make any users admins of Nextcloud.
 # But if we wanted to, we would do this:
 # ```
-# for user in $(tools/mail.py user admins); do
+# for user in $(management/cli.py user admins); do
 #	 sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "INSERT OR IGNORE INTO oc_group_user VALUES ('admin', '$user')"
 # done
 # ```

From 545e7a52e465f5abc5ecabdc2d446d719febe7e6 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Thu, 29 Oct 2020 15:41:34 -0400
Subject: [PATCH 27/27] Add MFA list/disable to the management CLI so admins
 can restore access if MFA device is lost

---
 api/mailinabox.yml            | 10 ++++-----
 management/cli.py             | 22 +++++++++++++++----
 management/daemon.py          | 40 +++++++++++++++++++++++++++--------
 management/mfa.py             |  1 +
 management/templates/mfa.html |  2 +-
 tools/mail.py                 |  3 +++
 6 files changed, 59 insertions(+), 19 deletions(-)
 create mode 100755 tools/mail.py

diff --git a/api/mailinabox.yml b/api/mailinabox.yml
index 15a048f9..a9a2c124 100644
--- a/api/mailinabox.yml
+++ b/api/mailinabox.yml
@@ -1666,16 +1666,16 @@ paths:
               schema:
                 type: string
   /mfa/status:
-    get:
+    post:
       tags:
         - MFA
-      summary: Retrieve MFA status
+      summary: Retrieve MFA status for you or another user
       description: Retrieves which type of MFA is used and configuration
       operationId: mfaStatus
       x-codeSamples:
         - lang: curl
           source: |
-            curl -X GET "https://{host}/admin/mfa/status" \
+            curl -X POST "https://{host}/admin/mfa/status" \
               -u "<email>:<password>"
       responses:
         200:
@@ -1733,8 +1733,8 @@ paths:
     post:
       tags:
         - MFA
-      summary: Disable multi-factor authentication
-      description: Disables multi-factor authentication for the currently logged-in admin user. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id`
+      summary: Disable multi-factor authentication for you or another user
+      description: Disables multi-factor authentication for the currently logged-in admin user or another user if a 'user' parameter is submitted. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id`.
       operationId: mfaTotpDisable
       requestBody:
         required: false
diff --git a/management/cli.py b/management/cli.py
index f264fa70..1b91b003 100755
--- a/management/cli.py
+++ b/management/cli.py
@@ -6,7 +6,7 @@
 # root API key. This file is readable only by root, so this
 # tool can only be used as root.
 
-import sys, getpass, urllib.request, urllib.error, json, re
+import sys, getpass, urllib.request, urllib.error, json, re, csv
 
 def mgmt(cmd, data=None, is_json=False):
 	# The base URL for the management daemon. (Listens on IPv4 only.)
@@ -60,14 +60,16 @@ def setup_key_auth(mgmt_uri):
 
 if len(sys.argv) < 2:
 	print("""Usage:
-  {cli} user  (lists users)
+  {cli} user                                     (lists users)
   {cli} user add user@domain.com [password]
   {cli} user password user@domain.com [password]
   {cli} user remove user@domain.com
   {cli} user make-admin user@domain.com
   {cli} user remove-admin user@domain.com
-  {cli} user admins (lists admins)
-  {cli} alias  (lists aliases)
+  {cli} user admins                              (lists admins)
+  {cli} user mfa show user@domain.com            (shows MFA devices for user, if any)
+  {cli} user mfa disable user@domain.com [id]    (disables MFA for user)
+  {cli} alias                                    (lists aliases)
   {cli} alias add incoming.name@domain.com sent.to@other.domain.com
   {cli} alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com'
   {cli} alias remove incoming.name@domain.com
@@ -121,6 +123,18 @@ elif sys.argv[1] == "user" and sys.argv[2] == "admins":
 			if "admin" in user['privileges']:
 				print(user['email'])
 
+elif sys.argv[1] == "user" and len(sys.argv) == 5 and sys.argv[2:4] == ["mfa", "show"]:
+	# Show MFA status for a user.
+	status = mgmt("/mfa/status", { "user": sys.argv[4] }, is_json=True)
+	W = csv.writer(sys.stdout)
+	W.writerow(["id", "type", "label"])
+	for mfa in status["enabled_mfa"]:
+		W.writerow([mfa["id"], mfa["type"], mfa["label"]])
+
+elif sys.argv[1] == "user" and len(sys.argv) in (5, 6) and sys.argv[2:4] == ["mfa", "disable"]:
+	# Disable MFA (all or a particular device) for a user.
+	print(mgmt("/mfa/disable", { "user": sys.argv[4], "mfa-id": sys.argv[5] if len(sys.argv) == 6 else None }))
+
 elif sys.argv[1] == "alias" and len(sys.argv) == 2:
 	print(mgmt("/mail/aliases"))
 
diff --git a/management/daemon.py b/management/daemon.py
index 04b109f7..ffc6d5d5 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -5,7 +5,7 @@ from functools import wraps
 
 from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response
 
-import auth, utils, mfa
+import auth, utils
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
@@ -399,15 +399,27 @@ def ssl_provision_certs():
 
 # multi-factor auth
 
-@app.route('/mfa/status', methods=['GET'])
+@app.route('/mfa/status', methods=['POST'])
 @authorized_personnel_only
 def mfa_get_status():
-	return json_response({
-		"enabled_mfa": get_public_mfa_state(request.user_email, env),
-		"new_mfa": {
-			"totp": provision_totp(request.user_email, env)
+	# Anyone accessing this route is an admin, and we permit them to
+	# see the MFA status for any user if they submit a 'user' form
+	# field. But we don't include provisioning info since a user can
+	# only provision for themselves.
+	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
+	try:
+		resp = {
+			"enabled_mfa": get_public_mfa_state(email, env)
 		}
-	})
+		if email == request.user_email:
+			resp.update({
+				"new_mfa": {
+					"totp": provision_totp(email, env)
+				}
+			})
+	except ValueError as e:
+		return (str(e), 400)
+	return json_response(resp)
 
 @app.route('/mfa/totp/enable', methods=['POST'])
 @authorized_personnel_only
@@ -427,8 +439,18 @@ def totp_post_enable():
 @app.route('/mfa/disable', methods=['POST'])
 @authorized_personnel_only
 def totp_post_disable():
-	disable_mfa(request.user_email, request.form.get('mfa-id'), env)
-	return "OK"
+	# Anyone accessing this route is an admin, and we permit them to
+	# disable the MFA status for any user if they submit a 'user' form
+	# field.
+	email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request
+	try:
+		result = disable_mfa(email, request.form.get('mfa-id') or None, env) # convert empty string to None
+	except ValueError as e:
+		return (str(e), 400)
+	if result: # success
+		return "OK"
+	else: # error
+		return ("Invalid user or MFA id.", 400)
 
 # WEB
 
diff --git a/management/mfa.py b/management/mfa.py
index 6af2288e..32eb5183 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -63,6 +63,7 @@ def disable_mfa(email, mfa_id, env):
 		# Disable a particular MFA mode for a user.
 		c.execute('DELETE FROM mfa WHERE user_id=? AND id=?', (get_user_id(email, c), mfa_id))
 	conn.commit()
+	return c.rowcount > 0
 
 def validate_totp_secret(secret):
 	if type(secret) != str or secret.strip() == "":
diff --git a/management/templates/mfa.html b/management/templates/mfa.html
index 8e2737c1..f45b263f 100644
--- a/management/templates/mfa.html
+++ b/management/templates/mfa.html
@@ -186,7 +186,7 @@ and ensure every administrator account for this control panel does the same.</st
 
         api(
             '/mfa/status',
-            'GET',
+            'POST',
             {},
             function(res) {
                 el.wrapper.classList.add('loaded');
diff --git a/tools/mail.py b/tools/mail.py
new file mode 100755
index 00000000..f7d5b410
--- /dev/null
+++ b/tools/mail.py
@@ -0,0 +1,3 @@
+#!/bin/bash
+# This script has moved.
+management/cli.py "$@"