Add support for time-based one-time passwords.

Author: Tekki

Changes

@@ -1,6 +1,7 @@
 Revision history for SQL-Ledger, starting with version 3.0.0
 
 Not Released
+  - MFA with time-based one-time passwords (codes from Authenticator App)
   - payment screen shows links to invoices
 
 3.2.12.55 2025-02-19

SL/Form.pm

@@ -204,7 +204,7 @@ sub dump_timer {
 
 
 sub perl_modules {
-  return [qw|Archive::Zip Excel::Writer::XLSX Mojolicious Spreadsheet::ParseXLSX|];
+  return [qw|Archive::Zip Excel::Writer::XLSX Mojolicious Spreadsheet::ParseXLSX Text::QRCode|];
 }
 
 

SL/QRCode.pm

@@ -0,0 +1,141 @@
+#=====================================================================
+# SQL-Ledger ERP
+# Copyright (C) 2025
+#
+#  Author: Tekki
+#     Web: https://tekki.ch
+#
+#======================================================================
+#
+# Generator for QR Codes
+#
+#======================================================================
+package SL::QRCode;
+
+use POSIX 'fmax';
+use Text::QRCode;
+
+sub plot_svg {
+  my ($text, %param) = @_;
+
+  $param{background} ||= 'white';
+  $param{dotsize}    ||= 1;
+  $param{foreground} ||= 'black';
+  $param{height}     ||= 0;
+  $param{level}      ||= 'M';
+  $param{margin}     ||= 2;
+  $param{scale}      ||= 1;
+  $param{version}    ||= 0;
+  $param{width}      ||= 0;
+
+  my @code = Text::QRCode->new(level => $param{level}, version => $param{version})->plot($text)->@*;
+
+  my $vbwidth = my $vbheight = 0;
+  my $x_max   = $code[0]->@* - 1;
+  my $y_max   = @code - 1;
+
+  my @elements = (qq|  <rect width="100%" height="100%" fill="$param{background}"/>|);
+  my @dot;
+
+  my $rect = sub {
+    my ($x, $y, $width, $height) = @_;
+
+    my $x1 = $x + $param{margin};
+    my $y1 = $y + $param{margin};
+    $vbwidth  = fmax $vbwidth,  $x1 + $width;
+    $vbheight = fmax $vbheight, $y1 + $height;
+
+    push @elements,
+      qq|  <rect x="$x1" y="$y1" width="$width" height="$height" fill="$param{foreground}"/>|;
+
+  };
+
+  my $add_dot = sub {
+    if (@dot) {
+      $rect->(@dot);
+      @dot = ();
+    }
+  };
+
+  for my $y (0 .. $y_max) {
+    for my $x (0 .. $x_max) {
+      if ($code[$y][$x] eq '*') {
+        if (@dot) {
+          $dot[2] += $param{dotsize};
+        } else {
+          @dot = ($x * $param{dotsize}, $y * $param{dotsize}, $param{dotsize}, $param{dotsize});
+        }
+      } else {
+        $add_dot->();
+      }
+    }
+    $add_dot->();
+  }
+
+  $vbheight += $param{margin};
+  $vbwidth  += $param{margin};
+
+  my @attr = (qq|viewBox="0 0 $vbwidth $vbheight"|);
+
+  my $height     = $vbheight * $param{scale};
+  my $width      = $vbwidth * $param{scale};
+  my $attributes = sprintf 'viewBox="0 0 %d %d" width="%d" height="%d"', $vbwidth, $vbheight,
+    $param{width} || $vbwidth * $param{scale}, $param{height} || $vbheight * $param{scale};
+
+  my $svg
+    = qq|<svg $attributes xmlns="http://www.w3.org/2000/svg">\n|
+    . join("\n", @elements)
+    . qq|\n</svg>|;
+
+  return $svg;
+}
+
+1;
+
+=encoding utf8
+
+=head1 NAME
+
+SL::QRCode - Generator for QR Codes
+
+=head1 SYNOPSIS
+
+    use SL::QRCode;
+
+    my %default_params = (
+      level      => 'M',
+      version    => 0,
+      background => 'white',
+      foreground => 'black',
+      dotsize    => 1,
+      width      => 0,
+      height     => 0,
+      margin     => 2,
+      scale      => 1,
+    );
+
+    my $svg = SL::QRCode::plot_svg($text, %default_params);
+
+=head1 DESCRIPTION
+
+L<SL::QRCode> provides functions to generate QR Codes.
+
+=head1 DEPENDENCIES
+
+L<SL::QRCode>
+
+=over
+
+=item * uses
+L<Text::QRCode>
+
+=back
+
+=head1 FUNCTIONS
+
+=head2 plot_svg
+
+    my $svg = SL::QRCode::plot_svg($text);
+    my $svg = SL::QRCode::plot_svg($text, %params);
+
+=cut

SL/TOTP.pm

@@ -0,0 +1,155 @@
+#=====================================================================
+# SQL-Ledger ERP
+# Copyright (C) 2025
+#
+#  Author: Tekki
+#     Web: https://tekki.ch
+#
+#======================================================================
+#
+# Time-based one-time passwords
+#
+#======================================================================
+package SL::TOTP;
+
+use Digest::SHA 'hmac_sha1';
+use Encode 'decode';
+
+sub add_secret {
+  my ($user, $memberfile, $userspath) = @_;
+
+  $user->{totp_secret} = &generate_secret;
+
+  if ($memberfile && $userspath) {
+    for (qw|name signature|) {
+      $user->{$_} = decode 'UTF-8', $user->{$_};
+    }
+    $user->{packpw} = 1;
+    $user->save_member($memberfile, $userspath);
+  }
+}
+
+sub check_code {
+  my ($user, $code, $timestamp) = @_;
+
+  $timestamp //= time;
+  my $hash   = hmac_sha1(pack('Q>', int($timestamp / 30)), decode_base32($user->{totp_secret}));
+  my $offset = ord(substr($hash, -1)) & 0x0f;
+  my $otp    = ((unpack("N", substr($hash, $offset, 4))) & 0x7fffffff) % 10**6;
+
+  return sprintf("%06d", $otp) eq $code;
+}
+
+# decode_base32 and encode_base32: from MIME::Base32 by Jens Rehsack
+
+sub decode_base32 {
+  my $arg = uc(shift || '');    # mimic MIME::Base64
+  $arg =~ tr|A-Z2-7|\0-\37|;
+  $arg = unpack('B*', $arg);
+  $arg =~ s/000(.....)/$1/g;
+  my $l = length $arg;
+  $arg = substr($arg, 0, $l & ~7) if $l & 7;
+  $arg = pack('B*', $arg);
+  return $arg;
+}
+
+sub encode_base32 {
+  my $arg = shift;
+  return '' unless defined($arg);    # mimic MIME::Base64
+  $arg = unpack('B*', $arg);
+  $arg =~ s/(.....)/000$1/g;
+  my $l = length($arg);
+  if ($l & 7) {
+    my $e = substr($arg, $l & ~7);
+    $arg = substr($arg, 0, $l & ~7);
+    $arg .= "000$e" . '0' x (5 - length $e);
+  }
+  $arg = pack('B*', $arg);
+  $arg =~ tr|\0-\37|A-Z2-7|;
+  return $arg;
+}
+
+sub generate_secret {
+  my $secret = join '', map { chr int rand 256 } 1 .. 20;
+  
+  return encode_base32($secret);
+}
+
+sub url {
+  my ($user) = @_;
+
+  my $account = $user->{login};
+  $account .= "\@$ENV{SERVER_NAME}" if $ENV{SERVER_NAME};
+
+  return
+    qq|otpauth://totp/SQL-Ledger:$account?secret=$user->{totp_secret}&issuer=SQL-Ledger&algorithm=SHA1&digits=6&period=30|;
+}
+
+1;
+
+=encoding utf8
+
+=head1 NAME
+
+SL::TOTP - Time-based one-time passwords
+
+=head1 SYNOPSIS
+
+    use SL::TOTP;
+    use SL::User;
+
+    my $user = User->new($memberfile, $form->{login});
+    SL::TOTP->add_secret($user, $memberfile, $userspath);
+
+    my $url = SL::TOTP::url($user);
+
+    SL::TOTP->check_code($user, $code);
+
+=head1 DESCRIPTION
+
+L<SL::TOTP> provides functions for time-based one-time passwords.
+
+=head1 DEPENDENCIES
+
+L<SL::TOTP>
+
+=over
+
+=item * uses
+L<Digest::SHA>
+
+=back
+
+=head1 FUNCTIONS
+
+L<SL::TOTP> implements the following functions:
+
+=head2 add_secret
+
+    my $user = User->new($memberfile, $form->{login});
+    SL::TOTP::add_secret($user, $memberfile, $userspath);
+
+    SL::TOTP::add_secret($user);  # without saving
+
+=head2 check_code
+
+    my $ok = SL::TOTP::check_code($user, $code);  # current time
+    my $ok = SL::TOTP::check_code($user, $code, $timestamp); 
+
+=head2 decode_base32
+
+    my $decoded = SL::TOTP::decode_base32($encoded_string);
+
+=head2 encode_base32
+
+    my $encoded_string = SL::TOTP::encode_base32($unencoded_string);
+
+=head2 generate_secret
+
+    my $secret = SL::TOTP::generate_secret();
+
+=head2 url
+
+    my $url = SL::TOTP::url($user);
+
+=cut

SL/User.pm

@@ -923,7 +923,8 @@ sub config_vars {
              dbconnect dbdriver dbhost dbname dboptions dbpasswd
              dbport dbuser menuwidth name email emailcopy numberformat password
              outputformat printer sessionkey sid
-             signature stylesheet tan templates timeout vclimit);
+             signature stylesheet tan totp_activated totp_secret
+             templates timeout vclimit);
 
   @conf;