2FA reset

app/Http/Controllers/TwilioController.php

@@ -11,9 +11,12 @@
 
 namespace App\Http\Controllers;
 
+use App\Http\Requests\Twilio\Confirm2faRequest;
 use App\Http\Requests\Twilio\ConfirmSmsRequest;
+use App\Http\Requests\Twilio\Generate2faRequest;
 use App\Http\Requests\Twilio\GenerateSmsRequest;
 use App\Libraries\MultiDB;
+use App\Models\User;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Http\Response;
 use Twilio\Rest\Client;
@@ -100,7 +103,73 @@ class TwilioController extends BaseController
 
         return response()->json(['message' => 'SMS not verified'], 400);
 
-
     }
 
+    public function generate2faResetCode(Generate2faRequest $request)
+    {
+        $user = User::where('email', $request->email)->first();
+
+        if(!$user)
+            return response()->json(['message' => 'Unable to retrieve user.'], 400);
+
+        $sid = config('ninja.twilio_account_sid');
+        $token = config('ninja.twilio_auth_token');
+
+        $twilio = new Client($sid, $token);
+
+
+        try {
+            $verification = $twilio->verify
+                                   ->v2
+                                   ->services(config('ninja.twilio_verify_sid'))
+                                   ->verifications
+                                   ->create($user->phone, "sms");
+        }
+        catch(\Exception $e) {
+
+            return response()->json(['message' => 'Invalid phone number on file, we are unable to reset. Please contact support.'], 400);
+
+        }
+
+        $user->sms_verification_code = $verification->sid;
+        $user->save();
+
+        return response()->json(['message' => 'Code sent.'], 200);
+    }
+
+    public function confirm2faResetCode(Confirm2faRequest $request)
+    {
+        $user = User::where('email', $request->email)->first();
+
+        if(!$user)
+            return response()->json(['message' => 'Unable to retrieve user.'], 400);
+
+        $sid = config('ninja.twilio_account_sid');
+        $token = config('ninja.twilio_auth_token');
+
+        $twilio = new Client($sid, $token);
+
+        $verification_check = $twilio->verify
+                                     ->v2
+                                     ->services(config('ninja.twilio_verify_sid'))
+                                     ->verificationChecks
+                                     ->create([
+                                             "to" => $user->phone,
+                                             "code" => $request->code
+                                       ]);
+        
+
+        if($verification_check->status == 'approved'){
+
+            $user->google_2fa_secret = '';
+            $user->sms_verification_code = '';
+            $user->save();
+
+            return response()->json(['message' => 'SMS verified, 2FA disabled.'], 200);
+        }
+
+        return response()->json(['message' => 'SMS not verified.'], 400);
+
+    }    
+
 }

app/Http/Requests/Twilio/Confirm2faRequest.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com).
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://www.elastic.co/licensing/elastic-license
+ */
+
+namespace App\Http\Requests\Twilio;
+
+use App\Http\Requests\Request;
+use App\Libraries\MultiDB;
+
+
+class Confirm2faRequest extends Request
+{
+
+    /**
+     * Determine if the user is authorized to make this request.
+     *
+     * @return bool
+     */
+    public function authorize() : bool
+    {
+        return true;
+    }
+
+    public function rules()
+    {
+
+        return [
+            'code' => 'required',
+            'email' => 'required|exists,users:email',
+        ];
+    }
+
+    public function prepareForValidation()
+    {
+        $input = $this->all();
+
+        if(array_key_exists('email', $input))
+            MultiDB::userFindAndSetDb($input['email']);
+
+        $this->replace($input);
+    }
+
+}

app/Http/Requests/Twilio/Generate2faRequest.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com).
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://www.elastic.co/licensing/elastic-license
+ */
+
+namespace App\Http\Requests\Twilio;
+
+use App\Http\Requests\Request;
+use App\Libraries\MultiDB;
+
+
+class Generate2faRequest extends Request
+{
+
+    /**
+     * Determine if the user is authorized to make this request.
+     *
+     * @return bool
+     */
+    public function authorize() : bool
+    {
+        return true;
+    }
+
+
+    public function rules()
+    {
+
+        return [
+            'email' => 'required|exists,users:email',
+        ];
+        
+    }
+
+    public function prepareForValidation()
+    {
+        $input = $this->all();
+
+        if(array_key_exists('email', $input))
+            MultiDB::userFindAndSetDb($input['email']);
+
+        $this->replace($input);
+    }
+
+}

database/migrations/2022_10_27_044909_add_user_sms_verification_code.php

@@ -0,0 +1,30 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+       Schema::table('users', function (Blueprint $table) {
+            $table->string('sms_verification_code', 191)->nullable();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        //
+    }
+};

routes/api.php

@@ -298,7 +298,6 @@ Route::group(['middleware' => ['throttle:300,1', 'api_db', 'token_auth', 'locale
     Route::post('settings/enable_two_factor', [TwoFactorController::class, 'enableTwoFactor']);
     Route::post('settings/disable_two_factor', [TwoFactorController::class, 'disableTwoFactor']);
 
-
     Route::post('verify', [TwilioController::class, 'generate'])->name('verify.generate')->middleware('throttle:100,1');
     Route::post('verify/confirm', [TwilioController::class, 'confirm'])->name('verify.confirm');
     
@@ -344,6 +343,9 @@ Route::group(['middleware' => ['throttle:300,1', 'api_db', 'token_auth', 'locale
 
 });
 
+Route::post('sms_reset', [TwilioController::class, 'generate2faResetCode'])->name('sms_reset.generate')->middleware('throttle:10,1');
+Route::post('sms_reset/confirm', [TwilioController::class, 'confirm2faResetCode'])->name('sms_reset.confirm')->middleware('throttle:20,1');
+
 Route::match(['get', 'post'], 'payment_webhook/{company_key}/{company_gateway_id}', PaymentWebhookController::class)
     ->middleware('throttle:1000,1')
     ->name('payment_webhook');