Migrate to Twilio Verify API

Ben · markharding · commit 7dafa5d2e745 · 2021-12-08T09:35:29.000Z
diff --git a/Controllers/api/v1/twofactor.php b/Controllers/api/v1/twofactor.php
@@ -14,6 +14,7 @@
 use Minds\Core\Security;
 use Minds\Core\Security\TwoFactor\TwoFactorRequiredException;
 use Minds\Core\SMS\Exceptions\VoIpPhoneException;
+use Minds\Helpers\FormatPhoneNumber;
 use Minds\Entities;
 use Minds\Interfaces;
 use Zend\Diactoros\ServerRequestFactory;
@@ -53,9 +54,21 @@ public function post($pages)
             $pages[0] = '';
         }
 
+        $featuresManager = Di::_()->get('Features\Manager');
+        $twilioVerify = Di::_()->get('SMS\Twilio\Verify');
 
         switch ($pages[0]) {
             case "setup":
+                if ($featuresManager->has('twilio-verify')) {
+                    $number = FormatPhoneNumber::format($_POST['tel']);
+
+                    if (!$twilioVerify->verify($number)) {
+                        throw new VoIpPhoneException();
+                    }
+
+                    $twilioVerify->send($number, '');
+                    break;
+                }
 
                 try {
                     $twoFactorManager = Di::_()->get('Security\TwoFactor\Manager');
@@ -86,11 +99,7 @@ public function post($pages)
                 }
 
                 $message = 'Minds TwoFactor code: '. $twofactor->getCode($secret);
-                $number = $_POST['tel'];
-                
-                if ($number[0] !== '+') {
-                    $number = '+'.$number;
-                }
+                $number = FormatPhoneNumber::format($_POST['tel']);
 
                 if ($sms->send($number, $message)) {
                     $response['secret'] = $secret;
@@ -103,7 +112,21 @@ public function post($pages)
             case "check":
                 $secret = $_POST['secret'];
                 $code = $_POST['code'];
-                $telno = $_POST['telno'];
+                $telno = FormatPhoneNumber::format($_POST['telno']);
+
+                if ($featuresManager->has('twilio-verify')) {
+                    if ($twilioVerify->verifyCode($code, $telno)) {
+                        $user->twofactor = true;
+                        $user->telno = $telno;
+                    } else {
+                        $response['status'] = "error";
+                        $response['message'] = "2factor code failed";
+                        $user->twofactor = false;
+                    }
+                    $user->save();
+                    break;
+                }
+
                 if ($twofactor->verifyCode($secret, $code, 1)) {
                     $response['status'] = "success";
                     $response['message'] = "2factor now setup";
diff --git a/Controllers/api/v2/blockchain/rewards.php b/Controllers/api/v2/blockchain/rewards.php
@@ -26,8 +26,9 @@ public function post($pages)
                 if (!isset($_POST['number'])) {
                     return Factory::response(['status' => 'error', 'message' => 'phone field is required']);
                 }
-                $number = $_POST['number'];
-                $resend = $_POST['retry'];
+
+                $number = filter_var($_POST['number'] ?? '', FILTER_SANITIZE_STRING);
+                $resend = filter_var($_POST['retry'] ?? false, FILTER_VALIDATE_BOOLEAN);
 
                 try {
                     $join = new Join();
@@ -61,9 +62,10 @@ public function post($pages)
                 }
                 $code = $_POST['code'];
 
-                if (!isset($_POST['secret'])) {
-                    return Factory::response(['status' => 'error', 'message' => 'code field is required']);
+                if (!Core\Di\Di::_()->get('Features\Manager')->has('twilio-verify') && !isset($_POST['secret'])) {
+                    return Factory::response(['status' => 'error', 'message' => 'secret field is required']);
                 }
+
                 $secret = $_POST['secret'];
 
                 $user = Session::getLoggedInUser();
diff --git a/Core/Features/Provider.php b/Core/Features/Provider.php
@@ -82,6 +82,7 @@ public function register()
                 'cloudflare-streams',
                 'notifications-v3',
                 'withdrawal-console',
+                'twilio-verify',
                 'helpdesk-2021',
                 'plus-discovery-filter',
                 'twitter-sync',
diff --git a/Core/Rewards/Join.php b/Core/Rewards/Join.php
@@ -62,6 +62,12 @@ class Join
     /** @var JoinedValidator */
     private $joinedValidator;
 
+    /** @var Features\Manager */
+    private $featuresManager;
+
+    /** @var TwilioVerify */
+    private $twilioVerify;
+
     public function __construct(
         $twofactor = null,
         $sms = null,
@@ -73,7 +79,9 @@ public function __construct(
         $ofacBlacklist = null,
         $testnetBalance = null,
         $referralDelegate = null,
-        KeyValueLimiter  $kvLimiter = null
+        KeyValueLimiter  $kvLimiter = null,
+        $featuresManager = null,
+        $twilioVerify = null
     ) {
         $this->twofactor = $twofactor ?: Di::_()->get('Security\TwoFactor');
         $this->sms = $sms ?: Di::_()->get('SMS');
@@ -86,6 +94,8 @@ public function __construct(
         $this->testnetBalance = $testnetBalance ?: Di::_()->get('Blockchain\Wallets\OffChain\TestnetBalance');
         $this->referralDelegate = $referralDelegate ?: new Delegates\ReferralDelegate;
         $this->kvLimiter = $kvLimiter ?? Di::_()->get("Security\RateLimits\KeyValueLimiter");
+        $this->featuresManager = $featuresManager ?? Di::_()->get('Features\Manager');
+        $this->twilioVerify = $twilioVerify ?? Di::_()->get('SMS\Twilio\Verify');
     }
 
     public function setUser(&$user)
@@ -127,8 +137,6 @@ public function setSecret($secret)
      */
     public function verify()
     {
-        $secret = $this->twofactor->createSecret();
-        $code = $this->twofactor->getCode($secret);
 
         // Limit a single account to 3 attempts per day
         $this->kvLimiter
@@ -138,6 +146,23 @@ public function verify()
             ->setMax(3) // 2 per day
             ->checkAndIncrement(); // Will throw exception
 
+
+        if ($this->featuresManager->has('twilio-verify')) {
+            if (!$this->twilioVerify->verify($this->number)) {
+                throw new VoIpPhoneException();
+            }
+
+            if (!$this->user->isEmailConfirmed()) {
+                throw new UnverifiedEmailException();
+            }
+
+            $this->twilioVerify->send($this->number, '');
+            return;
+        }
+
+        $secret = $this->twofactor->createSecret();
+        $code = $this->twofactor->getCode($secret);
+
         $user_guid = $this->user->guid;
         $this->db->insert("rewards:verificationcode:$user_guid", compact('code', 'secret'));
 
@@ -158,6 +183,11 @@ public function verify()
 
     public function resendCode()
     {
+        if ($this->featuresManager->has('twilio-verify')) {
+            $this->verify();
+            return;
+        }
+
         $user_guid = $this->user->guid;
         $username = $this->user->getUsername();
         $row = $this->db->getRow("rewards:verificationcode:$user_guid");
@@ -180,7 +210,15 @@ public function confirm()
             return false; //already joined
         }
 
-        if ($this->twofactor->verifyCode($this->secret, $this->code, 8)) {
+        $valid = false;
+        
+        if ($this->featuresManager->has('twilio-verify')) {
+            $valid = $this->twilioVerify->verifyCode($this->code, $this->number);
+        } else {
+            $valid = $this->twofactor->verifyCode($this->secret, $this->code, 8);
+        }
+        
+        if ($valid) {
             $hash = hash('sha256', $this->number . $this->config->get('phone_number_hash_salt'));
             $this->user->setPhoneNumberHash($hash);
             $this->user->save();
diff --git a/Core/SMS/SMSProvider.php b/Core/SMS/SMSProvider.php
@@ -7,6 +7,7 @@
 
 use Minds\Core\Di\Provider;
 use Minds\Core\SMS\Services\Twilio;
+use Minds\Core\SMS\Services\TwilioVerify;
 
 class SMSProvider extends Provider
 {
@@ -15,6 +16,9 @@ public function register()
         $this->di->bind('SMS', function ($di) {
             return new Twilio();
         }, ['useFactory' => true]);
+        $this->di->bind('SMS\Twilio\Verify', function ($di) {
+            return new TwilioVerify();
+        }, ['useFactory' => true]);
         $this->di->bind('SMS\SNS', function ($di) {
             return new Services\SNS();
         }, ['useFactory' => true]);
diff --git a/Core/SMS/Services/TwilioVerify.php b/Core/SMS/Services/TwilioVerify.php
@@ -0,0 +1,143 @@
+<?php
+
+/**
+ * Minds Twilio Verify Service
+ */
+
+namespace Minds\Core\SMS\Services;
+
+use Minds\Common\IpAddress;
+use Minds\Core\Di\Di;
+use Minds\Core\Config;
+use Minds\Core\SMS\Exceptions\InvalidPhoneException;
+use Minds\Core\SMS\SMSServiceInterface;
+use Twilio\Rest\Client as TwilioClient;
+use Minds\Core\Security\RateLimits\KeyValueLimiter;
+
+class TwilioVerify implements SMSServiceInterface
+{
+    /** @var TwilioClient */
+    protected $client;
+
+    /** @var Config */
+    protected $config;
+
+    /** @var string */
+    protected $from;
+
+    /** @var KeyValueLimiter */
+    protected $kvLimiter;
+
+    /** @var IpAddress */
+    protected $ipAddress;
+
+    public function __construct($client = null, $config = null, $kvLimiter = null, IpAddress $ipAddress = null)
+    {
+        $this->config = $config ?? Di::_()->get('Config');
+        $this->client = $client;
+        $this->kvLimiter = $kvLimiter ?? Di::_()->get("Security\RateLimits\KeyValueLimiter");
+        $this->ipAddress = $ipAddress ?? new IpAddress();
+    }
+
+    /**
+     * Verifies the number isn't a voip line.
+     * @param $number
+     * @return boolean
+     * @throws InvalidPhoneException
+     */
+    public function verify($number): bool
+    {
+        try {
+            $phone_number = $this->getClient()->lookups->v1->phoneNumbers($number)
+                ->fetch(["type" => "carrier"]);
+
+            return $phone_number->carrier['type'] !== 'voip';
+        } catch (\Exception $e) {
+            error_log("[guard] Twilio error: {$e->getMessage()}");
+            throw new InvalidPhoneException('Invalid Phone Number', 0, $e);
+        }
+    }
+
+    /**
+     * Send a verification request.
+     * @param string $number - users phone number.
+     * @param string $number - depreciated.
+     */
+    public function send($number, $message = ''): bool
+    {
+        $result = null;
+
+        // // Only allow 5 messages sent to a number per day
+        // // To prevent malicious users flooding the system
+        $phoneNumberHash = hash('sha256', $number . $this->config->get('phone_number_hash_salt'));
+
+        $this->kvLimiter
+            ->setKey('sms-sender-twilio')
+            ->setValue($phoneNumberHash)
+            ->setSeconds(86400) // Day
+            ->setMax(5) // 5 per day
+            ->checkAndIncrement(); // Will throw exception
+
+        // Only allow 10 SMS messages per IP address per day
+        $this->kvLimiter
+            ->setKey('sms-sender-twilio-ip')
+            ->setValue($this->ipAddress->get())
+            ->setSeconds(86400) // Day
+            ->setMax(10) // 10 per day
+            ->checkAndIncrement(); // Will throw exception
+
+        try {
+            // Send SMS
+            $result = $this->getClient()->verify->v2->services($this->getConfig()['verify']['service_sid'])
+                ->verifications
+                ->create($number, "sms");
+        } catch (\Exception $e) {
+            error_log("[guard] TwilioVerify error: {$e->getMessage()}");
+        }
+
+        return $result ? $result->sid : false;
+    }
+
+    /**
+     * Verify a given code.
+     * @param string $code - code received by user.
+     * @param string $number - users phone number.
+     * @return bool - true if code is valid.
+     */
+    public function verifyCode(string $code, string $number): bool
+    {
+        $result = $this->getClient()->verify->v2->services(
+            $this->getConfig()['verify']['service_sid']
+        )
+            ->verificationChecks
+            ->create(
+                $code,
+                ["to" => $number]
+            );
+        
+        return $result->status === 'approved';
+    }
+
+    /**
+     * Get the Twilio client
+     * @return TwilioClient
+     */
+    private function getClient(): TwilioClient
+    {
+        if (!$this->client) {
+            $AccountSid = $this->getConfig()['account_sid'] ?: 'not set';
+            $AuthToken = $this->getConfig()['auth_token'] ?: 'not set';
+            $this->client = new TwilioClient($AccountSid, $AuthToken);
+        }
+        return $this->client;
+    }
+
+    /**
+     * Get Twilio config
+     * @return array
+     */
+    private function getConfig(): array
+    {
+        return $this->config->get('twilio');
+    }
+}
diff --git a/Core/Security/TwoFactor/Delegates/SMSDelegate.php b/Core/Security/TwoFactor/Delegates/SMSDelegate.php
diff --git a/Helpers/FormatPhoneNumber.php b/Helpers/FormatPhoneNumber.php
diff --git a/settings.example.php b/settings.example.php
