- Implemented the complete first-run experience:
Account creation and guarded onboarding flow. Current-cash starting balance with automatic rollover enabled. Dynamic bill generation, shared/custom categories, recurring targets, and optional same-day onboarding transactions. Optional dormant reserve and additional categories. Mailgun email or authenticator-app 2FA configuration. Responsive dark/light UI with no overflow at 390px. Fixed administrator session-ID creation bug. Core implementation: [OnboardingService.php (line 59)](/Users/tyemeclifford/Documents/GH/budget/app/OnboardingService.php:59), [onboarding.php (line 19)](/Users/tyemeclifford/Documents/GH/budget/views/onboarding.php:19), and [index.php (line 143)](/Users/tyemeclifford/Documents/GH/budget/public/index.php:143). Verification passed: financial self-test, onboarding integration test, full browser walkthrough, mobile layout, routing guards, and zero browser console errors. Live email delivery requires actual Mailgun credentials and was not sent during testing.
This commit is contained in:
+72
-5
@@ -31,9 +31,11 @@ final class Auth
|
||||
'password_hash' => password_hash($password, PASSWORD_DEFAULT),
|
||||
'secret' => $secret,
|
||||
]);
|
||||
$userId = (int) $this->pdo->lastInsertId();
|
||||
$this->settings->set('alerts.email', strtolower(trim($email)));
|
||||
$this->settings->set('security.2fa_required', $enableTwoFactor);
|
||||
$_SESSION['user_id'] = (int) $this->pdo->lastInsertId();
|
||||
$this->settings->set('onboarding.completed', false);
|
||||
$_SESSION['user_id'] = $userId;
|
||||
session_regenerate_id(true);
|
||||
return $secret;
|
||||
}
|
||||
@@ -48,10 +50,16 @@ final class Auth
|
||||
}
|
||||
|
||||
if ((bool) $this->settings->get('security.2fa_required', false)) {
|
||||
if (empty($user['totp_secret'])) {
|
||||
return 'unconfigured_2fa';
|
||||
$method = (string) $this->settings->get('security.2fa_method', 'totp');
|
||||
if ($method === 'email') {
|
||||
$this->startEmailChallenge($user);
|
||||
} else {
|
||||
if (empty($user['totp_secret'])) {
|
||||
return 'unconfigured_2fa';
|
||||
}
|
||||
$_SESSION['pending_2fa_user'] = (int) $user['id'];
|
||||
$_SESSION['pending_2fa_method'] = 'totp';
|
||||
}
|
||||
$_SESSION['pending_2fa_user'] = (int) $user['id'];
|
||||
return '2fa';
|
||||
}
|
||||
|
||||
@@ -65,13 +73,16 @@ final class Auth
|
||||
if ($userId === 0) {
|
||||
return false;
|
||||
}
|
||||
if (($_SESSION['pending_2fa_method'] ?? 'totp') === 'email') {
|
||||
return $this->verifyEmailChallenge($userId, $code);
|
||||
}
|
||||
$statement = $this->pdo->prepare('SELECT totp_secret FROM users WHERE id = :id');
|
||||
$statement->execute(['id' => $userId]);
|
||||
$secret = (string) $statement->fetchColumn();
|
||||
if ($secret === '' || !Totp::verify($secret, $code)) {
|
||||
return false;
|
||||
}
|
||||
unset($_SESSION['pending_2fa_user']);
|
||||
unset($_SESSION['pending_2fa_user'], $_SESSION['pending_2fa_method']);
|
||||
$this->completeLogin($userId);
|
||||
return true;
|
||||
}
|
||||
@@ -111,4 +122,60 @@ final class Auth
|
||||
$_SESSION['user_id'] = $userId;
|
||||
session_regenerate_id(true);
|
||||
}
|
||||
|
||||
private function startEmailChallenge(array $user): void
|
||||
{
|
||||
$mailgun = new Mailgun($this->settings);
|
||||
if (!$mailgun->configured()) {
|
||||
throw new \RuntimeException('Email two-factor authentication requires complete Mailgun settings.');
|
||||
}
|
||||
$code = (string) random_int(100000, 999999);
|
||||
$appName = (string) $this->settings->get('app.name', 'Neon Ledger');
|
||||
$mailgun->send(
|
||||
(string) $user['email'],
|
||||
$appName . ' sign-in code',
|
||||
'<div style="font-family:system-ui,sans-serif;max-width:520px;margin:auto;padding:28px">'
|
||||
. '<h1 style="font-size:22px">Your sign-in code</h1>'
|
||||
. '<p>Enter this code to finish signing in. It expires in 10 minutes.</p>'
|
||||
. '<p style="font-size:32px;font-weight:800;letter-spacing:8px">' . $code . '</p>'
|
||||
. '<p style="color:#687187">If you did not try to sign in, you can ignore this email.</p>'
|
||||
. '</div>'
|
||||
);
|
||||
$_SESSION['pending_2fa_user'] = (int) $user['id'];
|
||||
$_SESSION['pending_2fa_method'] = 'email';
|
||||
$_SESSION['pending_2fa_code'] = password_hash($code, PASSWORD_DEFAULT);
|
||||
$_SESSION['pending_2fa_expires'] = time() + 600;
|
||||
$_SESSION['pending_2fa_attempts'] = 0;
|
||||
}
|
||||
|
||||
private function verifyEmailChallenge(int $userId, string $code): bool
|
||||
{
|
||||
$expires = (int) ($_SESSION['pending_2fa_expires'] ?? 0);
|
||||
$attempts = (int) ($_SESSION['pending_2fa_attempts'] ?? 0);
|
||||
$hash = (string) ($_SESSION['pending_2fa_code'] ?? '');
|
||||
if ($expires < time() || $attempts >= 5 || $hash === '') {
|
||||
$this->clearPendingChallenge();
|
||||
return false;
|
||||
}
|
||||
|
||||
$_SESSION['pending_2fa_attempts'] = $attempts + 1;
|
||||
if (!preg_match('/^\d{6}$/', $code) || !password_verify($code, $hash)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$this->clearPendingChallenge();
|
||||
$this->completeLogin($userId);
|
||||
return true;
|
||||
}
|
||||
|
||||
private function clearPendingChallenge(): void
|
||||
{
|
||||
unset(
|
||||
$_SESSION['pending_2fa_user'],
|
||||
$_SESSION['pending_2fa_method'],
|
||||
$_SESSION['pending_2fa_code'],
|
||||
$_SESSION['pending_2fa_expires'],
|
||||
$_SESSION['pending_2fa_attempts']
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user