Brook.Totp

ASP.NET Core & 双因素验证2FA 实战经验分享

必读

双因素认证

双因素身份认证就是通过你所知道再加上你所能拥有的这二个要素组合到一起才能发挥作用的身份认证系统。双因素认证是一种采用时间同步技术的系统，采用了基于时间、事件和密钥三变量而产生的一次性密码来代替传统的静态密码。每个动态密码卡都有一个唯一的密钥，该密钥同时存放在服务器端，每次认证时动态密码卡与服务器分别根据同样的密钥，同样的随机参数（时间、事件）和同样的算法计算了认证的动态密码，从而确保密码的一致性，从而实现了用户的认证。就像我们去银行办卡送的口令牌.一. 前言

二. AspNetCore.Totp

accountIdentity = accountIdentity.Replace(" ", "");            var encodedSecretKey = Base32.Encode(accountSecretKey);            var provisionUrl = UrlEncoder.Encode(string.Format("otpauth://totp/{0}?secret={1}&issuer={2}", accountIdentity, encodedSecretKey, UrlEncoder.Encode(issuer)));            var protocol = useHttps ? "https" : "http";            var url = $"{protocol}://chart.googleapis.com/chart?cht=qr&chs={qrCodeWidth}x{qrCodeHeight}&chl={provisionUrl}";            var totpSetup = new TotpSetup            {                QrCodeImage = this.GetQrImage(url),                ManualSetupKey = encodedSecretKey            };

services.AddSingleton<ITotpSetupGenerator, TotpSetupGenerator>();services.AddSingleton<ITotpValidator, TotpValidator>();services.AddSingleton<ITotpGenerator, TotpGenerator>();

 private readonly ITotpGenerator _totpGenerator;        private readonly ITotpSetupGenerator _totpSetupGenerator;        private readonly ITotpValidator _totpValidator;        public ValuesController(ITotpSetupGenerator totpSetupGenerator)        {            _totpSetupGenerator = totpSetupGenerator;            _totpGenerator = new TotpGenerator();            _totpValidator = new TotpValidator(_totpGenerator);        }

三. Brook.Totp

        /// <summary>        /// 生成二维码        /// </summary>        /// <param name="provisionUrl"></param>        /// <param name="pixelsPerModule"></param>        /// <returns></returns>        private string GetQrBase64Imageg(string provisionUrl,int pixelsPerModule)        {            QRCodeGenerator qrGenerator = new QRCodeGenerator();            QRCodeData qrCodeData = qrGenerator.CreateQrCode(provisionUrl, QRCodeGenerator.ECCLevel.Q);            Base64QRCode qrCode = new Base64QRCode(qrCodeData);            string qrCodeImageAsBase64 = qrCode.GetGraphic(2);            return  $"data:image/png;base64,{qrCodeImageAsBase64}";        }

services.AddBrookTotp();

private readonly ITotp _totp;public AccountController(ITotp totp){        _totp = totp;}

四.双因素APP

五. 完整流程效果图

六.如何使用

services.AddMemoryCache();services.AddSingleton<ICacheManage, CacheManage>();services.AddBrookTotp();services.AddDbContext<BrookTotpDBContext>(options => options.UseInMemoryDatabase(databaseName: "BrookTotpDB"));

private readonly ITotp _totp;public AccountController(ITotp totp){        _totp = totp;}//获取二维码[Authorize]public IActionResult GetQr(){    var totpSetup = _totp.GenerateUrl("dotNETBuild", CurremtUser.Email, CurremtUser.SecretKeyFor2FA);    return Json(new { qrCodeContennt = totpSetup.QrCodeImageContent });}//验证双因素校验码[Authorize][HttpPost]public async Task<IActionResult> Valid(int code){    var valid = _totp.Validate(CurremtUser.SecretKeyFor2FA        , code, 30);    if (!valid)    {        return Json(new { result = 0, msg = "2FA校验失败" });    }    //校验成功后 如果是第一次绑定校验 需将用户的accountSecretKey 存入数据库    CurremtUser.IsOpen2FA = true;    await _userService.UpdateAsync(CurremtUser);    _cacheManage.Remove(string.Format(CacheKeys.GetUserForEmail, CurremtUser.Email));    var claims = new List<Claim>    {        new Claim("user", CurremtUser.Email),        new Claim("role", "Member")    };    await HttpContext.SignInAsync(new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies", "user", "role")));    return Json(new { result = 1, msg = "2FA校验成功", url = "/Home/Index" });}

七.写在最后