146 lines
4.1 KiB
PHP
146 lines
4.1 KiB
PHP
<?php
|
|
|
|
namespace App\Models;
|
|
|
|
use App\Models\Concerns\HasPdnEncryption;
|
|
use Database\Factories\UserFactory;
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\Relations\HasMany;
|
|
use Illuminate\Database\Eloquent\SoftDeletes;
|
|
use Illuminate\Foundation\Auth\User as Authenticatable;
|
|
use Illuminate\Notifications\Notifiable;
|
|
use Illuminate\Support\Carbon;
|
|
use Spatie\Permission\Traits\HasRoles;
|
|
|
|
/**
|
|
* Учётная запись пользователя.
|
|
*
|
|
* Меры ФСТЭК: ИАФ.2 (жизненный цикл идентификатора, soft delete), ИАФ.4 (MFA),
|
|
* ИАФ.3 (срок действия пароля), УПД.4 (роли через spatie/laravel-permission).
|
|
*
|
|
* @property int $id
|
|
* @property string $name
|
|
* @property string $email
|
|
* @property Carbon|null $email_verified_at
|
|
* @property string $password
|
|
* @property Carbon|null $password_changed_at
|
|
* @property string|null $mfa_secret Зашифровано (ЗНИ)
|
|
* @property string|null $mfa_recovery_codes Зашифровано (ЗНИ), JSON
|
|
* @property Carbon|null $mfa_confirmed_at
|
|
* @property bool $is_blocked
|
|
* @property Carbon|null $last_login_at
|
|
* @property string|null $remember_token
|
|
*/
|
|
class User extends Authenticatable
|
|
{
|
|
/** @use HasFactory<UserFactory> */
|
|
use HasFactory;
|
|
|
|
use HasPdnEncryption;
|
|
use HasRoles;
|
|
use Notifiable;
|
|
use SoftDeletes;
|
|
|
|
protected $fillable = [
|
|
'name',
|
|
'email',
|
|
'password',
|
|
];
|
|
|
|
protected $hidden = [
|
|
'password',
|
|
'remember_token',
|
|
'mfa_secret',
|
|
'mfa_recovery_codes',
|
|
];
|
|
|
|
/**
|
|
* Поля ПДн/секреты, шифруемые на уровне приложения (мера ЗНИ).
|
|
*
|
|
* @var array<int, string>
|
|
*/
|
|
protected array $encrypted = [
|
|
'mfa_secret',
|
|
'mfa_recovery_codes',
|
|
];
|
|
|
|
protected function casts(): array
|
|
{
|
|
return [
|
|
'email_verified_at' => 'datetime',
|
|
'password' => 'hashed',
|
|
'password_changed_at' => 'datetime',
|
|
'mfa_confirmed_at' => 'datetime',
|
|
'last_login_at' => 'datetime',
|
|
'is_blocked' => 'boolean',
|
|
];
|
|
}
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| Многофакторная аутентификация (ИАФ.4)
|
|
|--------------------------------------------------------------------------
|
|
*/
|
|
|
|
public function hasMfaEnabled(): bool
|
|
{
|
|
return $this->mfa_secret !== null && $this->mfa_confirmed_at !== null;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, string>
|
|
*/
|
|
public function recoveryCodes(): array
|
|
{
|
|
$raw = $this->mfa_recovery_codes;
|
|
|
|
return $raw ? (array) json_decode($raw, true) : [];
|
|
}
|
|
|
|
/**
|
|
* @param array<int, string> $codes
|
|
*/
|
|
public function setRecoveryCodes(array $codes): void
|
|
{
|
|
$this->mfa_recovery_codes = (string) json_encode(array_values($codes), JSON_UNESCAPED_UNICODE);
|
|
}
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| Парольная политика (ИАФ.3)
|
|
|--------------------------------------------------------------------------
|
|
*/
|
|
|
|
public function passwordExpired(): bool
|
|
{
|
|
$maxAge = (int) config('security.password.max_age_days');
|
|
|
|
if ($maxAge <= 0) {
|
|
return false;
|
|
}
|
|
|
|
$changedAt = $this->password_changed_at ?? $this->created_at;
|
|
|
|
return $changedAt === null || $changedAt->lt(now()->subDays($maxAge));
|
|
}
|
|
|
|
/**
|
|
* @return HasMany<PasswordHistory, $this>
|
|
*/
|
|
public function passwordHistories(): HasMany
|
|
{
|
|
return $this->hasMany(PasswordHistory::class);
|
|
}
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| Состояние учётной записи (ИАФ.2, УПД.1)
|
|
|--------------------------------------------------------------------------
|
|
*/
|
|
|
|
public function isBlocked(): bool
|
|
{
|
|
return (bool) $this->is_blocked;
|
|
}
|
|
}
|