
github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
authorRoeland Jago Douma <roeland@famdouma.nl>2019-04-05 19:21:08 +0300
committerRoeland Jago Douma <roeland@famdouma.nl>2019-05-17 11:11:53 +0300
commit579162d7b94465d5041a7bf1229f68e6d92d7b58 (patch)
treebf9e43faac91fec050ef5c7971c66be07a7b7ad8 /core/Controller
parente625164e85b3ab4be3a51b86f909564430cb388b (diff)
Allow 2FA to be setup on first login
Once 2FA is enforced for a user and they have no 2FA set up yet, this will now prompt them with a setup screen, provided that providers which allow setup at that point are enabled. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/TwoFactorChallengeController.php67
1 files changed, 67 insertions, 0 deletions
diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index 7405e66cdfc..e2a0b5423ab 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -32,6 +32,7 @@ use OC_Util;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\StandaloneTemplateResponse;
+use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
use OCP\Authentication\TwoFactorAuth\IProvider;
use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
use OCP\Authentication\TwoFactorAuth\TwoFactorException;
@@ -107,6 +108,7 @@ class TwoFactorChallengeController extends Controller {
$providerSet = $this->twoFactorManager->getProviderSet($user);
$allProviders = $providerSet->getProviders();
list($providers, $backupProvider) = $this->splitProvidersAndBackupCodes($allProviders);
+ $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
$data = [
'providers' => $providers,
@@ -114,6 +116,7 @@ class TwoFactorChallengeController extends Controller {
'providerMissing' => $providerSet->isProviderMissing(),
'redirect_url' => $redirect_url,
'logout_url' => $this->getLogoutUrl(),
+ 'hasSetupProviders' => !empty($setupProviders),
];
return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
}
@@ -131,6 +134,7 @@ class TwoFactorChallengeController extends Controller {
$user = $this->userSession->getUser();
$providerSet = $this->twoFactorManager->getProviderSet($user);
$provider = $providerSet->getProvider($challengeProviderId);
+
if (is_null($provider)) {
return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
}
@@ -209,4 +213,67 @@ class TwoFactorChallengeController extends Controller {
]));
}
+ /**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ */
+ public function setupProviders() {
+ $user = $this->userSession->getUser();
+ $setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
+
+ $data = [
+ 'providers' => $setupProviders,
+ 'logout_url' => $this->getLogoutUrl(),
+ ];
+
+ $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
+ return $response;
+ }
+
+ /**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ */
+ public function setupProvider(string $providerId) {
+ $user = $this->userSession->getUser();
+ $providers = $this->twoFactorManager->getLoginSetupProviders($user);
+
+ $provider = null;
+ foreach ($providers as $p) {
+ if ($p->getId() === $providerId) {
+ $provider = $p;
+ break;
+ }
+ }
+
+ if ($provider === null) {
+ return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
+ }
+
+ /** @var IActivatableAtLogin $provider */
+ $tmpl = $provider->getLoginSetup($user)->getBody();
+ $data = [
+ 'provider' => $provider,
+ 'logout_url' => $this->getLogoutUrl(),
+ 'template' => $tmpl->fetchPage(),
+ ];
+ $response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
+ return $response;
+ }
+
+ /**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ *
+ * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
+ */
+ public function confirmProviderSetup(string $providerId) {
+ return new RedirectResponse($this->urlGenerator->linkToRoute(
+ 'core.TwoFactorChallenge.showChallenge',
+ [
+ 'challengeProviderId' => $providerId,
+ ]
+ ));
+ }
+
}
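Review bot: `setupProviders()` and `setupProvider()` contain no visible check that the user has no second factor configured yet. Whether a session that has passed only the password step can reach the enrolment screen instead of answering its existing challenge therefore depends on `getLoginSetupProviders()` and the two-factor middleware, neither of which is in this diff. If the restriction is not enforced there, a guard at the top of both methods would close the gap, for example `if (!empty($this->twoFactorManager->getProviderSet($user)->getProviders())) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); }` or an equivalent test. In `setupProvider()` the `/** @var IActivatableAtLogin $provider */` annotation is only a hint to static analysis, so adding `$p instanceof IActivatableAtLogin &&` to the loop condition would keep the `getLoginSetup()` call safe if the manager ever returns another provider type. `confirmProviderSetup()` forwards `$providerId` unvalidated, which looks harmless because `showChallenge` redirects on an unknown provider (the `is_null($provider)` branch earlier in the file), but the `@todo` should be tracked, and all three methods would benefit from a one-line docblock stating which login state they expect.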