From 579162d7b94465d5041a7bf1229f68e6d92d7b58 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Fri, 5 Apr 2019 18:21:08 +0200
Subject: Allow 2FA to be setup on first login
Once 2FA is enforced for a user and they have no 2FA setup yet this will now prompt them with a setup screen. Given that providers are enabled that allow setup then.
Signed-off-by: Roeland Jago Douma
Signed-off-by: Christoph Wurst
---
 core/Controller/TwoFactorChallengeController.php | 67 ++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
(limited to 'core/Controller')
diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index 7405e66cdfc..e2a0b5423ab 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -32,6 +32,7 @@ use OC_Util;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\StandaloneTemplateResponse;
+use OCP\Authentication\TwoFactorAuth\IActivatableAtLogin;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IProvidesCustomCSP;
 use OCP\Authentication\TwoFactorAuth\TwoFactorException;
@@ -107,6 +108,7 @@ class TwoFactorChallengeController extends Controller {
 $providerSet = $this->twoFactorManager->getProviderSet($user);
 $allProviders = $providerSet->getProviders();
 list($providers, $backupProvider) = $this->splitProvidersAndBackupCodes($allProviders);
+$setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
 
 $data = [
 'providers' => $providers,
@@ -114,6 +116,7 @@ class TwoFactorChallengeController extends Controller {
 'providerMissing' => $providerSet->isProviderMissing(),
 'redirect_url' => $redirect_url,
 'logout_url' => $this->getLogoutUrl(),
+'hasSetupProviders' => !empty($setupProviders),
 ];
 return new StandaloneTemplateResponse($this->appName, 'twofactorselectchallenge', $data, 'guest');
 }
@@ -131,6 +134,7 @@ class TwoFactorChallengeController extends Controller {
 $user = $this->userSession->getUser();
 $providerSet = $this->twoFactorManager->getProviderSet($user);
 $provider = $providerSet->getProvider($challengeProviderId);
+
 if (is_null($provider)) {
 return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
 }
@@ -209,4 +213,67 @@ class TwoFactorChallengeController extends Controller {
 ]));
 }
 
+/**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ */
+public function setupProviders() {
+$user = $this->userSession->getUser();
+$setupProviders = $this->twoFactorManager->getLoginSetupProviders($user);
+
+$data = [
+'providers' => $setupProviders,
+'logout_url' => $this->getLogoutUrl(),
+];
+
+$response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupselection', $data, 'guest');
+return $response;
+}
+
+/**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ */
+public function setupProvider(string $providerId) {
+$user = $this->userSession->getUser();
+$providers = $this->twoFactorManager->getLoginSetupProviders($user);
+
+$provider = null;
+foreach ($providers as $p) {
+if ($p->getId() === $providerId) {
+$provider = $p;
+break;
+}
+}
+
+if ($provider === null) {
+return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
+}
+
+/** @var IActivatableAtLogin $provider */
+$tmpl = $provider->getLoginSetup($user)->getBody();
+$data = [
+'provider' => $provider,
+'logout_url' => $this->getLogoutUrl(),
+'template' => $tmpl->fetchPage(),
+];
+$response = new StandaloneTemplateResponse($this->appName, 'twofactorsetupchallenge', $data, 'guest');
+return $response;
+}
+
+/**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ *
+ * @todo handle the extreme edge case of an invalid provider ID and redirect to the provider selection page
+ */
+public function confirmProviderSetup(string $providerId) {
+return new RedirectResponse($this->urlGenerator->linkToRoute(
+'core.TwoFactorChallenge.showChallenge',
+[
+'challengeProviderId' => $providerId,
+]
+));
+}
+
 }
-- 
cgit v1.2.3
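Review bot: confirmProviderSetup() redirects to showChallenge with the caller-supplied $providerId without checking that the user now actually has that provider enabled, which the @todo on the method acknowledges. The hunk at -131 appears to make showChallenge redirect to selectChallenge when getProvider() returns null, so an unknown id is probably caught one step later, but resolving the @todo here is cheap and mirrors the guard already used in setupProvider(): `$provider = $this->twoFactorManager->getProviderSet($this->userSession->getUser())->getProvider($providerId);` followed by `if ($provider === null) { return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge')); }` before the existing redirect. On style, setupProviders() and setupProvider() assign `$response` only to return it on the next line; `return new StandaloneTemplateResponse(...)` directly, as the method in the hunk at -114 does. None of the three new methods declares a return type, so at minimum a `@return RedirectResponse|StandaloneTemplateResponse` docblock line (or `@return RedirectResponse` for confirmProviderSetup) would help callers and static analysis.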