src/Umbraco.Web.BackOffice/Controllers/TwoFactorLoginController.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Web.BackOffice.Security;
using Umbraco.Cms.Web.Common.Authorization;

namespace Umbraco.Cms.Web.BackOffice.Controllers
{
    public class TwoFactorLoginController : UmbracoAuthorizedJsonController
    {
        private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
        private readonly ILogger<TwoFactorLoginController> _logger;
        private readonly ITwoFactorLoginService2 _twoFactorLoginService;
        private readonly IBackOfficeSignInManager _backOfficeSignInManager;
        private readonly IBackOfficeUserManager _backOfficeUserManager;
        private readonly IOptionsSnapshot<TwoFactorLoginViewOptions> _twoFactorLoginViewOptions;

        public TwoFactorLoginController(
            IBackOfficeSecurityAccessor backOfficeSecurityAccessor,
            ILogger<TwoFactorLoginController> logger,
            ITwoFactorLoginService twoFactorLoginService,
            IBackOfficeSignInManager backOfficeSignInManager,
            IBackOfficeUserManager backOfficeUserManager,
            IOptionsSnapshot<TwoFactorLoginViewOptions> twoFactorLoginViewOptions)
        {
            _backOfficeSecurityAccessor = backOfficeSecurityAccessor;
            _logger = logger;

            if (twoFactorLoginService is not ITwoFactorLoginService2 twoFactorLoginService2)
            {
                throw new ArgumentException("twoFactorLoginService needs to implement ITwoFactorLoginService2 until the interfaces are merged", nameof(twoFactorLoginService));
            }
            _twoFactorLoginService = twoFactorLoginService2;
            _backOfficeSignInManager = backOfficeSignInManager;
            _backOfficeUserManager = backOfficeUserManager;
            _twoFactorLoginViewOptions = twoFactorLoginViewOptions;
        }

        /// <summary>
        /// Used to retrieve the 2FA providers for code submission
        /// </summary>
        /// <returns></returns>
        [HttpGet]
        [AllowAnonymous]
        public async Task<ActionResult<IEnumerable<string>>> GetEnabled2FAProvidersForCurrentUser()
        {
            var user = await _backOfficeSignInManager.GetTwoFactorAuthenticationUserAsync();
            if (user == null)
            {
                _logger.LogWarning("No verified user found, returning 404");
                return NotFound();
            }

            var userFactors = await _backOfficeUserManager.GetValidTwoFactorProvidersAsync(user);
            return new ObjectResult(userFactors);
        }


        [HttpGet]
        public async Task<ActionResult<IEnumerable<UserTwoFactorProviderModel>>> Get2FAProvidersForUser(int userId)
        {
            var user = await _backOfficeUserManager.FindByIdAsync(userId.ToString());

            var enabledProviderNameHashSet = new HashSet<string>(await _twoFactorLoginService.GetEnabledTwoFactorProviderNamesAsync(user.Key));

            var providerNames = await _backOfficeUserManager.GetValidTwoFactorProvidersAsync(user);

            return providerNames.Select(providerName =>
                new UserTwoFactorProviderModel(providerName, enabledProviderNameHashSet.Contains(providerName))).ToArray();
        }

        [HttpGet]
        public async Task<ActionResult<object>> SetupInfo(string providerName)
        {
            var user = _backOfficeSecurityAccessor?.BackOfficeSecurity.CurrentUser;

            var setupInfo = await _twoFactorLoginService.GetSetupInfoAsync(user.Key, providerName);

            return setupInfo;
        }


        [HttpPost]
        public async Task<ActionResult<bool>> ValidateAndSave(string providerName, string secret, string code)
        {
            var user = _backOfficeSecurityAccessor?.BackOfficeSecurity.CurrentUser;

            return await _twoFactorLoginService.ValidateAndSaveAsync(providerName, user.Key, secret, code);
        }

        [HttpPost]
        [Authorize(Policy = AuthorizationPolicies.SectionAccessUsers)]
        public async Task<ActionResult<bool>> Disable(string providerName, Guid userKey)
        {
            return await _twoFactorLoginService.DisableAsync(userKey, providerName);
        }

        [HttpPost]
        public async Task<ActionResult<bool>> DisableWithCode(string providerName, string code)
        {
            Guid key =  _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Key;

            return await _twoFactorLoginService.DisableWithCodeAsync(providerName, key, code);
        }

        [HttpGet]
        public ActionResult<string> ViewPathForProviderName(string providerName)
        {
            var options = _twoFactorLoginViewOptions.Get(providerName);
            return options.SetupViewPath;
        }
    }
}
-												Simplified setup of 2FA for users (#12142)

* Added functionality to enable 2FA for users..

* Do not use the obsolete ctor in tests

* cleanup

* Cleanup

* Convert User view from overlay to infinite editor

* Add support for having additional editors on top of the user (2fa) which overlay does not support
* Add controllerAs syntax in the template
* Remove unused dependencies

* Adjustments to 2fa login view

* organize elements
* add translations
* add a11y helpers
* add autocompletion = one-time-code
* change to controllerAs syntax

* add callback to cancel 2fa and fix error where submit button was not reset when all other validations were

* add a cancel/go back button to the 2fa view

* replace header with something less obstrusive

* move logout button to the footer in the new editor view

* change 'edit profile' to an umb-box and move ng-if for password fields out to reduce amount of checks

* Add umb-box to external login provider section

* add umb-box to user history section

* bug: fix bug where notificationsService would not allow new notifications if removeAll had been called

* add styling and a11y to configureTwoFactor view

- also ensure that the view reloads when changes happen in the custom user view to enable 2fa
- ensure that view updates when disabling 2fa
- add extra button to show options (disable) for each 2fa provider

* add notification when 2fa is disabled

* add data-element to support the intro tour

also changed a minor selector in the cypress test

* correct usage of umb-box with umb-box-content

* do not use the .form class twice to prevent double box-shadow

* make tranlastion for 2fa placeholder shorter

* ensure that field with 2fa provider is always visible when more than 1 provider

* move error state of 2fa field to token field

* update translation of multiple 2fa providers

* move CTA buttons to right side to follow general UI practices

* rename options to disable

* add disabled state

* add helper folders to gitignore so you can work with plugins and custom code without committing it accidentally

* move the disable functionality to its own infinite editor view

* use properties from umb-control-group correctly

* add 'track by' to repeater

* make use of umb-control-group

* remove unused functions

* clean up translations

* add Danish translations

* copy translations to english

* Only return enabled 2fa providers as expected

Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
											
										
										
											2022-04-19 08:33:03 +02:00
+								using System;
 								using System.Collections.Generic;
 								using System.Linq;
 								using System.Runtime.Serialization;
 								using System.Threading.Tasks;
 								using Microsoft.AspNetCore.Authorization;
 								using Microsoft.AspNetCore.Mvc;
 								using Microsoft.Extensions.Logging;
 								using Microsoft.Extensions.Options;
 								using Umbraco.Cms.Core.Models;
 								using Umbraco.Cms.Core.Security;
 								using Umbraco.Cms.Core.Services;
 								using Umbraco.Cms.Web.BackOffice.Security;
 								using Umbraco.Cms.Web.Common.Authorization;
 								namespace Umbraco.Cms.Web.BackOffice.Controllers
 								{
 								    public class TwoFactorLoginController : UmbracoAuthorizedJsonController
 								    {
 								        private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
 								        private readonly ILogger<TwoFactorLoginController> _logger;
 								        private readonly ITwoFactorLoginService2 _twoFactorLoginService;
 								        private readonly IBackOfficeSignInManager _backOfficeSignInManager;
 								        private readonly IBackOfficeUserManager _backOfficeUserManager;
 								        private readonly IOptionsSnapshot<TwoFactorLoginViewOptions> _twoFactorLoginViewOptions;
 								        public TwoFactorLoginController(
 								            IBackOfficeSecurityAccessor backOfficeSecurityAccessor,
 								            ILogger<TwoFactorLoginController> logger,
 								            ITwoFactorLoginService twoFactorLoginService,
 								            IBackOfficeSignInManager backOfficeSignInManager,
 								            IBackOfficeUserManager backOfficeUserManager,
 								            IOptionsSnapshot<TwoFactorLoginViewOptions> twoFactorLoginViewOptions)
 								        {
 								            _backOfficeSecurityAccessor = backOfficeSecurityAccessor;
 								            _logger = logger;
 								            if (twoFactorLoginService is not ITwoFactorLoginService2 twoFactorLoginService2)
 								            {
 								                throw new ArgumentException("twoFactorLoginService needs to implement ITwoFactorLoginService2 until the interfaces are merged", nameof(twoFactorLoginService));
 								            }
 								            _twoFactorLoginService = twoFactorLoginService2;
 								            _backOfficeSignInManager = backOfficeSignInManager;
 								            _backOfficeUserManager = backOfficeUserManager;
 								            _twoFactorLoginViewOptions = twoFactorLoginViewOptions;
 								        }
 								        /// <summary>
 								        /// Used to retrieve the 2FA providers for code submission
 								        /// </summary>
 								        /// <returns></returns>
 								        [HttpGet]
 								        [AllowAnonymous]
 								        public async Task<ActionResult<IEnumerable<string>>> GetEnabled2FAProvidersForCurrentUser()
 								        {
 								            var user = await _backOfficeSignInManager.GetTwoFactorAuthenticationUserAsync();
 								            if (user == null)
 								            {
 								                _logger.LogWarning("No verified user found, returning 404");
 								                return NotFound();
 								            }
 								            var userFactors = await _backOfficeUserManager.GetValidTwoFactorProvidersAsync(user);
 								            return new ObjectResult(userFactors);
 								        }
 								        [HttpGet]
 								        public async Task<ActionResult<IEnumerable<UserTwoFactorProviderModel>>> Get2FAProvidersForUser(int userId)
 								        {
 								            var user = await _backOfficeUserManager.FindByIdAsync(userId.ToString());
 								            var enabledProviderNameHashSet = new HashSet<string>(await _twoFactorLoginService.GetEnabledTwoFactorProviderNamesAsync(user.Key));
 								            var providerNames = await _backOfficeUserManager.GetValidTwoFactorProvidersAsync(user);
 								            return providerNames.Select(providerName =>
 								                new UserTwoFactorProviderModel(providerName, enabledProviderNameHashSet.Contains(providerName))).ToArray();
 								        }
 								        [HttpGet]
 								        public async Task<ActionResult<object>> SetupInfo(string providerName)
 								        {
 								            var user = _backOfficeSecurityAccessor?.BackOfficeSecurity.CurrentUser;
 								            var setupInfo = await _twoFactorLoginService.GetSetupInfoAsync(user.Key, providerName);
 								            return setupInfo;
 								        }
 								        [HttpPost]
 								        public async Task<ActionResult<bool>> ValidateAndSave(string providerName, string secret, string code)
 								        {
 								            var user = _backOfficeSecurityAccessor?.BackOfficeSecurity.CurrentUser;
 								            return await _twoFactorLoginService.ValidateAndSaveAsync(providerName, user.Key, secret, code);
 								        }
 								        [HttpPost]
 								        [Authorize(Policy = AuthorizationPolicies.SectionAccessUsers)]
 								        public async Task<ActionResult<bool>> Disable(string providerName, Guid userKey)
 								        {
 								            return await _twoFactorLoginService.DisableAsync(userKey, providerName);
 								        }
 								        [HttpPost]
 								        public async Task<ActionResult<bool>> DisableWithCode(string providerName, string code)
 								        {
 								            Guid key =  _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Key;
 								            return await _twoFactorLoginService.DisableWithCodeAsync(providerName, key, code);
 								        }
 								        [HttpGet]
 								        public ActionResult<string> ViewPathForProviderName(string providerName)
 								        {
 								            var options = _twoFactorLoginViewOptions.Get(providerName);
 								            return options.SetupViewPath;
 								        }
 								    }
 								}