OTP prompt for login page

phoenixctms · rkrenn · Mar 31, 2022 · Mar 20, 2022 · Mar 20, 2022 · Mar 20, 2022
commit b7340f8d2cbd105f9f641601fa52fc7df3a09bb3
diff --git a/web/src/main/java/org/phoenixctms/ctsms/web/model/SessionScopeBean.java b/web/src/main/java/org/phoenixctms/ctsms/web/model/SessionScopeBean.java
@@ -18,6 +18,7 @@
 import java.util.TimeZone;
 
 import javax.annotation.PostConstruct;
+import javax.faces.application.FacesMessage;
 import javax.faces.bean.ManagedBean;
 import javax.faces.bean.SessionScoped;
 import javax.faces.context.ExternalContext;
@@ -200,6 +201,7 @@ public static Collection<TimeZoneVO> getTimeZones() {
 	private int failedAttempts;
 	private boolean authenticationFailed;
 	private boolean localPasswordRequired;
+	private boolean otpRequired;
 	private String authenticationFailedMessage;
 	private MenuModel userMenuModel;
 	private ColumnManagementBean columnManager;
@@ -212,21 +214,22 @@ public SessionScopeBean() {
 		failedAttempts = 0;
 		authenticationFailed = false;
 		localPasswordRequired = false;
+		otpRequired = false;
 		authenticationFailedMessage = null;
 	}
 
 	public synchronized void changePassword() {
-		//		try {
-		//			logon = WebUtil.getServiceLocator().getUserService().setPassword(auth, newPassword, oldPassword);
-		//			auth.setPassword(newPassword);
-		//			initSets();
-		//			logout(JsUtil.encodeBase64(WebUtil.createViewUrl(Urls.USER, false, GetParamNames.USER_ID, logon.getInheritedUser().getId()), true));
-		//		} catch (ServiceException | AuthorisationException | IllegalArgumentException e) {
-		//			Messages.addMessage(FacesMessage.SEVERITY_ERROR, e.getMessage());
-		//		} catch (AuthenticationException e) {
-		//			Messages.addMessage(FacesMessage.SEVERITY_ERROR, e.getMessage());
-		//			WebUtil.publishException(e);
-		//		}
+		try {
+			logon = WebUtil.getServiceLocator().getUserService().setPassword(auth, newPassword, oldPassword, false);
+			auth.setPassword(newPassword);
+			initSets();
+			logout(JsUtil.encodeBase64(WebUtil.createViewUrl(Urls.USER, false, GetParamNames.USER_ID, logon.getInheritedUser().getId()), true));
+		} catch (ServiceException | AuthorisationException | IllegalArgumentException e) {
+			Messages.addMessage(FacesMessage.SEVERITY_ERROR, e.getMessage());
+		} catch (AuthenticationException e) {
+			Messages.addMessage(FacesMessage.SEVERITY_ERROR, e.getMessage());
+			WebUtil.publishException(e);
+		}
 	}
 
 	private void clearAuthenticationFailedMessage() {
@@ -976,12 +979,16 @@ public synchronized boolean isLocalAuthMethod() {
 		return true;
 	}
 
+	public synchronized boolean isOtpRequired() {
+		return otpRequired;
+	}
+
 	public synchronized boolean isLocalPasswordRequired() {
 		return localPasswordRequired;
 	}
 
 	public synchronized boolean isLoggedIn() {
-		return logon != null;
+		return logon != null && !otpRequired;
 	}
 
 	public synchronized boolean isShowStatusBarInfo() {
@@ -1188,16 +1195,22 @@ private void loadUserMenuModel() {
 
 	public synchronized String login() {
 		logon = null;
+		otpRequired = false;
 		auth.setHost(WebUtil.getRemoteHost());
 		String outcome;
 		try {
 			logon = WebUtil.getServiceLocator().getToolsService().logon(auth);
-			ApplicationScopeBean.registerActiveUser(logon.getInheritedUser());
-			WebUtil.setSessionTimeout();
-			failedAttempts = 0;
 			auth.setLocalPassword(null);
 			clearAuthenticationFailedMessage();
-			outcome = getLoginOutcome(true);
+			if (logon.getEnable2fa()) {
+				otpRequired = true;
+				outcome = getLoginOutcome(false);
+			} else {
+				ApplicationScopeBean.registerActiveUser(logon.getInheritedUser());
+				WebUtil.setSessionTimeout();
+				failedAttempts = 0;
+				outcome = getLoginOutcome(true);
+			}
 		} catch (ServiceException e) {
 			failedAttempts++;
 			authenticationFailed = true;
@@ -1234,6 +1247,58 @@ public synchronized String login() {
 		return outcome;
 	}
 
+	public synchronized String verifyOtp() {
+		String outcome;
+		if (logon != null && otpRequired) {
+			try {
+				WebUtil.getServiceLocator().getUserService().verifyOTP(auth, logon.getInheritedUser().getId(), logon.getOtpSent(), null);
+				otpRequired = false;
+				auth.setOtp(null);
+				ApplicationScopeBean.registerActiveUser(logon.getInheritedUser());
+				WebUtil.setSessionTimeout();
+				failedAttempts = 0;
+				outcome = getLoginOutcome(true);
+			} catch (ServiceException e) {
+				logon = null;
+				failedAttempts++;
+				authenticationFailed = true;
+				authenticationFailedMessage = e.getMessage();
+				outcome = getLoginOutcome(false);
+			} catch (AuthenticationException e) {
+				logon = null;
+				failedAttempts++;
+				authenticationFailed = true;
+				if (Settings.getBoolean(SettingCodes.HIDE_DETAILED_AUTHENTICATION_ERROR, Bundle.SETTINGS, DefaultSettings.HIDE_DETAILED_AUTHENTICATION_ERROR)) {
+					authenticationFailedMessage = Messages.getString(MessageCodes.OPAQUE_AUTHENTICATION_ERROR_MESSAGE);
+				} else {
+					authenticationFailedMessage = e.getMessage();
+				}
+				outcome = getLoginOutcome(false);
+			} catch (AuthorisationException e) {
+				logon = null;
+				failedAttempts++;
+				authenticationFailed = true;
+				authenticationFailedMessage = e.getMessage();
+				outcome = getLoginOutcome(false);
+			} catch (IllegalArgumentException e) {
+				logon = null;
+				failedAttempts++;
+				authenticationFailed = true;
+				authenticationFailedMessage = e.getMessage();
+				outcome = getLoginOutcome(false);
+			} finally {
+				initSets();
+			}
+		} else {
+			logon = null;
+			failedAttempts++;
+			authenticationFailed = true;
+			authenticationFailedMessage = e.getMessage();
+			outcome = getLoginOutcome(false);
+		}
+		return outcome;
+	}
+
 	public synchronized void logout() {
 		FacesContext context = FacesContext.getCurrentInstance();
 		logout(WebUtil.getRefererBase64((HttpServletRequest) context.getExternalContext().getRequest()));
@@ -1276,6 +1341,7 @@ public synchronized String resetLoginInputs() {
 		auth.setUsername(null);
 		auth.setPassword(null);
 		auth.setLocalPassword(null);
+		auth.setOtp(null);
 		clearAuthenticationFailedMessage();
 		return getLoginOutcome(false);
 	}

diff --git a/web/src/main/webapp/login.xhtml b/web/src/main/webapp/login.xhtml
@@ -43,7 +43,26 @@
 					<h:panelGrid rendered="#{!sessionScopeBean.loggedIn}" columns="1"
 						cellpadding="0" styleClass="ctsms-login-panelgrid"
 						rowClasses="ctsms-input-tied-row,ctsms-input-row,ctsms-message-row,ctsms-message-row,ctsms-message-row,ctsms-message-row,ctsms-toolbar-row">
+
 						<h:panelGrid columns="3" cellpadding="2"
+						    rendered="#{sessionScopeBean.otpRequired}"
+							columnClasses="ctsms-label-for-column,ctsms-input-column,ctsms-message-for-column">
+							<h:outputLabel for="otp"
+								value="#{labels.login_otp_label}" />
+							<h:panelGroup>
+								<p:inputText id="otp" value="#{sessionScopeBean.otp}"
+									required="true" label="#{labels.login_otp}"
+									styleClass="ctsms-control" />
+								<p:tooltip rendered="true" for="otp">
+									<h:outputText value="#{labels.login_otp_tooltip}"
+										escape="false" />
+								</p:tooltip>
+							</h:panelGroup>
+							<p:message for="otp" />
+						</h:panelGrid>
+
+						<h:panelGrid columns="3" cellpadding="2"
+						    rendered="#{!sessionScopeBean.otpRequired}"
 							columnClasses="ctsms-label-for-column,ctsms-input-column,ctsms-message-for-column">
 							<h:outputLabel for="username"
 								value="#{labels.login_username_label}" />
@@ -89,7 +108,7 @@
 								style="#{sessionScopeBean.localPasswordRequired ? '' : 'display:none;'}"
 								for="localPassword" />
 						</h:panelGrid>
-						<h:panelGrid rendered="#{sessionScopeBean.captchaRequired}"
+						<h:panelGrid rendered="#{!sessionScopeBean.otpRequired and sessionScopeBean.captchaRequired}"
 							columns="2" cellpadding="2"
 							columnClasses="ctsms-input-column,ctsms-message-for-column">
 							<ctsms:captcha required="false" id="captcha" secure="true"
@@ -99,7 +118,8 @@
 						</h:panelGrid>
 
 						<h:outputLink
-							rendered="#{!sessionScopeBean.captchaRequired and !sessionScopeBean.localPasswordRequired}"
+							rendered="#{(!sessionScopeBean.otpRequired and !sessionScopeBean.captchaRequired and !sessionScopeBean.localPasswordRequired)
+							            or (sessionScopeBean.otpRequired and XXXXXX)}"
 							value="http://phoenixctms.org">
 							<h:graphicImage style="border:0px;"
 								value="resources/images/phoenix_banner.png" />
@@ -135,12 +155,24 @@
 							<p:toolbarGroup align="right">
 								<p:commandButton value="#{labels.login_button_label}"
 									action="#{sessionScopeBean.login}"
+									rendered="#{!sessionScopeBean.otpRequired}"
+									icon="ui-icon ui-icon-arrowreturnthick-1-e" ajax="false"
+									disabled="false">
+									<f:param
+										name="#{applicationScopeBean.parameterName('REFERER')}"
+										value="#{refererBase64 == null ? '' : refererBase64}" />
+								</p:commandButton>
+
+								<p:commandButton value="#{labels.login_button_label}"
+									action="#{sessionScopeBean.login}"
+									rendered="#{sessionScopeBean.otpRequired}"
 									icon="ui-icon ui-icon-arrowreturnthick-1-e" ajax="false"
 									disabled="false">
 									<f:param
 										name="#{applicationScopeBean.parameterName('REFERER')}"
 										value="#{refererBase64 == null ? '' : refererBase64}" />
 								</p:commandButton>
+
 								<p:commandButton value="#{labels.reset_button_label}"
 									action="#{sessionScopeBean.resetLoginInputs}"
 									icon="ui-icon ui-icon-close" immediate="true" ajax="false"