OXDEV-9078 Add the flag for user to enable/disable the 2FA

The interface feature is not there yet, should be implemented soon.

Signed-off-by: Anton Fedurtsya <anton@fedurtsya.com>

Author: Sieg

migration/data/Version20251128093245.php

@@ -12,16 +12,11 @@
 use Doctrine\DBAL\Schema\Schema;
 use Doctrine\Migrations\AbstractMigration;
 
-// todo-critical: remove this
 final class Version20251128093245 extends AbstractMigration
 {
     public function up(Schema $schema): void
     {
-        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPCODE` VARCHAR(128) default NULL COMMENT "OTP code"');
-        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPEXPTIME` DATETIME default NULL COMMENT "OTP code expiration time"');
-        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPATTEMPTS` INT NOT NULL default 0 COMMENT "OTP code attempts"');
-        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMOTPLASTSENT` DATETIME default NULL COMMENT "Last OTP sent timestamp"');
-        $this->addSql('ALTER TABLE `oxuser` ADD column `OESMEXTERNALAUTH` TINYINT(1) NOT NULL default 0 COMMENT "User registered via external authentication"');
+        $this->addSql('ALTER TABLE `oxuser` ADD column `OE2FAENABLED` TINYINT(1) NOT NULL default 0 COMMENT "User has 2FA enabled"');
     }
 
     public function down(Schema $schema): void

src/Authentication/TwoFactorAuth/DTO/User.php

@@ -14,6 +14,7 @@ class User implements UserInterface
     public function __construct(
         private string $userId,
         private string $email,
+        private bool $twoFAEnabled,
     ) {
     }
 
@@ -26,4 +27,9 @@ public function getEmail(): string
     {
         return $this->email;
     }
+
+    public function isTwoFAEnabled(): bool
+    {
+        return $this->twoFAEnabled;
+    }
 }

src/Authentication/TwoFactorAuth/DTO/UserInterface.php

@@ -14,4 +14,6 @@ interface UserInterface
     public function getUserId(): string;
 
     public function getEmail(): string;
+
+    public function isTwoFAEnabled(): bool;
 }

src/Authentication/TwoFactorAuth/Infrastructure/Factory/UserFactory.php

@@ -20,6 +20,7 @@ public function createFromModel(User $userModel): UserInterface
         return new UserDto(
             userId: $userModel->getId(),
             email: $userModel->getFieldData('oxusername'),
+            twoFAEnabled: (bool) $userModel->getFieldData('oe2faenabled'),
         );
     }
 }

src/Authentication/TwoFactorAuth/Service/TwoFAUserService.php

@@ -12,6 +12,7 @@
 use OxidEsales\Eshop\Core\Utils;
 use OxidEsales\EshopCommunity\Internal\Framework\Session\SessionInterface;
 use OxidEsales\SecurityModule\Authentication\Service\InternalRedirectServiceInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Service\UserLoginAdapterInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFASettingsInterface;
 
@@ -29,6 +30,7 @@ public function __construct(
         private SessionInterface $session,
         private UserLoginAdapterInterface $loginAdapter,
         private InternalRedirectServiceInterface $redirectService,
+        private UserRepositoryInterface $userRepository,
     ) {
     }
 
@@ -58,4 +60,14 @@ public function isChallengeVerified(string $userId): bool
     {
         return $this->twoFAService->isVerified($userId);
     }
+
+    public function isTwoFARequired(string $userId): bool
+    {
+        if (!$this->settings->isTwoFactorAuthEnabled()) {
+            return false;
+        }
+
+        $user = $this->userRepository->getUserById($userId);
+        return $user->isTwoFAEnabled();
+    }
 }

src/Authentication/TwoFactorAuth/Service/TwoFAUserServiceInterface.php

@@ -18,4 +18,6 @@ public function getPendingUserId(): string;
     public function loginUser(string $userId): void;
 
     public function isChallengeVerified(string $userId): bool;
+
+    public function isTwoFARequired(string $userId): bool;
 }

src/Shared/Model/User.php

@@ -13,7 +13,6 @@
 use OxidEsales\Eshop\Core\Exception\UserException;
 use OxidEsales\Eshop\Core\Registry;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserServiceInterface;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFASettingsInterface;
 use OxidEsales\SecurityModule\Captcha\Captcha\Image\Exception\CaptchaValidateException as ImageCaptchaException;
 use OxidEsales\SecurityModule\Captcha\Captcha\HoneyPot\Exception\CaptchaValidateException as HoneyPotCaptchaException;
 use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
@@ -90,10 +89,9 @@ protected function onLogin($userName, #[\SensitiveParameter] $password)
         parent::onLogin($userName, $password);
 
         $userId = $this->getId();
-        $settingsService = $this->getService(TwoFASettingsInterface::class);
-        if ($userId && $settingsService->isTwoFactorAuthEnabled() && !$this->isAdmin()) {
+        if ($userId && !$this->isAdmin()) {
             $twoFAUserService = $this->getService(TwoFAUserServiceInterface::class);
-            if (!$twoFAUserService->isChallengeVerified($userId)) {
+            if ($twoFAUserService->isTwoFARequired($userId) && !$twoFAUserService->isChallengeVerified($userId)) {
                 $twoFAUserService->startChallengeForUser($userId);
             }
         }

tests/Integration/Shared/Model/UserTest.php

@@ -19,7 +19,6 @@
 use OxidEsales\EshopCommunity\Core\Di\ContainerFacade;
 // phpcs:ignore Generic.Files.LineLength
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserServiceInterface;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Settings\TwoFASettingsInterface;
 use OxidEsales\SecurityModule\Captcha\Service\ModuleSettingsServiceInterface as CaptchaSettingsServiceInterface;
 use OxidEsales\SecurityModule\Shared\Model\User as SecurityModuleUser;
 use OxidEsales\SecurityModule\Tests\Integration\IntegrationTestCase;
@@ -63,7 +62,9 @@ public function testCheckValuesWithInvalidCaptcha()
         $captchaSettings = $this->createStub(CaptchaSettingsServiceInterface::class);
         $captchaSettings->method('isCaptchaEnabled')->willReturn(true);
 
-        $sut = $this->getSut([CaptchaSettingsServiceInterface::class => $captchaSettings]);
+        $sut = $this->getSut([
+            CaptchaSettingsServiceInterface::class => $captchaSettings,
+        ]);
         $sut->checkValues('', '', '', [], []);
     }
 
@@ -85,7 +86,9 @@ public function testCheckValuesWithEmptyCaptcha()
         $captchaSettings = $this->createStub(CaptchaSettingsServiceInterface::class);
         $captchaSettings->method('isCaptchaEnabled')->willReturn(true);
 
-        $sut = $this->getSut([CaptchaSettingsServiceInterface::class => $captchaSettings]);
+        $sut = $this->getSut([
+            CaptchaSettingsServiceInterface::class => $captchaSettings,
+        ]);
         $sut->checkValues('', '', '', [], []);
     }
 
@@ -106,7 +109,9 @@ public function testLoginWithInvalidCaptcha()
         $captchaSettings = $this->createStub(CaptchaSettingsServiceInterface::class);
         $captchaSettings->method('isCaptchaEnabled')->willReturn(true);
 
-        $sut = $this->getSut([CaptchaSettingsServiceInterface::class => $captchaSettings]);
+        $sut = $this->getSut([
+            CaptchaSettingsServiceInterface::class => $captchaSettings,
+        ]);
         $sut->login('', '');
     }
 
@@ -127,7 +132,9 @@ public function testLoginWithEmptyCaptcha()
         $captchaSettings = $this->createStub(CaptchaSettingsServiceInterface::class);
         $captchaSettings->method('isCaptchaEnabled')->willReturn(true);
 
-        $sut = $this->getSut([CaptchaSettingsServiceInterface::class => $captchaSettings]);
+        $sut = $this->getSut([
+            CaptchaSettingsServiceInterface::class => $captchaSettings,
+        ]);
         $sut->login('', '');
     }
 
@@ -145,7 +152,9 @@ public function testLoginWithValidCaptchaAndValidCredentials(): void
         $captchaSettings = $this->createStub(CaptchaSettingsServiceInterface::class);
         $captchaSettings->method('isCaptchaEnabled')->willReturn(true);
 
-        $sut = $this->getSut([CaptchaSettingsServiceInterface::class => $captchaSettings]);
+        $sut = $this->getSut([
+            CaptchaSettingsServiceInterface::class => $captchaSettings,
+        ]);
         $result = $sut->login(self::TWO_FA_USER_NAME, self::TWO_FA_USER_PASSWORD);
 
         $this->assertTrue($result);
@@ -155,20 +164,15 @@ public function testLoginWith2FAEnabledAndUnverifiedChallengeTriggersChallenge()
     {
         $userId = $this->getTwoFAUserId();
 
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(true);
-
         $userServiceSpy = $this->createMock(TwoFAUserServiceInterface::class);
-        $userServiceSpy->method('isChallengeVerified')
-            ->with($userId)
-            ->willReturn(false);
+        $userServiceSpy->method('isTwoFARequired')->with($userId)->willReturn(true);
+        $userServiceSpy->method('isChallengeVerified')->with($userId)->willReturn(false);
         $userServiceSpy->expects($this->once())
             ->method('startChallengeForUser')
             ->with($userId);
 
         $sut = $this->getSut([
-            TwoFASettingsInterface::class => $twoFaSettings,
-            TwoFAUserServiceInterface::class => $userServiceSpy
+            TwoFAUserServiceInterface::class => $userServiceSpy,
         ]);
         $sut->login(self::TWO_FA_USER_NAME, self::TWO_FA_USER_PASSWORD);
     }
@@ -177,19 +181,13 @@ public function testLoginWith2FAEnabledAndVerifiedChallengeNOTTriggeringChalleng
     {
         $userId = $this->getTwoFAUserId();
 
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(true);
-
         $userServiceSpy = $this->createMock(TwoFAUserServiceInterface::class);
-        $userServiceSpy->method('isChallengeVerified')
-            ->with($userId)
-            ->willReturn(true);
-        $userServiceSpy->expects($this->never())
-            ->method('startChallengeForUser');
+        $userServiceSpy->method('isTwoFARequired')->with($userId)->willReturn(true);
+        $userServiceSpy->method('isChallengeVerified')->with($userId)->willReturn(true);
+        $userServiceSpy->expects($this->never())->method('startChallengeForUser');
 
         $sut = $this->getSut([
-            TwoFASettingsInterface::class => $twoFaSettings,
-            TwoFAUserServiceInterface::class => $userServiceSpy
+            TwoFAUserServiceInterface::class => $userServiceSpy,
         ]);
 
         $result = $sut->login(self::TWO_FA_USER_NAME, self::TWO_FA_USER_PASSWORD);
@@ -200,14 +198,11 @@ public function testLoginWithoutPasswordOnLoadedUserWith2FAEnabledAndChallengeVe
     {
         $userId = $this->getTwoFAUserId();
 
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(true);
-
         $userServiceMock = $this->createMock(TwoFAUserServiceInterface::class);
+        $userServiceMock->method('isTwoFARequired')->with($userId)->willReturn(true);
         $userServiceMock->method('isChallengeVerified')->with($userId)->willReturn(true);
 
         $sut = $this->getSut([
-            TwoFASettingsInterface::class => $twoFaSettings,
             TwoFAUserServiceInterface::class => $userServiceMock,
         ]);
         $sut->load($userId);
@@ -216,21 +211,18 @@ public function testLoginWithoutPasswordOnLoadedUserWith2FAEnabledAndChallengeVe
         $this->assertTrue($result);
     }
 
-    public function testLoginWithoutPasswordOnLoadedUserWith2FAEnabledAndChallengeNotVerifiedNOTLogsUserIn(): void
+    public function testLoginWithoutPasswordOnLoadedUserWith2FAEnabledAndChallengeNotVerifiedTriggersChallenge(): void
     {
         $userId = $this->getTwoFAUserId();
 
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(true);
-
         $userServiceSpy = $this->createMock(TwoFAUserServiceInterface::class);
+        $userServiceSpy->method('isTwoFARequired')->with($userId)->willReturn(true);
         $userServiceSpy->method('isChallengeVerified')->with($userId)->willReturn(false);
         $userServiceSpy->expects($this->once())
             ->method('startChallengeForUser')
             ->with($userId);
 
         $sut = $this->getSut([
-            TwoFASettingsInterface::class => $twoFaSettings,
             TwoFAUserServiceInterface::class => $userServiceSpy,
         ]);
         $sut->load($userId);
@@ -246,10 +238,7 @@ public function testLoginWith2FAEnabledAndBadCredentialsThrowsException(
         $this->expectException(UserException::class);
         $this->expectExceptionMessage('ERROR_MESSAGE_USER_NOVALIDLOGIN');
 
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(true);
-
-        $sut = $this->getSut([TwoFASettingsInterface::class => $twoFaSettings]);
+        $sut = $this->getSut();
         $sut->login($username, $password);
     }
 
@@ -259,20 +248,17 @@ public static function invalidLoginDataProvider(): Generator
         yield 'nonexistent user' => ['nonexistent@test.com', 'anypassword'];
     }
 
-    public function testLoginWith2FADisabledDoesntTouch2FA(): void
+    public function testLogin2FANotRequiredDoesntTouchChallengeAndJustLogins(): void
     {
-        $twoFaSettings = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaSettings->method('isTwoFactorAuthEnabled')->willReturn(false);
+        $userId = $this->getTwoFAUserId();
 
         $userServiceSpy = $this->createMock(TwoFAUserServiceInterface::class);
-        $userServiceSpy->expects($this->never())
-            ->method('isChallengeVerified');
-        $userServiceSpy->expects($this->never())
-            ->method('startChallengeForUser');
+        $userServiceSpy->method('isTwoFARequired')->with($userId)->willReturn(false);
+        $userServiceSpy->expects($this->never())->method('isChallengeVerified');
+        $userServiceSpy->expects($this->never())->method('startChallengeForUser');
 
         $sut = $this->getSut([
-            TwoFASettingsInterface::class => $twoFaSettings,
-            TwoFAUserServiceInterface::class => $userServiceSpy
+            TwoFAUserServiceInterface::class => $userServiceSpy,
         ]);
 
         $result = $sut->login(self::TWO_FA_USER_NAME, self::TWO_FA_USER_PASSWORD);
@@ -281,16 +267,16 @@ public function testLoginWith2FADisabledDoesntTouch2FA(): void
 
     private function getSut(array $serviceOverrides = []): SecurityModuleUser
     {
-        $captchaDefault = $this->createStub(CaptchaSettingsServiceInterface::class);
-        $captchaDefault->method('isCaptchaEnabled')->willReturn(false);
-
-        $twoFaDefault = $this->createStub(TwoFASettingsInterface::class);
-        $twoFaDefault->method('isTwoFactorAuthEnabled')->willReturn(false);
-
         $services = array_merge(
             [
-                CaptchaSettingsServiceInterface::class => $captchaDefault,
-                TwoFASettingsInterface::class => $twoFaDefault,
+                CaptchaSettingsServiceInterface::class => $this->createConfiguredStub(
+                    CaptchaSettingsServiceInterface::class,
+                    ['isCaptchaEnabled' => false]
+                ),
+                TwoFAUserServiceInterface::class => $this->createConfiguredStub(
+                    TwoFAUserServiceInterface::class,
+                    ['isTwoFARequired' => false]
+                ),
             ],
             $serviceOverrides
         );

tests/Unit/Authentication/TwoFactorAuth/DTO/UserTest.php

@@ -22,10 +22,12 @@ public function initializeAndReadProperties(): void
         $sut = new User(
             userId: $userId = uniqid(),
             email: $email = uniqid(),
+            twoFAEnabled: $twoFAEnabled = (bool) random_int(0, 1),
         );
 
         $this->assertInstanceOf(UserInterface::class, $sut);
         $this->assertSame($userId, $sut->getUserId());
         $this->assertSame($email, $sut->getEmail());
+        $this->assertSame($twoFAEnabled, $sut->isTwoFAEnabled());
     }
 }

tests/Unit/Authentication/TwoFactorAuth/Infrastructure/Factory/UserFactoryTest.php

@@ -18,18 +18,23 @@
 class UserFactoryTest extends TestCase
 {
     #[Test]
-    public function createFromModelMapsIdAndEmail(): void
+    public function createFromModelMapsAllProperties(): void
     {
+        $twoFAEnabledRaw = random_int(0, 1);
+
         $userModelStub = $this->createStub(User::class);
         $userModelStub->method('getId')->willReturn($userId = uniqid());
-        $userModelStub->method('getFieldData')->with('oxusername')->willReturn($email = uniqid());
-
-        $sut = $this->getSut();
+        $userModelStub->method('getFieldData')
+            ->willReturnMap([
+                ['oxusername', $email = uniqid()],
+                ['oe2faenabled', $twoFAEnabledRaw],
+            ]);
 
-        $result = $sut->createFromModel(userModel: $userModelStub);
+        $result = $this->getSut()->createFromModel(userModel: $userModelStub);
 
         $this->assertSame($userId, $result->getUserId());
         $this->assertSame($email, $result->getEmail());
+        $this->assertSame((bool) $twoFAEnabledRaw, $result->isTwoFAEnabled());
     }
 
     #[Test]