Merge branch 'b-7.4.x-attempts-limit-OXDEV-10036' into b-7.4.x-2fa-OXDEV-9078

Author: tkcreateit

assets/out/src/css/authentication.css

@@ -0,0 +1,9 @@
+.btn-responsive {
+    width: 100%;
+}
+
+@media (min-width: 768px) {
+    .btn-responsive {
+        width: auto;
+    }
+}

assets/out/src/js/index.js

@@ -53,7 +53,7 @@ if (resendBtn) {
     const resendOtp = new ResendOtp(resendBtn);
 
     // restore cooldown on refresh
-    resendOtp.restoreIfNeeded();
+    resendOtp.restoreOnRefresh();
     resendBtn.addEventListener('click', function () {
         resendOtp.resend();
     });

assets/out/src/js/module/resend-otp.js

@@ -4,15 +4,38 @@
  */
 
 export class ResendOtp {
-    constructor(button, { hintId = 'resend-hint' } = {}) {
+    constructor(button, options = {}) {
+        const {
+            hintId = 'resend-hint',
+            submitButtonId = 'auth_submit',
+            attemptsDisplayId = 'remaining-attempts',
+            codeInputId = 'auth_code',
+            maxAttempts = 5
+        } = options;
+
         this.btn = button;
         this.hint = document.getElementById(hintId);
+        this.submitBtn = document.getElementById(submitButtonId);
+        this.attemptsDisplay = document.getElementById(attemptsDisplayId);
+        this.codeInput = document.getElementById(codeInputId);
+        this.maxAttempts = maxAttempts;
 
         this.cooldownSeconds = Number(button.dataset.cooldown || 60);
         this.url = button.dataset.url;
         this.storageKey = `otp_resend_until_${this.url}`;
 
         this.timer = null;
+
+        this.initAttemptsCheck();
+    }
+
+    initAttemptsCheck() {
+        if (this.attemptsDisplay) {
+            const attempts = parseInt(this.attemptsDisplay.textContent, 10);
+            if (attempts === 0) {
+                this.disableSubmit();
+            }
+        }
     }
 
     async resend() {
@@ -31,13 +54,40 @@ export class ResendOtp {
             this.storeUntil(until);
             this.startCooldown(until);
 
+            this.resetAttempts();
+
         } catch (e) {
             console.error(e);
             this.unlock();
             this.setHint('Could not resend code.');
         }
     }
 
+    resetAttempts() {
+        if (this.attemptsDisplay) {
+            this.attemptsDisplay.textContent = this.maxAttempts;
+        }
+        this.enableSubmit();
+    }
+
+    disableSubmit() {
+        if (this.submitBtn) {
+            this.submitBtn.disabled = true;
+        }
+        if (this.codeInput) {
+            this.codeInput.disabled = true;
+        }
+    }
+
+    enableSubmit() {
+        if (this.submitBtn) {
+            this.submitBtn.disabled = false;
+        }
+        if (this.codeInput) {
+            this.codeInput.disabled = false;
+        }
+    }
+
     startCooldown(until) {
         clearInterval(this.timer);
         console.log(`Starting OTP resend cooldown until ${new Date(until).toISOString()}`);
@@ -83,7 +133,7 @@ export class ResendOtp {
         localStorage.removeItem(this.storageKey);
     }
 
-    restoreIfNeeded() {
+    restoreOnRefresh() {
         console.log('Restoring OTP resend cooldown if needed');
         const until = this.getStoredUntil();
         if (until && until > Date.now()) {

src/Authentication/TwoFactorAuth/Service/AuthorizeService.php

@@ -72,4 +72,17 @@ public function getVerificationUrl(): string
 
         return $verificator->getVerificationUrl();
     }
+
+    public function getRemainingAttempts(): int
+    {
+        $activeVerificator = $this->moduleSettings->getTwoFactorAuthType();
+
+        $verificator = $this->verifyCollector->getVerificator(
+            $activeVerificator
+        );
+
+        $userId = $this->session->get(self::USER_SESSION_KEY);
+
+        return $verificator->getRemainingAttempts($userId);
+    }
 }

src/Authentication/TwoFactorAuth/Service/AuthorizeServiceInterface.php

@@ -14,4 +14,6 @@ public function validate(string $inputCode): void;
     public function generate(): void;
 
     public function getVerificationUrl(): string;
+
+    public function getRemainingAttempts(): int;
 }

src/Authentication/TwoFactorAuth/Service/Verificator/OTP/OTPVerificator.php

@@ -10,6 +10,7 @@
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP;
 
 use OxidEsales\Eshop\Core\Config;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\AttemptLimitExceededException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\InvalidCodeException;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\Verificator\OTP\Generator\OTPGeneratorInterface;
@@ -42,6 +43,10 @@ public function validateCode(string $userId, string $inputCode): void
             $this->otpValidator->validateCode($otpData->getCode(), $inputCode);
         } catch (InvalidCodeException $e) {
             $this->userRepository->updateAttempts($userId, $otpData->getAttempts() + 1);
+            if ($this->getRemainingAttempts($userId) === 0) {
+                throw new AttemptLimitExceededException();
+            }
+
             throw $e;
         }
 
@@ -57,4 +62,12 @@ public function getVerificationUrl(): string
     {
         return $this->config->getShopHomeUrl() . 'cl=twofactorauth';
     }
+
+    public function getRemainingAttempts(string $userId): int
+    {
+        $otpData = $this->userRepository->getUserOTPData($userId);
+        $maxAttempts = $this->otpValidator->getMaxAttempts();
+
+        return max(0, $maxAttempts - $otpData->getAttempts());
+    }
 }

src/Authentication/TwoFactorAuth/Service/Verificator/OTP/Validator/OTPValidator.php

@@ -45,4 +45,9 @@ public function checkExpirationTime(?DateTimeInterface $expiresAt): void
             throw new TimeExpiredException();
         }
     }
+
+    public function getMaxAttempts(): int
+    {
+        return self::MAX_ATTEMPTS;
+    }
 }

src/Authentication/TwoFactorAuth/Service/Verificator/OTP/Validator/OTPValidatorInterface.php

@@ -20,4 +20,6 @@ public function validateCode(?string $userCode, string $inputCode): void;
     public function checkLoginAttempts(int $attempts): void;
 
     public function checkExpirationTime(?DateTimeInterface $expiresAt): void;
+
+    public function getMaxAttempts(): int;
 }

src/Authentication/TwoFactorAuth/Service/Verificator/VerificatorAdapterInterface.php

@@ -16,4 +16,6 @@ public function validateCode(string $userId, string $inputCode): void;
     public function generate(string $userId): string;
 
     public function getVerificationUrl(): string;
+
+    public function getRemainingAttempts(string $userId): int;
 }

src/Shared/Core/ViewConfig.php

@@ -10,6 +10,7 @@
 namespace OxidEsales\SecurityModule\Shared\Core;
 
 use OxidEsales\SecurityModule\Authentication\OAuth2\Service\ProviderCollectorInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeServiceInterface;
 use OxidEsales\SecurityModule\Captcha\Captcha\Image\Service\ImageCaptchaService;
 use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
 use OxidEsales\SecurityModule\PasswordPolicy\Service\ModuleSettingsServiceInterface as PasswordSettingsServiceInterface;
@@ -58,4 +59,9 @@ public function getActiveProviders(): iterable
 
         return array_filter($providers, fn($provider) => $provider->isActive());
     }
+
+    public function getRemainingAttempts(): int
+    {
+        return $this->getService(AuthorizeServiceInterface::class)->getRemainingAttempts();
+    }
 }