OXDEV-9927 Add user service to handle OTP on login

Author: TitaKoleva

metadata.php

@@ -43,7 +43,8 @@
     'controllers' => [
         'captcha' => \OxidEsales\SecurityModule\Captcha\Controller\CaptchaController::class,
         'password' => \OxidEsales\SecurityModule\PasswordPolicy\Controller\PasswordAjaxController::class,
-        'oauth' => \OxidEsales\SecurityModule\Authentication\OAuth2\Controller\OAuthController::class
+        'oauth' => \OxidEsales\SecurityModule\Authentication\OAuth2\Controller\OAuthController::class,
+        'twofactorauth' => \OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\TwoFactorAuthController::class,
     ],
     'templates'   => [
     ],

src/Authentication/TwoFactorAuth/Controller/TwoFactorAuthController.php

@@ -17,4 +17,9 @@ private function handleOTP(): void
 
         $this->getService(OTPServiceInterface::class)->validateCode($user, $code);
     }
+
+    public function render()
+    {
+        return parent::render(); // TODO: Change the autogenerated stub
+    }
 }

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php

@@ -9,12 +9,15 @@
 
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository;
 
+use OxidEsales\EshopCommunity\Internal\Framework\Database\QueryBuilderFactoryInterface;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\DataObject\UserInterface;
 use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Factory\UserFactoryInterface;
 
 class UserRepository implements UserRepositoryInterface
 {
     public function __construct(
-        private UserFactoryInterface $userFactory
+        private UserFactoryInterface $userFactory,
+        private readonly QueryBuilderFactoryInterface $queryBuilderFactory,
     ) {
     }
 
@@ -53,4 +56,15 @@ public function resetCodeFields(string $userId): void
         ]);
         $userModel->save();
     }
+
+    public function getUserPasswordHash(string $userName): string
+    {
+        $qb = $this->queryBuilderFactory->create();
+        $qb->select('OXPASSWORD')
+            ->from('oxuser')
+            ->where('oxusername = :userName')
+            ->setParameter('userName', $userName);
+
+        return $qb->execute()->fetchOne();
+    }
 }

src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php

@@ -14,4 +14,6 @@ public function updateAttempts(string $userId, int $attempts): int;
     public function resetCodeFields(string $userId): void;
 
     public function addOTPtoUser(string $userId, string $otp, int $expiresAt): bool;
+
+    public function getUserPasswordHash(string $userId): string;
 }

src/Authentication/TwoFactorAuth/Infrastructure/Repository/services.yaml

@@ -5,3 +5,4 @@ services:
 
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepository
+    public: true

src/Authentication/TwoFactorAuth/Service/AuthorizeService.php

@@ -11,12 +11,12 @@
 
 class AuthorizeService implements AuthorizeServiceInterface
 {
-    public function validate()
+    public function validate(): void
     {
         //todo: call correct provider service to validate the code
     }
 
-    public function generate($userName)
+    public function generate($userName): void
     {
         //todo: call correct provider service to generate the code
     }

src/Authentication/TwoFactorAuth/Service/AuthorizeServiceInterface.php

@@ -1,7 +1,15 @@
 <?php
 
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
 namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
 
 interface AuthorizeServiceInterface
 {
+    public function validate(): void;
+
+    public function generate($userName): void;
 }

src/Authentication/TwoFactorAuth/Service/services.yaml

@@ -14,6 +14,10 @@ services:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeService
     public: true
 
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\UserServiceInterface:
+    class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\UserService
+    public: true
+
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\NotifierCollectorInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\NotifierCollector
     public: true

src/Authentication/TwoFactorAuth/services.yaml

@@ -1,3 +1,4 @@
 imports:
   - { resource: Infrastructure/services.yaml }
   - { resource: Service/services.yaml }
+  - { resource: Infrastructure/services.yaml }

src/Shared/Model/User.php

@@ -12,7 +12,7 @@
 use OxidEsales\Eshop\Core\Exception\InputException;
 use OxidEsales\Eshop\Core\Exception\UserException;
 use OxidEsales\Eshop\Core\Registry;
-use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\AuthorizeService;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\UserServiceInterface;
 use OxidEsales\SecurityModule\Captcha\Captcha\Image\Exception\CaptchaValidateException as ImageCaptchaException;
 use OxidEsales\SecurityModule\Captcha\Captcha\HoneyPot\Exception\CaptchaValidateException as HoneyPotCaptchaException;
 use OxidEsales\SecurityModule\Captcha\Service\CaptchaServiceInterface;
@@ -77,16 +77,23 @@ public function login($userName, $password, $setSessionCookie = false): bool
             }
         }
 
-        $login = parent::login($userName, $password, $setSessionCookie);
-
-        //todo: $userService->handleLogin($login);
+        if (!$this->isOTPEnabled() || $this->isAdmin()) {
+            return parent::login($userName, $password, $setSessionCookie);
+        }
 
-        if (!$this->isOTPEnabled()) {
-            return $login;
+        $userService = $this->getService(UserServiceInterface::class);
+        if (!$userService->checkPassword($password, $userName)) {
+            return false; // invalid login
         }
 
-        $authorizeService = $this->getService(AuthorizeService::class);
-        $authorizeService->generate($userName); //save to db and send to email
+        $userService->handleLogin($userName);
+        Registry::getSession()->setVariable('pending_otp_user', $this->getId());
+        Registry::getUtils()->redirect(Registry::getConfig()->getShopHomeUrl() . 'cl=twofactorauth');
+
+        // We do NOT return success and do NOT create session
+        return false;
+//        $authorizeService = $this->getService(AuthorizeService::class);
+//        $authorizeService->generate($userName); //save to db and send to email
         // redirect to template for code -> submit
         // validate code on submit
         //redirect to whatever