OXDEV-9078 Add two FA settings in user account

TitaKoleva · TitaKoleva · commit b7948f7f4147 · 2026-04-09T20:44:55.000+03:00
diff --git a/metadata.php b/metadata.php
@@ -35,6 +35,7 @@
     'extend'      => [
         \OxidEsales\Eshop\Application\Controller\NewsletterController::class => \OxidEsales\SecurityModule\Captcha\Shop\NewsletterController::class,
         \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class => \OxidEsales\SecurityModule\Shared\Controller\ForgotPasswordController::class,
+        \OxidEsales\Eshop\Application\Controller\AccountPasswordController::class => \OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\AccountPasswordController::class,
         \OxidEsales\Eshop\Application\Model\User::class => \OxidEsales\SecurityModule\Shared\Model\User::class,
         \OxidEsales\Eshop\Core\InputValidator::class    => \OxidEsales\SecurityModule\Shared\Core\InputValidator::class,
         \OxidEsales\Eshop\Core\ViewConfig::class        => \OxidEsales\SecurityModule\Shared\Core\ViewConfig::class
diff --git a/src/Authentication/TwoFactorAuth/Controller/AccountPasswordController.php b/src/Authentication/TwoFactorAuth/Controller/AccountPasswordController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller;
+
+use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserSettingsServiceInterface;
+
+/**
+ *  todo-critical: remove it if we go with new Security section
+ * @mixin \OxidEsales\Eshop\Application\Controller\AccountPasswordController
+ * @eshopExtension
+ */
+class AccountPasswordController extends AccountPasswordController_parent
+{
+    public function saveTwoFactorAuth(): void
+    {
+        $user = $this->getUser();
+        if (!$user) {
+            return;
+        }
+
+        $enabled = (bool) Registry::getRequest()->getRequestParameter('twofa_enabled');
+        $this->getService(TwoFAUserSettingsServiceInterface::class)->setEnabledForUser($user->getId(), $enabled);
+    }
+
+    public function isTwoFAEnabled(): bool
+    {
+        $user = $this->getUser();
+        if (!$user) {
+            return false;
+        }
+
+        return $this->getService(TwoFAUserSettingsServiceInterface::class)->isEnabledForUser($user->getId());
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/Controller/AccountSecurityController.php b/src/Authentication/TwoFactorAuth/Controller/AccountSecurityController.php
@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller;
+
+use OxidEsales\Eshop\Application\Controller\FrontendController;
+use OxidEsales\Eshop\Core\Registry;
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserSettingsServiceInterface;
+
+// todo-critical: remove if we go with Change Password extension
+class AccountSecurityController extends FrontendController
+{
+    /**
+     * @var string
+     * @SuppressWarnings("PHPMD.CamelCasePropertyName")
+     */
+    protected $_sThisTemplate = '@oe_security_module/templates/account_security';
+
+    public function __construct(
+        private readonly TwoFAUserSettingsServiceInterface $userSettingsService,
+    ) {
+        parent::__construct();
+    }
+
+    public function saveTwoFactorAuth(): void
+    {
+        $user = $this->getUser();
+        if (!$user) {
+            return;
+        }
+
+        $enabled = (bool) Registry::getRequest()->getRequestParameter('twofa_enabled');
+        $this->userSettingsService->setEnabledForUser($user->getId(), $enabled);
+    }
+
+    public function isTwoFAEnabled(): bool
+    {
+        $user = $this->getUser();
+        if (!$user) {
+            return false;
+        }
+
+        return $this->userSettingsService->isEnabledForUser($user->getId());
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/Controller/services.yaml b/src/Authentication/TwoFactorAuth/Controller/services.yaml
@@ -9,3 +9,8 @@ services:
     public: true
     tags:
         - { name: 'oxid.view_controller', controller_key: 'twofactorauth' }
+
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\AccountSecurityController:
+    public: true
+    tags:
+        - { name: 'oxid.view_controller', controller_key: 'account_security' }
diff --git a/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php b/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepository.php
@@ -32,4 +32,16 @@ public function getUserById(string $userId): UserInterface
 
         return $this->userDtoFactory->createFromModel($userModel);
     }
+
+    public function setTwoFAEnabled(string $userId, bool $enabled): void
+    {
+        $userModel = $this->userFactory->create();
+
+        if (!$userModel->load($userId)) {
+            throw new UserNotFoundException();
+        }
+
+        $userModel->assign(['oe2faenabled' => (int) $enabled]);
+        $userModel->save();
+    }
 }
diff --git a/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php b/src/Authentication/TwoFactorAuth/Infrastructure/Repository/UserRepositoryInterface.php
@@ -16,4 +16,7 @@ interface UserRepositoryInterface
 {
     /** @throws UserNotFoundException */
     public function getUserById(string $userId): UserInterface;
+
+    /** @throws UserNotFoundException */
+    public function setTwoFAEnabled(string $userId, bool $enabled): void;
 }
diff --git a/src/Authentication/TwoFactorAuth/Service/TwoFAUserSettingsService.php b/src/Authentication/TwoFactorAuth/Service/TwoFAUserSettingsService.php
@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
+
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Infrastructure\Repository\UserRepositoryInterface;
+
+class TwoFAUserSettingsService implements TwoFAUserSettingsServiceInterface
+{
+    public function __construct(
+        private UserRepositoryInterface $userRepository,
+    ) {
+    }
+
+    public function isEnabledForUser(string $userId): bool
+    {
+        return $this->userRepository->getUserById($userId)->isTwoFAEnabled();
+    }
+
+    public function setEnabledForUser(string $userId, bool $enabled): void
+    {
+        $this->userRepository->setTwoFAEnabled($userId, $enabled);
+    }
+}
diff --git a/src/Authentication/TwoFactorAuth/Service/TwoFAUserSettingsServiceInterface.php b/src/Authentication/TwoFactorAuth/Service/TwoFAUserSettingsServiceInterface.php
@@ -0,0 +1,21 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service;
+
+use OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Exception\UserNotFoundException;
+
+interface TwoFAUserSettingsServiceInterface
+{
+    /** @throws UserNotFoundException */
+    public function isEnabledForUser(string $userId): bool;
+
+    /** @throws UserNotFoundException */
+    public function setEnabledForUser(string $userId, bool $enabled): void;
+}
diff --git a/src/Authentication/TwoFactorAuth/Service/services.yaml b/src/Authentication/TwoFactorAuth/Service/services.yaml
@@ -8,3 +8,7 @@ services:
   OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserServiceInterface:
     class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserService
     public: true
+
+  OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserSettingsServiceInterface:
+    class: OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Service\TwoFAUserSettingsService
+    public: true
diff --git a/tests/PhpStan/phpstan-bootstrap.php b/tests/PhpStan/phpstan-bootstrap.php
@@ -29,5 +29,10 @@ class_alias(
 
 class_alias(
     \OxidEsales\Eshop\Application\Controller\ForgotPasswordController::class,
+    \OxidEsales\SecurityModule\Authentication\TwoFactorAuth\Controller\AccountPasswordController_parent::class
+);
+
+class_alias(
+    \OxidEsales\Eshop\Application\Controller\AccountPasswordController::class,
     \OxidEsales\SecurityModule\Shared\Controller\ForgotPasswordController_parent::class
 );
diff --git a/translations/de/oesecuritymodule_lang.php b/translations/de/oesecuritymodule_lang.php
@@ -62,4 +62,10 @@
 
     'OE_SECURITY_EXTERNAL_AUTH_PASSWORD_INFO' => 'Sie sind mit einem externen Anbieter angemeldet. Die Passwortverwaltung ist für dieses Konto nicht verfügbar.',
     'OE_SECURITY_RESET_PASSWORD'              => 'Passwort zurücksetzen',
+
+    'OE_SECURITY_PASSWORD_AND_SECURITY'           => 'Passwort & Sicherheit',
+    'OE_SECURITY_SECURITY_TITLE'                  => 'Sicherheit',
+    'OE_SECURITY_TWO_FACTOR_SETTINGS_TITLE'       => 'Zwei-Faktor-Authentifizierung',
+    'OE_SECURITY_TWO_FACTOR_SETTINGS_DESCRIPTION' => 'Fügen Sie Ihrem Konto eine zusätzliche Sicherheitsebene hinzu. Wenn aktiviert, müssen Sie bei jeder Anmeldung einen Bestätigungscode eingeben, der an Ihre E-Mail gesendet wird.',
+    'OE_SECURITY_TWO_FACTOR_ENABLE'               => 'Zwei-Faktor-Authentifizierung aktivieren',
 ];
diff --git a/translations/en/oesecuritymodule_lang.php b/translations/en/oesecuritymodule_lang.php
@@ -62,4 +62,10 @@
 
     'OE_SECURITY_EXTERNAL_AUTH_PASSWORD_INFO' => 'You are signed in with an external provider. Password management is not available for this account.',
     'OE_SECURITY_RESET_PASSWORD'              => 'Reset password',
+
+    'OE_SECURITY_PASSWORD_AND_SECURITY'           => 'Password & Security',
+    'OE_SECURITY_SECURITY_TITLE'                  => 'Security',
+    'OE_SECURITY_TWO_FACTOR_SETTINGS_TITLE'       => 'Two-Factor Authentication',
+    'OE_SECURITY_TWO_FACTOR_SETTINGS_DESCRIPTION' => 'Add an extra layer of security to your account. When enabled, you will need to enter a verification code sent to your email each time you log in.',
+    'OE_SECURITY_TWO_FACTOR_ENABLE'               => 'Enable two-factor authentication',
 ];
diff --git a/views/twig/extensions/themes/default/page/account/dashboard.html.twig b/views/twig/extensions/themes/default/page/account/dashboard.html.twig
@@ -0,0 +1,18 @@
+{# todo-critical: remove if we go with separate Security section #}
+{% extends 'page/account/dashboard.html.twig' %}
+
+{% block account_dashboard_password_title %}{{ translate({ ident: "OE_SECURITY_PASSWORD_AND_SECURITY" }) }}{% endblock %}
+
+{% block account_dashboard_items %}
+    {{ parent() }}
+    <div class="col mb-3">
+        <div class="card card-lg h-100">
+            <h2 class="h4 card-header card-title">{{ translate({ ident: "OE_SECURITY_SECURITY_TITLE" }) }}</h2>
+            <div class="card-body">
+                <a class="btn btn-outline-primary stretched-link" href="{{ seo_url({ ident: oViewConf.getSslSelfLink() ~ "cl=account_security" }) }}">
+                    {{ translate({ ident: "MORE" }) }}
+                </a>
+            </div>
+        </div>
+    </div>
+{% endblock %}
diff --git a/views/twig/extensions/themes/default/page/account/inc/account_menu.html.twig b/views/twig/extensions/themes/default/page/account/inc/account_menu.html.twig
@@ -0,0 +1,15 @@
+{# todo-critical: remove if we go with separate Security section #}
+{% extends 'page/account/inc/account_menu.html.twig' %}
+
+{% block account_menu_password_item %}
+    <a class="dropdown-item{% if active_link == "password" %} active{% endif %}"
+       href="{{ seo_url({ ident: oViewConf.getSslSelfLink() ~ "cl=account_password" }) }}"
+       title="{{ translate({ ident: "OE_SECURITY_PASSWORD_AND_SECURITY" }) }}">{{ translate({ ident: "OE_SECURITY_PASSWORD_AND_SECURITY" }) }}</a>
+{% endblock %}
+
+{% block account_menu %}
+    {{ parent() }}
+    <a class="dropdown-item{% if active_link == "security" %} active{% endif %}"
+       href="{{ seo_url({ ident: oViewConf.getSslSelfLink() ~ "cl=account_security" }) }}"
+       title="{{ translate({ ident: "OE_SECURITY_SECURITY_TITLE" }) }}">{{ translate({ ident: "OE_SECURITY_SECURITY_TITLE" }) }}</a>
+{% endblock %}
diff --git a/views/twig/extensions/themes/default/page/account/password.html.twig b/views/twig/extensions/themes/default/page/account/password.html.twig
@@ -0,0 +1,10 @@
+{# todo-critical: remove if we go with separate Security section #}
+{% extends 'page/account/password.html.twig' %}
+
+{% block account_password_heading %}{{ translate({ ident: "OE_SECURITY_PASSWORD_AND_SECURITY" }) }}{% endblock %}
+
+{% block account_password_card_title %}<h2 class="h5">{{ translate({ ident: "CHANGE_PASSWORD" }) }}</h2>{% endblock %}
+
+{% block account_security_settings %}
+    {% include '@oe_security_module/form/two_factor_auth_settings.html.twig' %}
+{% endblock %}
diff --git a/views/twig/form/two_factor_auth_settings.html.twig b/views/twig/form/two_factor_auth_settings.html.twig
@@ -0,0 +1,28 @@
+<div class="card card-lg mt-4">
+    <div class="card-body">
+        <h2 class="h5">{{ translate({ ident: "OE_SECURITY_TWO_FACTOR_SETTINGS_TITLE" }) }}</h2>
+        <p>{{ translate({ ident: "OE_SECURITY_TWO_FACTOR_SETTINGS_DESCRIPTION" }) }}</p>
+        <form action="{{ oViewConf.getSelfLink()|raw }}" method="post">
+            {{ oViewConf.getHiddenSid()|raw }}
+            {# todo-critical: amend value according to what we will go with - controller or password extension #}
+            <input type="hidden" name="cl" value="{{ formController ?? 'account_password' }}">
+            <input type="hidden" name="fnc" value="saveTwoFactorAuth">
+            <div class="form-check form-switch mb-3">
+                <input
+                    class="form-check-input"
+                    type="checkbox"
+                    id="twofa_enabled"
+                    name="twofa_enabled"
+                    value="1"
+                    {% if oView.isTwoFAEnabled() %}checked{% endif %}
+                >
+                <label class="form-check-label" for="twofa_enabled">
+                    {{ translate({ ident: "OE_SECURITY_TWO_FACTOR_ENABLE" }) }}
+                </label>
+            </div>
+            <button type="submit" class="btn btn-primary btn-responsive">
+                {{ translate({ ident: "SAVE" }) }}
+            </button>
+        </form>
+    </div>
+</div>
diff --git a/views/twig/templates/account_security.html.twig b/views/twig/templates/account_security.html.twig
@@ -0,0 +1,17 @@
+{# todo-critical: remove if we go with Password & Security #}
+{% capture append = "oxidBlock_content" %}
+    <div class="container-xxl py-5">
+        <div class="row">
+            <h1 class="h3 page-header col pl-0 ml-3">
+                {{ translate({ ident: "OE_SECURITY_SECURITY_TITLE" }) }}
+            </h1>
+            <div class="col-12 col-sm-3 button-col">
+                {% include "page/account/inc/account_menu.html.twig" with {active_link: "security"} %}
+            </div>
+        </div>
+
+        {% include '@oe_security_module/form/two_factor_auth_settings.html.twig' with { formController: 'account_security' } %}
+    </div>
+{% endcapture %}
+
+{% include "layout/page.html.twig" %}

Original file line number	Diff line number	Diff line change
`@@ -16,4 +16,7 @@ interface UserRepositoryInterface`
`16`	`16`	`{`
`17`	`17`	`/** @throws UserNotFoundException */`
`18`	`18`	`public function getUserById(string $userId): UserInterface;`
	`19`	`+`
	`20`	`+ /** @throws UserNotFoundException */`
	`21`	`+ public function setTwoFAEnabled(string $userId, bool $enabled): void;`
`19`	`22`	`}`