NeosTwoFactorAuthentication/Classes/Controller/ReloginApiController.php at a6a387d409c0ed3c12bbc681aded59223563caca · sandstorm/NeosTwoFactorAuthentication · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
<?php

namespace Sandstorm\NeosTwoFactorAuthentication\Controller;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Mvc\Controller\ActionController;
use Neos\Flow\Mvc\View\JsonView;
use Neos\Flow\Security\Context as SecurityContext;
use Sandstorm\NeosTwoFactorAuthentication\Domain\AuthenticationStatus;
use Sandstorm\NeosTwoFactorAuthentication\Service\SecondFactorService;
use Sandstorm\NeosTwoFactorAuthentication\Service\SecondFactorSessionStorageService;

class ReloginApiController extends ActionController
{
    /**
     * @var string
     */
    protected $defaultViewObjectName = JsonView::class;

    /**
     * @var array<string>
     */
    protected $supportedMediaTypes = ['application/json'];

    /**
     * @Flow\Inject
     */
    protected SecurityContext $securityContext;

    /**
     * @Flow\Inject
     */
    protected SecondFactorService $secondFactorService;

    /**
     * @Flow\Inject
     */
    protected SecondFactorSessionStorageService $secondFactorSessionStorageService;

    /**
     * Returns whether the currently authenticated account requires a second factor.
     */
    public function secondFactorStatusAction(): void
    {
        $account = $this->securityContext->getAccount();
        if ($account === null) {
            $this->response->setStatusCode(401);
            $this->view->assign('value', ['error' => 'Not authenticated']);
            return;
        }

        $required = $this->secondFactorService->isSecondFactorEnabledForAccount($account);
        $this->view->assign('value', ['secondFactorRequired' => $required]);
    }

    /**
     * Validates the submitted OTP and sets the session to AUTHENTICATED on success.
     *
     * CSRF protection is skipped because after session timeout + re-login, the CSRF token
     * context may not match. The endpoint is still protected by session authentication
     * and policy authorization (Policy.yaml).
     *
     * @Flow\SkipCsrfProtection
     */
    public function verifySecondFactorAction(): void
    {
        $account = $this->securityContext->getAccount();
        if ($account === null) {
            $this->response->setStatusCode(401);
            $this->view->assign('value', ['success' => false, 'error' => 'Not authenticated']);
            return;
        }

        // Read the raw body — rewind the stream first since Flow may have already read it
        $httpRequest = $this->request->getHttpRequest();
        $bodyStream = $httpRequest->getBody();
        $bodyStream->rewind();
        $body = json_decode($bodyStream->getContents(), true);
        $otp = $body['otp'] ?? '';

        if ($otp === '') {
            $this->response->setStatusCode(400);
            $this->view->assign('value', ['success' => false, 'error' => 'Missing OTP']);
            return;
        }

        $isValid = $this->secondFactorService->validateOtpForAccount($otp, $account);

        if ($isValid) {
            $this->secondFactorSessionStorageService->setAuthenticationStatus(AuthenticationStatus::AUTHENTICATED);
            $this->view->assign('value', ['success' => true]);
            return;
        }

        $this->response->setStatusCode(401);
        $this->view->assign('value', ['success' => false, 'error' => 'Invalid OTP']);
    }
}