Merge pull request #173 from magento-gl/Sync-2.4.8-beta1-pre-release

sidolov · web-flow · commit a8391f08afe4 · 2024-10-15T08:46:03.000-05:00
AC-13224: Sync 2.4.8-beta1-develop with 2.4-develop
diff --git a/TwoFactorAuth/Controller/Adminhtml/Authy/Authpost.php b/TwoFactorAuth/Controller/Adminhtml/Authy/Authpost.php
@@ -19,9 +19,13 @@
 use Magento\TwoFactorAuth\Controller\Adminhtml\AbstractAction;
 use Magento\TwoFactorAuth\Model\Provider\Engine\Authy;
 use Magento\User\Model\User;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\User\Model\ResourceModel\User as UserResource;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * @SuppressWarnings(PHPMD.CamelCaseMethodName)
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Authpost extends AbstractAction implements HttpPostActionInterface
 {
@@ -60,6 +64,26 @@ class Authpost extends AbstractAction implements HttpPostActionInterface
      */
     private $alert;
 
+    /**
+     * Config path for the 2FA Attempts
+     */
+    private const XML_PATH_2FA_RETRY_ATTEMPTS = 'twofactorauth/general/twofactorauth_retry';
+
+    /**
+     * Config path for the 2FA Attempts
+     */
+    private const XML_PATH_2FA_LOCK_EXPIRE = 'twofactorauth/general/auth_lock_expire';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * @var UserResource
+     */
+    private $userResource;
+
     /**
      * @param Action\Context $context
      * @param Session $session
@@ -69,6 +93,9 @@ class Authpost extends AbstractAction implements HttpPostActionInterface
      * @param TfaInterface $tfa
      * @param AlertInterface $alert
      * @param DataObjectFactory $dataObjectFactory
+     * @param UserResource|null $userResource
+     * @param ScopeConfigInterface|null $scopeConfig
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         Action\Context $context,
@@ -78,7 +105,9 @@ public function __construct(
         TfaSessionInterface $tfaSession,
         TfaInterface $tfa,
         AlertInterface $alert,
-        DataObjectFactory $dataObjectFactory
+        DataObjectFactory $dataObjectFactory,
+        ?UserResource $userResource = null,
+        ?ScopeConfigInterface $scopeConfig = null
     ) {
         parent::__construct($context);
         $this->tfa = $tfa;
@@ -88,6 +117,8 @@ public function __construct(
         $this->authy = $authy;
         $this->dataObjectFactory = $dataObjectFactory;
         $this->alert = $alert;
+        $this->scopeConfig = $scopeConfig ?? ObjectManager::getInstance()->get(ScopeConfigInterface::class);
+        $this->userResource = $userResource ?? ObjectManager::getInstance()->get(UserResource::class);
     }
 
     /**
@@ -109,6 +140,13 @@ public function execute()
         $result = $this->jsonFactory->create();
 
         try {
+            if (!$this->allowApiRetries()) { //locked the user
+                $lockThreshold = $this->scopeConfig->getValue(self::XML_PATH_2FA_LOCK_EXPIRE);
+                if ($this->userResource->lock((int)$user->getId(), 0, $lockThreshold)) {
+                    $result->setData(['success' => false, 'message' => "Your account is temporarily disabled."]);
+                    return $result;
+                }
+            }
             $this->authy->verify($user, $this->dataObjectFactory->create([
                 'data' => $this->getRequest()->getParams(),
             ]));
@@ -141,4 +179,18 @@ protected function _isAllowed()
             $this->tfa->getProviderIsAllowed((int) $user->getId(), Authy::CODE) &&
             $this->tfa->getProvider(Authy::CODE)->isActive((int) $user->getId());
     }
+
+    /**
+     * Check if retry attempt above threshold value
+     *
+     * @return bool
+     */
+    private function allowApiRetries() : bool
+    {
+        $maxRetries = $this->scopeConfig->getValue(self::XML_PATH_2FA_RETRY_ATTEMPTS);
+        $verifyAttempts = $this->session->getOtpAttempt();
+        $verifyAttempts = $verifyAttempts === null ? 1 : $verifyAttempts+1;
+        $this->session->setOtpAttempt($verifyAttempts);
+        return  $maxRetries >= $verifyAttempts;
+    }
 }
diff --git a/TwoFactorAuth/Controller/Adminhtml/Google/Authpost.php b/TwoFactorAuth/Controller/Adminhtml/Google/Authpost.php
@@ -19,6 +19,9 @@
 use Magento\TwoFactorAuth\Controller\Adminhtml\AbstractAction;
 use Magento\TwoFactorAuth\Model\Provider\Engine\Google;
 use Magento\User\Model\User;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\User\Model\ResourceModel\User as UserResource;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Google authenticator post controller
@@ -61,6 +64,26 @@ class Authpost extends AbstractAction implements HttpPostActionInterface
      */
     private $alert;
 
+    /**
+     * Config path for the 2FA Attempts
+     */
+    private const XML_PATH_2FA_RETRY_ATTEMPTS = 'twofactorauth/general/twofactorauth_retry';
+
+    /**
+     * Config path for the 2FA Attempts
+     */
+    private const XML_PATH_2FA_LOCK_EXPIRE = 'twofactorauth/general/auth_lock_expire';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * @var UserResource
+     */
+    private $userResource;
+
     /**
      * @param Action\Context $context
      * @param Session $session
@@ -70,6 +93,9 @@ class Authpost extends AbstractAction implements HttpPostActionInterface
      * @param TfaInterface $tfa
      * @param AlertInterface $alert
      * @param DataObjectFactory $dataObjectFactory
+     * @param UserResource|null $userResource
+     * @param ScopeConfigInterface|null $scopeConfig
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         Action\Context $context,
@@ -79,7 +105,9 @@ public function __construct(
         TfaSessionInterface $tfaSession,
         TfaInterface $tfa,
         AlertInterface $alert,
-        DataObjectFactory $dataObjectFactory
+        DataObjectFactory $dataObjectFactory,
+        ?UserResource $userResource = null,
+        ?ScopeConfigInterface $scopeConfig = null
     ) {
         parent::__construct($context);
         $this->tfa = $tfa;
@@ -89,6 +117,8 @@ public function __construct(
         $this->tfaSession = $tfaSession;
         $this->dataObjectFactory = $dataObjectFactory;
         $this->alert = $alert;
+        $this->scopeConfig = $scopeConfig ?? ObjectManager::getInstance()->get(ScopeConfigInterface::class);
+        $this->userResource = $userResource ?? ObjectManager::getInstance()->get(UserResource::class);
     }
 
     /**
@@ -103,6 +133,14 @@ public function execute()
         /** @var \Magento\Framework\DataObject $request */
         $request = $this->dataObjectFactory->create(['data' => $this->getRequest()->getParams()]);
 
+        if (!$this->allowApiRetries()) { //locked the user
+            $lockThreshold = $this->scopeConfig->getValue(self::XML_PATH_2FA_LOCK_EXPIRE);
+            if ($this->userResource->lock((int)$user->getId(), 0, $lockThreshold)) {
+                $response->setData(['success' => false, 'message' => "Your account is temporarily disabled."]);
+                return $response;
+            }
+        }
+
         if ($this->google->verify($user, $request)) {
             $this->tfaSession->grantAccess();
             $response->setData(['success' => true]);
@@ -133,4 +171,18 @@ protected function _isAllowed()
             && $this->tfa->getProviderIsAllowed((int)$user->getId(), Google::CODE)
             && $this->tfa->getProvider(Google::CODE)->isActive((int)$user->getId());
     }
+
+    /**
+     * Check if retry attempt above threshold value
+     *
+     * @return bool
+     */
+    private function allowApiRetries() : bool
+    {
+        $maxRetries = $this->scopeConfig->getValue(self::XML_PATH_2FA_RETRY_ATTEMPTS);
+        $verifyAttempts = $this->session->getOtpAttempt();
+        $verifyAttempts = $verifyAttempts === null ? 1 : $verifyAttempts+1;
+        $this->session->setOtpAttempt($verifyAttempts);
+        return  $maxRetries >= $verifyAttempts;
+    }
 }
diff --git a/TwoFactorAuth/Controller/Adminhtml/Tfa/Reset.php b/TwoFactorAuth/Controller/Adminhtml/Tfa/Reset.php
@@ -89,6 +89,7 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        return parent::_isAllowed() && $this->_authorization->isAllowed('Magento_TwoFactorAuth::tfa');
+        return parent::_isAllowed() && $this->_authorization->isAllowed('Magento_TwoFactorAuth::tfa')
+            && $this->_authorization->isAllowed('Magento_User::acl_users');
     }
 }
diff --git a/TwoFactorAuth/etc/adminhtml/system.xml b/TwoFactorAuth/etc/adminhtml/system.xml
@@ -35,6 +35,21 @@
                     <label>Configuration Email URL for Web API</label>
                     <comment>This can be used to override the default email configuration link that is sent when using the Magento Web API's to authenticate. Use the placeholder :tfat to indicate where the token should be injected</comment>
                 </field>
+                <field canRestore="1" id="twofactorauth_retry" translate="label" type="text" sortOrder="40"
+                       showInDefault="1" showInWebsite="0" showInStore="0">
+                    <label>Retry attempt limit for Two-Factor Authentication</label>
+                    <comment>
+                        Determines how many times a user can try to complete the 2FA process before being temporarily locked out.
+                    </comment>
+                </field>
+                <field canRestore="1" id="auth_lock_expire" translate="label" type="text" sortOrder="40"
+                       showInDefault="1" showInWebsite="0" showInStore="0">
+                    <label>Two-Factor Authentication lockout time (seconds)</label>
+                    <comment>
+                        Determines how long a user is locked out if they reach the threshold defined above.
+                        Please enter at least 120 and at most 1800 (30 minutes).
+                    </comment>
+                </field>
             </group>
             <group id="google" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="0"
                    showInStore="0">
diff --git a/TwoFactorAuth/etc/config.xml b/TwoFactorAuth/etc/config.xml
@@ -11,6 +11,8 @@
         <twofactorauth>
             <general>
                 <force_providers></force_providers>
+                <twofactorauth_retry>10</twofactorauth_retry>
+                <auth_lock_expire>300</auth_lock_expire>
             </general>
             <authy>
                 <onetouch_message>Login request to your Magento Admin</onetouch_message>
diff --git a/TwoFactorAuth/i18n/en_US.csv b/TwoFactorAuth/i18n/en_US.csv
@@ -0,0 +1,5 @@
+"Configuration for TwoFactorAuth retry attempts","Configuration for TwoFactorAuth retry attempts"
+"Configuration for TwoFactorAuth lock expire time","Configuration for TwoFactorAuth lock expire time"
+"TwoFactorAuth Configuration","TwoFactorAuth Configuration"
+"Security configurations for TwoFactorAuth page","Security configurations for TwoFactorAuth page"
+"Your account is temporarily disabled.","Your account is temporarily disabled."

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@ public function execute()`
`89`	`89`	`*/`
`90`	`90`	`protected function _isAllowed()`
`91`	`91`	`{`
`92`		`- return parent::_isAllowed() && $this->_authorization->isAllowed('Magento_TwoFactorAuth::tfa');`
	`92`	`+ return parent::_isAllowed() && $this->_authorization->isAllowed('Magento_TwoFactorAuth::tfa')`
	`93`	`+ && $this->_authorization->isAllowed('Magento_User::acl_users');`
`93`	`94`	`}`
`94`	`95`	`}`