Make 2FA requirement check extensible (#13889)

Author: MikeAlhayek

src/OrchardCore.Modules/OrchardCore.Users/Controllers/TwoFactorAuthenticationController.cs

@@ -40,6 +40,7 @@ public class TwoFactorAuthenticationController : AccountBaseController
     private readonly IDistributedCache _distributedCache;
     private readonly UrlEncoder _urlEncoder;
     private readonly ShellSettings _shellSettings;
+    private readonly ITwoFactorAuthenticationHandlerCoordinator _twoFactorHandlerCoordinator;
     private readonly IHtmlLocalizer H;
     private readonly IStringLocalizer S;
 
@@ -54,7 +55,8 @@ public TwoFactorAuthenticationController(
         INotifier notifier,
         IDistributedCache distributedCache,
         UrlEncoder urlEncoder,
-        ShellSettings shellSettings)
+        ShellSettings shellSettings,
+        ITwoFactorAuthenticationHandlerCoordinator twoFactorHandlerCoordinator)
         : base(userManager)
     {
         _signInManager = signInManager;
@@ -65,6 +67,7 @@ public TwoFactorAuthenticationController(
         _distributedCache = distributedCache;
         _urlEncoder = urlEncoder;
         _shellSettings = shellSettings;
+        _twoFactorHandlerCoordinator = twoFactorHandlerCoordinator;
         H = htmlLocalizer;
         S = stringLocalizer;
     }
@@ -139,7 +142,7 @@ public async Task<IActionResult> LoginWithTwoFactorAuthentication(LoginWithTwoFa
         if (result.IsLockedOut)
         {
             _logger.LogWarning("User account locked out.");
-            ModelState.AddModelError(String.Empty, S["The account is locked out"]);
+            ModelState.AddModelError(String.Empty, S["The account is locked out."]);
             await _accountEvents.InvokeAsync((e, user) => e.IsLockedOutAsync(user), user, _logger);
 
             return RedirectToAction(nameof(AccountController.Login), typeof(AccountController).ControllerName());
@@ -202,8 +205,6 @@ public async Task<IActionResult> LoginWithRecoveryCode(LoginWithRecoveryCodeView
 
             var result = await _signInManager.TwoFactorRecoveryCodeSignInAsync(recoveryCode);
 
-            var userId = await _userManager.GetUserIdAsync(user);
-
             if (result.Succeeded)
             {
                 await _accountEvents.InvokeAsync((e, user) => e.LoggedInAsync(user), user, _logger);
@@ -221,7 +222,7 @@ public async Task<IActionResult> LoginWithRecoveryCode(LoginWithRecoveryCodeView
                 return RedirectToAction(nameof(AccountController.Login), typeof(AccountController).ControllerName());
             }
 
-            _logger.LogWarning("Invalid recovery code entered for user with ID '{UserId}' ", userId);
+            _logger.LogWarning("Invalid recovery code entered for user.");
             ModelState.AddModelError(String.Empty, S["Invalid recovery code entered."]);
         }
 
@@ -241,7 +242,7 @@ public async Task<IActionResult> EnableAuthenticator(string returnUrl)
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         var model = await LoadSharedKeyAndQrCodeUriAsync(user, loginSettings);
@@ -266,7 +267,7 @@ public async Task<IActionResult> EnableAuthenticator(EnableAuthenticatorViewMode
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         if (!ModelState.IsValid)
@@ -322,7 +323,7 @@ public async Task<IActionResult> Index()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         var model = new TwoFactorAuthenticationViewModel()
@@ -331,7 +332,7 @@ public async Task<IActionResult> Index()
             IsTwoFaEnabled = await _userManager.GetTwoFactorEnabledAsync(user),
             IsMachineRemembered = await _signInManager.IsTwoFactorClientRememberedAsync(user),
             RecoveryCodesLeft = await _userManager.CountRecoveryCodesAsync(user),
-            CanDisableTwoFa = !loginSettings.RequireTwoFactorAuthentication
+            CanDisableTwoFa = !await _twoFactorHandlerCoordinator.IsRequiredAsync()
             || !await loginSettings.CanEnableTwoFactorAuthenticationAsync(role => _userManager.IsInRoleAsync(user, role)),
         };
 
@@ -353,7 +354,7 @@ public async Task<IActionResult> ForgetTwoFactorClient()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         await _signInManager.ForgetTwoFactorClientAsync();
@@ -375,7 +376,7 @@ public async Task<IActionResult> GenerateRecoveryCodes()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         var isTwoFactorEnabled = await _userManager.GetTwoFactorEnabledAsync(user);
@@ -405,11 +406,10 @@ public async Task<IActionResult> GenerateRecoveryCodesPost()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
-        var isTwoFactorEnabled = await _userManager.GetTwoFactorEnabledAsync(user);
-        if (!isTwoFactorEnabled)
+        if (!await _userManager.GetTwoFactorEnabledAsync(user))
         {
             await _notifier.ErrorAsync(H["Cannot generate recovery codes for user because they do not have 2FA enabled."]);
 
@@ -437,7 +437,7 @@ public async Task<IActionResult> ShowRecoveryCodes()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         var userId = await _userManager.GetUserIdAsync(user);
@@ -468,7 +468,7 @@ public async Task<IActionResult> ResetAuthenticator()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         return View();
@@ -490,7 +490,7 @@ public async Task<IActionResult> ResetAuthenticatorPost()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
         await _userManager.SetTwoFactorEnabledAsync(user, false);
@@ -514,10 +514,10 @@ public async Task<IActionResult> DisableTwoFactorAuthentication()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
-        if (loginSettings.RequireTwoFactorAuthentication
+        if (await _twoFactorHandlerCoordinator.IsRequiredAsync()
             && await loginSettings.CanEnableTwoFactorAuthenticationAsync(role => _userManager.IsInRoleAsync(user, role)))
         {
             await _notifier.WarningAsync(H["Two-factor authentication cannot be disabled for the current user."]);
@@ -544,10 +544,10 @@ public async Task<IActionResult> DisableTwoFactorAuthenticationPost()
         var user = await _userManager.GetUserAsync(User);
         if (user == null)
         {
-            return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
+            return NotFound("Unable to load user.");
         }
 
-        if (loginSettings.RequireTwoFactorAuthentication
+        if (await _twoFactorHandlerCoordinator.IsRequiredAsync()
             && await loginSettings.CanEnableTwoFactorAuthenticationAsync(role => _userManager.IsInRoleAsync(user, role)))
         {
             await _notifier.WarningAsync(H["Two-factor authentication cannot be disabled for the current user."]);

src/OrchardCore.Modules/OrchardCore.Users/Filters/TwoFactorAuthenticationAuthorizationFilter.cs

@@ -6,6 +6,7 @@
 using Microsoft.Extensions.Options;
 using OrchardCore.Entities;
 using OrchardCore.Settings;
+using OrchardCore.Users.Events;
 using OrchardCore.Users.Models;
 using OrchardCore.Users.Services;
 
@@ -14,10 +15,14 @@ namespace OrchardCore.Users.Filters;
 public class TwoFactorAuthenticationAuthorizationFilter : IAsyncAuthorizationFilter
 {
     private readonly UserOptions _userOptions;
+    private readonly ITwoFactorAuthenticationHandlerCoordinator _twoFactorHandlerCoordinator;
 
-    public TwoFactorAuthenticationAuthorizationFilter(IOptions<UserOptions> userOptions)
+    public TwoFactorAuthenticationAuthorizationFilter(
+        IOptions<UserOptions> userOptions,
+        ITwoFactorAuthenticationHandlerCoordinator twoFactorHandlerCoordinator)
     {
         _userOptions = userOptions.Value;
+        _twoFactorHandlerCoordinator = twoFactorHandlerCoordinator;
     }
 
     public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
@@ -43,8 +48,8 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
 
         var loginSettings = (await siteService.GetSiteSettingsAsync()).As<LoginSettings>();
 
-        if (loginSettings.RequireTwoFactorAuthentication
-            && loginSettings.IsTwoFactorAuthenticationEnabled()
+        if (loginSettings.IsTwoFactorAuthenticationEnabled()
+            && await _twoFactorHandlerCoordinator.IsRequiredAsync()
             && context.HttpContext.User.HasClaim(claim => claim.Type == TwoFactorAuthenticationClaimsProvider.TwoFactorAuthenticationClaimType))
         {
             context.Result = new RedirectResult("~/" + _userOptions.EnableAuthenticatorPath);

src/OrchardCore.Modules/OrchardCore.Users/Services/TwoFactorAuthenticationClaimsProvider.cs

@@ -4,6 +4,7 @@
 using Microsoft.AspNetCore.Identity;
 using OrchardCore.Entities;
 using OrchardCore.Settings;
+using OrchardCore.Users.Events;
 using OrchardCore.Users.Models;
 
 namespace OrchardCore.Users.Services;
@@ -14,13 +15,16 @@ public class TwoFactorAuthenticationClaimsProvider : IUserClaimsProvider
 
     private readonly UserManager<IUser> _userManager;
     private readonly ISiteService _siteService;
+    private readonly ITwoFactorAuthenticationHandlerCoordinator _twoFactorHandlerCoordinator;
 
     public TwoFactorAuthenticationClaimsProvider(
         UserManager<IUser> userManager,
-        ISiteService siteService)
+        ISiteService siteService,
+        ITwoFactorAuthenticationHandlerCoordinator twoFactorHandlerCoordinator)
     {
         _userManager = userManager;
         _siteService = siteService;
+        _twoFactorHandlerCoordinator = twoFactorHandlerCoordinator;
     }
 
     public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
@@ -37,7 +41,7 @@ public async Task GenerateAsync(IUser user, ClaimsIdentity claims)
 
         var loginSettings = (await _siteService.GetSiteSettingsAsync()).As<LoginSettings>();
 
-        if (loginSettings.RequireTwoFactorAuthentication
+        if (await _twoFactorHandlerCoordinator.IsRequiredAsync()
             && !await _userManager.GetTwoFactorEnabledAsync(user)
             && await loginSettings.CanEnableTwoFactorAuthenticationAsync(role => _userManager.IsInRoleAsync(user, role)))
         {

src/OrchardCore/OrchardCore.Users.Abstractions/Events/ITwoFactorAuthenticationHandler.cs

@@ -0,0 +1,12 @@
+using System.Threading.Tasks;
+
+namespace OrchardCore.Users.Events;
+
+public interface ITwoFactorAuthenticationHandler
+{
+    /// <summary>
+    /// Checks if the two-factor authentication should be required or not.
+    /// </summary>
+    /// <returns>true if the two-factor authentication is required otherwise false.</returns>
+    Task<bool> IsRequiredAsync();
+}

src/OrchardCore/OrchardCore.Users.Abstractions/Events/ITwoFactorAuthenticationHandlerCoordinator.cs

@@ -0,0 +1,12 @@
+using System.Threading.Tasks;
+
+namespace OrchardCore.Users.Events;
+
+public interface ITwoFactorAuthenticationHandlerCoordinator
+{
+    /// <summary>
+    /// Checks if the two-factor authentication should be required or not.
+    /// </summary>
+    /// <returns>true if any of the two-factor authentication providers require 2FA otherwise false.</returns>
+    Task<bool> IsRequiredAsync();
+}

src/OrchardCore/OrchardCore.Users.Core/Extensions/UsersServiceCollectionExtensions.cs

@@ -5,6 +5,7 @@
 using OrchardCore.Security;
 using OrchardCore.Security.Services;
 using OrchardCore.Users;
+using OrchardCore.Users.Events;
 using OrchardCore.Users.Handlers;
 using OrchardCore.Users.Indexes;
 using OrchardCore.Users.Services;
@@ -50,6 +51,9 @@ public static IServiceCollection AddUsers(this IServiceCollection services)
             services.AddScoped<IUserClaimsPrincipalFactory<IUser>, DefaultUserClaimsPrincipalProviderFactory>();
             services.AddScoped<IUserEventHandler, UserDisabledEventHandler>();
 
+            services.AddScoped<ITwoFactorAuthenticationHandler, DefaultTwoFactorAuthenticationHandler>();
+            services.AddScoped<ITwoFactorAuthenticationHandlerCoordinator, DefaultTwoFactorAuthenticationHandlerCoordinator>();
+
             return services;
         }
     }

src/OrchardCore/OrchardCore.Users.Core/Services/DefaultTwoFactorAuthenticationHandler.cs

@@ -0,0 +1,24 @@
+using System.Threading.Tasks;
+using OrchardCore.Entities;
+using OrchardCore.Settings;
+using OrchardCore.Users.Events;
+using OrchardCore.Users.Models;
+
+namespace OrchardCore.Users.Services;
+
+public class DefaultTwoFactorAuthenticationHandler : ITwoFactorAuthenticationHandler
+{
+    private readonly ISiteService _siteService;
+
+    public DefaultTwoFactorAuthenticationHandler(ISiteService siteService)
+    {
+        _siteService = siteService;
+    }
+
+    public async Task<bool> IsRequiredAsync()
+    {
+        var loginSettings = (await _siteService.GetSiteSettingsAsync()).As<LoginSettings>();
+
+        return loginSettings.RequireTwoFactorAuthentication;
+    }
+}

src/OrchardCore/OrchardCore.Users.Core/Services/DefaultTwoFactorAuthenticationHandlerCoordinator.cs

@@ -0,0 +1,29 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using OrchardCore.Users.Events;
+
+namespace OrchardCore.Users.Services;
+
+public class DefaultTwoFactorAuthenticationHandlerCoordinator : ITwoFactorAuthenticationHandlerCoordinator
+{
+    private readonly IEnumerable<ITwoFactorAuthenticationHandler> _handlers;
+
+    public DefaultTwoFactorAuthenticationHandlerCoordinator(
+        IEnumerable<ITwoFactorAuthenticationHandler> handlers)
+    {
+        _handlers = handlers;
+    }
+
+    public async Task<bool> IsRequiredAsync()
+    {
+        foreach (var handler in _handlers)
+        {
+            if (await handler.IsRequiredAsync())
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}