Prompt for MFA code

Dave MacFarlane · Dave MacFarlane · commit d5c971dc815e · 2025-08-20T14:02:09.000-04:00
diff --git a/modules/login/jsx/mfaPrompt.tsx b/modules/login/jsx/mfaPrompt.tsx
@@ -0,0 +1,103 @@
+import {createRoot} from 'react-dom/client';
+import {useState, useEffect, useCallback} from 'react';
+
+function Digit(props: {value: number|null|string, onChange: (newvalue: number) => boolean}) {
+	return <input style={{flex: 1,
+		width: "1em",
+		fontSize: "3em",
+		marginLeft: "0.5ex",
+		textAlign: "center"
+	}}
+		type="text"
+		readOnly={true}
+		onKeyDown={(e: React.KeyboardEvent) => {
+			e.preventDefault();
+			if(e.keyCode >= 48 /* '0' */ && e.keyCode <= 57 /* '9' */) {
+				if(props.onChange(e.keyCode-48)) {
+					const target = e.target as HTMLElement;
+					(target.nextSibling as HTMLElement)?.focus();
+				}
+				return;
+			}
+			if(e.key == "ArrowLeft") {
+				const target = e.target as HTMLElement;
+				(target.previousSibling as HTMLElement)?.focus();
+			} if(e.key == "ArrowRight") {
+				const target = e.target as HTMLElement;
+				(target.nextSibling as HTMLElement)?.focus();
+			}
+		}
+		}
+		value={props.value || ""}
+	/>;
+}
+function CodePrompt(props: {onValidate: () => void}) {
+	const [code, setCode] = useState<[number|null, number|null, number|null, number|null, number|null, number|null]>([null, null, null, null, null, null]);
+	const digitCallback = useCallback( (index: number, value: number): boolean => {
+		if(value >= 0 && value <= 9) {
+			code[index] = value;
+			setCode([...code]);
+			return true;
+		}
+		return false;
+	}, []);
+	useEffect( () => {
+		if(code.indexOf(null) >= 0) {
+			console.log("not yet entered");
+			return;
+		}
+		fetch("/login/mfa",
+		      {
+			      method: "POST",
+			      body: JSON.stringify({"code": code.join("")}),
+			      credentials: 'same-origin',
+			      
+		      }
+		     ).then( (resp) => {
+			     if(!resp.ok) {
+				     console.warn("invalid response");
+			     }
+			     return resp.json();
+		     }).then( (json) => {
+			     if(json["success"]) {
+				     window.location.reload();
+			     }
+			     console.log(json);
+		     }).catch( (e) => {
+			     console.error("error validating code");
+		     });
+
+		console.log("validate code")
+		//call onValidate
+	}, [code]);
+
+
+	
+	return <div style={{display: "flex"}}>
+		<Digit value={code[0] === 0 ? "0" : code[0]} onChange={(newval: number) => digitCallback(0, newval)}/>
+		<Digit value={code[1] === 0 ? "0" : code[1]} onChange={(newval: number) => digitCallback(1, newval)}/>
+		<Digit value={code[2] === 0 ? "0" : code[2]} onChange={(newval: number) => digitCallback(2, newval)}/>
+		<Digit value={code[3] === 0 ? "0" : code[3]} onChange={(newval: number) => digitCallback(3, newval)}/>
+		<Digit value={code[4] === 0 ? "0" : code[4]} onChange={(newval: number) => digitCallback(4, newval)}/>
+		<Digit value={code[5] === 0 ? "0" : code[5]} onChange={(newval: number) => digitCallback(5, newval)}/>
+		</div>;
+}
+
+function MFAPrompt() {
+	return (<div>
+		<h2>Multifactor authentication required</h2>
+		<p>Enter the code from your authenticator app below to proceed.</p>
+		<CodePrompt onValidate={() => {window.location.reload()}}/>
+
+	</div>)
+
+}
+
+declare const loris: any;
+window.addEventListener('load', () => {
+  createRoot(
+    document.getElementsByClassName('main-content')[0]
+  ).render(
+    <MFAPrompt />
+  );
+});
diff --git a/modules/login/php/mfa.class.inc b/modules/login/php/mfa.class.inc
@@ -0,0 +1,127 @@
+<?php declare(strict_types=1);
+
+namespace LORIS\login;
+
+use \Psr\Http\Message\ServerRequestInterface;
+use \Psr\Http\Message\ResponseInterface;
+use \LORIS\Middleware\ETagCalculator;
+
+/**
+ * POST request for authentication.
+ *
+ * Used to request account.
+ *
+ * @category Loris
+ * @package  Login
+ * @author   Alizée Wickenheiser <alizee.wickenheiser@mcin.ca>
+ * @license  http://www.gnu.org/licenses/gpl-3.0.txt GPLv3
+ * @link     https://www.github.com/aces/Loris/
+ */
+class MFA extends \NDB_Page
+{
+    public $skipTemplate = true;
+
+    /**
+     * Include additional JS files
+     *
+     * @return array of javascript to be inserted
+     */
+    function getJSDependencies()
+    {
+        $factory = \NDB_Factory::singleton();
+        $baseURL = $factory->settings()->getBaseURL();
+        $deps    = parent::getJSDependencies();
+        return array_merge(
+            $deps,
+            [
+                $baseURL . '/login/js/mfaPrompt.js',
+            ]
+        );
+    }
+    /**
+     * Include additional CSS files:
+     *
+     * @return array of javascript to be inserted
+     */
+    function getCSSDependencies()
+    {
+        $factory = \NDB_Factory::singleton();
+        $baseURL = $factory->settings()->getBaseURL();
+        $deps    = parent::getCSSDependencies();
+        return array_merge(
+            $deps,
+            [$baseURL . '/login/css/login.css']
+        );
+    }
+    /**
+     * This function will return a json object for login module.
+     *
+     * @param ServerRequestInterface $request The incoming PSR7 request
+     *
+     * @return ResponseInterface The outgoing PSR7 response
+     */
+    public function handle(ServerRequestInterface $request) : ResponseInterface
+    {
+        // Ensure POST request.
+        switch ($request->getMethod()) {
+	case 'GET':
+		return parent::handle($request);
+        case 'POST':
+            return $this->_handlePOST($request);
+        default:
+            return new \LORIS\Http\Response\JSON\MethodNotAllowed(
+                $this->allowedMethods()
+            );
+        }
+    }
+
+    /**
+     * Processes the values & saves to database and return a json response.
+     *
+     * @param ServerRequestInterface $request The incoming PSR7 request.
+     *
+     * @return ResponseInterface The outgoing PSR7 response
+     */
+    private function _handlePOST(ServerRequestInterface $request) : ResponseInterface
+    {
+	    $requestdata = json_decode((string )$request->getBody(), true);
+	    $user = $request->getAttribute("user");
+	    if(!isset($requestdata['code'])) {
+		    return new \LORIS\Http\Response\JSON\Unauthorized("missing code");
+	    }
+
+	    $validator = $user->getTOTPValidator();
+	    $counter = $validator->getTimeCounter();
+	    $wantCode = $validator->getCode($counter, 6);
+	    if($wantCode === $requestdata['code']) {
+		    $login = $_SESSION['State']->getProperty('login');
+		    $login->setPassedMFA();
+		    return new \LORIS\Http\Response\JSON\OK(["success" => "validated code"]);
+	    } else {
+		    return new \LORIS\Http\Response\JSON\Unauthorized("invalid code");
+	    }
+    }
+
+    /**
+     * Return an array of valid HTTP methods for this endpoint
+     *
+     * @return string[] Valid versions
+     */
+    protected function allowedMethods(): array
+    {
+        return ['GET', 'POST'];
+    }
+
+    /**
+     * Returns true if the user has permission to access
+     * the Login module
+     *
+     * @param \User $user The user whose access is being checked
+     *
+     * @return bool true if user has permission
+     */
+    function _hasAccess(\User $user) : bool
+    {
+        return true;
+    }
+}
diff --git a/modules/my_preferences/php/mfa.class.inc b/modules/my_preferences/php/mfa.class.inc
@@ -76,7 +76,12 @@ class MFA extends \NDB_Page
 		    return new \LORIS\Http\Response\JSON\BadRequest('Code does not match expected value');
 	    }
 	    $db = $this->loris->getDatabaseConnection();
-	    $db->update("users", ['TOTPSecret' => $secret], ['ID' => $user->getId()]);
+	    $db->_trackChanges = false;
+	    // We are dealing with binary data that never gets exposed to the user
+	    $db->unsafeUpdate("users", ['TOTPSecret' => $secret], ['ID' => $user->getId()]);
+
+	    $login = $_SESSION['state']->getProperty('login');
+	    $login->setPassedMFA();
 	    return new \LORIS\Http\Response\JSON\OK(['ok' => 'success',
 		    'message' => 'Successfully registered multifactor authenticator']);
     }
diff --git a/php/libraries/AnonymousUser.class.inc b/php/libraries/AnonymousUser.class.inc
@@ -85,4 +85,8 @@ class AnonymousUser extends \User
     {
         return [];
     }
+
+    function totpRequired() : bool {
+	    return false;
+    }
 }
diff --git a/php/libraries/SinglePointLogin.class.inc b/php/libraries/SinglePointLogin.class.inc
@@ -601,7 +601,15 @@ class SinglePointLogin
         $_SESSION['State']->setProperty('login', $this);
     }
 
-    function passedMFA() : bool {
+    public function passedMFA() {
 	    return $_SESSION['PassedMFA'] ?? false === true;
     }
+    public function setPassedMFA() {
+	    // NDB_Client called session_write_close, we need to re-start it
+	    // to edit a session variable.
+	    session_start();
+	    $_SESSION['PassedMFA'] = true;
+	    session_write_close();
+    }
+
 }
diff --git a/php/libraries/User.class.inc b/php/libraries/User.class.inc
@@ -694,6 +694,14 @@ class User extends UserPermissions implements
         return $this->userInfo['Pending_approval'] == 'Y';
     }
 
+
+    public function getTOTPValidator() : ?\LORIS\Security\OTP\TOTP
+    {
+	    if($this->userInfo['TOTPSecret'] === null) {
+		    return null;
+	    }
+	    return new \LORIS\Security\OTP\TOTP(secret: $this->userInfo['TOTPSecret']);
+    }
     public function totpRequired(): bool
     {
         return $this->userInfo['TOTPSecret'] !== null;
diff --git a/src/Middleware/MFA.php b/src/Middleware/MFA.php
@@ -42,19 +42,31 @@ public function process(
     ) : ResponseInterface {
         $loris = $request->getAttribute("loris");
 	$user = $request->getAttribute("user");
-	if($user instanceof \LORIS\AnonymousUser) {
-		// No MFA required on the login page
-		return $this->next->process($request, $handler);
-	}
-	// Should only be true for the MFA validation endpoints
-	if($request->getAttribute("bypassMFA") === true) {
+	if($user->totpRequired() === false) {
 		return $this->next->process($request, $handler);
 	}
 	$singlepointlogin = $_SESSION['State']->getProperty('login');
-	if($singlepointlogin->passedMFA()) {
+	if($singlepointlogin->passedMFA() === true) {
 		return $this->next->process($request, $handler);
+	}
 
+	$loginmodule = $loris->getModule("login");
+	$loginmodule->registerAutoloader();
+	$page = $loginmodule->loadPage($loris, "mfa");
+	$baseURL = $request->getAttribute("baseurl");
+
+	// Whitelist of resources needed to load the MFA prompt page
+	if(str_ends_with($request->getURI()->getPath(), ".js") || 
+		str_ends_with($request->getURI()->getPath(), ".css") ||
+		str_ends_with($request->getURI()->getPath(), "Authentication") ||
+		str_ends_with($request->getURI()->getPath(), "summary_statistics")) {
+		return $this->next->process($request, $handler);
 	}
-	return new \LORIS\Http\Response\JSON\OK(["foo" => 'xx']);
+	return new AnonymousPageDecorationMiddleware(
+		$baseURL ?? "",
+		\NDB_Config::singleton(),
+		$page->getJSDependencies(),
+		$page->getCSSDependencies(),	
+	)->process($request, $page);
     }
 }
diff --git a/webpack.config.ts b/webpack.config.ts
@@ -15,7 +15,7 @@ const target = process.env.target;
 const lorisModules: Record<string, string[]> = {
   media: ['CandidateMediaWidget', 'mediaIndex'],
   issue_tracker: ['issueTrackerIndex', 'index', 'CandidateIssuesWidget'],
-  login: ['loginIndex'],
+  login: ['loginIndex', 'mfaPrompt'],
   publication: ['publicationIndex', 'viewProjectIndex'],
   document_repository: ['docIndex', 'editFormIndex'],
   candidate_parameters: ['CandidateParameters', 'ConsentWidget', 'DiagnosisEvolution'],

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,12 @@ class MFA extends \NDB_Page`
`76`	`76`	`return new \LORIS\Http\Response\JSON\BadRequest('Code does not match expected value');`
`77`	`77`	`}`
`78`	`78`	`$db = $this->loris->getDatabaseConnection();`
`79`		`- $db->update("users", ['TOTPSecret' => $secret], ['ID' => $user->getId()]);`
	`79`	`+ $db->_trackChanges = false;`
	`80`	`+ // We are dealing with binary data that never gets exposed to the user`
	`81`	`+ $db->unsafeUpdate("users", ['TOTPSecret' => $secret], ['ID' => $user->getId()]);`
	`82`	`+`
	`83`	`+ $login = $_SESSION['state']->getProperty('login');`
	`84`	`+ $login->setPassedMFA();`
`80`	`85`	`return new \LORIS\Http\Response\JSON\OK(['ok' => 'success',`
`81`	`86`	`'message' => 'Successfully registered multifactor authenticator']);`
`82`	`87`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,4 +85,8 @@ class AnonymousUser extends \User`
`85`	`85`	`{`
`86`	`86`	`return [];`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+ function totpRequired() : bool {`
	`90`	`+ return false;`
	`91`	`+ }`
`88`	`92`	`}`
Original file line number	Diff line number	Diff line change
`@@ -601,7 +601,15 @@ class SinglePointLogin`
`601`	`601`	`$_SESSION['State']->setProperty('login', $this);`
`602`	`602`	`}`
`603`	`603`
`604`		`- function passedMFA() : bool {`
	`604`	`+ public function passedMFA() {`
`605`	`605`	`return $_SESSION['PassedMFA'] ?? false === true;`
`606`	`606`	`}`
	`607`	`+ public function setPassedMFA() {`
	`608`	`+ // NDB_Client called session_write_close, we need to re-start it`
	`609`	`+ // to edit a session variable.`
	`610`	`+ session_start();`
	`611`	`+ $_SESSION['PassedMFA'] = true;`
	`612`	`+ session_write_close();`
	`613`	`+ }`
	`614`	`+`
`607`	`615`	`}`
Original file line number	Diff line number	Diff line change
`@@ -694,6 +694,14 @@ class User extends UserPermissions implements`
`694`	`694`	`return $this->userInfo['Pending_approval'] == 'Y';`
`695`	`695`	`}`
`696`	`696`
	`697`	`+`
	`698`	`+ public function getTOTPValidator() : ?\LORIS\Security\OTP\TOTP`
	`699`	`+ {`
	`700`	`+ if($this->userInfo['TOTPSecret'] === null) {`
	`701`	`+ return null;`
	`702`	`+ }`
	`703`	`+ return new \LORIS\Security\OTP\TOTP(secret: $this->userInfo['TOTPSecret']);`
	`704`	`+ }`
`697`	`705`	`public function totpRequired(): bool`
`698`	`706`	`{`
`699`	`707`	`return $this->userInfo['TOTPSecret'] !== null;`