AC-9797: 2FA functionality enhancement

Author: Rizwan Khan

TwoFactorAuth/Block/Provider/Google/Auth.php

@@ -8,12 +8,35 @@
 namespace Magento\TwoFactorAuth\Block\Provider\Google;
 
 use Magento\Backend\Block\Template;
+use Magento\Framework\App\Config\ScopeConfigInterface;
 
 /**
  * @api
  */
 class Auth extends Template
 {
+    /**
+     * Config path for the 2FA Attempts
+     */
+    public const XML_PATH_2FA_RETRY_ATTEMPTS = 'twofactorauth/general/twofactorauth_retry';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * @param ScopeConfigInterface|null $scopeConfig
+     */
+    public function __construct(
+        \Magento\Backend\Block\Template\Context $context,
+        ScopeConfigInterface $scopeConfig,
+        array $data = []
+    ) {
+        parent::__construct($context, $data);
+        $this->scopeConfig = $scopeConfig;
+    }
+
     /**
      * @inheritdoc
      */
@@ -25,6 +48,9 @@ public function getJsLayout()
         $this->jsLayout['components']['tfa-auth']['successUrl'] =
             $this->getUrl($this->_urlBuilder->getStartupPageUrl());
 
+        $this->jsLayout['components']['tfa-auth']['attempts'] =
+            $this->scopeConfig->getValue(self::XML_PATH_2FA_RETRY_ATTEMPTS);
+
         return parent::getJsLayout();
     }
 }

TwoFactorAuth/etc/adminhtml/system.xml

@@ -35,6 +35,11 @@
                     <label>Configuration Email URL for Web API</label>
                     <comment>This can be used to override the default email configuration link that is sent when using the Magento Web API's to authenticate. Use the placeholder :tfat to indicate where the token should be injected</comment>
                 </field>
+                <field canRestore="1" id="twofactorauth_retry" translate="label" type="text" sortOrder="40"
+                       showInDefault="1" showInWebsite="0" showInStore="0">
+                    <label>Configuration for 2FA retry attempts</label>
+                    <comment>Security configurations for TowFatcorAuth page. To avoid the bruteforce of twofactorauth API</comment>
+                </field>
             </group>
             <group id="google" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="0"
                    showInStore="0">

TwoFactorAuth/view/adminhtml/web/js/google/auth.js

@@ -11,6 +11,8 @@ define([
 ], function ($, ko, Component, error) {
     'use strict';
 
+    let attempts = 0;
+
     return Component.extend({
         currentStep: ko.observable('register'),
         waitText: ko.observable(''),
@@ -40,6 +42,14 @@ define([
             return this.postUrl;
         },
 
+        /**
+         * Get Retry Attempts
+         * @returns {int}
+         */
+        getRetryAttempts: function () {
+            return this.attempts;
+        },
+
         /**
          * Get plain Secret Code
          * @returns {String}
@@ -62,6 +72,13 @@ define([
         doVerify: function () {
             var me = this;
 
+            attempts++;
+            if (attempts > this.getRetryAttempts()){
+                alert("Maximum otp retries are done.");
+                location.href = $(".tfa-logout-link").attr("href");
+                return;
+            }
+
             this.waitText('Please wait...');
             $.post(this.getPostUrl(), {
                 'tfa_code': this.verifyCode()