ACP2E-2755: Issue with rest api after enable 2FA Duo

o-iegorov · o-iegorov · commit 54efe6de304b · 2024-01-24T12:46:57.000-06:00
diff --git a/TwoFactorAuth/Model/Provider/Engine/DuoSecurity.php b/TwoFactorAuth/Model/Provider/Engine/DuoSecurity.php
@@ -77,13 +77,21 @@ class DuoSecurity implements EngineInterface
      */
     private $scopeConfig;
 
+    /**
+     * @var bool
+     */
+    private $forceUseDuoAuth;
+
     /**
      * @param ScopeConfigInterface $scopeConfig
+     * @param bool $forceUseDuoAuth
      */
     public function __construct(
-        ScopeConfigInterface $scopeConfig
+        ScopeConfigInterface $scopeConfig,
+        bool $forceUseDuoAuth = false
     ) {
         $this->scopeConfig = $scopeConfig;
+        $this->forceUseDuoAuth = $forceUseDuoAuth;
     }
 
     /**
@@ -208,7 +216,7 @@ public function getRequestSignature(UserInterface $user): string
         $duoSignature = $this->signValues(
             $this->getSecretKey(),
             $values,
-            static::DUO_PREFIX,
+            $this->getPrefix(),
             static::DUO_EXPIRE,
             $time
         );
@@ -223,6 +231,16 @@ public function getRequestSignature(UserInterface $user): string
         return $duoSignature . ':' . $appSignature;
     }
 
+    /**
+     * Return prefix to use in the signature
+     *
+     * @return string
+     */
+    private function getPrefix() : string
+    {
+        return ($this->forceUseDuoAuth) ? static::DUO_PREFIX : static::AUTH_PREFIX;
+    }
+
     /**
      * @inheritDoc
      */
@@ -236,8 +254,8 @@ public function verify(UserInterface $user, DataObject $request): bool
         }
         [$authSig, $appSig] = $signatures;
 
+        $authUser = $this->parseValues($this->getSecretKey(), $authSig, static::AUTH_PREFIX, $time);
         $appUser = $this->parseValues($this->getApplicationKey(), $appSig, static::APP_PREFIX, $time);
-        $authUser = $this->parseValues($this->getSecretKey(), $authSig, static::DUO_PREFIX, $time);
 
         return (($authUser === $appUser) && ($appUser === $user->getUserName()));
     }
diff --git a/TwoFactorAuth/etc/adminhtml/di.xml b/TwoFactorAuth/etc/adminhtml/di.xml
@@ -21,4 +21,9 @@
     <type name="Magento\Backend\Model\Auth">
         <plugin name="delete_tfat_cookie" type="Magento\TwoFactorAuth\Plugin\DeleteCookieOnLogout"/>
     </type>
+    <type name="Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity">
+        <arguments>
+            <argument name="forceUseDuoAuth" xsi:type="boolean">true</argument>
+        </arguments>
+    </type>
 </config>
