MC-37886: Rate-limit 2FA initial setup E-mails

Author: OlgaVasyltsun

TwoFactorAuth/Model/TfaSession.php

@@ -17,7 +17,9 @@
  */
 class TfaSession extends SessionManager implements TfaSessionInterface
 {
-    const SKIPPED_PROVIDERS_KEY = 'tfa_skipped_config';
+    private const SKIPPED_PROVIDERS_KEY = 'tfa_skipped_config';
+
+    private const TFA_EMAIL_SENT = 'tfa_email_sent';
 
     /**
      * @inheritDoc
@@ -42,14 +44,32 @@ public function isGranted(): bool
      */
     public function getSkippedProviderConfig(): array
     {
-        return $this->getData(static::SKIPPED_PROVIDERS_KEY) ?? [];
+        return $this->getData(self::SKIPPED_PROVIDERS_KEY) ?? [];
     }
 
     /**
      * @inheritDoc
      */
     public function setSkippedProviderConfig(array $config): void
     {
-        $this->storage->setData(static::SKIPPED_PROVIDERS_KEY, $config);
+        $this->storage->setData(self::SKIPPED_PROVIDERS_KEY, $config);
+    }
+
+    /**
+     * Get flag that tfa configuration email was sent
+     *
+     * @return bool
+     */
+    public function isTfaEmailSent(): bool
+    {
+        return (bool) $this->storage->getData(self::TFA_EMAIL_SENT);
+    }
+
+    /**
+     * Set flag that tfa configuration email was sent
+     */
+    public function setTfaEmailSentFlag(): void
+    {
+        $this->storage->setData(self::TFA_EMAIL_SENT, true);
     }
 }

TwoFactorAuth/Model/UserConfig/SignedTokenManager.php

@@ -13,19 +13,14 @@
 use Magento\Framework\Serialize\Serializer\Json;
 use Magento\Framework\Stdlib\DateTime\DateTime;
 use Magento\TwoFactorAuth\Api\UserConfigTokenManagerInterface;
-use Magento\Framework\App\CacheInterface;
 use Magento\Framework\App\ObjectManager;
+use Magento\TwoFactorAuth\Model\TfaSession;
 
 /**
  * @inheritDoc
  */
 class SignedTokenManager implements UserConfigTokenManagerInterface
 {
-    /**
-     * @var string
-     */
-    public const CACHE_ID = 'tfa_token';
-
     /**
      * @var EncryptorInterface
      */
@@ -42,26 +37,26 @@ class SignedTokenManager implements UserConfigTokenManagerInterface
     private $dateTime;
 
     /**
-     * @var CacheInterface
+     * @var TfaSession
      */
-    private $cache;
+    private $tfaSession;
 
     /**
      * @param EncryptorInterface $encryptor
      * @param Json $json
      * @param DateTime $dateTime
-     * @param CacheInterface|null $cache
+     * @param TfaSession|null $tfaSession
      */
     public function __construct(
         EncryptorInterface $encryptor,
         Json $json,
         DateTime $dateTime,
-        CacheInterface $cache = null
+        TfaSession $tfaSession = null
     ) {
         $this->encryptor = $encryptor;
         $this->json = $json;
         $this->dateTime = $dateTime;
-        $this->cache = $cache ?? ObjectManager::getInstance()->get(CacheInterface::class);
+        $this->tfaSession = $tfaSession ?? ObjectManager::getInstance()->get(TfaSession::class);
     }
 
     /**
@@ -72,7 +67,7 @@ public function issueFor(int $userId): string
         $data = ['user_id' => $userId, 'tfa_configuration' => true, 'iss' => $this->dateTime->timestamp()];
         $encodedData = $this->json->serialize($data);
         $signature = base64_encode($this->encryptor->hash($encodedData));
-        $this->cache->save(base64_encode($encodedData .'.' .$signature), self::CACHE_ID . $userId);
+        $this->tfaSession->setTfaEmailSentFlag();
         return base64_encode($encodedData .'.' .$signature);
     }
 

TwoFactorAuth/Model/UserConfig/UserConfigRequestManager.php

@@ -15,8 +15,8 @@
 use Magento\TwoFactorAuth\Api\UserConfigTokenManagerInterface;
 use Magento\TwoFactorAuth\Api\UserNotifierInterface;
 use Magento\Framework\Authorization\PolicyInterface as Authorization;
-use Magento\Framework\App\CacheInterface;
 use Magento\Framework\App\ObjectManager;
+use Magento\TwoFactorAuth\Model\TfaSession;
 
 /**
  * @inheritDoc
@@ -44,29 +44,29 @@ class UserConfigRequestManager implements UserConfigRequestManagerInterface
     private $auth;
 
     /**
-     * @var CacheInterface
+     * @var TfaSession
      */
-    private $cache;
+    private $tfaSession;
 
     /**
      * @param TfaInterface $tfa
      * @param UserNotifierInterface $notifier
      * @param UserConfigTokenManagerInterface $tokenManager
      * @param Authorization $auth
-     * @param CacheInterface|null $cache
+     * @param TfaSession|null $tfaSession
      */
     public function __construct(
         TfaInterface $tfa,
         UserNotifierInterface $notifier,
         UserConfigTokenManagerInterface $tokenManager,
         Authorization $auth,
-        CacheInterface $cache = null
+        TfaSession $tfaSession = null
     ) {
         $this->tfa = $tfa;
         $this->notifier = $notifier;
         $this->tokenManager = $tokenManager;
         $this->auth = $auth;
-        $this->cache = $cache ?? ObjectManager::getInstance()->get(CacheInterface::class);
+        $this->tfaSession = $tfaSession ?? ObjectManager::getInstance()->get(TfaSession::class);
     }
 
     /**
@@ -85,16 +85,11 @@ public function sendConfigRequestTo(User $user): void
     {
         $userId = (int)$user->getId();
         if (empty($this->tfa->getUserProviders($userId))) {
-            $tfaToken = $this->cache->load(SignedTokenManager::CACHE_ID . $userId);
-            $isValidOldToken = false;
-            if ($tfaToken !== false) {
-                $isValidOldToken = $this->tokenManager->isValidFor($userId, $tfaToken);
-            }
             //Application level configuration is required.
             if (!$this->auth->isAllowed($user->getAclRole(), 'Magento_TwoFactorAuth::config')) {
                 throw new AuthorizationException(__('User is not authorized to edit 2FA configuration'));
             }
-            if (!$isValidOldToken) {
+            if (!$this->tfaSession->isTfaEmailSent()) {
                 $this->notifier->sendAppConfigRequestMessage($user, $this->tokenManager->issueFor($userId));
             }
         } else {