MC-37886: Rate-limit 2FA initial setup E-mails

OlgaVasyltsun · OlgaVasyltsun · commit bfd92e0e9076 · 2020-12-23T16:37:54.000+02:00
diff --git a/TwoFactorAuth/Model/UserConfig/SignedTokenManager.php b/TwoFactorAuth/Model/UserConfig/SignedTokenManager.php
@@ -13,12 +13,19 @@
 use Magento\Framework\Serialize\Serializer\Json;
 use Magento\Framework\Stdlib\DateTime\DateTime;
 use Magento\TwoFactorAuth\Api\UserConfigTokenManagerInterface;
+use Magento\Framework\App\CacheInterface;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * @inheritDoc
  */
 class SignedTokenManager implements UserConfigTokenManagerInterface
 {
+    /**
+     * @var string
+     */
+    public const CACHE_ID = 'tfa_token';
+
     /**
      * @var EncryptorInterface
      */
@@ -34,16 +41,27 @@ class SignedTokenManager implements UserConfigTokenManagerInterface
      */
     private $dateTime;
 
+    /**
+     * @var CacheInterface
+     */
+    private $cache;
+
     /**
      * @param EncryptorInterface $encryptor
      * @param Json $json
      * @param DateTime $dateTime
+     * @param CacheInterface|null $cache
      */
-    public function __construct(EncryptorInterface $encryptor, Json $json, DateTime $dateTime)
-    {
+    public function __construct(
+        EncryptorInterface $encryptor,
+        Json $json,
+        DateTime $dateTime,
+        CacheInterface $cache = null
+    ) {
         $this->encryptor = $encryptor;
         $this->json = $json;
         $this->dateTime = $dateTime;
+        $this->cache = $cache ?? ObjectManager::getInstance()->get(CacheInterface::class);
     }
 
     /**
@@ -54,7 +72,7 @@ public function issueFor(int $userId): string
         $data = ['user_id' => $userId, 'tfa_configuration' => true, 'iss' => $this->dateTime->timestamp()];
         $encodedData = $this->json->serialize($data);
         $signature = base64_encode($this->encryptor->hash($encodedData));
-
+        $this->cache->save(base64_encode($encodedData .'.' .$signature), self::CACHE_ID . $userId);
         return base64_encode($encodedData .'.' .$signature);
     }
 
diff --git a/TwoFactorAuth/Model/UserConfig/UserConfigRequestManager.php b/TwoFactorAuth/Model/UserConfig/UserConfigRequestManager.php
@@ -15,6 +15,8 @@
 use Magento\TwoFactorAuth\Api\UserConfigTokenManagerInterface;
 use Magento\TwoFactorAuth\Api\UserNotifierInterface;
 use Magento\Framework\Authorization\PolicyInterface as Authorization;
+use Magento\Framework\App\CacheInterface;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * @inheritDoc
@@ -41,22 +43,30 @@ class UserConfigRequestManager implements UserConfigRequestManagerInterface
      */
     private $auth;
 
+    /**
+     * @var CacheInterface
+     */
+    private $cache;
+
     /**
      * @param TfaInterface $tfa
      * @param UserNotifierInterface $notifier
      * @param UserConfigTokenManagerInterface $tokenManager
      * @param Authorization $auth
+     * @param CacheInterface|null $cache
      */
     public function __construct(
         TfaInterface $tfa,
         UserNotifierInterface $notifier,
         UserConfigTokenManagerInterface $tokenManager,
-        Authorization $auth
+        Authorization $auth,
+        CacheInterface $cache = null
     ) {
         $this->tfa = $tfa;
         $this->notifier = $notifier;
         $this->tokenManager = $tokenManager;
         $this->auth = $auth;
+        $this->cache = $cache ?? ObjectManager::getInstance()->get(CacheInterface::class);
     }
 
     /**
@@ -75,11 +85,18 @@ public function sendConfigRequestTo(User $user): void
     {
         $userId = (int)$user->getId();
         if (empty($this->tfa->getUserProviders($userId))) {
+            $tfaToken = $this->cache->load(SignedTokenManager::CACHE_ID . $userId);
+            $isValidOldToken = false;
+            if ($tfaToken !== false) {
+                $isValidOldToken = $this->tokenManager->isValidFor($userId, $tfaToken);
+            }
             //Application level configuration is required.
             if (!$this->auth->isAllowed($user->getAclRole(), 'Magento_TwoFactorAuth::config')) {
                 throw new AuthorizationException(__('User is not authorized to edit 2FA configuration'));
             }
-            $this->notifier->sendAppConfigRequestMessage($user, $this->tokenManager->issueFor($userId));
+            if (!$isValidOldToken) {
+                $this->notifier->sendAppConfigRequestMessage($user, $this->tokenManager->issueFor($userId));
+            }
         } else {
             //Personal provider config required.
             $this->notifier->sendUserConfigRequestMessage($user, $this->tokenManager->issueFor($userId));
