Merge branch 'feature-PRESIDECMS-2794_use-cookie-for-2fa-admin-persistence' into release-10.28.0

Author: DominicWatson

system/base/AdminHandler.cfc

@@ -45,7 +45,7 @@ component {
 
 		if ( !loginExcempt ) {
 			var isAdminUser     = event.isAdminUser();
-			var isAuthenticated = isAdminUser && !loginService.twoFactorAuthenticationRequired( ipAddress = event.getClientIp(), userAgent = event.getUserAgent() );
+			var isAuthenticated = isAdminUser && !loginService.twoFactorAuthenticationRequired();
 
 			if ( !isAuthenticated ) {
 				if ( event.isAjax() ) {

system/coldboxModifications/RequestContextDecorator.cfc

@@ -562,7 +562,7 @@ component accessors=true extends="preside.system.coldboxModifications.RequestCon
 
 		announceInterception( "onAdminLoginSuccess" );
 
-		if ( getModel( "loginService" ).twoFactorAuthenticationRequired( ipAddress = getClientIp(), userAgent = getUserAgent() ) ) {
+		if ( getModel( "loginService" ).twoFactorAuthenticationRequired() ) {
 			getController().relocate( url=buildAdminLink( linkto="login.twoStep" ), persistStruct={ postLoginUrl = postLoginUrl } );
 		}
 

system/forms/system-config/admin-login-security.xml

@@ -13,10 +13,10 @@ This form is used for managing settings for two factor authentication, admin 're
 	</tab>
 	<tab id="2fa" sortorder="20" feature="twoFactorAuthentication">
 		<fieldset id="2fa" sortorder="10">
-			<field name="tfa_enabled"      control="yesNoSwitch" required="false" />
-			<field name="tfa_app_name"     control="textinput"   required="false" />
-			<field name="tfa_enforced"     control="yesNoSwitch" required="false" />
-			<field name="tfa_trust_period" control="spinner"     required="false" defaultvalue="7" minValue="0"/>
+			<field name="tfa_enabled"      control="yesNoSwitch"   required="false" />
+			<field name="tfa_app_name"     control="textinput"     required="false" />
+			<field name="tfa_enforced"     control="yesNoSwitch"   required="false" />
+			<field name="tfa_trust_period" control="spinner"       required="false" defaultvalue="7" minValue="0"/>
 		</fieldset>
 	</tab>
 </form>

system/handlers/admin/EditProfile.cfc

@@ -161,11 +161,7 @@ component extends="preside.system.base.AdminHandler" {
 		var authToken        = formData.oneTimeToken ?: "";
 
 		if ( validationResult.validated() ) {
-			var authVerified = loginService.attemptTwoFactorAuthentication(
-				  token     = authToken
-				, ipAddress = event.getClientIp()
-				, userAgent = event.getUserAgent()
-			);
+			var authVerified = loginService.attemptTwoFactorAuthentication( token=authToken );
 
 			if ( authVerified ) {
 				loginService.enableTwoFactorAuthenticationForUser();

system/handlers/admin/Login.cfc

@@ -70,7 +70,7 @@ component extends="preside.system.base.AdminHandler" {
 		if ( !event.isAdminUser() ){
 			setNextEvent( url=event.buildAdminLink( linkTo="login" ) );
 		}
-		if ( !loginService.twoFactorAuthenticationRequired( ipAddress = event.getClientIp(), userAgent = event.getUserAgent() ) ) {
+		if ( !loginService.twoFactorAuthenticationRequired() ) {
 			_redirectToDefaultAdminEvent( event );
 		}
 
@@ -91,17 +91,13 @@ component extends="preside.system.base.AdminHandler" {
 		if ( !event.isAdminUser() ){
 			setNextEvent( url=event.buildAdminLink( linkTo="login" ) );
 		}
-		if ( !loginService.twoFactorAuthenticationRequired( ipAddress = event.getClientIp(), userAgent = event.getUserAgent() ) ) {
+		if ( !loginService.twoFactorAuthenticationRequired() ) {
 			_redirectToDefaultAdminEvent( event );
 		}
 
 		var postLoginUrl  = event.getValue( name="postLoginUrl", defaultValue="" );
 		var unsavedData   = sessionStorage.getVar( "_unsavedFormData", {} );
-		var authenticated = loginService.attemptTwoFactorAuthentication(
-			  token = ( rc.oneTimeToken ?: "" )
-			, ipAddress = event.getClientIp()
-			, userAgent = event.getUserAgent()
-		);
+		var authenticated = loginService.attemptTwoFactorAuthentication( token=( rc.oneTimeToken ?: "" ) );
 
 		if ( authenticated ) {
 			if ( Len( Trim( postLoginUrl ) ) ) {

system/preside-objects/admin/security/security_user_two_factor_login_record.cfc

@@ -9,9 +9,7 @@
  * @feature   twoFactorAuthentication
  */
 component extends="preside.system.base.SystemPresideObject" displayName="User 2FA Login record" {
-	property name="security_user" relationship="many-to-one" relatedTo="security_user" required=true uniqueindexes="user_machine|1";
+	property name="security_user" relationship="many-to-one" relatedTo="security_user" required=true;
 
-	property name="ip_address"     type="string"   dbtype="varchar" maxLength="50"  required=true uniqueindexes="user_machine|2";
-	property name="user_agent"     type="string"   dbtype="varchar" maxLength="255" required=true uniqueindexes="user_machine|3";
-	property name="logged_in_date" type="datetime" dbtype="datetime"                required=false;
+	property name="logged_in_date" type="datetime" dbtype="datetime" required=false;
 }

system/services/admin/LoginService.cfc

@@ -44,6 +44,7 @@ component displayName="Admin login service" {
 		_setCookieService( arguments.cookieService );
 		_setQrCodeGenerator( arguments.qrCodeGenerator );
 		_setRememberMeCookieKey( "_presidecms-admin-persist" );
+		_setTwoFactorAuthCookiePersistKey( "_presidecms-admin-tfa-persist" );
 
 		return this;
 	}
@@ -481,11 +482,9 @@ component displayName="Admin login service" {
 	 * by the user and whether or not the user is already authenticated.
 	 *
 	 * @autodoc
-	 * @ipAddress.hint The originating IP address of the request
-	 * @userAgent.hint The originating user agent of the request
 	 */
-	public boolean function twoFactorAuthenticationRequired( required string ipAddress, required string userAgent ) {
-		if ( isTwoFactorAuthenticated( argumentCollection=arguments ) ) {
+	public boolean function twoFactorAuthenticationRequired() {
+		if ( isTwoFactorAuthenticated() ) {
 			return false;
 		}
 
@@ -506,10 +505,8 @@ component displayName="Admin login service" {
 	 * authentication.
 	 *
 	 * @autodoc
-	 * @ipAddress.hint The originating IP address of the request
-	 * @userAgent.hint The originating user agent of the request
 	 */
-	public boolean function isTwoFactorAuthenticated( required string ipAddress, required string userAgent ) {
+	public boolean function isTwoFactorAuthenticated() {
 		var authenticated = _getSessionStorage().getVar( name=_getTwoFaSessionKey(), default="" );
 
 		if ( IsBoolean( authenticated ?: "" ) && authenticated ) {
@@ -525,9 +522,8 @@ component displayName="Admin login service" {
 			  selectFields = [ "logged_in_date" ]
 			, filter       = {
 				  security_user = getLoggedInUserId()
-				, ip_address    = arguments.ipAddress
-				, user_agent    = arguments.userAgent
-			  }
+				, id            = _getCookieService().getVar( name=_getTwoFactorAuthCookiePersistKey(), default="" )
+			}
 		);
 
 		if ( !tfaLoginRecord.recordCount ) {
@@ -654,11 +650,9 @@ component displayName="Admin login service" {
 	 *
 	 * @autodoc
 	 * @token.hint     The user provided one time token (should have been generated by authenticator app)
-	 * @ipAddress.hint The IP address of the incoming request
-	 * @userAgent.hint The user agent ot the incoming request
 	 *
 	 */
-	public boolean function attemptTwoFactorAuthentication( required string token, required string ipAddress, required string userAgent ) {
+	public boolean function attemptTwoFactorAuthentication( required string token ) {
 		var userId = getLoggedInUserId();
 		var key    = getTwoFactorAuthenticationKey();
 
@@ -677,21 +671,12 @@ component displayName="Admin login service" {
 				two_step_auth_key_in_use = true
 			} );
 
-			var loginRecordDao = $getPresideObject( "security_user_two_factor_login_record" );
-			var updated = loginRecordDao.updateData( filter={
-				  security_user = userId
-				, ip_address    = arguments.ipAddress
-				, user_agent    = arguments.userAgent
-			}, data={ logged_in_date=Now() } );
-
-			if ( !updated ) {
-				loginRecordDao.insertData({
-					  security_user  = userId
-					, ip_address     = arguments.ipAddress
-					, user_agent     = arguments.userAgent
-					, logged_in_date = Now()
-				});
-			}
+			var loginRecordId = $getPresideObject( "security_user_two_factor_login_record" ).insertData( {
+				  security_user  = userId
+				, logged_in_date = Now()
+			} );
+
+			_getCookieService().setVar( name=_getTwoFactorAuthCookiePersistKey(), value=loginRecordId );
 
 			$audit(
 				  userId = userId
@@ -1056,4 +1041,12 @@ component displayName="Admin login service" {
 		_rememberMeCookieKey = arguments.rememberMeCookieKey;
 	}
 
+	private any function _getTwoFactorAuthCookiePersistKey(){
+		return variables._twoFactorAuthCookieKey;
+	}
+
+	private void function _setTwoFactorAuthCookiePersistKey( required any twoFactorAuthCookieKey ){
+		variables._twoFactorAuthCookieKey = arguments.twoFactorAuthCookieKey;
+	}
+
 }

system/views/general/_adminToolbar.cfm

@@ -4,7 +4,7 @@
 		prc.adminToolbarDisplayMode = prc.adminToolbarDisplayMode ?: getSystemSetting( "frontend-editing", "admin_toolbar_mode", "fixed" );
 	}
 </cfscript>
-<cfif event.isAdminUser() and !getModel( "loginService" ).twoFactorAuthenticationRequired( ipAddress=event.getClientIp(), userAgent=event.getUserAgent() ) and prc.adminToolbarDisplayMode neq "none">
+<cfif event.isAdminUser() and !getModel( "loginService" ).twoFactorAuthenticationRequired() and prc.adminToolbarDisplayMode neq "none">
 	<cfscript>
 		prc.hasCmsPageEditPermissions = prc.hasCmsPageEditPermissions ?: hasCmsPermission( permissionKey="sitetree.edit", context="page", contextKeys=event.getPagePermissionContext() );
 		prc.adminQuickEditDisabled    = prc.adminQuickEditDisabled    ?: isTrue( getSystemSetting( "frontend-editing", "disable_quick_edit" ) );
@@ -162,4 +162,3 @@
 		#ckEditorJs#
 	</cfoutput>
 </cfif>
-