Add validator for a user's 2fa authentication code (#295)

codedmonkey · scheb · commit fb90a9ad515b · 2025-12-04T16:55:14.000+01:00
diff --git a/composer.json b/composer.json
@@ -36,6 +36,7 @@
         "psr/container": ">=1.1",
         "squizlabs/php_codesniffer": "^4.0",
         "symfony/mailer": "^6.4 || ^7.0",
+        "symfony/validator": "^6.4 || ^7.0",
         "symfony/yaml": "^6.4 || ^7.0",
         "vimeo/psalm": "^6.0"
     },
diff --git a/src/bundle/Resources/config/two_factor_provider_google.php b/src/bundle/Resources/config/two_factor_provider_google.php
@@ -7,6 +7,7 @@
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorTwoFactorProvider;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleTotpFactory;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints\UserGoogleTotpCodeValidator;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ReferenceConfigurator;
 use function Symfony\Component\DependencyInjection\Loader\Configurator\service;
@@ -44,6 +45,12 @@
                 service('scheb_two_factor.security.google.form_renderer'),
             ])
 
+        ->set('scheb_two_factor.security.totp.validator.user_google_totp_code', UserGoogleTotpCodeValidator::class)
+            ->args([
+                service('security.token_storage'),
+                service('scheb_two_factor.security.google_authenticator'),
+            ])
+
         ->alias('scheb_two_factor.security.google.form_renderer', 'scheb_two_factor.security.google.default_form_renderer')
 
         ->alias(GoogleAuthenticatorInterface::class, 'scheb_two_factor.security.google_authenticator')
diff --git a/src/bundle/Resources/config/two_factor_provider_totp.php b/src/bundle/Resources/config/two_factor_provider_totp.php
@@ -7,6 +7,7 @@
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorInterface;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorTwoFactorProvider;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpFactory;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints\UserTotpCodeValidator;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ReferenceConfigurator;
 use function Symfony\Component\DependencyInjection\Loader\Configurator\service;
@@ -45,6 +46,12 @@
                 service('scheb_two_factor.security.totp.form_renderer'),
             ])
 
+        ->set('scheb_two_factor.security.totp.validator.user_totp_code', UserTotpCodeValidator::class)
+            ->args([
+                service('security.token_storage'),
+                service('scheb_two_factor.security.totp_authenticator'),
+            ])
+
         ->alias('scheb_two_factor.security.totp.form_renderer', 'scheb_two_factor.security.totp.default_form_renderer')
 
         ->alias(TotpAuthenticatorInterface::class, 'scheb_two_factor.security.totp_authenticator')
diff --git a/src/google-authenticator/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCode.php b/src/google-authenticator/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCode.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints;
+
+use Attribute;
+use Symfony\Component\Validator\Constraint;
+
+/**
+ * Validator constraint for the current user's Google Authenticator TOTP code.
+ *
+ * @final
+ */
+#[Attribute(Attribute::TARGET_PROPERTY | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
+class UserGoogleTotpCode extends Constraint
+{
+    public const INVALID_TOTP_CODE_ERROR = '6de3acd0-12f5-40eb-a776-2525c4566649';
+
+    protected const ERROR_NAMES = [self::INVALID_TOTP_CODE_ERROR => 'INVALID_TOTP_CODE_ERROR'];
+
+    public string $message = 'code_invalid';
+    public string $translationDomain = 'SchebTwoFactorBundle';
+    public string $service = 'scheb_two_factor.security.totp.validator.user_google_totp_code';
+
+    public function __construct(array|null $options = null, string|null $message = null, string|null $translationDomain = null, string|null $service = null, array|null $groups = null, mixed $payload = null)
+    {
+        parent::__construct($options, $groups, $payload);
+
+        $this->message = $message ?? $this->message;
+        $this->translationDomain = $translationDomain ?? $this->translationDomain;
+        $this->service = $service ?? $this->service;
+    }
+
+    public function validatedBy(): string
+    {
+        return $this->service;
+    }
+}
diff --git a/src/google-authenticator/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeValidator.php b/src/google-authenticator/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeValidator.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints;
+
+use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+use Symfony\Component\Validator\Exception\ConstraintDefinitionException;
+use Symfony\Component\Validator\Exception\UnexpectedTypeException;
+use function get_debug_type;
+use function is_string;
+use function sprintf;
+
+/**
+ * Validator for the `UserGoogleTotpCode` constraint.
+ *
+ * @final
+ *
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class UserGoogleTotpCodeValidator extends ConstraintValidator
+{
+    public function __construct(
+        private readonly TokenStorageInterface $tokenStorage,
+        private readonly GoogleAuthenticatorInterface $googleAuthenticator,
+    ) {
+    }
+
+    public function validate(mixed $value, Constraint $constraint): void
+    {
+        if (!$constraint instanceof UserGoogleTotpCode) {
+            throw new UnexpectedTypeException($constraint, UserGoogleTotpCode::class);
+        }
+
+        if (null === $value || '' === $value) {
+            $this->context->buildViolation($constraint->message)
+                ->setCode(UserGoogleTotpCode::INVALID_TOTP_CODE_ERROR)
+                ->setTranslationDomain($constraint->translationDomain)
+                ->addViolation();
+
+            return;
+        }
+
+        if (!is_string($value)) {
+            throw new UnexpectedTypeException($value, 'string');
+        }
+
+        $token = $this->tokenStorage->getToken();
+
+        if (null === $token) {
+            throw new AuthenticationCredentialsNotFoundException('Could not find Token object for the current user.');
+        }
+
+        $user = $token->getUser();
+
+        if (!$user instanceof TwoFactorInterface) {
+            throw new ConstraintDefinitionException(sprintf('The "%s" class must implement the "%s" interface.', get_debug_type($user), TwoFactorInterface::class));
+        }
+
+        if ($this->googleAuthenticator->checkCode($user, $value)) {
+            return;
+        }
+
+        $this->context->buildViolation($constraint->message)
+            ->setCode(UserGoogleTotpCode::INVALID_TOTP_CODE_ERROR)
+            ->setTranslationDomain($constraint->translationDomain)
+            ->addViolation();
+    }
+}
diff --git a/src/google-authenticator/composer.json b/src/google-authenticator/composer.json
@@ -16,6 +16,9 @@
         "scheb/2fa-bundle": "self.version",
         "spomky-labs/otphp": "^11.0"
     },
+    "suggest": {
+        "symfony/validator": "Needed if you want to use the Google Authenticator TOTP validator constraint"
+    },
     "autoload": {
         "psr-4": {
             "Scheb\\TwoFactorBundle\\": ""
diff --git a/src/totp/Security/TwoFactor/Validator/Constraints/UserTotpCode.php b/src/totp/Security/TwoFactor/Validator/Constraints/UserTotpCode.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints;
+
+use Attribute;
+use Symfony\Component\Validator\Constraint;
+
+/**
+ * Validator constraint for the current user's TOTP code.
+ *
+ * @final
+ */
+#[Attribute(Attribute::TARGET_PROPERTY | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
+class UserTotpCode extends Constraint
+{
+    public const INVALID_TOTP_CODE_ERROR = 'f79333fd-6eef-4394-ab6b-54827e2865b6';
+
+    protected const ERROR_NAMES = [self::INVALID_TOTP_CODE_ERROR => 'INVALID_TOTP_CODE_ERROR'];
+
+    public string $message = 'code_invalid';
+    public string $translationDomain = 'SchebTwoFactorBundle';
+    public string $service = 'scheb_two_factor.security.totp.validator.user_totp_code';
+
+    public function __construct(array|null $options = null, string|null $message = null, string|null $translationDomain = null, string|null $service = null, array|null $groups = null, mixed $payload = null)
+    {
+        parent::__construct($options, $groups, $payload);
+
+        $this->message = $message ?? $this->message;
+        $this->translationDomain = $translationDomain ?? $this->translationDomain;
+        $this->service = $service ?? $this->service;
+    }
+
+    public function validatedBy(): string
+    {
+        return $this->service;
+    }
+}
diff --git a/src/totp/Security/TwoFactor/Validator/Constraints/UserTotpCodeValidator.php b/src/totp/Security/TwoFactor/Validator/Constraints/UserTotpCodeValidator.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints;
+
+use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticatorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+use Symfony\Component\Validator\Exception\ConstraintDefinitionException;
+use Symfony\Component\Validator\Exception\UnexpectedTypeException;
+use function get_debug_type;
+use function is_string;
+use function sprintf;
+
+/**
+ * Validator for the `UserTotpCode` constraint.
+ *
+ * @final
+ *
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class UserTotpCodeValidator extends ConstraintValidator
+{
+    public function __construct(
+        private readonly TokenStorageInterface $tokenStorage,
+        private readonly TotpAuthenticatorInterface $totpAuthenticator,
+    ) {
+    }
+
+    public function validate(mixed $value, Constraint $constraint): void
+    {
+        if (!$constraint instanceof UserTotpCode) {
+            throw new UnexpectedTypeException($constraint, UserTotpCode::class);
+        }
+
+        if (null === $value || '' === $value) {
+            $this->context->buildViolation($constraint->message)
+                ->setCode(UserTotpCode::INVALID_TOTP_CODE_ERROR)
+                ->setTranslationDomain($constraint->translationDomain)
+                ->addViolation();
+
+            return;
+        }
+
+        if (!is_string($value)) {
+            throw new UnexpectedTypeException($value, 'string');
+        }
+
+        $token = $this->tokenStorage->getToken();
+
+        if (null === $token) {
+            throw new AuthenticationCredentialsNotFoundException('Could not find Token object for the current user.');
+        }
+
+        $user = $token->getUser();
+
+        if (!$user instanceof TwoFactorInterface) {
+            throw new ConstraintDefinitionException(sprintf('The "%s" class must implement the "%s" interface.', get_debug_type($user), TwoFactorInterface::class));
+        }
+
+        if ($this->totpAuthenticator->checkCode($user, $value)) {
+            return;
+        }
+
+        $this->context->buildViolation($constraint->message)
+            ->setCode(UserTotpCode::INVALID_TOTP_CODE_ERROR)
+            ->setTranslationDomain($constraint->translationDomain)
+            ->addViolation();
+    }
+}
diff --git a/src/totp/composer.json b/src/totp/composer.json
@@ -16,6 +16,9 @@
         "scheb/2fa-bundle": "self.version",
         "spomky-labs/otphp": "^11.0"
     },
+    "suggest": {
+        "symfony/validator": "Needed if you want to use the TOTP validator constraint"
+    },
     "autoload": {
         "psr-4": {
             "Scheb\\TwoFactorBundle\\": ""
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeDummy.php b/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeDummy.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Tests\Security\TwoFactor\Validator\Constraints;
+
+use Scheb\TwoFactorBundle\Security\TwoFactor\Validator\Constraints\UserGoogleTotpCode;
+
+class UserGoogleTotpCodeDummy
+{
+    #[UserGoogleTotpCode]
+    public string $a;
+
+    #[UserGoogleTotpCode(message: 'myMessage', translationDomain: 'myDomain', service: 'my_service')]
+    public string $b;
+
+    #[UserGoogleTotpCode(['groups' => ['my_group'], 'payload' => 'some attached data'])]
+    public string $c;
+}
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeTest.php b/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeTest.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Tests\Security\TwoFactor\Validator\Constraints;
+
+use PHPUnit\Framework\Attributes\Test;
+use Scheb\TwoFactorBundle\Tests\TestCase;
+use Symfony\Component\Validator\Mapping\ClassMetadata;
+use Symfony\Component\Validator\Mapping\Loader\AttributeLoader;
+
+class UserGoogleTotpCodeTest extends TestCase
+{
+    #[Test]
+    public function configureConstraintFromAttribute_configurationIsCorrect(): void
+    {
+        $metadata = new ClassMetadata(UserGoogleTotpCodeDummy::class);
+        $this->assertTrue((new AttributeLoader())->loadClassMetadata($metadata));
+
+        [$aConstraint] = $metadata->getPropertyMetadata('a')[0]->getConstraints();
+        $this->assertSame('code_invalid', $aConstraint->message);
+        $this->assertSame('SchebTwoFactorBundle', $aConstraint->translationDomain);
+        $this->assertSame('scheb_two_factor.security.totp.validator.user_google_totp_code', $aConstraint->validatedBy());
+
+        [$bConstraint] = $metadata->getPropertyMetadata('b')[0]->getConstraints();
+        $this->assertSame('myMessage', $bConstraint->message);
+        $this->assertSame('myDomain', $bConstraint->translationDomain);
+        $this->assertSame('my_service', $bConstraint->validatedBy());
+        $this->assertSame(['Default', 'UserGoogleTotpCodeDummy'], $bConstraint->groups);
+        $this->assertNull($bConstraint->payload);
+
+        [$cConstraint] = $metadata->getPropertyMetadata('c')[0]->getConstraints();
+        $this->assertSame(['my_group'], $cConstraint->groups);
+        $this->assertSame('some attached data', $cConstraint->payload);
+    }
+}
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeValidatorTest.php b/tests/Security/TwoFactor/Validator/Constraints/UserGoogleTotpCodeValidatorTest.php
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeDummy.php b/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeDummy.php
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeTest.php b/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeTest.php
diff --git a/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeValidatorTest.php b/tests/Security/TwoFactor/Validator/Constraints/UserTotpCodeValidatorTest.php
