AC-10982::[2FA] Integrate with Duo Web SDK to support Universal Prompt-moved functionality for checking duo state in controller

Author: glo05363

TwoFactorAuth/Block/Provider/Duo/Auth.php

@@ -82,6 +82,7 @@ public function getJsLayout()
         }
         $username = $user->getUserName();
         $state = $this->duoSecurity->generateDuoState();
+        $this->session->setDuoState($state);
         $prompt_uri = $this->duoSecurity->initiateAuth($username, $state);
         $this->jsLayout['components']['tfa-auth']['authUrl'] = $prompt_uri;
         return parent::getJsLayout();

TwoFactorAuth/Controller/Adminhtml/Duo/Authpost.php

@@ -122,13 +122,17 @@ private function getUser()
     public function execute()
     {
         $user = $this->getUser();
-
-        if ($this->duoSecurity->verify($user, $this->dataObjectFactory->create([
-            'data' => $this->getRequest()->getParams(),
-        ]))) {
-            $this->tfa->getProvider(DuoSecurity::CODE)->activate((int) $user->getId());
-            $this->tfaSession->grantAccess();
-            return $this->_redirect($this->context->getBackendUrl()->getStartupPageUrl());
+        $username = $user->getUserName();
+        $savedState = $this->session->getDuoState();
+
+        if (!empty($savedState) && !empty($username) && ($this->getRequest()->getParam('state') == $savedState)) {
+            if ($this->duoSecurity->verify($user, $this->dataObjectFactory->create([
+                'data' => $this->getRequest()->getParams(),
+            ]))) {
+                $this->tfa->getProvider(DuoSecurity::CODE)->activate((int) $user->getId());
+                $this->tfaSession->grantAccess();
+                return $this->_redirect($this->context->getBackendUrl()->getStartupPageUrl());
+            }
         } else {
             $this->alert->event(
                 'Magento_TwoFactorAuth',

TwoFactorAuth/Helper/Data.php

@@ -12,7 +12,6 @@
 use Magento\Framework\DataObject;
 use Magento\Framework\Encryption\EncryptorInterface;
 use Magento\Framework\UrlInterface;
-use Magento\TwoFactorAuth\Helper\Data as TwoFactorAuthHelper;
 use Magento\User\Api\Data\UserInterface;
 use Magento\TwoFactorAuth\Api\EngineInterface;
 use Duo\DuoUniversal\Client;
@@ -103,16 +102,10 @@ class DuoSecurity implements EngineInterface
      */
     private $urlBuilder;
 
-    /**
-     * @var TwoFactorAuthHelper
-     */
-    private $helper;
-
     /**
      * @param ScopeConfigInterface $scopeConfig
      * @param EncryptorInterface $encryptor
      * @param UrlInterface $urlBuilder
-     * @param TwoFactorAuthHelper $helper
      * @param Client|null $client
      * @param DuoAuth|null $duoAuth
      * @throws \Duo\DuoUniversal\DuoException
@@ -121,14 +114,12 @@ public function __construct(
         ScopeConfigInterface $scopeConfig,
         EncryptorInterface $encryptor,
         UrlInterface $urlBuilder,
-        TwoFactorAuthHelper $helper,
         Client $client = null,
         DuoAuth $duoAuth = null
     ) {
         $this->scopeConfig = $scopeConfig;
         $this->encryptor = $encryptor;
         $this->urlBuilder = $urlBuilder;
-        $this->helper = $helper;
         if ($this->isDuoForcedProvider()) {
             $this->client = $client ?? new Client(
                 $this->getClientId(),
@@ -221,14 +212,9 @@ private function getSkey(): string
      */
     public function verify(UserInterface $user, DataObject $request): bool
     {
-        $state = $request->getData('state');
         $duoCode = $request->getData('duo_code');
         $username = $user->getUserName();
 
-        if (empty($state) || empty($username)) {
-            return false;
-        }
-
         try {
             // Not saving token as this is for verification purpose
             $this->client->exchangeAuthorizationCodeFor2FAResult($duoCode, $username);
@@ -289,6 +275,8 @@ public function healthCheck(): void
     }
 
     /**
+     * Generate a state for Duo Universal prompt
+     *
      * @return string
      */
     public function generateDuoState() : string