oxtotp/src/Application/Controller/Admin/d3totpadminlogin.php

<?php

/**
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 *
 * https://www.d3data.de
 *
 * @copyright (C) D3 Data Development (Inh. Thomas Dartsch)
 * @author    D3 Data Development - Daniel Seifert <info@shopmodule.com>
 * @link      https://www.oxidmodule.com
 */

declare(strict_types=1);

namespace D3\Totp\Application\Controller\Admin;

use D3\Totp\Application\Model\d3backupcodelist;
use D3\Totp\Application\Model\d3totp;
use D3\Totp\Application\Model\d3totp_conf;
use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;
use D3\Totp\Modules\Application\Controller\Admin\d3_totp_LoginController;
use D3\Totp\Modules\Application\Model\d3_totp_user;
use OxidEsales\Eshop\Application\Controller\Admin\AdminController;
use OxidEsales\Eshop\Application\Controller\Admin\LoginController;
use OxidEsales\Eshop\Application\Model\User;
use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;
use OxidEsales\Eshop\Core\Registry;
use OxidEsales\Eshop\Core\Session;
use OxidEsales\Eshop\Core\Utils;
use Psr\Log\LoggerInterface;

class d3totpadminlogin extends AdminController
{
    protected $_sThisTemplate = 'd3totpadminlogin.tpl';

    /**
     * @return bool
     */
    protected function _authorize(): bool
    {
        return true;
    }

    /**
     * @return d3totp|mixed
     */
    public function d3TotpGetTotpObject()
    {
        return oxNew(d3totp::class);
    }

    /**
     * @return bool
     * @throws DatabaseConnectionException
     */
    protected function isTotpIsNotRequired(): bool
    {
        /** @var d3_totp_user $user */
        $user = $this->d3TotpGetUserObject();
        $userId = $user->d3TotpGetCurrentUser();

        $totp = $this->d3TotpGetTotpObject();
        $totp->loadByUserId($userId);

        return $this->d3TotpGetSession()->hasVariable(d3totp_conf::SESSION_ADMIN_AUTH) ||
            !$totp->isActive();
    }

    /**
     * @return bool
     */
    protected function isTotpLoginNotPossible(): bool
    {
        $user = $this->d3TotpGetUserObject();
        return !$user->d3TotpGetCurrentUser();
    }

    /**
     * @return string
     * @throws DatabaseConnectionException
     */
    public function render(): string
    {
        if ($this->isTotpLoginNotPossible()) {
            $this->d3TotpGetUtils()->redirect('index.php?cl=login', false);
        } elseif ($this->isTotpIsNotRequired()) {
            $this->d3TotpGetUtils()->redirect('index.php?cl=admin_start', false);
        }

        $this->addTplParam('selectedProfile', Registry::getRequest()->getRequestEscapedParameter('profile'));
        $this->addTplParam('selectedChLanguage', Registry::getRequest()->getRequestEscapedParameter('chlanguage'));

        /** @var d3_totp_LoginController $loginController */
        $loginController = $this->d3GetLoginController();
        $loginController->d3totpAfterLoginSetLanguage();

        return parent::render();
    }

    /**
     * @return d3backupcodelist
     */
    public function d3GetBackupCodeListObject(): d3backupcodelist
    {
        return oxNew(d3backupcodelist::class);
    }

    /**
     * @return string|void
     * @throws DatabaseConnectionException
     */
    public function getBackupCodeCountMessage()
    {
        /** @var d3_totp_user $user */
        $user = oxNew(User::class);
        $userId = $user->d3TotpGetCurrentUser();

        $oBackupCodeList = $this->d3GetBackupCodeListObject();
        $iCount = $oBackupCodeList->getAvailableCodeCount($userId);

        if ($iCount < 4) {
            return sprintf(
                Registry::getLang()->translateString('D3_TOTP_AVAILBACKUPCODECOUNT'),
                $iCount
            );
        }
    }

    /**
     * @return string
     */
    public function d3CancelLogin(): string
    {
        /** @var d3_totp_user $oUser */
        $oUser = $this->d3TotpGetUserObject();
        $oUser->logout();
        return "login";
    }

    /**
     * @return User
     */
    public function d3TotpGetUserObject(): User
    {
        return oxNew(User::class);
    }

    /**
     * @return string|void
     * @throws DatabaseConnectionException
     */
    public function checklogin()
    {
        $session = $this->d3TotpGetSession();
        /** @var d3_totp_user $user */
        $user = oxNew(User::class);
        $userId = $user->d3TotpGetCurrentUser();

        try {
            $sTotp = implode('', Registry::getRequest()->getRequestEscapedParameter('d3totp') ?: []);

            $totp = $this->d3TotpGetTotpObject();
            $totp->loadByUserId($userId);

            $this->d3TotpHasValidTotp($sTotp, $totp);

            $selectedProfile = Registry::getRequest()->getRequestEscapedParameter('profile');
            $selectedLanguage = Registry::getRequest()->getRequestEscapedParameter('chlanguage');

            $session->initNewSession();
            $session->setVariable(d3totp_conf::SESSION_ADMIN_PROFILE, $selectedProfile);
            $session->setVariable(d3totp_conf::SESSION_ADMIN_CHLANGUAGE, $selectedLanguage);
            $session->setVariable(d3totp_conf::OXID_ADMIN_AUTH, $userId);
            $session->setVariable(d3totp_conf::SESSION_ADMIN_AUTH, $userId);
            $session->deleteVariable(d3totp_conf::SESSION_ADMIN_CURRENTUSER);

            /** @var d3_totp_LoginController $loginController */
            $loginController = $this->d3GetLoginController();
            $loginController->d3totpAfterLogin();

            return "admin_start";
        } catch (d3totp_wrongOtpException $e) {
            Registry::getUtilsView()->addErrorToDisplay($e);
            $this->getLogger()->error($e->getMessage(), ['UserId'   => $userId]);
            $this->getLogger()->debug($e->getTraceAsString());
        }
    }

    /**
     * @param string|null $sTotp
     * @param d3totp $totp
     * @return bool
     * @throws DatabaseConnectionException
     * @throws d3totp_wrongOtpException
     */
    public function d3TotpHasValidTotp(string $sTotp = null, d3totp $totp): bool
    {
        return $this->d3TotpGetSession()->getVariable(d3totp_conf::SESSION_ADMIN_AUTH)
            || $totp->verify($sTotp);
    }

    /**
     * @return Utils
     */
    public function d3TotpGetUtils(): Utils
    {
        return Registry::getUtils();
    }

    /**
     * @return Session
     */
    public function d3TotpGetSession(): Session
    {
        return Registry::getSession();
    }

    /**
     * @return LoggerInterface
     */
    public function getLogger(): LoggerInterface
    {
        return Registry::getLogger();
    }

    /**
     * @return LoginController
     */
    public function d3GetLoginController(): LoginController
    {
        return oxNew(LoginController::class);
    }
}
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`<?php`

			`/**`
			`* For the full copyright and license information, please view the LICENSE`
			`* file that was distributed with this source code.`
			`*`
			`* https://www.d3data.de`
			`*`
			`* @copyright (C) D3 Data Development (Inh. Thomas Dartsch)`
			`* @author D3 Data Development - Daniel Seifert <info@shopmodule.com>`
			`* @link https://www.oxidmodule.com`
			`*/`

			`declare(strict_types=1);`

			`namespace D3\Totp\Application\Controller\Admin;`

			`use D3\Totp\Application\Model\d3backupcodelist;`
			`use D3\Totp\Application\Model\d3totp;`
			`use D3\Totp\Application\Model\d3totp_conf;`
			`use D3\Totp\Application\Model\Exceptions\d3totp_wrongOtpException;`
move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`use D3\Totp\Modules\Application\Controller\Admin\d3_totp_LoginController;`
fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`use D3\Totp\Modules\Application\Model\d3_totp_user;`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`use OxidEsales\Eshop\Application\Controller\Admin\AdminController;`
move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`use OxidEsales\Eshop\Application\Controller\Admin\LoginController;`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`use OxidEsales\Eshop\Application\Model\User;`
			`use OxidEsales\Eshop\Core\Exception\DatabaseConnectionException;`
			`use OxidEsales\Eshop\Core\Registry;`
adjust tests 2022-11-10 16:45:57 +01:00			`use OxidEsales\Eshop\Core\Session;`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`use OxidEsales\Eshop\Core\Utils;`
adjust tests 2022-11-10 16:45:57 +01:00			`use Psr\Log\LoggerInterface;`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
			`class d3totpadminlogin extends AdminController`
			`{`
			`protected $_sThisTemplate = 'd3totpadminlogin.tpl';`

			`/**`
			`* @return bool`
			`*/`
			`protected function _authorize(): bool`
			`{`
			`return true;`
			`}`

adjust tests 2022-11-10 16:45:57 +01:00			`/**`
			`* @return d3totp\|mixed`
			`*/`
			`public function d3TotpGetTotpObject()`
			`{`
			`return oxNew(d3totp::class);`
			`}`

			`/**`
			`* @return bool`
			`* @throws DatabaseConnectionException`
			`*/`
			`protected function isTotpIsNotRequired(): bool`
			`{`
improve code 2022-11-25 15:42:33 +01:00			`/** @var d3_totp_user $user */`
adjust tests 2022-11-10 16:45:57 +01:00			`$user = $this->d3TotpGetUserObject();`
			`$userId = $user->d3TotpGetCurrentUser();`

			`$totp = $this->d3TotpGetTotpObject();`
			`$totp->loadByUserId($userId);`

separate session var names between frontend and backend 2022-11-23 09:21:52 +01:00			`return $this->d3TotpGetSession()->hasVariable(d3totp_conf::SESSION_ADMIN_AUTH) \|\|`
adjust tests 2022-11-10 16:45:57 +01:00			`!$totp->isActive();`
			`}`

			`/**`
			`* @return bool`
			`*/`
			`protected function isTotpLoginNotPossible(): bool`
			`{`
fix missing redirect on lost session while admin login 2022-11-26 00:23:04 +01:00			`$user = $this->d3TotpGetUserObject();`
			`return !$user->d3TotpGetCurrentUser();`
adjust tests 2022-11-10 16:45:57 +01:00			`}`

extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`/**`
			`* @return string`
adjust tests 2022-11-10 16:45:57 +01:00			`* @throws DatabaseConnectionException`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`*/`
			`public function render(): string`
			`{`
fix missing redirect on lost session while admin login 2022-11-26 00:23:04 +01:00			`if ($this->isTotpLoginNotPossible()) {`
			`$this->d3TotpGetUtils()->redirect('index.php?cl=login', false);`
			`} elseif ($this->isTotpIsNotRequired()) {`
			`$this->d3TotpGetUtils()->redirect('index.php?cl=admin_start', false);`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`}`

move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`$this->addTplParam('selectedProfile', Registry::getRequest()->getRequestEscapedParameter('profile'));`
			`$this->addTplParam('selectedChLanguage', Registry::getRequest()->getRequestEscapedParameter('chlanguage'));`

set selected language for otp form 2022-11-24 20:27:07 +01:00			`/** @var d3_totp_LoginController $loginController */`
adjust tests 2022-11-24 23:52:16 +01:00			`$loginController = $this->d3GetLoginController();`
set selected language for otp form 2022-11-24 20:27:07 +01:00			`$loginController->d3totpAfterLoginSetLanguage();`

extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`return parent::render();`
			`}`

			`/**`
			`* @return d3backupcodelist`
			`*/`
adjust tests 2022-11-10 16:45:57 +01:00			`public function d3GetBackupCodeListObject(): d3backupcodelist`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
			`return oxNew(d3backupcodelist::class);`
			`}`

			`/**`
			`* @return string\|void`
			`* @throws DatabaseConnectionException`
			`*/`
			`public function getBackupCodeCountMessage()`
			`{`
fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`/** @var d3_totp_user $user */`
			`$user = oxNew(User::class);`
			`$userId = $user->d3TotpGetCurrentUser();`

extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`$oBackupCodeList = $this->d3GetBackupCodeListObject();`
fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`$iCount = $oBackupCodeList->getAvailableCodeCount($userId);`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
			`if ($iCount < 4) {`
			`return sprintf(`
			`Registry::getLang()->translateString('D3_TOTP_AVAILBACKUPCODECOUNT'),`
			`$iCount`
			`);`
			`}`
			`}`

			`/**`
adjust tests 2022-11-10 16:45:57 +01:00			`* @return string`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`*/`
adjust tests 2022-11-10 16:45:57 +01:00			`public function d3CancelLogin(): string`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
improve code 2022-11-25 15:42:33 +01:00			`/** @var d3_totp_user $oUser */`
adjust tests 2022-11-10 16:45:57 +01:00			`$oUser = $this->d3TotpGetUserObject();`
			`$oUser->logout();`
			`return "login";`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`}`

			`/**`
improve code 2022-11-25 15:42:33 +01:00			`* @return User`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`*/`
improve code 2022-11-25 15:42:33 +01:00			`public function d3TotpGetUserObject(): User`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
			`return oxNew(User::class);`
			`}`

fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`/**`
			`* @return string\|void`
			`* @throws DatabaseConnectionException`
			`*/`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`public function checklogin()`
			`{`
adjust tests 2022-11-10 16:45:57 +01:00			`$session = $this->d3TotpGetSession();`
fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`/** @var d3_totp_user $user */`
			`$user = oxNew(User::class);`
			`$userId = $user->d3TotpGetCurrentUser();`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
			`try {`
improve code 2022-11-25 15:42:33 +01:00			`$sTotp = implode('', Registry::getRequest()->getRequestEscapedParameter('d3totp') ?: []);`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
adjust tests 2022-11-10 16:45:57 +01:00			`$totp = $this->d3TotpGetTotpObject();`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`$totp->loadByUserId($userId);`

			`$this->d3TotpHasValidTotp($sTotp, $totp);`

move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`$selectedProfile = Registry::getRequest()->getRequestEscapedParameter('profile');`
			`$selectedLanguage = Registry::getRequest()->getRequestEscapedParameter('chlanguage');`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
			`$session->initNewSession();`
move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`$session->setVariable(d3totp_conf::SESSION_ADMIN_PROFILE, $selectedProfile);`
			`$session->setVariable(d3totp_conf::SESSION_ADMIN_CHLANGUAGE, $selectedLanguage);`
fix handle session variables * attempted login user id will stored in session while totp request only * successful totp login stores user id in totp auth session variable 2022-11-10 11:34:05 +01:00			`$session->setVariable(d3totp_conf::OXID_ADMIN_AUTH, $userId);`
separate session var names between frontend and backend 2022-11-23 09:21:52 +01:00			`$session->setVariable(d3totp_conf::SESSION_ADMIN_AUTH, $userId);`
			`$session->deleteVariable(d3totp_conf::SESSION_ADMIN_CURRENTUSER);`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`/** @var d3_totp_LoginController $loginController */`
adjust tests 2022-11-24 23:52:16 +01:00			`$loginController = $this->d3GetLoginController();`
move OTP check from login controller check to onAdminLoginEvent for webauthn compatibility 2022-11-24 00:51:56 +01:00			`$loginController->d3totpAfterLogin();`

extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`return "admin_start";`
			`} catch (d3totp_wrongOtpException $e) {`
			`Registry::getUtilsView()->addErrorToDisplay($e);`
adjust tests 2022-11-10 16:45:57 +01:00			`$this->getLogger()->error($e->getMessage(), ['UserId' => $userId]);`
			`$this->getLogger()->debug($e->getTraceAsString());`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`}`
			`}`

			`/**`
adjust tests 2022-11-10 16:45:57 +01:00			`* @param string\|null $sTotp`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`* @param d3totp $totp`
			`* @return bool`
			`* @throws DatabaseConnectionException`
			`* @throws d3totp_wrongOtpException`
			`*/`
adjust tests 2022-11-10 16:45:57 +01:00			`public function d3TotpHasValidTotp(string $sTotp = null, d3totp $totp): bool`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
separate session var names between frontend and backend 2022-11-23 09:21:52 +01:00			`return $this->d3TotpGetSession()->getVariable(d3totp_conf::SESSION_ADMIN_AUTH)`
fix unthrown invalid totp exception 2022-11-13 23:40:54 +01:00			`\|\| $totp->verify($sTotp);`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`}`

			`/**`
			`* @return Utils`
			`*/`
adjust tests 2022-11-10 16:45:57 +01:00			`public function d3TotpGetUtils(): Utils`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
			`return Registry::getUtils();`
			`}`

			`/**`
adjust tests 2022-11-10 16:45:57 +01:00			`* @return Session`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`*/`
adjust tests 2022-11-10 16:45:57 +01:00			`public function d3TotpGetSession(): Session`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`{`
adjust tests 2022-11-10 16:45:57 +01:00			`return Registry::getSession();`
			`}`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00
adjust tests 2022-11-10 16:45:57 +01:00			`/**`
			`* @return LoggerInterface`
			`*/`
			`public function getLogger(): LoggerInterface`
			`{`
			`return Registry::getLogger();`
extract TOTP check from admin login 2022-11-10 00:00:50 +01:00			`}`
adjust tests 2022-11-24 23:52:16 +01:00
			`/**`
improve code 2022-11-25 15:42:33 +01:00			`* @return LoginController`
adjust tests 2022-11-24 23:52:16 +01:00			`*/`
			`public function d3GetLoginController(): LoginController`
			`{`
			`return oxNew(LoginController::class);`
			`}`
improve code syntax 2022-11-25 20:24:09 +01:00			`}`