Two Factor refactoring. Introduce TwoFactorProcessors.

composer.json

@@ -31,7 +31,7 @@
  "require": {
  "php": ">=7.4.0",
  "cakephp/cakephp": "^4.5",
- "cakedc/auth": "^7.0",
+ "cakedc/auth": "^7.3",
  "cakephp/authorization": "^2.0.0",
  "cakephp/authentication": "^2.0.0"
  },

src/Loader/AuthenticationServiceLoader.php

@@ -15,7 +15,7 @@
 
 use Cake\Core\Configure;
 use CakeDC\Auth\Authentication\AuthenticationService;
-use CakeDC\Users\Plugin;
+use CakeDC\Auth\Authentication\TwoFactorProcessorLoader;
 use Psr\Http\Message\ServerRequestInterface;
 
 /**
@@ -34,10 +34,11 @@ class AuthenticationServiceLoader
  */
  public function __invoke(ServerRequestInterface $request)
  {
- $service = new AuthenticationService();
+ $processors = TwoFactorProcessorLoader::processors();
+ $service = new AuthenticationService(['processors' => $processors]);
  $this->loadIdentifiers($service);
  $this->loadAuthenticators($service);
- $this->loadTwoFactorAuthenticator($service);
+ $this->loadTwoFactorAuthenticator($service, $processors);
 
  return $service;
  }
@@ -81,17 +82,9 @@ protected function loadAuthenticators($service)
  * @param \CakeDC\Auth\Authentication\AuthenticationService $service Authentication service to load identifiers
  * @return void
  */
- protected function loadTwoFactorAuthenticator($service)
+ protected function loadTwoFactorAuthenticator($service, $processors)
  {
- $u2fEnabled = Configure::read('U2f.enabled') !== false;
- if ($u2fEnabled) {
- trigger_error(Plugin::DEPRECATED_MESSAGE_U2F, E_USER_DEPRECATED);
- }
- if (
- Configure::read('OneTimePasswordAuthenticator.login') !== false
- || Configure::read('Webauthn2fa.enabled') !== false
- || $u2fEnabled
- ) {
+ if (collection($processors)->some(fn ($processor) => $processor->enabled())) {
  $service->loadAuthenticator('CakeDC/Auth.TwoFactor', [
  'skipTwoFactorVerify' => true,
  ]);

src/Loader/MiddlewareQueueLoader.php

@@ -20,10 +20,10 @@
 use Authorization\Middleware\RequestAuthorizationMiddleware;
 use Cake\Core\Configure;
 use Cake\Http\MiddlewareQueue;
+use CakeDC\Auth\Authentication\TwoFactorProcessorLoader;
 use CakeDC\Auth\Middleware\TwoFactorMiddleware;
 use CakeDC\Users\Middleware\SocialAuthMiddleware;
 use CakeDC\Users\Middleware\SocialEmailMiddleware;
-use CakeDC\Users\Plugin;
 
 /**
  * Class MiddlewareQueueLoader
@@ -96,16 +96,8 @@ protected function loadAuthenticationMiddleware(
  */
  protected function load2faMiddleware(MiddlewareQueue $middlewareQueue)
  {
- $u2fEnabled = Configure::read('U2f.enabled') !== false;
- if ($u2fEnabled) {
- trigger_error(Plugin::DEPRECATED_MESSAGE_U2F, E_USER_DEPRECATED);
- }
-
- if (
- Configure::read('OneTimePasswordAuthenticator.login') !== false
- || Configure::read('Webauthn2fa.enabled') !== false
- || $u2fEnabled
- ) {
+ $processors = TwoFactorProcessorLoader::processors();
+ if (collection($processors)->some(fn ($processor) => $processor->enabled())) {
  $middlewareQueue->add(TwoFactorMiddleware::class);
  }
  }

tests/TestCase/Controller/Traits/Integration/LoginTraitIntegrationTest.php

@@ -221,6 +221,11 @@ public function testLoginPostRequestRightPasswordIsEnabledU2f()
  {
  EventManager::instance()->on('TestApp.afterPluginBootstrap', function () {
  Configure::write(['U2f.enabled' => true]);
+ Configure::write([
+ 'TwoFactorProcessors' => [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\U2FProcessor::class,
+ ],
+ ]);
  });
  $this->enableRetainFlashMessages();
  $this->post('/login', [

tests/TestCase/PluginTest.php

@@ -41,6 +41,9 @@ public function testMiddleware()
  {
  Configure::write('Users.Social.login', true);
  Configure::write('OneTimePasswordAuthenticator.login', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
  Configure::write('Auth.Authorization.enable', true);
 
  $plugin = new Plugin();
@@ -75,6 +78,9 @@ public function testMiddlewareAuthorizationMiddlewareAndRbacMiddleware()
  Configure::write('Users.Social.login', true);
  Configure::write('OneTimePasswordAuthenticator.login', true);
  Configure::write('Auth.Authorization.enable', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
 
  $plugin = new Plugin();
 
@@ -106,6 +112,9 @@ public function testMiddlewareWithoutAuhorization()
  Configure::write('Users.Social.login', true);
  Configure::write('OneTimePasswordAuthenticator.login', true);
  Configure::write('Auth.Authorization.enable', false);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
 
  $plugin = new Plugin();
 
@@ -133,6 +142,10 @@ public function testMiddlewareNotSocial()
  Configure::write('Users.Social.login', false);
  Configure::write('OneTimePasswordAuthenticator.login', true);
  Configure::write('Auth.Authorization.enable', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
+
  $plugin = new Plugin();
 
  $middleware = new MiddlewareQueue();
@@ -158,6 +171,9 @@ public function testMiddlewareNotOneTimePasswordAuthenticator()
  Configure::write('Users.Social.login', true);
  Configure::write('OneTimePasswordAuthenticator.login', false);
  Configure::write('Auth.Authorization.enable', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
  $plugin = new Plugin();
 
  $middleware = new MiddlewareQueue();
@@ -185,6 +201,9 @@ public function testMiddlewareNotGoogleAuthenticationAndNotSocial()
  Configure::write('Users.Social.login', false);
  Configure::write('OneTimePasswordAuthenticator.login', false);
  Configure::write('Auth.Authorization.enable', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
  $plugin = new Plugin();
 
  $middleware = new MiddlewareQueue();

tests/TestCase/Provider/AuthenticationServiceProviderTest.php

@@ -78,6 +78,9 @@ public function testGetAuthenticationService()
  'Authentication.JwtSubject',
  ]);
  Configure::write('OneTimePasswordAuthenticator.login', true);
+ Configure::write('TwoFactorProcessors', [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ ]);
 
  $authenticationServiceProvider = new AuthenticationServiceProvider();
  $service = $authenticationServiceProvider->getAuthenticationService(new ServerRequest(), new Response());
@@ -215,6 +218,7 @@ public function testGetAuthenticationServiceWithoutOneTimePasswordAuthenticator(
  'Authentication.JwtSubject',
  ]);
  Configure::write('OneTimePasswordAuthenticator.login', false);
+ Configure::write('TwoFactorProcessors', []);
 
  $authenticationServiceProvider = new AuthenticationServiceProvider();
  $service = $authenticationServiceProvider->getAuthenticationService(new ServerRequest(), new Response());

tests/test_app/config/users.php

@@ -9,4 +9,9 @@
  'OAuth.providers.twitter.options.clientSecret' => '999988899',
  'OAuth.providers.google.options.clientId' => '0000000990909090',
  'OAuth.providers.google.options.clientSecret' => '1565464559789798',
+ 'TwoFactorProcessors' => [
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\OneTimePasswordProcessor::class,
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\U2FProcessor::class,
+ \CakeDC\Auth\Authentication\TwoFactorProcessor\Webauthn2faProcessor::class,
+ ],
 ];